How to allow egress to maps.googleapis.com

4/10/2018

I have microservices running on GKE clusters. They need to communicate with https://maps.googleapis.com/. All these microservices are running in a cluster which is created in a custom network. Now I want to know: will I need to allow egress for these clusters (nodes), or, since it is also a GCP service, is communication allowed by default? If I need to allow a firewall rule for egress, how can I do that for a domain name instead of an IP? I read that the IP may change for maps.googleapis.com. Can you please help me.

-- Ram
google-cloud-platform
google-kubernetes-engine
kubernetes

1 Answer

4/10/2018

GKE works on the same infrastructure as Google Compute Engine.

Unfortunately, it is not possible to add firewall rules with a destination defined as a DNS name.

Although the Google Maps API is part of Google services, there is no template or anything like that to add it as an exception to the firewall, and the firewall does not know anything about Google services. If you block all egress traffic, access to all APIs will be blocked too.

So, you need to get the IP ranges of the API somehow and add them to the firewall.

I found only one way to get all the ranges (using DNS names), here. But you should have:

the Google Maps APIs Premium Plan or a previous Google Maps APIs for Work or Google Maps for Business license.

If you have it, just go to that link, where you can get a current list of domains related to the Google Maps API.

If not, you can try to allow traffic to all addresses which Google publishes as its CIDR blocks; it might help.

You can get them with the nslookup command:

nslookup -q=TXT _spf.google.com 8.8.8.8

And then look up all the "include" names from the answer, like:

nslookup -q=TXT _netblocks.google.com 8.8.8.8
-- Anton Kostenko
Source: StackOverflow
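The SPF walk the answer describes, carried through to the firewall rule, as an added example that is not part of the original post or answer. It parses `v=spf1` TXT records, follows every `include:` (with loop protection, since SPF chains can point back at themselves), collects the `ip4:`/`ip6:` CIDRs, and emits `gcloud compute firewall-rules create` commands for an egress allow rule. The TXT records embedded below are constructed (RFC 5737 / RFC 3849 documentation ranges), not Google's real netblocks; `nslookup_txt` is the online variant that parses real `nslookup -q=TXT` output. The rule name, network name, target tag, priority 900 and the 256-ranges-per-rule chunk size are assumptions for the example. Two caveats a practitioner should keep in mind: `_spf.google.com` lists the ranges Google sends mail from, and nothing guarantees it equals the ranges that front `maps.googleapis.com`; and a GCP VPC has an implied allow-all-egress rule at the lowest priority, so an explicit egress allow is only needed when you have added a deny-egress rule that would otherwise match.

```python
"""Walk SPF TXT records for CIDR blocks and emit gcloud egress allow rules.

Added example; not code from the original post. DNS data below is CONSTRUCTED.
"""
import ipaddress
import re
import subprocess
from typing import Callable, Dict, List, Tuple

TxtLookup = Callable[[str], List[str]]

# Constructed stand-in for `nslookup -q=TXT <name> 8.8.8.8` answers. Hostnames mirror
# the include chain the answer describes; the CIDRs are documentation ranges, NOT
# Google's real netblocks. _netblocks3 includes _spf back to exercise loop protection,
# and repeats a _netblocks range to show de-duplication.
SAMPLE_TXT: Dict[str, List[str]] = {
    "_spf.google.com": [
        '"v=spf1 include:_netblocks.google.com include:_netblocks2.google.com " '
        '"include:_netblocks3.google.com ~all"'   # one TXT record split into two strings
    ],
    "_netblocks.google.com": ['"v=spf1 ip4:198.51.100.0/24 ip4:203.0.113.0/25 ~all"'],
    "_netblocks2.google.com": ['"v=spf1 ip6:2001:db8:1::/48 ip6:2001:db8:2::/48 ~all"'],
    "_netblocks3.google.com": [
        '"v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 include:_spf.google.com ~all"'
    ],
}


def sample_lookup_txt(name: str) -> List[str]:
    """Offline resolver over the constructed records above."""
    return SAMPLE_TXT.get(name, [])


def nslookup_txt(name: str, server: str = "8.8.8.8") -> List[str]:
    """Online resolver: runs the same nslookup command as the answer and keeps
    the `<name>  text = "..."` answer lines. Not used by the offline demo."""
    out = subprocess.run(["nslookup", "-q=TXT", name, server],
                         capture_output=True, text=True, check=False).stdout
    return [line.split("text = ", 1)[1] for line in out.splitlines() if "text = " in line]


def _unquote(record: str) -> str:
    """Join the quoted strings of a TXT record (DNS concatenates them directly)."""
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', record)
    return "".join(parts) if parts else record


def collect_spf_cidrs(domain: str, lookup_txt: TxtLookup,
                      max_depth: int = 10) -> Tuple[List[str], List[str]]:
    """Recursively follow include:/redirect= and return (ip4_cidrs, ip6_cidrs)."""
    ip4, ip6, seen = set(), set(), set()

    def walk(name: str, depth: int) -> None:
        if name in seen or depth > max_depth:      # cycle or runaway chain
            return
        seen.add(name)
        for record in lookup_txt(name):
            text = _unquote(record)
            if not text.lower().startswith("v=spf1"):
                continue
            for term in text.split()[1:]:
                term = term.lstrip("+-~?")           # drop SPF qualifier
                if term.startswith("include:"):
                    walk(term[len("include:"):], depth + 1)
                elif term.startswith("redirect="):
                    walk(term[len("redirect="):], depth + 1)
                elif term.startswith("ip4:"):
                    ip4.add(str(ipaddress.ip_network(term[4:], strict=False)))
                elif term.startswith("ip6:"):
                    ip6.add(str(ipaddress.ip_network(term[4:], strict=False)))

    walk(domain, 0)
    key = lambda c: ipaddress.ip_network(c)
    return sorted(ip4, key=key), sorted(ip6, key=key)


def gcloud_egress_allow_commands(rule_prefix: str, network: str, target_tag: str,
                                 ip4: List[str], ip6: List[str], ports: str = "tcp:443",
                                 priority: int = 900,
                                 max_ranges_per_rule: int = 256) -> List[str]:
    """Build one `gcloud compute firewall-rules create` per address family and chunk.
    IPv4 and IPv6 ranges are kept in separate rules; chunk size is an assumption."""
    cmds = []
    for family, ranges in (("v4", ip4), ("v6", ip6)):
        for i in range(0, len(ranges), max_ranges_per_rule):
            chunk = ranges[i:i + max_ranges_per_rule]
            name = f"{rule_prefix}-{family}-{i // max_ranges_per_rule}"
            cmds.append(
                f"gcloud compute firewall-rules create {name}"
                f" --network {network} --direction EGRESS --action ALLOW"
                f" --rules {ports} --priority {priority}"
                f" --destination-ranges {','.join(chunk)}"
                f" --target-tags {target_tag}"
            )
    return cmds


if __name__ == "__main__":
    v4, v6 = collect_spf_cidrs("_spf.google.com", sample_lookup_txt)
    for cmd in gcloud_egress_allow_commands("allow-google-egress", "custom-net",
                                            "gke-node", v4, v6):
        print(cmd)
```

Swap `sample_lookup_txt` for `nslookup_txt` to run it against the real records. Apply the target tag to the GKE node pool (the nodes are the VMs the firewall sees), and re-run the walk on a schedule, since the whole point of the question is that these ranges change.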