CLOUD NAT + GKE Public Cluster

Hi All,

I am trying to get a static IP for my application hosted in a GKE public cluster, for whitelisting it at a different application. I tried to use a NAT gateway and masquerading outbound traffic. After installing the agent I am not getting any error, but this approach is not working. Can anyone please help me solve this issue? I followed this blog but no use.

Do you know which IP(s) your Pods are exiting the cluster with?
You can create a simple webserver, access it from the Pods inside your cluster which are configured for the egress router with a simple curl command, and check if that is the same IP.

Yes, I followed the same approach and the IP is not the same; I can see the pod IP and I was not able to see any changes. I am running my GKE cluster on Debian 11 OS.
sudo iptables -t nat -L IP-MASQ-AGENT
iptables: No chain/target/match by that name

A bit weird that you are getting the Pod IP and not the node IP on a webserver outside the cluster, but I might not be getting the layout correctly.

Did you change the nonMasqueradeCIDRs to not be 0.0.0.0/0 and add specific CIDRs to which you do not wish to masquerade?

Also, there is a more formal doc from Google - maybe try this one:

I am having doubts about what IP to set for nonMasqueradeCIDRs; currently my config file looks like:

nonMasqueradeCIDRs:
  - 0.0.0.0/0
masqLinkLocal: true
resyncInterval: 60s

My instinct is to put the pod CIDR and service CIDR of your cluster, so that pod-to-pod or pod-to-service communication will not go through the egress NAT.

I tried all of it, but still the same error.

iptables: No chain/target/match by that name.
I am still getting this error.
Below is the config file:

nonMasqueradeCIDRs:
  - 10.44.0.0/14
  - 10.128.0.0/20
  - 10.48.0.0/20
masqLinkLocal: true
resyncInterval: 60s
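To make the advice above concrete, here is an added example (not from the thread and not the ip-masq-agent's own code) that models what the agent's IP-MASQ-AGENT chain does with the two configs posted: each nonMasqueradeCIDR becomes a RETURN rule, link-local gets a RETURN rule only when masqLinkLocal is false, and everything else is MASQUERADEd to the node IP. It shows why 0.0.0.0/0 leaves no traffic masqueraded at all, while the revised list masquerades only traffic leaving the cluster ranges. The sample configs are the ones quoted in this thread; the destination addresses are constructed.

```python
import ipaddress

# Constructed samples: the two configs posted in the thread.
CONFIG_ALL = """\
nonMasqueradeCIDRs:
  - 0.0.0.0/0
masqLinkLocal: true
resyncInterval: 60s
"""

CONFIG_CLUSTER = """\
nonMasqueradeCIDRs:
  - 10.44.0.0/14
  - 10.128.0.0/20
  - 10.48.0.0/20
masqLinkLocal: true
resyncInterval: 60s
"""

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def parse_config(text):
    """Minimal parser for the flat ip-masq-agent config (no PyYAML needed)."""
    cfg = {"nonMasqueradeCIDRs": [], "masqLinkLocal": False}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("- "):
            cfg["nonMasqueradeCIDRs"].append(ipaddress.ip_network(line[2:].strip()))
        elif line.startswith("masqLinkLocal:"):
            cfg["masqLinkLocal"] = line.split(":", 1)[1].strip().lower() == "true"
    return cfg


def would_masquerade(cfg, dst):
    """Mirror the IP-MASQ-AGENT chain: RETURN (no masquerade) for link-local when
    masqLinkLocal is false and for every nonMasqueradeCIDR; MASQUERADE otherwise.
    (The chain's extra exemption for the node's own addresses is not modelled.)"""
    ip = ipaddress.ip_address(dst)
    if not cfg["masqLinkLocal"] and ip in LINK_LOCAL:
        return False
    return not any(ip in net for net in cfg["nonMasqueradeCIDRs"])


def egress_report(text, destinations):
    """Map each destination to True if traffic to it would leave with the node IP."""
    cfg = parse_config(text)
    return {d: would_masquerade(cfg, d) for d in destinations}
```

With CONFIG_ALL every destination, including an external one, reports False, which matches seeing the pod IP at the remote webserver; with CONFIG_CLUSTER only destinations outside the listed cluster ranges report True.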