如何通过 Google Cloud Classic VPN 从外部网络连接到 Kubernetes 工作负载集群 IP?
[英]How can i connect to a Kubernetes Workload Cluster IP from an external network via a Google Cloud Classic VPN?
问题描述
We have a Kubernetes cluster running on GKE, using its own VPC created for this with a subnet of 10.184.0.0/20 .
我们有一个在 GKE 上运行的 Kubernetes 集群,使用自己为此创建的 VPC,子网为10.184.0.0/20 。 This cluster has a workload that has been assigned an external load balancer towards public access, along with an internal cluster IP towards internal communication.该集群有一个工作负载,该工作负载已分配给公共访问的外部负载均衡器,以及用于内部通信的内部集群 IP。 The subnet of the services is 10.0.0.0/20 .服务的子网是10.0.0.0/20 。
There is a google cloud Classic VPN setup on the same VPC to be able to access the private network.在同一个 VPC 上有一个谷歌云经典 VPN 设置能够访问专用网络。
We have another system hosted on-premise that is connecting via the above VPN using a tunnel.我们有另一个本地托管的系统,它使用隧道通过上述 VPN 进行连接。 The on-premise network can ping the Nodes in the VPC via their private IPs on the subnet 10.184.0.0/20 , but is enable to ping / telnet to the cluster IP which is on the subnet 10.0.0.0/20 .本地网络可以通过子网10.184.0.0/20上的私有 IP ping VPC 中的节点,但可以 ping / telnet 到子网10.0.0.0/20上的集群 IP。
Is this possible to achieve?这有可能实现吗?
1 个解决方案
解决方案1
1 2020-09-28 21:17:15
This is indeed possible, since your tunnel is already up and you can ping your nodes my guess is that you are unable to reach the pod and services ranges from your on-prem application, meaning that you are only advertising the main 10.184.0.0/20 CIDR but not the secondaries, am I right?这确实是可能的,因为您的隧道已经启动并且您可以 ping 您的节点,我的猜测是您无法从您的本地应用程序访问 pod 和服务范围,这意味着您只宣传主 10.184.0.0/ 20 CIDR 但不是辅助设备,对吗?
You can easily check that by running a connectivity test , it will simulate traffic between source-destination (in this case source is an IP from your on-prem network and the destination should be your Service IP) taking into consideration several products (firewall rules, VPC peering, routes, VPN tunnels, etc) and will let you know if there is something wrong/missing in your environment.您可以通过运行连接测试轻松检查,它会模拟源-目标之间的流量(在这种情况下,源是来自您的本地网络的 IP,目标应该是您的服务 IP),同时考虑多种产品(防火墙规则) 、VPC 对等互连、路由、VPN 隧道等),并让您知道您的环境是否有问题/缺失。
If you are missing those ranges in your VPN configuration, you will need to re-create it and be sure to add the secondary ranges in the traffic selectors (or use a wide 0.0.0.0/0 CIDR).如果您在 VPN 配置中缺少这些范围,则需要重新创建它并确保在流量选择器中添加次要范围(或使用宽 0.0.0.0/0 CIDR)。
Finally, remember that you need to expose your applications using services (Cluster IP, NodePort, Load Balancer) and test again from your on-premises network.最后,请记住,您需要使用服务(集群 IP、NodePort、负载均衡器)公开您的应用程序,并从您的本地网络再次测试。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.