How do I set up a static IP for egress traffic going out of GCVE? Need whitelisting by API vendor

Hello,

I am working on an on-premises VMware to GCVE migration project. One of the requirements we have is for a 3rd-party API vendor to be able to whitelist IPs on their side; this is related to egress traffic going out of GCVE. This means there should be a static IP on the GCVE side and all traffic from GCVE VMs must pass through this IP. I see that GCVE provides its own GCVE internet gateway out of the box. From what I understand this is different from the standard VPC internet gateway. Can the GCVE internet gateway be associated with a static IP or a CIDR IP range that I can provide to my 3rd-party API vendor to whitelist? Is there a better solution?

Hi @dheerajpanyam,

You should configure a Cloud NAT gateway. This allows resources without external IP addresses, such as your GCVE VMs, to communicate with the internet.

Here’s how to implement this solution:

  1. Establish a VPC connection: A standard prerequisite for many GCVE functionalities is the connection of your GCVE private cloud to a Google Cloud VPC.
  2. Reserve an IP address: In your Google Cloud project, reserve one or more static external IP addresses. These will be the public-facing IPs that your third-party vendor will whitelist.
  3. Configure Cloud NAT: In the same VPC that is connected to your GCVE environment, create a Cloud NAT gateway. You will associate the reserved static IP address with this gateway during the configuration.
  4. Route GCVE traffic: To configure routing within GCVE’s NSX-T Manager, you must advertise a default route (0.0.0.0/0) from your Virtual Private Cloud (VPC) to your GCVE private cloud. This action directs all internet-bound traffic from Virtual Machines (VMs) in GCVE through the VPC.

With this setup, when a VM in GCVE sends traffic to the internet, it’s routed through your VPC and processed by the Cloud NAT gateway. The gateway translates the VM’s private source IP to a reserved static public IP. This means that to a third-party API vendor, all traffic will appear to come from that single, predictable IP address, allowing them to safely whitelist it.
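The gcloud commands for steps 2 and 3 above, plus a check to run from a GCVE VM once the 0.0.0.0/0 route from step 4 is in place, as an added example that is not part of the original thread. The project, region, network and resource names are placeholders I chose, and the external IP echo service used by the verify step is an assumption (any service that returns the caller's public address will do). Nothing is applied unless the script is invoked with `apply` or `verify`.

```shell
#!/bin/sh
# Added example, not from the original thread: reserve a static egress IP,
# pin a Cloud NAT gateway to it, and verify what the outside world sees.
set -eu

# Assumed names (not in the original thread); override via the environment.
PROJECT="${PROJECT:-my-gcve-project}"
REGION="${REGION:-us-central1}"
NETWORK="${NETWORK:-gcve-vpc}"            # the VPC connected to the GCVE private cloud
ADDRESS_NAME="${ADDRESS_NAME:-gcve-egress-ip}"
ROUTER_NAME="${ROUTER_NAME:-gcve-egress-router}"
NAT_NAME="${NAT_NAME:-gcve-egress-nat}"
ECHO_URL="${ECHO_URL:-https://checkip.amazonaws.com}"   # assumed IP echo service

# Step 2: reserve a regional static external IP. Its value is what the
# vendor whitelists, so print it for the hand-off.
reserve_egress_ip() {
  gcloud compute addresses create "$ADDRESS_NAME" \
    --project="$PROJECT" --region="$REGION" >/dev/null
  gcloud compute addresses describe "$ADDRESS_NAME" \
    --project="$PROJECT" --region="$REGION" --format='value(address)'
}

# Step 3: Cloud NAT hangs off a Cloud Router. Manual IP allocation
# (--nat-external-ip-pool) keeps the egress address fixed; auto-allocation
# would hand out addresses the vendor has never seen.
create_nat_gateway() {
  gcloud compute routers create "$ROUTER_NAME" \
    --project="$PROJECT" --region="$REGION" --network="$NETWORK"
  gcloud compute routers nats create "$NAT_NAME" \
    --project="$PROJECT" --region="$REGION" --router="$ROUTER_NAME" \
    --nat-external-ip-pool="$ADDRESS_NAME" \
    --nat-all-subnet-ip-ranges \
    --enable-logging
}

# Sanity check on what the echo service returned: an error page or HTML
# must not be mistaken for an address. POSIX sh only, no bash regexes.
is_ipv4() {
  ip="$1"
  case "$ip" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs="$IFS"; IFS=.
  set -- $ip
  IFS="$old_ifs"
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
}

# The actual comparison the vendor's whitelist will perform.
egress_ip_matches() {
  [ "$2" = "$1" ]
}

# Run this from a VM inside the GCVE private cloud, not from a VPC VM:
# only the private cloud's path through the NAT is what the vendor sees.
verify_egress() {
  expected="$1"
  observed=$(curl -fsS --max-time 10 "$ECHO_URL" | tr -d '[:space:]')
  if ! is_ipv4 "$observed"; then
    echo "echo service did not return an IPv4 address: $observed" >&2
    return 2
  fi
  if egress_ip_matches "$expected" "$observed"; then
    echo "OK: egress seen as $observed, matches reserved $expected"
  else
    echo "MISMATCH: egress seen as $observed, expected $expected" >&2
    echo "Traffic is leaving by another path; check the 0.0.0.0/0 route and NAT scope." >&2
    return 1
  fi
}

case "${1:-}" in
  apply)  ip=$(reserve_egress_ip); create_nat_gateway; echo "Give the vendor: $ip" ;;
  verify) verify_egress "${2:?usage: $0 verify RESERVED_IP}" ;;
esac
```

Hand the vendor the single address printed by `apply`, then run `verify` from a GCVE VM with that address; a mismatch means the VM's internet traffic is not going through the VPC and Cloud NAT at all, so the vendor's whitelist would never match.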

Thanks so much @kensan