
In GKE you can use External Ingress Controller to expose a service to the world and if you want you can use Google Cloud Armor to manage traffic and if required deny it with codes 403, 404, 502.

Let's say I have two services under External Ingress Controller: page1.com and page2.com

Is there a way to configure Ingress Controller (not necessarily via External Ingress Controller) so that page1.com would be accessible to anyone and page2.com would be accessible only to a specific IP (let's say my home IP), and if you try to access page2.com from some other IP your attempt would just time out instead of returning 403, 404 or 502?

I saw that there is an option to use Internal Load Balancer which would be accessible via Cloud VPN or IAP but they don't seem to fit as with Cloud VPN (if I understood correctly) you need some on-prem network and with IAP you would still get a prompt to login with Google Account instead of timing out.

sanevi

1 Answer


Yes, you can create a GKE ingress for each service (page1.com and page2.com) and then create one Cloud Armor policy which allows only your home IP. The public service doesn't need a Cloud Armor policy.

See this documentation for using BackendConfig to attach a Cloud Armor policy to your service. Note that it is also doable to create one ingress for both services, with host rules pointing at each service.

Daniel t.
  • Thank you for the suggestion! Cloud Armor sounds like a good option, but it doesn't time out the connection if the IP isn't allowed, it returns one of the 3 status codes – sanevi Aug 11 '22 at 02:48
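A worked configuration for the answer above, added here as an example and not taken from the post or from Google's documentation: a Cloud Armor policy that allows only a placeholder home IP (203.0.113.10), a BackendConfig attached to the page2 Service, and one external Ingress with host rules for both sites (the page1 Service and the policy/resource names are assumptions). As the follow-up comment notes, the policy's default rule still answers blocked clients with a status code rather than a timeout.

```yaml
# Cloud Armor policy, created first with gcloud (home IP 203.0.113.10 is a placeholder):
#   gcloud compute security-policies create page2-home-only
#   gcloud compute security-policies rules create 1000 --security-policy page2-home-only \
#       --src-ip-ranges 203.0.113.10/32 --action allow
#   gcloud compute security-policies rules update 2147483647 \
#       --security-policy page2-home-only --action deny-403   # default rule: everyone else
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: page2-backendconfig
spec:
  securityPolicy:
    name: page2-home-only      # must match the policy name created with gcloud
---
apiVersion: v1
kind: Service
metadata:
  name: page2
  annotations:                 # attaches the BackendConfig (and so the policy) to this backend
    cloud.google.com/backend-config: '{"default": "page2-backendconfig"}'
spec:
  type: NodePort
  selector:
    app: page2
  ports:
    - port: 80
      targetPort: 8080
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: pages
  annotations:
    kubernetes.io/ingress.class: "gce"   # external GKE Ingress
spec:
  rules:
    - host: page1.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service: {name: page1, port: {number: 80}}   # public, no policy attached
    - host: page2.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service: {name: page2, port: {number: 80}}   # restricted by Cloud Armor
```

After `kubectl apply`, verify the attachment with `gcloud compute backend-services describe` on the page2 backend and check that its `securityPolicy` field references page2-home-only.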