I set up this configuration for my projects:
https://cloud.google.com/vpc/images/shared-vpc/shared-vpc-example-two-tier.svg
Everything is running under Google Kubernetes Engine.
must connect to a
.
kubectl describe svc gateway-node-api --namespace master
Name: gateway-node-api
Namespace: master
Labels: app=node-api
chart=node-api-0.1.2
heritage=Tiller
release=gateway-node-api
Annotations: cloud.google.com/load-balancer-type=Internal
Selector: app=node-api,release=gateway-node-api
Type: LoadBalancer
IP: 172.16.23.21
LoadBalancer Ingress: 172.16.4.5
Port: http 3000/TCP
TargetPort: http/TCP
NodePort: http 31386/TCP
Endpoints: 172.20.2.30:3000
Session Affinity: None
External Traffic Policy: Cluster
Using 172.16.4.5:3000 in the Tier 1 NodeJS service doesn't connect to the Tier 2 NodeJS API.
What could I have possibly missed?
Found my problem. I didn't read the firewall rules documentation carefully enough:
https://cloud.google.com/vpc/docs/firewalls
After configuring my Shared VPC, I created a rule applying to the whole network for all incoming requests:
shared-network-allow-ssh-icmp shared-network INGRESS 1000 icmp,tcp:22,tcp:80
And realized that I also need to apply a rule that allows all instances of the network to be reachable on all TCP ports when receiving a request from the subnetwork of the Tier 1 service:
service1-allow-tcp shared-network INGRESS 1000 tcp:1-65535
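As an added example (not from the post or from Google's tooling), here is a small audit that reads the JSON shape of `gcloud compute firewall-rules list --format=json` and flags INGRESS rules like `service1-allow-tcp` that open every TCP port to every instance, next to a tighter rule scoped to the Tier 1 subnet, the API's port 3000 and a node target tag. The sourceRanges, the 10.10.1.0/24 subnet and the `tier2-gke-node` tag are assumed values, not taken from the post.

```python
"""Audit VPC firewall rules for over-broad INGRESS allows. Input is the JSON shape
of `gcloud compute firewall-rules list --format=json` (allowed[], sourceRanges, ...)."""
import ipaddress
import json

# Constructed sample, not real project data. The first two rules mirror the post;
# their sourceRanges and the 10.10.1.0/24 "Tier 1 subnet" are assumed values.
SAMPLE_RULES_JSON = """[
 {"name": "shared-network-allow-ssh-icmp", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
  "allowed": [{"IPProtocol": "icmp"}, {"IPProtocol": "tcp", "ports": ["22", "80"]}]},
 {"name": "service1-allow-tcp", "direction": "INGRESS", "sourceRanges": ["10.10.1.0/24"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["1-65535"]}]},
 {"name": "service1-allow-node-api", "direction": "INGRESS",
  "sourceRanges": ["10.10.1.0/24"], "targetTags": ["tier2-gke-node"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["3000"]}]}
]"""

def ports_allowed(entry):
    """Number of ports an `allowed` entry opens (65536 when no port list is given)."""
    proto = entry.get("IPProtocol")
    if proto not in ("tcp", "udp", "all"):
        return 0  # icmp and friends have no ports
    if proto == "all" or "ports" not in entry:
        return 65536
    total = 0
    for spec in entry["ports"]:  # "22" or "1-65535"
        lo, _, hi = spec.partition("-")
        total += int(hi or lo) - int(lo) + 1
    return total

def audit_rule(rule):
    """Findings for one rule; an empty list means nothing to report."""
    findings = []
    if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
        return findings
    if any(ports_allowed(a) > 1024 for a in rule.get("allowed", [])):  # "nearly all"
        findings.append("opens (nearly) all ports")
    for cidr in rule.get("sourceRanges", []):
        if ipaddress.ip_network(cidr, strict=False).prefixlen < 8:
            findings.append(f"source range {cidr} is effectively unrestricted")
    if not rule.get("targetTags") and not rule.get("targetServiceAccounts"):
        findings.append("no target tags/service accounts: applies to every instance")
    return findings

def audit(rules_json):
    """Map rule name -> findings, for rules that have at least one finding."""
    return {r["name"]: f for r in json.loads(rules_json) if (f := audit_rule(r))}
```

Replace `SAMPLE_RULES_JSON` with the real listing to check a project; the third sample rule shows the shape that produces no findings.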