
I am working on a solution where we are using a GCP Cloud Build trigger to access an external 3rd party service in order to download files before uploading them to the cloud. However, the service provider is requesting a limited CIDR range to allow through their firewall for security purposes.

In the documentation for Cloud Build, it specifically states that you can set a static IP range for a private pool that you configure.

https://cloud.google.com/build/docs/private-pools/use-in-private-network#defining_a_static_ip_range

However, the documentation that it links to never actually makes mention of defining a static IP range for external use.

I have the trigger set up to use the Private Pool that I created in the VPC in my project, but while I can limit it to one of the 60 or so IP ranges that Google Cloud uses, this is still too many to really give to the provider.

I attempted to set up a Cloud NAT, but it doesn't appear to work with Cloud Build (which admittedly matches what the documentation says).

Is there a good way to set up a static external IP address or range of IP addresses to use with the Cloud Build Private Pool?

Ian Connor
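The question notes that the only available allowlist granularity is one of the roughly 60 regional ranges Google publishes, which is too broad for a third party's firewall. An added example, not part of the question or answer, that quantifies this: it parses data in the shape of Google's published `cloud.json` (a `prefixes` list with `ipv4Prefix`/`ipv6Prefix`, `service` and `scope` fields), selects the prefixes for one region, counts how many addresses an allowlist of that region would admit, and checks whether a given address falls inside it. The prefixes below are constructed placeholders, not Google's real ranges; the `scope` value and the function names are assumptions for the example.

```python
import ipaddress
import json

# Constructed sample in the shape of Google's published cloud.json
# (https://www.gstatic.com/ipranges/cloud.json). The prefixes are
# made-up placeholders for the example, not Google's real ranges.
SAMPLE_CLOUD_JSON = json.dumps({
    "syncToken": "0",
    "creationTime": "constructed-sample",
    "prefixes": [
        {"ipv4Prefix": "10.10.0.0/20",    "service": "Google Cloud", "scope": "us-central1"},
        {"ipv4Prefix": "10.10.16.0/22",   "service": "Google Cloud", "scope": "us-central1"},
        {"ipv4Prefix": "10.20.0.0/16",    "service": "Google Cloud", "scope": "europe-west1"},
        {"ipv6Prefix": "2001:db8:1::/48", "service": "Google Cloud", "scope": "us-central1"},
    ],
})


def regional_prefixes(cloud_json_text, scope, ipv4_only=True):
    """Return the ip_network objects published for one region (scope).

    With ipv4_only=True the IPv6 entries are skipped, which matches the
    common case of a provider firewall that only allowlists IPv4.
    """
    data = json.loads(cloud_json_text)
    nets = []
    for entry in data.get("prefixes", []):
        if entry.get("scope") != scope:
            continue
        cidr = entry.get("ipv4Prefix")
        if cidr is None and not ipv4_only:
            cidr = entry.get("ipv6Prefix")
        if cidr:
            nets.append(ipaddress.ip_network(cidr, strict=True))
    return nets


def address_count(nets):
    """Total number of addresses an allowlist of these networks admits.

    This is the figure a provider would be accepting if asked to allow a
    whole regional range instead of a single static egress address.
    """
    return sum(net.num_addresses for net in nets)


def allowlist_contains(ip_text, nets):
    """True if ip_text falls inside any of the allowlisted networks."""
    addr = ipaddress.ip_address(ip_text)
    return any(addr in net for net in nets if net.version == addr.version)


if __name__ == "__main__":
    region = "us-central1"
    nets = regional_prefixes(SAMPLE_CLOUD_JSON, region)
    print(f"{region}: {len(nets)} IPv4 prefixes, {address_count(nets)} addresses")
    for net in nets:
        print("  ", net)
    print("10.10.3.7 allowed:", allowlist_contains("10.10.3.7", nets))
    print("10.20.1.1 allowed:", allowlist_contains("10.20.1.1", nets))
```

Replacing `SAMPLE_CLOUD_JSON` with the real file gives the actual size of the regional allowlist the question describes; the point of the count is that even the smallest regional scope is orders of magnitude wider than the single address or small CIDR a provider is asking for.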


This is not possible.

The problem with the documentation is that it mentions it is possible to set a static IP range (notice it says range), but it is about private IPs, not public ones.

The purpose of private pools for Cloud Build is that your build can access private resources in your VPC, and this can sometimes be confused with the workers being part of the project.

If we look at the network diagram for private pools, you will notice that the workers are actually in the Service Producer Project and connect to our project through a VPC peering.

(Network diagram: Private Pools Net Arch)

This means that to set a static IP, you would need access to the Service Producer Project and configure the NAT there, which obviously is not possible.

Likewise, setting up the NAT in your project won't work, since again you would need to do other network configuration in that Service Project, which is not feasible.

There is already a Feature Request for this, so you may want to follow it there for any progress.

Puteri
  • This is the worst design decision on GCP's part that I've seen. The "solution" options are no help either: they recommend setting up a bunch of VPN connections, complete with BGP, ASNs, and more cost for those resources and data transfer. I am completely shocked to get to this point and now be unable to run a gke-deploy over private networking easily. The best solution, meaning low overhead and equal security, is to use a secure proxy instance, tunnel over IAP, and have the gke-deploy cloud builder kubectl commands use that proxy. This solution is currently not documented by GCP either. – rojomisin May 23 '23 at 21:58