3
votes

Is it possible to set up a static IP address or range of IPs for server requests to external dbs and web services?

We have a web app running on a Google Compute Engine managed instance group. We want to lock down access to our db to specific IP addresses. However, the server IPs on the managed instance group are stateless, and the IPs change with each update to the web app. Is it possible to assign a static IP/range of IPs to our outbound server traffic?

We've investigated NAT Gateways, and VPC Peering a bit, but it doesn't seem to exactly fit our requirements. It's kind of a 'load-balancer for outbound server traffic' or something that would seem to fit what we're looking for...

Any advice greatly appreciated.

3 Answers

1
votes

A use case would be where the IG has to connect back to a private cloud that is firewall managed. Having the IG draw from a pre-set 'range' of IPs would be useful to security teams.

The security team could pre-program a range of IPs that the scalable IG would draw from.

This way the IG would draw from a preset and preconfigured (on the privCloud FW) range of IPs when it scales up.
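An added example, not part of the original answer: a defender-side audit that compares the database firewall allowlist with the pre-set egress range described above, so stale or overly broad entries and uncovered pool addresses show up before the group scales. The function name and the sample ranges (RFC 5737 documentation addresses) are constructed for illustration, and IPv4-only input is assumed.

```python
import ipaddress

# Constructed sample data: the reserved egress pool the instance group draws
# from, and the allowlist currently configured on the database firewall.
EGRESS_POOL = ["203.0.113.0/29"]
DB_ALLOWLIST = ["203.0.113.0/30", "203.0.113.4/32", "198.51.100.17/32"]


def audit_allowlist(allowlist, egress_pool):
    """Compare a firewall allowlist with the reserved egress pool.

    Returns (extra, missing):
      extra   - allowlist entries not fully inside the pool, for example a
                leftover ephemeral IP from an earlier deployment or 0.0.0.0/0
      missing - pool ranges no allowlist entry covers; an instance that
                egresses from one of these would be blocked
    Assumes all entries are IPv4 CIDRs (hypothetical helper, not a GCP API).
    """
    allow = [ipaddress.ip_network(c) for c in allowlist]
    pool = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(c) for c in egress_pool))

    extra = [str(a) for a in allow if not any(a.subnet_of(p) for p in pool)]

    missing = []
    for p in pool:
        remaining = [p]
        for a in allow:
            nxt = []
            for r in remaining:
                if r.subnet_of(a):
                    continue                      # r is fully allowed
                if a.subnet_of(r):
                    nxt.extend(r.address_exclude(a))  # carve out allowed part
                else:
                    nxt.append(r)                 # disjoint, still uncovered
            remaining = nxt
        missing.extend(remaining)
    missing = [str(n) for n in ipaddress.collapse_addresses(missing)]
    return extra, missing


if __name__ == "__main__":
    extra, missing = audit_allowlist(DB_ALLOWLIST, EGRESS_POOL)
    print("allowlisted but outside the egress pool:", extra)
    print("in the egress pool but not allowlisted:", missing)
```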

0
votes

I think you cannot directly make static IPs during the creation of a Managed Instance Group or by specifying them in an Instance Template. The IPs will be set as ephemeral at first.

By going to VPC Network -> External IP Addresses you can reserve IPs or easily promote them to static IPs and assign them to the specific VMs you wish.

This is a good explanation on how reserving IPs for GCE works.

You can also reserve Static Internal Addresses if you so wish.

Hope this helps.

0
votes

Locking down access to specific IPs is not a good idea if you have a GCP managed instance group. As of now, there is no option for giving static external IPs to managed group instances. Even if you do so, it will be meaningless because of the autoscaling behavior. I recommend you look into this link if you are using the CloudSQL managed service from GCP for DBs.

Also, if you are using a non-managed/external DB, use an Nginx proxy.