- I have a compute engine instance with persistent file storage that I need outside of my GKE cluster.
- I would like to open a specific TCP port on the Compute Engine instance so that only nodes within the GKE cluster can access it.
- The Compute Engine instance and GKE cluster are in the same GCP project, network, and subnet.
- The GKE cluster is not private and I have an ingress exposing the only service I want exposed to the internet.
I've tried creating firewall rules of three different types that do not work:
- By shared service account on both Compute Engine instance and K8s nodes.
- By network tags - (yes I am using the network tags as explicitly specified on the VM instance page).
- By IP address, where I use a network tag for target and the private IANA IP ranges 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 for source.
The only thing that works is the last option, but using 0.0.0.0/0 for the source IP range.
I've looked at a few related questions such as:
- Google App Engine communicate with Compute Engine over internal network
- Can I launch Google Container Engine (GKE) in Private GCP network Subnet?
But I'm not looking to make my GKE cluster private and I have tried to create the firewall rules using network tags to no avail.
What am I missing or is this not possible?