Doing a POC on Anthos bare metal and found this issue:
- setting loadBalancer.mode to "bundled";
- for loadBalancer.addressPools, the Google Cloud docs say "The IP address ranges … must be in the same subnet as the nodes running load balancers.";
- the Cloud Console page remark at the address pools entry echoes this by saying "The IP addresses in each pool must be in the same subnet as the cluster nodes. You'll use one of these IP addresses for your Ingress VIP.";
- the bmctl command further echoes this with a preflight check error message "IP 62.216.154.175 does not belong to the subnet of 10.200.0.4/24", where IP 62.216.154.175 is the external IP we tried to give.
The above virtually means the load balancers can only be accessed from within the same LAN space. That could not be the purpose of providing the app. So how can we make Anthos bare metal clusters accessible to external Internet users?
I appreciate any advice.
Mike
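To make the preflight rule quoted in the post concrete, here is an added example (my own code, not bmctl's and not part of this thread) that checks an addressPools list against the node subnet the same way the error message describes. The node subnet and the public IP are taken from the post; the pool entries and their CIDR / "start-end" layout are assumed from the cluster config format.

```python
import ipaddress
from typing import List

# Values quoted in the post: the node subnet from the preflight error and the
# public IP that was rejected. The pool layouts below are constructed samples.
NODE_SUBNET = "10.200.0.4/24"
BAD_POOLS = [{"name": "pool1", "addresses": ["62.216.154.175/32"]}]
GOOD_POOLS = [{"name": "pool1", "addresses": ["10.200.0.50-10.200.0.70"]}]


def parse_pool_addresses(entries: List[str]) -> List[ipaddress.IPv4Address]:
    """Expand addressPools entries (CIDR or 'start-end' range) into single IPs."""
    ips: List[ipaddress.IPv4Address] = []
    for entry in entries:
        entry = entry.strip()
        if "-" in entry:
            start, end = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            if end < start:
                raise ValueError(f"range end precedes start: {entry}")
            cur = start
            while cur <= end:
                ips.append(cur)
                cur += 1
        else:
            # strict=False lets a host address with a prefix (e.g. x.x.x.175/32) through
            ips.extend(ipaddress.ip_network(entry, strict=False))
    return ips


def check_address_pools(node_subnet: str, pools: List[dict]) -> List[str]:
    """Mirror the bmctl preflight rule: every pool IP must lie inside the node subnet.
    Returns one error string per offending IP; an empty list means the check passes."""
    subnet = ipaddress.ip_interface(node_subnet).network  # 10.200.0.4/24 -> 10.200.0.0/24
    errors = []
    for pool in pools:
        for ip in parse_pool_addresses(pool["addresses"]):
            if ip not in subnet:
                errors.append(f"IP {ip} does not belong to the subnet of {node_subnet}")
    return errors


if __name__ == "__main__":
    # The public IP fails exactly as in the post; the in-subnet range passes.
    for label, pools in (("external IP", BAD_POOLS), ("in-subnet range", GOOD_POOLS)):
        result = check_address_pools(NODE_SUBNET, pools)
        print(f"{label}: {'OK' if not result else result}")
```

The check is purely about subnet membership, which is why the thread's resolution (NAT on a router or firewall in front of an in-subnet VIP) is the way to expose the service without violating it.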
Hi @diymikie,
Can you share the documentation that you used when you configured this cluster?
For Anthos bare metal to be exposed to the Internet, I would recommend that you follow this documentation:
- If you haven't seen these steps yet, you can re-create a Deployment and a Service (guide).
- By using a VPN.
The docs we're following are Create an Anthos on bare metal user cluster on Compute Engine VMs using Anthos On-Prem API clients and Create an Anthos on bare metal hybrid cluster on Compute Engine VMs.
Your guide is the Quickstart section with a real-machine deployment, but to save the facility effort we've tried to do it with GCP VMs. Even in the Quickstart, I guess the same question remains: the derived load balancer IP, 172.16.1.21, looks like an internal IP rather than an external one.
As for the VPN idea, I think it doesn't help too much, since when we launch a web app to average Internet users we won't bother to require a VPN.
I'd like to close this question, as I've learned that there is an easy solution: set up some NAT on a router or firewall that translates an exposed external IP to an internal IP in the subnet.
I guess that's why the design of Anthos for bare metal went with the subnet IP pool instead of providing the external IP pool option offered by the MetalLB load balancer.
Thanks for any attention.