Create a single, outbound IP for a given network

google-cloud-platform

I'm trying to determine the best way in GCP to assign a single, external IP address for OUTBOUND traffic. My use case: I need to provide a static IP to a 3rd party so they can whitelist it, so that my instances are able to access their API. Because I may add or subtract GCE instances in the future, I do not want to give them multiple static IPs which could change.

I found a similar question here but wasn't sure it addresses my use case.

I have a standard GCP network set up; there are no VPNs and all VMs have unique external IPs. I actually like it this way because I need to be able to SSH to the VMs. But from my VMs to the internet, I'd like all traffic to appear to be coming from a single IP. The immediate thought that comes to my head, and that the docs hint at, is to create a NAT instance and then route outbound traffic through it. A few issues with that approach:

  1. I have to set up and maintain a box solely for the purpose of NAT
  2. It's not HA; if that instance or availability zone dies, my other instances won't be able to route traffic externally
  3. It doesn't seem very repeatable if I have to recreate configuration in the future

Specifically, I am using GKE / Kubernetes for this project. Is there a best practice to accomplish this use case that is HA, low maintenance and repeatable?

Best Answer

Google Cloud now provides a managed NAT Gateway service - Cloud NAT.

This gateway can be used with a GKE cluster; it provides a stable public egress IP for all the pods inside it, which enables them to be whitelisted by third-party service providers.

The example implementation for using Cloud NAT with GKE is provided here - https://cloud.google.com/nat/docs/gke-example

Also, since this is a managed, software-based NAT, bandwidth and availability won't be impacted.

This still needs a bastion host to be able to SSH into your instances though.
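As an added example (not part of the answer above, and not Google's own tooling), the script below is one repeatable way to do what the answer describes: reserve a single static external IP and make Cloud NAT use only that address for the cluster's egress, so the address handed to the third party never changes as nodes come and go. It assumes a private GKE cluster already exists in the network, because Cloud NAT only translates traffic from VMs that have no external IP of their own (the linked GKE example also uses a private cluster); the project, region, network and resource names are placeholders, and the IP-echo URL in the verification step is an arbitrary public service that can be swapped for the third party's own endpoint. By default it only prints the `gcloud` commands; set `DRY_RUN=0` to actually create the (billable) resources.

```shell
#!/bin/sh
# Added example: one static egress IP for a GKE cluster via Cloud NAT.
# All values below are placeholders; override them via the environment.
set -eu

GCP_PROJECT="${GCP_PROJECT:-my-project}"   # placeholder project id
GCP_REGION="${GCP_REGION:-us-central1}"    # region of the cluster's subnets
VPC_NETWORK="${VPC_NETWORK:-default}"      # VPC the cluster nodes live in
ROUTER="${ROUTER:-egress-router}"
NAT_NAME="${NAT_NAME:-egress-nat}"
ADDR_NAME="${ADDR_NAME:-egress-ip}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print commands only; 0 = run them

# Print the command in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# 1. Reserve a regional static external IP. This is the one address to
#    give the third party for whitelisting.
reserve_egress_ip() {
  run gcloud compute addresses create "$ADDR_NAME" \
    --project "$GCP_PROJECT" --region "$GCP_REGION"
}

# 2. Cloud NAT is attached to a Cloud Router; no BGP config is needed
#    when the router exists only to host the NAT.
create_router() {
  run gcloud compute routers create "$ROUTER" \
    --project "$GCP_PROJECT" --region "$GCP_REGION" --network "$VPC_NETWORK"
}

# 3. Create the NAT with manual IP allocation from the reserved address,
#    covering every subnet range, so egress never silently moves to an
#    auto-allocated address. Logging lets you audit translated flows.
create_nat() {
  run gcloud compute routers nats create "$NAT_NAME" \
    --project "$GCP_PROJECT" --region "$GCP_REGION" --router "$ROUTER" \
    --nat-external-ip-pool "$ADDR_NAME" \
    --nat-all-subnet-ip-ranges \
    --enable-logging
}

# 4. Show the reserved address so it can be handed to the third party.
show_egress_ip() {
  run gcloud compute addresses describe "$ADDR_NAME" \
    --project "$GCP_PROJECT" --region "$GCP_REGION" --format 'value(address)'
}

# 5. From inside the cluster, confirm a pod's traffic leaves via that
#    address (the echo URL is an arbitrary public IP-echo service).
verify_from_pod() {
  run kubectl run egress-check --rm -i --restart=Never \
    --image=curlimages/curl -- curl -s https://checkip.amazonaws.com
}

main() {
  reserve_egress_ip
  create_router
  create_nat
  show_egress_ip
  verify_from_pod
}

main
```

Run it once in dry-run mode to review the commands, then with `DRY_RUN=0`. If the final step prints a different address, the node that ran the pod most likely still has an external IP of its own, which bypasses Cloud NAT.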
