If your microservice needs to communicate with services outside the cluster and you don’t need to expose your microservice to external traffic, you might not need a LoadBalancer service. Instead, you can use a Service of type ClusterIP, which exposes the service within the cluster but not externally.
Regarding the issue of your microservice needing to exit through a static IP instead of the node’s IP, here are a few options to consider:
- Egress Gateway with Node Pools: You can create a dedicated node pool with nodes that have static external IPs assigned. Then, configure your microservice to run on this specific node pool. This way, the egress traffic from your microservice will consistently use the same static external IP.
- External NAT Gateway: While Google Kubernetes Engine (GKE) public clusters generally use the nodes’ IPs for egress traffic, you can set up an External NAT Gateway which allows your egress traffic to use a static IP address. This can be achieved by configuring a Cloud NAT gateway and directing your egress traffic through it. This way, regardless of which node your microservice is running on, the traffic will exit through the static IP associated with the NAT gateway.
- External Service: If your microservice needs to access external services (not within your GKE cluster) and you want to control the egress IP, you can deploy a separate application in your cluster that acts as a proxy. This proxy can use a static IP or a NAT gateway, and your microservice communicates with this proxy instead of directly with external services.
- Service Mesh: Using a service mesh like Istio or Linkerd can provide advanced control over your microservices’ communication, including egress traffic. These tools allow you to configure egress gateways and control the egress IP addresses for your services.
Remember that the choice between these options depends on your specific requirements, infrastructure setup, and desired level of control over egress traffic. It’s also worth noting that some of these solutions might have associated costs or complexity, so you should carefully evaluate the trade-offs before implementing any of them in your environment.
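
The node-pool option above depends on pinning the workload to the dedicated pool. A sketch of that scheduling follows; it is an added example, not part of the original answer, and the pool name `egress-pool`, the taint `dedicated=egress:NoSchedule`, the service name and the image are assumptions.

```yaml
# Added example. Assumes a GKE node pool named "egress-pool" (hypothetical)
# whose nodes were created with the taint dedicated=egress:NoSchedule (hypothetical).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: billing-client            # hypothetical service name
spec:
  replicas: 2
  selector:
    matchLabels:
      app: billing-client
  template:
    metadata:
      labels:
        app: billing-client
    spec:
      # GKE labels every node with the name of its node pool,
      # so this selector restricts the pods to the dedicated pool.
      nodeSelector:
        cloud.google.com/gke-nodepool: egress-pool
      # Allow these pods onto the tainted pool. Pods without this
      # toleration cannot be scheduled there.
      tolerations:
        - key: dedicated
          operator: Equal
          value: egress
          effect: NoSchedule
      containers:
        - name: app
          image: registry.example.com/billing-client:1.0   # placeholder image
```

The `nodeSelector` keeps these pods on the pool, and the taint keeps other pods off it, so the address that external parties allowlist is not shared with unrelated workloads.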