3 votes

I'm fairly novice in GCP and would like to ask a question:

I have two private clusters in the same region with internal LB (all in one VPC), currently pods from both clusters are able to communicate with each other over HTTP.

As far as I understand from the documentation - internal LB is a regional product, therefore if the private clusters were located in different regions the above scenario wouldn't be possible.

What do I need to do in order to make pods of two private clusters which are located on different regions to be able to communicate with each other?

My guess is that I have to define external LB for both of those clusters and using firewall rules allow communication only cluster to cluster via external IP and block all communication from the outside world.

Yes, internal load balancers are regional. Thus, for now, you can not use it to load balance two different clusters in two different regions. There is already a feature request about it at this link where you can upvote (click me too). - Fady
So currently the only viable option is to use an external load balancer and restrict access from the world using firewall rules. - Medvednic
Assuming traffic is flowing from Region A to Region B, you can use Cloud NAT in Region A in order for the private cluster to communicate externally, and configure a load balancer (not internal) service for the private cluster in Region B with loadBalancerSourceRanges like this example. - Fady
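The Cloud NAT plus restricted external load balancer setup from the comments above, written out as an added example (this is not code from the question, the commenters, or Google; every name in it, such as the project "my-project", the VPC "shared-vpc", the region "europe-west1" and port 8080, is a hypothetical placeholder). Region A gets a static NAT address, and the Service in region B lists only that address in loadBalancerSourceRanges, so nothing else on the internet can reach the external LB:

```shell
#!/bin/sh
# Added example (not code from the question or its comments). Every name below is
# a hypothetical placeholder: project "my-project", VPC "shared-vpc",
# region A "europe-west1" (the calling cluster), service port 8080 in cluster B.
set -eu

GCLOUD="${GCLOUD:-gcloud}"        # set GCLOUD=echo to dry-run and only print the commands
PROJECT="${PROJECT:-my-project}"
NETWORK="${NETWORK:-shared-vpc}"
REGION_A="${REGION_A:-europe-west1}"

# Region A: reserve one static external address and route all egress from the
# private cluster's subnets through a Cloud NAT that uses exactly that address.
create_cloud_nat() {
  "$GCLOUD" compute addresses create nat-a-ip --region="$REGION_A" --project="$PROJECT"
  "$GCLOUD" compute routers create router-a --network="$NETWORK" --region="$REGION_A" --project="$PROJECT"
  "$GCLOUD" compute routers nats create nat-a --router=router-a --region="$REGION_A" \
    --nat-external-ip-pool=nat-a-ip --nat-all-subnet-ip-ranges --project="$PROJECT"
}

# The reserved address is the only source the Service in region B will accept.
nat_ip() {
  "$GCLOUD" compute addresses describe nat-a-ip --region="$REGION_A" \
    --project="$PROJECT" --format='value(address)'
}

# Refuse a source range that would expose the external LB to the whole internet.
check_source_range() {
  case "$1" in
    */0) echo "refusing world-open source range: $1" >&2; return 1 ;;
  esac
}

# Region B: a Service of type LoadBalancer whose loadBalancerSourceRanges lists only
# cluster A's NAT address. GKE turns this list into the firewall rule in front of the LB.
render_service_manifest() {
  range="$1"
  check_source_range "$range" || return 1
  cat <<EOF
apiVersion: v1
kind: Service
metadata:
  name: api-b
spec:
  type: LoadBalancer
  selector:
    app: api
  ports:
  - port: 8080
    targetPort: 8080
  loadBalancerSourceRanges:
  - ${range}
EOF
}

# Usage: sh cross-region.sh apply   (pipe the manifest into kubectl apply on cluster B)
if [ "${1:-}" = "apply" ]; then
  create_cloud_nat
  render_service_manifest "$(nat_ip)/32"
fi
```

Two things worth keeping in mind with this approach: the traffic still crosses the public internet, so the application must use TLS (or another authenticated transport) on port 8080 rather than relying on the source-range filter alone, and the /32 only stays correct as long as Cloud NAT keeps using the reserved address, so the NAT must be configured with a manual address pool rather than auto-allocated addresses, as above.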

2 Answers

1 vote

Since these are different IP ranges (at least in auto mode), it may not help that it is a global VPC. When this is the case, you'd have to add a VPN tunnel in order to route these network segments. Also consider the possibility of adding two tunnels: one for ingress and one for egress traffic.

An alternative to VPN tunnels might be VPC Network Peering, where the main difference is:

Peered VPC networks remain administratively separate. Routes, firewalls, VPNs, and other traffic management tools are administered and applied separately in each of the VPC networks.

1 vote

Google's VPC is global. This means that all of your regions are part of the same network. Everything in your VPC that uses IP addresses in the VPC can talk to each other with appropriate rules in the VPC Firewall.
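The private-routing route described by the two answers (VPC Network Peering from the first, firewall rules inside the VPC from the second), as an added example that is not code from either answerer or from Google. All names are hypothetical placeholders: project "my-project", VPC "vpc-a" holding cluster A with pod range 10.4.0.0/14, and VPC "vpc-b" holding cluster B, whose nodes carry the network tag "gke-cluster-b-node". The firewall function takes the network as a parameter, so the same rule also serves the single-global-VPC case from the second answer, where no peering is needed:

```shell
#!/bin/sh
# Added example (not code from either answer). Hypothetical placeholders: project
# "my-project", VPC "vpc-a" holding cluster A (pod secondary range 10.4.0.0/14) and
# VPC "vpc-b" holding cluster B, whose nodes carry the network tag "gke-cluster-b-node".
set -eu

GCLOUD="${GCLOUD:-gcloud}"   # set GCLOUD=echo to print the commands instead of running them
PROJECT="${PROJECT:-my-project}"

# Peer the two VPCs. A peering is only ACTIVE once both directions exist, and the
# subnet and secondary (pod/service) ranges of the two networks must not overlap.
create_peering() {
  "$GCLOUD" compute networks peerings create a-to-b --network=vpc-a --peer-network=vpc-b --project="$PROJECT"
  "$GCLOUD" compute networks peerings create b-to-a --network=vpc-b --peer-network=vpc-a --project="$PROJECT"
}

# Peering shares routes but not firewall rules, so the receiving VPC needs its own
# ingress rule: only the pod range of cluster A, only the service port, only cluster B's nodes.
# Inside a single global VPC the same rule applies; just pass that VPC as the network.
allow_pods_a_to_b() {
  network="$1"; src="$2"; port="$3"
  "$GCLOUD" compute firewall-rules create allow-pods-a-to-b --network="$network" \
    --direction=INGRESS --allow="tcp:${port}" --source-ranges="$src" \
    --target-tags=gke-cluster-b-node --project="$PROJECT"
}

# Usage: sh peer-clusters.sh apply
if [ "${1:-}" = "apply" ]; then
  create_peering
  allow_pods_a_to_b vpc-b 10.4.0.0/14 8080
fi
```

Two caveats that bite in practice: two auto-mode VPCs carry identical subnet ranges and therefore cannot be peered, which is the overlap the first answer alludes to; and GKE's ip-masq-agent SNATs pod traffic to the node address when the destination lies outside the cluster's non-masquerade CIDRs (by default the RFC 1918 ranges), in which case the rule must allow cluster A's node range rather than its pod range.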