Network Communication issues on GKE Cluster

Hi everyone, in the project I'm working on, a Palo Alto firewall was implemented to create a VPN between the internal network and GCP. One of the network cards in this firewall is connected to the GCP network, the same network where the cluster is located. Our cluster has a private node pool and a NAT configuration for communication with the internet.
However, I'm having difficulty getting communication from this cluster to pass through the firewall. As a test, we placed a VM in the same VPC as the cluster and were able to communicate between the VM and the internal network, but this scenario is not possible from within the cluster.
I’ve attached a drawing of the architecture I’m using for better understanding and help.

Cluster information:

Kubernetes version: 1.29.8-gke.1031000
Cloud being used: GCP
Host OS: Container-Optimized OS
CNI and version:
CRI and version: containerd://1.7.15


Many times in my experience it is either the port (depending on which port you are using) or, most of the time, the route that is not open. Not sure where/how it's set up on the Palo Alto firewall, but in GCP you can check here

https://console.cloud.google.com/networking/networks/details/default?project=<REPLACE_YOUR_PROJECT_NAME>&pageTab=ROUTES

The routes need to be set up on both sides, in my understanding: the firewall as well as the GCP VPC/VPN.

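As an added example (not from the original thread), this script applies GCP's route-selection rule to a constructed table in the shape of `gcloud compute routes list --format=json` and reports whether traffic for an on-prem address is handed to the firewall instance or falls through to the default internet gateway (and therefore Cloud NAT), which is the failure mode described in the question; the route names, CIDRs and the `paloalto-fw` instance name are assumptions.

```python
import ipaddress
import json

# Constructed sample shaped like `gcloud compute routes list --format=json`.
# Names, CIDRs and the firewall instance are assumptions, not the poster's values.
SAMPLE_ROUTES = json.dumps([
    {"name": "default-route-internet", "destRange": "0.0.0.0/0", "priority": 1000,
     "nextHopGateway": "projects/example-project/global/gateways/default-internet-gateway"},
    {"name": "default-route-subnet", "destRange": "10.128.0.0/20", "priority": 0,
     "nextHopNetwork": "projects/example-project/global/networks/default"},
    {"name": "to-onprem-via-paloalto", "destRange": "192.168.0.0/16", "priority": 100,
     "nextHopInstance": "projects/example-project/zones/us-central1-a/instances/paloalto-fw"},
])
# Same table with the custom route missing: the misconfiguration to look for.
BROKEN_ROUTES = json.dumps([r for r in json.loads(SAMPLE_ROUTES)
                            if r["name"] != "to-onprem-via-paloalto"])
NEXT_HOP_KEYS = ("nextHopInstance", "nextHopIp", "nextHopGateway",
                 "nextHopNetwork", "nextHopVpnTunnel", "nextHopIlb")

def select_route(routes, dst_ip):
    """GCP route selection: the most specific destRange wins; among equal
    prefix lengths the lowest priority value wins. None if nothing matches."""
    dst = ipaddress.ip_address(dst_ip)
    matching = [r for r in routes if dst in ipaddress.ip_network(r["destRange"])]
    if not matching:
        return None
    return max(matching, key=lambda r: (ipaddress.ip_network(r["destRange"]).prefixlen,
                                        -int(r.get("priority", 1000))))

def next_hop(route):
    """Return (kind, short target name) for whichever nextHop* field is set."""
    for key in NEXT_HOP_KEYS:
        if key in route:
            return key, route[key].rsplit("/", 1)[-1]
    return "unknown", ""

def check_onprem_path(routes_json, dst_ip, firewall_instance):
    """Say where VPC routing sends a packet to dst_ip and whether that is the
    firewall; a default-internet-gateway hit means it egresses via Cloud NAT."""
    route = select_route(json.loads(routes_json), dst_ip)
    if route is None:
        return {"route": None, "via_firewall": False, "reason": "no matching route"}
    kind, target = next_hop(route)
    via_fw = kind == "nextHopInstance" and target == firewall_instance
    reason = "ok" if via_fw else f"next hop is {kind}={target}, not the firewall"
    return {"route": route["name"], "via_firewall": via_fw, "reason": reason}

if __name__ == "__main__":
    print(check_onprem_path(SAMPLE_ROUTES, "192.168.10.5", "paloalto-fw"))
    print(check_onprem_path(BROKEN_ROUTES, "192.168.10.5", "paloalto-fw"))
```

The return path matters just as much: GKE pods source traffic from the cluster's secondary pod range rather than the node subnet, so the firewall and the on-prem side need a route back to that range (or ip-masq-agent must masquerade pod traffic to node IPs), which is the "both sides" the reply refers to.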