
I have a microservice architecture and one of my services needs to access a specific IP (3.*.*.*:63815) to connect over WebSocket. So on the provider side, I have whitelisted my ingress External IP.

But when I tried to connect, the connection is not established.

Do I need to update any firewall rules or add custom IP/Port access inside via Ingress?

Any help on this will be appreciated!

Edit:

  1. I'm using GCP Cloud for this
  2. I need to connect to an external FIX API client from the POD
  • Are you sure your external IP is detected as `ingress External IP`? How exactly packets flow from inside the pod to the external network? – zerkms Apr 09 '21 at 06:08
  • @zerkms I'm not sure about it. Please suggest which IP is used for whitelisting – Muthu Kumar Apr 09 '21 at 06:18
  • Use the IP that your pods are seen from the external network. – zerkms Apr 09 '21 at 06:37
  • Most probably you will need to whitelist the IP address of the nodes that your pods are running on – dishant makwana Apr 09 '21 at 07:00
  • Hello, I have difficulties understanding your question. Please edit your question to include: 1. In which way the communication should happen (if it's incoming or outgoing traffic from a `Pod`), 2. Please specify which cloud provider you are using. 3. If it's feasible please attach the [minimal, reproducible example](https://stackoverflow.com/help/minimal-reproducible-example). – Dawid Kruk Apr 09 '21 at 13:59
  • @DawidKruk I have updated the question. Let me know if you want more information – Muthu Kumar Apr 10 '21 at 05:31
  • @MuthuKumar I've provided an answer for your question. Please take a look and let me know if you have questions/concerns. – Dawid Kruk Apr 12 '21 at 16:13

1 Answer

I need to agree and give more visibility to the comment made by user @dishant makwana:

Most probably you will need to whitelist the IP address of the nodes that your pods are running on

Assuming that you want to send a request from your GKE Pod to a service located outside of your project/organization/GCP, you should allow the traffic on your "on-premise" location from your GCP resources.

The source IP of the traffic that you are creating could be either:

  • GKE Nodes External IP addresses - if the cluster is not created private.
  • Cloud NAT IP address - if you've configured Cloud NAT for your private cluster.

A side note!

If you haven't created a Cloud NAT for your private cluster, you won't be able to reach external sources.


Answering the following question:

Do I need to update any firewall rules or add custom IP/Port access inside via Ingress?

If we are speaking about the GKE/GCP environment, then no. You don't need to modify any firewall rules from the GCP side (assuming that you haven't reconfigured your firewall rules in any way).

An Ingress resource (not rule) in Kubernetes/GKE is used to expose your own application to external access (it's for inbound traffic, not outbound).

Citing the official documentation:

Implied rules

Every VPC network has two implied firewall rules. These rules exist, but are not shown in the Cloud Console:

Implied allow egress rule. An egress rule whose action is allow, destination is 0.0.0.0/0, and priority is the lowest possible (65535) lets any instance send traffic to any destination, except for traffic blocked by Google Cloud. A higher priority firewall rule may restrict outbound access. Internet access is allowed if no other firewall rules deny outbound traffic and if the instance has an external IP address or uses a Cloud NAT instance. For more information, see Internet access requirements.

Implied deny ingress rule. An ingress rule whose action is deny, source is 0.0.0.0/0, and priority is the lowest possible (65535) protects all instances by blocking incoming connections to them. A higher priority rule might allow incoming access. The default network includes some additional rules that override this one, allowing certain types of incoming connections.

-- Cloud.google.com: VPC: Docs: Firewall: Default firewall rules


Additional resources:
