Setup a Kubernetes Cluster on GCP with Cloud NAT

David Verdejo
Nov 7, 2018 · 4 min read

This week, a friend told me that after reading our last article about Cloud NAT, he wanted to know how to set it up with a Kubernetes cluster.

So here is the step-by-step process. First, we have to set up a NAT gateway (see the steps in that article).

To see the external IPs assigned to the NAT service, we use the following command (remember that we have to query the router associated with the NAT service, not the NAT itself):

gcloud beta compute routers get-status <router> --region <region>

Now we are going to set up a new Kubernetes cluster in the same region where we created the NAT gateway.

We wait until the cluster is online and then connect (this opens a Cloud Shell session and downloads the credentials for the cluster):

After this, we can test our Internet gateway. To confirm that we are going out through the Cloud NAT, we use the Docker image “travelping/nettools” (source) to create a pod and open a shell in it:

kubectl run -it nettools --image=travelping/nettools --rm --restart=Never -- sh

As soon as we are inside the container, we use curl against ifconfig.me to see our external IP:

We can see that this IP is not one of the addresses assigned to the NAT service (in our case 35.233.3.163 or 35.205.243.254). The problem is that the traffic is leaving through the external IP attached to the Kubernetes node; Cloud NAT is only used by instances that have no external IP, so in order to use the NAT service the Kubernetes nodes must not have any external IP.

With this in mind, we are going to recreate our Kubernetes cluster (the previous one cannot be converted). We need to expand the advanced options of the cluster and check “Enable VPC-native (using alias IP)”. With alias IPs, the VPC network automatically manages the routing setup for Pods.

Then we check the option “Private cluster” and provide the “Master IP range” (the private block for the cluster master must be a /28 and it cannot overlap any existing subnet in our VPC). This creates a cluster whose nodes have only private IPs, while the cluster master keeps a publicly reachable endpoint. We uncheck “Enable master authorized networks” to make the connection to our master simple for this test, but in production it is strongly recommended to restrict access to the master endpoint to a specified set of IP ranges.

As soon as the cluster is online, we repeat the test with the nettools container:

And now we are using the Cloud NAT service.
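The same procedure as a script, added here as an example and not part of the original post: it creates the VPC-native private cluster with the gcloud flags that correspond to the console options above, reads the NAT addresses from the router status, runs the nettools pod and checks that the pod’s egress IP is one of the NAT addresses. Project, region, router, cluster name and master range are placeholders set through environment variables; the IP extraction from the router status is a simple grep over the YAML output and assumes a router used only for Cloud NAT (no BGP peers whose addresses would also match).

```shell
#!/bin/sh
# Added example (not the author's code). Creates a VPC-native private GKE
# cluster and verifies that pod egress goes through Cloud NAT.
# All names below are placeholders supplied via the environment.
PROJECT="${PROJECT:-my-project}"          # placeholder project id
REGION="${REGION:-europe-west1}"          # must match the NAT gateway's region
ROUTER="${ROUTER:-nat-router}"            # Cloud Router that owns the NAT config
CLUSTER="${CLUSTER:-private-nat-cluster}" # placeholder cluster name
MASTER_RANGE="${MASTER_RANGE:-172.16.0.0/28}" # /28, must not overlap any subnet

# Console options mapped to flags:
#   "Enable VPC-native (using alias IP)" -> --enable-ip-alias
#   "Private cluster"                    -> --enable-private-nodes
#   "Master IP range"                    -> --master-ipv4-cidr
#   "Enable master authorized networks" unchecked -> --no-enable-master-authorized-networks
create_private_cluster() {
  gcloud container clusters create "$CLUSTER" \
    --project "$PROJECT" --region "$REGION" \
    --enable-ip-alias \
    --enable-private-nodes \
    --master-ipv4-cidr "$MASTER_RANGE" \
    --no-enable-master-authorized-networks
  gcloud container clusters get-credentials "$CLUSTER" \
    --project "$PROJECT" --region "$REGION"
}

# External IPs in use by the NAT: query the router, not the NAT itself.
nat_ips() {
  gcloud compute routers get-status "$ROUTER" \
    --project "$PROJECT" --region "$REGION" --format=yaml |
    grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u
}

# Egress IP as seen from inside a pod (same nettools image as the post).
pod_egress_ip() {
  kubectl run nettools --image=travelping/nettools --rm -i --restart=Never \
    -- curl -s ifconfig.me 2>/dev/null |
    grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -n 1
}

# ip_in_list IP ADDR... : returns 0 if IP equals one of ADDR... (pure shell).
ip_in_list() {
  ip="$1"; shift
  for candidate in "$@"; do
    [ "$ip" = "$candidate" ] && return 0
  done
  return 1
}

# Compare the pod's egress IP against the NAT addresses and report.
verify_egress_via_nat() {
  nat="$(nat_ips)"
  egress="$(pod_egress_ip)"
  if ip_in_list "$egress" $nat; then
    echo "OK: pod egress $egress is a Cloud NAT address"
    return 0
  fi
  echo "FAIL: pod egress $egress is not among NAT addresses: $nat" >&2
  return 1
}

# Only touch GCP when explicitly asked; the functions above are usable on their own.
if [ "${RUN_GKE:-0}" = "1" ]; then
  create_private_cluster && verify_egress_via_nat
fi
```

Run with `RUN_GKE=1 PROJECT=... REGION=... ROUTER=... sh nat-check.sh` after creating the NAT gateway. For a production cluster replace the last flag with `--enable-master-authorized-networks --master-authorized-networks <your-cidr>` so the public master endpoint only accepts connections from your own address ranges.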

In conclusion, to set up a Kubernetes cluster that uses Cloud NAT, we need to select the following options when creating the cluster:

  • Enable “Enable VPC-native (using alias IP)”
  • Enable “Private cluster” (so the nodes have no external IP and their egress goes through the NAT)


Thanks to Andreea Mihalcea

David Verdejo

Written by

CTO at Bluekiri.

bluekiri

bluekiri

We design, deploy and manage 24/7 the cloud architecture that best suits your business needs. We ensure optimal performance of your servers and applications by identifying the most demanding processes and components of your infra and fine tuning them thanks to our super teams.
