15

I'm trying to determine the best way in GCP to assign a single, external IP address for OUTBOUND traffic. My use case: I need to provide a static IP to a 3rd party so they can whitelist it, so that my instances are able to access their API. Because I may add or subtract GCE instances in the future, I do not want to give them multiple static IPs which could change.

I found a similar question here but wasn't sure it addresses my use case.

I have a standard GCP network set up; there are no VPNs and all VMs have unique external IPs. I actually like it this way because I need to be able to SSH to the VMs. But from my VMs to the internet, I'd like traffic to appear that it is all coming from a single IP. The immediate thought that comes to my head and that the docs hint at is create a NAT instance, then route outbound traffic through that. A few issues with that approach:

  1. I have to set up and maintain a box solely for the purpose of NAT
  2. It's not HA; if that instance or availability zone dies, my other instances won't be able to route traffic externally
  3. It doesn't seem very repeatable if I have to recreate configuration in the future

Specifically, I am using GKE / Kubernetes for this project. Is there a best practice to accomplish this use case that is HA, low maintenance and repeatable?

rob-cng
  • 151
  • 1
  • 3
  • I believe the best option for you is to setup a VPN, which will help while using GKE as well. For example: http://serverfault.com/questions/750389/gke-pod-connecting-via-vpn, and it is cost effective. – George Sep 20 '16 at 20:57
  • @George I don't think VPN would work for this, because I don't control the other side. As in, I wouldn't be establishing a VPN with the 3rd party; I need to route traffic over the internet. – rob-cng Sep 21 '16 at 19:09
  • 1
    So having NAT Gateway should do it, but this will cause a single point of failure. One thing that came to mind as well, having static IPs for your instances and have the other party whitelist them. If you wish to delete any of the instances, the IP will still be reserved which you can attach to newly created instances. And as long as the IP is being used (attached to an instance), it's free of charge. – George Sep 21 '16 at 19:31
  • Yes, I think we'll have to go with this workaround until GCP comes out with NAT as a service similar to AWS. Thanks – rob-cng Sep 22 '16 at 12:36
  • I would suggest filing a feature request about it here: https://code.google.com/p/google-compute-engine/issues/list – George Sep 22 '16 at 15:36
  • 1
    Were you ever able to solve this issue? If so please consider posting a self-answer so the community can benefit – Faizan Feb 01 '17 at 21:35

2 Answers

5

Google Cloud now provides a managed NAT Gateway service - Cloud NAT.

This gateway can be used with a GKE cluster, which provides a stable public egress IP to all the pods inside it, which enables them to be whitelisted by third party service providers.

The example implementation for using Cloud NAT with GKE is provided here - https://cloud.google.com/nat/docs/gke-example

Also, since this is a managed software based NAT, bandwidth and availability won't be impacted.

This still needs a bastion host to be able to ssh into your instances though.

Parag
  • 650
  • 1
  • 7
  • 12
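A repeatable way to build what this answer describes, as an added example that is not from the answer or from Google's documentation: reserve one static address, create a Cloud Router with a Cloud NAT pinned to that address so it covers the GKE subnet's primary and secondary (pod) ranges, and compare a pod's observed source IP against the reserved one. Project, region, network and all resource names are assumed placeholders.

```shell
# Added example, not the original answer's code. Every value below (project,
# region, network, resource names) is an assumed placeholder; override via env.
PROJECT="${PROJECT:-my-project}"
REGION="${REGION:-us-central1}"
NETWORK="${NETWORK:-default}"
NAT_IP_NAME="${NAT_IP_NAME:-gke-egress-ip}"
ROUTER="${ROUTER:-gke-nat-router}"
NAT="${NAT:-gke-nat}"

# Reserve the address first so it survives any router/NAT re-creation; this is
# the single IP the third party whitelists.
reserve_egress_ip() {
  gcloud compute addresses create "$NAT_IP_NAME" \
    --project="$PROJECT" --region="$REGION"
}

# Cloud Router plus NAT config. --nat-external-ip-pool pins egress to the
# reserved address instead of auto-allocated ones that could change.
# --nat-all-subnet-ip-ranges includes the subnet's secondary ranges, which is
# where GKE pod IPs live, so pod traffic is translated too. Logging surfaces
# NAT allocation errors (port exhaustion) to operators.
create_cloud_nat() {
  gcloud compute routers create "$ROUTER" \
    --project="$PROJECT" --region="$REGION" --network="$NETWORK"
  gcloud compute routers nats create "$NAT" \
    --project="$PROJECT" --region="$REGION" --router="$ROUTER" \
    --nat-external-ip-pool="$NAT_IP_NAME" \
    --nat-all-subnet-ip-ranges \
    --enable-logging
}

# Cloud NAT only translates traffic from instances WITHOUT an external IP, so
# the GKE node pool must be private; nodes that keep their own external IPs
# egress from those IPs and bypass the NAT entirely.
# Verification: compare the reserved address with the source IP a pod observes.
# Returns 0 when they match, 1 otherwise.
verify_egress_ip() {
  expected="$1"   # gcloud compute addresses describe "$NAT_IP_NAME" --region="$REGION" --format='value(address)'
  observed="$2"   # e.g. kubectl run probe --rm -it --image=curlimages/curl -- curl -s <echo-my-ip service>
  [ "$expected" = "$observed" ]
}

# Only touch the project when invoked explicitly: sh nat-egress.sh apply
if [ "${1:-}" = "apply" ]; then
  reserve_egress_ip
  create_cloud_nat
fi
```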
4

You can do this by routing all of your traffic via a single instance that does NAT for the other instances. Google has a guide for doing this at https://cloud.google.com/compute/docs/networking#natgateway

David
  • 338
  • 1
  • 6