
GCP: How to access an L2 VM (qemu) running in a pod in GCP by IP from the internet?

I have a cluster of 2 nodes created in GCP. The worker node (L1 VM) has nested virtualization enabled. I have created a pod in this L1 VM, and I have launched an L2 VM using qemu in this pod. My objective is to access this L2 VM only by an IP address from the external world (internet). There are many services running in my VM (L2 VM) and I need to access it only by IP.

I created a tunnel from the node to the L2 VM (which is within the pod) to get a DHCP address for my VM, but it seems the DHCP offer and ACK messages are blocked by Google Cloud.

I have got a public IP in the cluster through which I can reach the private IP of the node. Most probably there is a NAT configured in the cloud for the node's private IP. Can I configure the node as a NAT gateway so that I can push this packet further from the internet to the L2 VM?

Any other suggestions are welcome!

I think you are trying to implement something like a bastion host. However, this is something that you shouldn't do with Kubernetes. Although you 'can' implement it with Kubernetes, it is simply not made for it.

I see two viable options for you:

A. Create another virtual machine (GCE instance) inside the same VPC as the cluster and set it up as a bastion host or as an endpoint for a VPN.

B. You can use the identity aware proxy (IAP) to tunnel the traffic to your machine inside the VPC as described here

The IAP is probably the best solution for your use case.

Also consider using simple GCE instances as opposed to a Kubernetes cluster. A Kubernetes cluster is very useful if you have a lot of workload that is too much for one node, or if you need to scale out and in, etc. Your use case looks to me more like you still think in the traditional server world and less about cattle vs pets.
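Option B in concrete form, as an added example that is not part of the original answer: the two `gcloud` invocations that make IAP TCP forwarding work for a VM inside the cluster's VPC, wrapped in shell functions. The project, zone, network, instance name and ports are placeholders chosen here, not values from the question. The point for a defender is the firewall rule: it admits only IAP's own source range `35.235.240.0/20` on the one port, so the VM never gets a public IP or a rule open to `0.0.0.0/0`. Set `IAP_DRY_RUN=1` to print the commands instead of running them.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): reach a VM in the VPC through
# IAP TCP forwarding instead of a public IP. All names below are placeholders.

IAP_PROJECT="my-project"      # placeholder
IAP_ZONE="us-central1-a"      # placeholder
IAP_NETWORK="default"         # placeholder
IAP_INSTANCE="bastion-vm"     # placeholder
IAP_PORT="22"                 # port on the VM to expose (SSH here)
IAP_LOCAL_PORT="2222"         # local port the tunnel listens on

# IAP TCP forwarding always originates from this Google-owned range, so the
# firewall rule admits only it; the VM port is never open to the internet.
IAP_RANGE="35.235.240.0/20"

# Run a command, or print it when IAP_DRY_RUN is set (no credentials needed).
run() {
  if [ -n "${IAP_DRY_RUN:-}" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Refuse anything broader than the IAP range before it is applied.
check_source_range() {
  case "$1" in
    "$IAP_RANGE") return 0 ;;
    *) echo "refusing to open tcp:$IAP_PORT to $1; IAP needs only $IAP_RANGE" >&2
       return 1 ;;
  esac
}

# Ingress rule: tcp:IAP_PORT from the IAP range only.
iap_firewall_rule() {
  check_source_range "$IAP_RANGE" || return 1
  run gcloud compute firewall-rules create "allow-iap-tcp-$IAP_PORT" \
    --project="$IAP_PROJECT" --network="$IAP_NETWORK" \
    --direction=INGRESS --action=ALLOW \
    --rules="tcp:$IAP_PORT" --source-ranges="$IAP_RANGE"
}

# Tunnel: clients connect to localhost:IAP_LOCAL_PORT; IAP carries the
# traffic to the VM's private IP after authenticating the caller.
iap_tunnel() {
  run gcloud compute start-iap-tunnel "$IAP_INSTANCE" "$IAP_PORT" \
    --project="$IAP_PROJECT" --zone="$IAP_ZONE" \
    --local-host-port="localhost:$IAP_LOCAL_PORT"
}
```

With the tunnel up, `ssh -p 2222 user@localhost` (or any TCP client pointed at the local port) reaches the VM; access is governed by the caller's IAM permission to use IAP TCP forwarding rather than by network exposure.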
