3
votes

How do I allow a Cloud Composer Airflow DAG to connect to a REST API via VPN gateway? The cluster is connected to the corresponding VPC.

The kube-proxy is able to reach the API, yet the containers can not.

I have SSH'd into the kube-proxy and containers and tried a traceroute. The containers' traceroute ends with the kube-proxy. The kube-proxy has 4 hops before reaching destination.

I have dumped the iptables from the kube-proxy; they do not specify anything with regard to NATing the VPC's subnet with the containers.

The VPC subnet also does not show up in the containers, which is by design.

Some reading material: https://www.stackrox.com/post/2020/01/kubernetes-networking-demystified/

EDIT1: More info: Let's assume the VPN connects the VPC to the remote 10.200.0.0 network.
The VPC has multiple subnets. The primary range is e.g. 10.10.0.0/20. For each Kubernetes cluster we have two more subnets, one for each pod (10.16.0.0/14) and another for services (10.20.0.0/20). The gateway is 10.10.0.1.
Each pod again has its own range, where pod_1 is 10.16.0.0/14, pod_2 is 10.16.1.0/14, pod_3 10.16.3.0/14 and so on.
One of the kube-proxies has multiple network adapters. It resides in the 10.10.0.0 network with eth0 and has a cbr0 bridge to 10.16.0.0. Through said kube-proxy via the bridge the workers for Airflow are connecting to the network. One worker e.g. 10.16.0.1 has only one network adapter.

The kube-proxy can reach the 10.200.0.0 network. The Airflow workers can not.

How do we get the worker to access the 10.200.0.0 network? Do we need to change the iptables of the kube-proxy?

1
Does the VPN deploy in the current VPC? Or do you perform a peering to reach it? – guillaume blaquiere
@guillaumeblaquiere it is deployed in the current VPC w/ Google Cloud Classic VPN. – niolm
Do you see the request arrive on the other side of the VPN? Most of the time, when I set up a VPN, I forget the way back... – guillaume blaquiere
Hi @guillaumeblaquiere, I edited my initial post to explain the network a bit more. Our VPN does work as intended and from any other VM we can access and work with the API. Now we want to deploy our code in a DAG so it runs automatically. – niolm
Hmm, if your connection works, if you don't have special firewall rules, if the subnets are in the same VPC, it should work... Do you have NAT configured? – guillaume blaquiere

1 Answer

1
votes

One of the possible solutions would be to forward the packets from the kube virtual interface to the node's real one, e.g. by adding the following rules to iptables:

# pod bridge (cbr0) -> node NIC (eth0): allow traffic destined for the remote network
iptables -A FORWARD -i cbr0 -o eth0 -d 10.200.0.0/25 -j ACCEPT
# node NIC -> pod bridge: allow only replies to connections the pods opened
iptables -A FORWARD -i eth0 -o cbr0 -s 10.200.0.0/25 -m state --state ESTABLISHED,RELATED -j ACCEPT
# source-NAT everything forwarded out of eth0 to the node's own address
# (note: this masquerades all forwarded traffic leaving eth0, not only the VPN flow)
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
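The following script is an added example and not part of the answer above. It wraps the same three rules so they can be printed as a dry run, applied without creating duplicates on re-runs (each rule is checked with `-C` before `-A`), and inspected with packet counters afterwards. The interface names `cbr0` and `eth0` and the pod range 10.16.0.0/14 are taken from the question; the remote range 10.200.0.0/25 is the one the answer uses. Unlike the answer, the MASQUERADE rule is scoped to the pod-to-remote flow rather than to all traffic leaving `eth0`; that scoping is this example's choice, not the answer's.

```sh
#!/bin/sh
# Added example, not the answer's own script: apply the answer's forwarding
# and NAT rules idempotently, with a dry run that prints the commands first.
# Assumed from the question: pod bridge cbr0, node NIC eth0, pod range
# 10.16.0.0/14; the remote range 10.200.0.0/25 is the one the answer uses.
# Override any of them via the environment, e.g. NIC=ens4 ./pod-vpn-nat.sh apply
BRIDGE="${BRIDGE:-cbr0}"
NIC="${NIC:-eth0}"
POD_CIDR="${POD_CIDR:-10.16.0.0/14}"
REMOTE_CIDR="${REMOTE_CIDR:-10.200.0.0/25}"

# One rule per line as "<table> <chain> <match and target>", without -A/-C,
# so the same specs can be checked, applied and printed.
rule_specs() {
    # pods -> remote network, leaving through the node NIC
    echo "filter FORWARD -i $BRIDGE -o $NIC -s $POD_CIDR -d $REMOTE_CIDR -j ACCEPT"
    # replies for connections the pods opened (conntrack keeps the state)
    echo "filter FORWARD -i $NIC -o $BRIDGE -s $REMOTE_CIDR -d $POD_CIDR -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # hide pod addresses behind the node's VPC address; scoped to this flow
    # rather than the answer's blanket '-o eth0 -j MASQUERADE' (example's choice)
    echo "nat POSTROUTING -o $NIC -s $POD_CIDR -d $REMOTE_CIDR -j MASQUERADE"
}

rule_count() { rule_specs | wc -l | tr -d ' '; }

# Turn each spec into "check, else append" so re-running never duplicates a rule.
render_commands() {
    rule_specs | while read -r table chain spec; do
        echo "iptables -t $table -C $chain $spec 2>/dev/null || iptables -t $table -A $chain $spec"
    done
}

apply_rules() {
    # the node must be allowed to route between cbr0 and eth0 at all
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    render_commands | sh -e
}

# Show the rules with packet counters; run a request from a pod and watch
# the pkts column move to confirm the traffic actually takes this path.
show_rules() {
    iptables -t filter -L FORWARD -v -n --line-numbers | grep -F "$REMOTE_CIDR" || true
    iptables -t nat -L POSTROUTING -v -n --line-numbers | grep -F "$REMOTE_CIDR" || true
}

case "${1:-}" in
    apply) apply_rules ;;
    show)  show_rules ;;
    *)     render_commands ;;   # dry run: print what 'apply' would execute
esac
```

Run it with no argument to see the exact commands, `apply` (as root on the node) to install them, and `show` to confirm packets are hitting the rules. Two caveats: rules added this way live only in the running kernel, so they disappear when the node reboots or is replaced, and Cloud Composer nodes are managed GKE nodes that can be recreated without notice, so anything applied by hand on a node should be treated as a diagnostic step rather than the permanent fix.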