GKE – Stable Public IP or IP Range for Outbound Connections

google-cloud-platform, google-kubernetes-engine

I use Google Kubernetes Engine to run on-demand pods. Each pod is publicly exposed to the internet using a NodePort service.

I am looking for a way in GKE to get a single IP or an IP range for outbound connections, to give them to third-party APIs to whitelist them.

The GKE node IPs are not manageable when nodes autoscale or when I upgrade them. I need a way to maintain a consistent outbound IP.

I have tried using a simple NAT Gateway to the Kubernetes nodes (using the example from here), and while this routes the outbound connections
to the NAT Gateway, it breaks inbound traffic to the pods (NodePort service) since they get dropped off at the NAT gateway.

  • Is there a default IP range for a Google Cloud region which I can provide to the third party to whitelist?
    (or)

  • Does GKE provide a way to select node external IPs from a pre-reserved list of static IPs?
    (or)

  • Is there any other way to accomplish having a single static IP or an IP range that represents the outbound traffic from the pods?

I have found similar questions like this, but they don't address my problem as the pods should be externally connectable, which breaks when using a NAT.

Best Answer

Google Cloud now provides a managed NAT Gateway service - Cloud NAT.

This gateway can be used with a GKE cluster, which provides a stable public egress IP to all the pods inside it, which enables them to be whitelisted by third party service providers.

The example implementation for using Cloud NAT with GKE is provided here - https://cloud.google.com/nat/docs/gke-example
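As an added illustration (not part of the answer or Google's documentation), the script below reserves a static external IP and attaches a Cloud NAT gateway that uses only that address, so autoscaling or node upgrades never change the egress IP given to third parties; project, region, network and resource names are assumed placeholders. Note that Cloud NAT only translates traffic from nodes without their own external IPs, so this assumes a private-node cluster whose inbound exposure goes through a LoadBalancer Service or Ingress rather than NodePorts on public node addresses.

```bash
#!/usr/bin/env bash
# Stable egress IP for GKE pods via Cloud NAT with a reserved address.
# All values below are assumed placeholders; override them via the environment.
PROJECT="${PROJECT:-my-project}"
REGION="${REGION:-us-central1}"
NETWORK="${NETWORK:-default}"          # VPC the GKE cluster's subnet lives in
ROUTER="${ROUTER:-gke-egress-router}"
NAT_NAME="${NAT_NAME:-gke-egress-nat}"
EGRESS_ADDR="${EGRESS_ADDR:-gke-egress-ip}"
DRY_RUN="${DRY_RUN:-0}"                 # DRY_RUN=1 prints commands instead of running them

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# 1. Reserve a regional static external IP: this is the address handed to
#    third parties for whitelisting.
reserve_egress_ip() {
  run gcloud compute addresses create "$EGRESS_ADDR" \
    --project "$PROJECT" --region "$REGION"
}

# 2. Cloud Router + Cloud NAT pinned to the reserved address only (no
#    auto-allocated IPs), covering every subnet range in the region, including
#    the alias ranges that GKE pods use.
create_cloud_nat() {
  run gcloud compute routers create "$ROUTER" \
    --project "$PROJECT" --region "$REGION" --network "$NETWORK"
  run gcloud compute routers nats create "$NAT_NAME" \
    --project "$PROJECT" --region "$REGION" --router "$ROUTER" \
    --nat-all-subnet-ip-ranges --nat-external-ip-pool "$EGRESS_ADDR"
}

# 3. Ask an external echo service what address a pod presents to the internet.
#    (ifconfig.me and the curlimages/curl image are assumed conveniences.)
probe_pod_egress_ip() {
  kubectl run egress-probe --rm -i --restart=Never --image=curlimages/curl \
    --quiet -- curl -s https://ifconfig.me
}

# 4. Compare the observed egress IP with the reserved one; returns 0 on match,
#    so it can gate a deployment or a periodic check.
check_egress_ip() {
  expected="$1"; observed="$2"
  [ "$expected" = "$observed" ]
}
```

Run `reserve_egress_ip && create_cloud_nat` once, then `check_egress_ip "$(gcloud compute addresses describe "$EGRESS_ADDR" --region "$REGION" --format='value(address)')" "$(probe_pod_egress_ip)"` confirms that pods really leave through the whitelisted address.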