
We are creating a Console to administer, view logs and metrics, and create resources on Kubernetes in a multicloud environment.
The Console (a web app) is deployed on GKE in GCP, but we can't figure out how to connect to and reach the K8s API servers in multiple VPCs with overlapping IPs without exposing them on public IPs.
I drew a little diagram to illustrate the problem.


Are there products or best practices to perform this securely?
Product vendors such as Mongo Atlas or Confluent Cloud seem to have solved this issue: they can create infrastructure in multiple clouds and administer it.

Thomas8
  • There is no such thing as an overlapping VPC. You can have two different VPCs that have the same subnet CIDR blocks but you cannot connect them together. Your diagram shows two systems with the same IP address. How do you expect routing to work? You reference Mongo and Confluent. Neither link demonstrates a solution to overlapping networks. – John Hanley Oct 20 '20 at 09:04
  • Well, when you create a MongoDB on Atlas they assign the same CIDR to all new projects, but the Mongo Atlas console can talk to all the different clusters for database connections. I infer that somewhere in Atlas's cloud architecture their backend can talk to all the different MongoDB clusters created for all users. A user can have multiple projects in the same region with overlapping IPs. – Thomas8 Oct 20 '20 at 09:13
  • I think you are confusing talking to a management node that then manages subnodes. You are then addressing the management node, which must have a unique IP address (within all VPCs) which then manages subnetwork nodes. – John Hanley Oct 20 '20 at 09:23
  • As I understand it, you want to **run an app (Console)** to administer K8S clusters in GCP & AWS, including some in VPCs that have overlapping IP address ranges. Or do you want to **connect** those VPCs? If so then it's just not possible due to routing issues. – Wojtek_B Oct 20 '20 at 15:39
  • @Wojtek_B I specifically want to connect to K8S api-server to deploy pod and whatever – Thomas8 Oct 20 '20 at 19:51

3 Answers

It's not possible to connect two overlapping networks with VPN even if they're in different clouds (GCP & AWS).

I'd suggest using NAT translation on both sides and connecting the networks using VPN. Here's some documentation that may help you. Unfortunately it's quite a bit of reading and setting up. Not the easiest solution, but it has the benefit of being reliable, and it's a quite old and tested approach.

General docs

GCP side

AWS side

Your second option is to split the original networks into smaller chunks so they would not overlap, but that's not always possible (due to the network being small enough already and many IPs being used up...).

Wojtek_B

It depends on a couple of factors in the environments. To access an overlapping network you need some form of gateway. It can be some kind of proxy (SOCKS/HTTP/other) or a router/gateway (with NAT...). If you can access the 192.168.23.0/24 or any other subnet that can connect to the AWS 192.168.2.0/24 subnet from GCP, then you can use either one of the solutions. I assume that AWS and GCP can provide the tunnel between the gateway/proxy networks. If you don't need a security layer for the tunnel you can use a VXLAN tunnel and secure the TCP/other application protocol.

elico
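The NAT-translation approach described in the two answers above (a gateway in each VPC translating the overlapping range 1:1 into a prefix that is unique from the console's point of view), worked through as an added example that is not code from either answer: it allocates a translated prefix per cluster from an assumed 100.64.0.0/16 pool, derives the address the console must dial for each API server, and emits the NETMAP rules for the gateway. Cluster names, addresses and the pool are constructed values.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Cluster:
    name: str
    vpc_cidr: str       # the real, possibly overlapping, VPC range
    api_server_ip: str  # real address of the K8S API server in that VPC

# Translated space reserved on the console side. Assumed value (RFC 6598
# shared address space), chosen so it cannot collide with customer VPCs.
TRANSLATED_POOL = ipaddress.ip_network("100.64.0.0/16")

# Constructed sample data: two clusters whose VPCs both use 192.168.2.0/24.
CLUSTERS = [
    Cluster("aws-prod", "192.168.2.0/24", "192.168.2.10"),
    Cluster("gcp-prod", "192.168.2.0/24", "192.168.2.10"),
]

def plan_netmap(clusters, pool=TRANSLATED_POOL):
    """Give each cluster a unique translated prefix of the same size as its
    VPC CIDR and derive the address the console dials for its API server.
    Returns {name: (translated_net, translated_api_ip)}."""
    plan, allocated = {}, []
    for c in clusters:
        real = ipaddress.ip_network(c.vpc_cidr)
        api = ipaddress.ip_address(c.api_server_ip)
        if api not in real:
            raise ValueError(f"{c.name}: {api} is not inside {real}")
        # first pool subnet of the right size that no earlier cluster took
        free = (s for s in pool.subnets(new_prefix=real.prefixlen)
                if not any(s.overlaps(a) for a in allocated))
        translated = next(free, None)
        if translated is None:
            raise ValueError(f"{c.name}: translated pool {pool} exhausted")
        allocated.append(translated)
        # 1:1 NAT keeps the host part; only the prefix changes
        host_offset = int(api) - int(real.network_address)
        plan[c.name] = (translated, translated.network_address + host_offset)
    return plan

def netmap_rules(cluster, translated_net):
    """iptables rules for a NAT gateway inside the cluster's VPC: traffic sent
    to the translated prefix is rewritten to the real one (conntrack reverses
    it on replies); connections from the real network leave translated."""
    real = cluster.vpc_cidr
    return [
        f"iptables -t nat -A PREROUTING -d {translated_net} -j NETMAP --to {real}",
        f"iptables -t nat -A POSTROUTING -s {real} -j NETMAP --to {translated_net}",
    ]
```

The console's own VPC must not overlap the pool or any translated prefix, and the VPN between the console VPC and each gateway must route the translated prefix, not the real one.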

Using Google Cloud VPN with AWS Virtual Private Gateway you can accomplish such a thing. A detailed description by Google is given in this documentation.

It describes two VPN topologies:

  • A site-to-site Route-based IPsec VPN tunnel configuration.
  • A site-to-site IPsec VPN tunnel configuration using Google Cloud Router and dynamic routing with the BGP protocol.

Additionally, when CIDR ranges overlap, you would need to create new VPCs/CIDR ranges that are non-overlapping. Otherwise, you could never connect to instances that have IP addresses in both AWS and GCP.

Cloudkollektiv
  • Edit your answer with details. Refer to documentation as a reference. – John Hanley Oct 20 '20 at 09:05
  • @Nebulastic >You would need to create a new VPC/CIDR ranges that are non-overlapping. Does it mean that I can't have overlapping IPs in my whole architecture? This is hardly limiting the number of my customers. – Thomas8 Oct 20 '20 at 09:19
  • No, you cannot. Google Cloud VPCs do not support overlapping IP ranges. If you have two systems with the same address, which one establishes the IP connection? You are misunderstanding the basics of how IP addressing and routing work. – John Hanley Oct 20 '20 at 09:30
  • Yes that is what I meant, my formulation was wrong! – Cloudkollektiv Oct 20 '20 at 09:32