Google Compute Engine - How to allow access from (only) other project instances?

5/6/2016

With Google Compute Engine, how do I create a firewall rule so that only instances within the same project are allowed access? Access from other clusters (within the same project) should be allowed.

The scenario is to allow a GKE cluster to access a cluster of RethinkDB database servers that run on GCE instances.

-- aknuds1
firewall
google-compute-engine
google-kubernetes-engine

2 Answers

5/9/2016

Turns out the problem was that I was accessing the RethinkDB instances via external IPs. For some reason, this causes the firewall rule with internal source IPs not to match. The solution was to access the instances via internal DNS names instead, in which case the firewall rule applies.

Furthermore, there is a default firewall rule already, default-allow-internal, which allows any traffic between instances on the same project. Therefore I do not need to create my own rule.

-- aknuds1
Source: StackOverflow

5/6/2016

"So that only instances within the same project are allowed access" to what?

I assume you don't mean access to the cluster's apiserver, since that IP should already be accessible from all your instances.

If you mean accessing a container in a cluster from an instance outside the cluster, you can create a firewall rule to be more permissive about allowing traffic within your GCE network. You can either be very permissive or a little more fine-grained when doing this:

  1. Very permissive - just create a firewall rule that allows traffic from the source IP range 10.0.0.0/8 to all instances in your network (don't add any "target tags") on all the protocols and ports you care about (e.g. tcp:1-65535,udp:1-65535,icmp). The 10.0.0.0/8 range will cover all instances and containers in your network (and nothing outside of it).

  2. Separate firewall per cluster - do the same thing as number one, but add the target tag that's on all nodes in the cluster. You can get this from looking at one of the instances' tags or by looking at the target tags on the firewalls that GKE created for your cluster when it was created. The benefit of this approach is that it will let everything in your network talk to your cluster without exposing anything else in your network that you don't want to open up quite so much.

If you mean accessing a service from outside the cluster, then it's a little tougher since you need to run the kube-proxy on the instances outside the cluster and configure it to talk to the cluster's apiserver in order to route the service packets properly.

-- Alex Robinson
Source: StackOverflow
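The two answers above rely on how GCE evaluates an ingress rule: the source IP the target sees must fall inside the rule's source range, the target must carry one of the rule's target tags (if any), and the protocol/port must be in the rule's allow list. The following is an added example, not GCE's code or anything posted by either author: a small offline model of that evaluation that reproduces both points, the accepted answer's observation that going through the external IP makes `default-allow-internal` stop matching, and Alex Robinson's option 2 of scoping a rule with a target tag. Assumptions are labelled in the code: all addresses, instance names and the `gke-mycluster-node`/`rethinkdb` tags are constructed; 10.0.0.0/8 is taken from the answer as written (the actual internal range of a given network may differ); 28015 and 29015 are RethinkDB's default driver and intracluster ports; and the model assumes a connection to an instance's external IP arrives with the client's external address as its source.

```python
"""Toy model of GCE ingress firewall evaluation (added example, not GCE code)."""
import ipaddress
from dataclasses import dataclass, field


def parse_allow(spec):
    """Parse a gcloud-style --allow spec, e.g. 'tcp:1-65535,udp:53,icmp'.
    Returns {proto: None} for all ports, {proto: [range, ...]} otherwise."""
    allowed = {}
    for item in spec.split(","):
        proto, _, ports = item.strip().partition(":")
        if not ports:                      # e.g. 'icmp': protocol has no ports
            allowed[proto] = None
            continue
        lo, _, hi = ports.partition("-")
        allowed.setdefault(proto, []).append(range(int(lo), int(hi or lo) + 1))
    return allowed


@dataclass
class Rule:
    name: str
    source_ranges: list                                # CIDR strings
    allowed: dict                                      # output of parse_allow()
    target_tags: list = field(default_factory=list)    # [] = every instance in the network


@dataclass
class Instance:
    name: str
    internal_ip: str
    external_ip: str
    tags: list = field(default_factory=list)


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    port: int = None


def rule_matches(rule, packet, target):
    """True if this ingress rule admits the packet to the target instance."""
    if rule.target_tags and not set(rule.target_tags) & set(target.tags):
        return False
    src = ipaddress.ip_address(packet.src_ip)
    if not any(src in ipaddress.ip_network(cidr) for cidr in rule.source_ranges):
        return False
    if packet.proto not in rule.allowed:
        return False
    ranges = rule.allowed[packet.proto]
    return ranges is None or any(packet.port in r for r in ranges)


def ingress_allowed(rules, packet, target):
    """Names of the rules that admit the packet (empty list = dropped)."""
    return [r.name for r in rules if rule_matches(r, packet, target)]


def connect(client, server, via_external, proto, port):
    """Packet as the server's firewall sees it. Modelling assumption: reaching a
    server via its external IP leaves the VPC, so the observed source is the
    client's external address, not its 10.x address."""
    if via_external:
        return Packet(client.external_ip, server.external_ip, proto, port)
    return Packet(client.internal_ip, server.internal_ip, proto, port)


# Constructed sample data: documentation-range addresses, hypothetical names/tags.
GKE_NODE = Instance("gke-node-1", "10.240.0.5", "203.0.113.10", ["gke-mycluster-node"])
RETHINKDB = Instance("rethinkdb-1", "10.240.0.9", "203.0.113.20", ["rethinkdb"])
WEB = Instance("web-1", "10.240.0.12", "203.0.113.30", ["http-server"])

RULES = [
    # The pre-existing rule named in the accepted answer; 10.0.0.0/8 as the
    # answers state it (the real range on a given network may differ).
    Rule("default-allow-internal", ["10.0.0.0/8"],
         parse_allow("tcp:1-65535,udp:1-65535,icmp")),
    # Option 2 from the second answer: same source range, scoped by a target tag.
    # 28015/29015 are RethinkDB's default driver and intracluster ports.
    Rule("allow-rethinkdb-from-net", ["10.0.0.0/8"],
         parse_allow("tcp:28015,tcp:29015"), target_tags=["rethinkdb"]),
]


def check_scenarios():
    """The two cases from the accepted answer plus a tag-scoping check."""
    return {
        "internal_dns": ingress_allowed(
            RULES, connect(GKE_NODE, RETHINKDB, False, "tcp", 28015), RETHINKDB),
        "external_ip": ingress_allowed(
            RULES, connect(GKE_NODE, RETHINKDB, True, "tcp", 28015), RETHINKDB),
        "tagged_rule_vs_untagged_target": ingress_allowed(
            RULES[1:], connect(GKE_NODE, WEB, False, "tcp", 28015), WEB),
    }


if __name__ == "__main__":
    for name, hits in check_scenarios().items():
        print(f"{name:32} -> {'ALLOW ' + ','.join(hits) if hits else 'DROP'}")
```

Running it shows the internal-DNS connection admitted by both rules, the same connection via the external IP admitted by none (its source is 203.0.113.10, outside 10.0.0.0/8), and the tag-scoped rule ignoring an instance that lacks the `rethinkdb` tag. On a real project the equivalent checks are `gcloud compute firewall-rules describe default-allow-internal` for the actual source range and `gcloud compute instances describe NAME --format='value(tags.items)'` for an instance's tags.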