
I want to have a URL for my web app that is running in GKE and that is only accessible from a specific VPN. The web application should be accessible via HTTPS, i.e. valid certificates are configured accordingly.

So for example I am in my corporate VPN and I have a connection between the VPN and the VPC. I want to deploy this simple web app and want it to be accessible only through my VPN.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ilb-deployment
spec:
  replicas: 3
  selector:
    matchLabels:
      app: ilb-deployment
  template:
    metadata:
      labels:
        app: ilb-deployment
    spec:
      containers:
      - name: hello-app
        image: us-docker.pkg.dev/google-samples/containers/gke/hello-app:1.0
```

and I deploy a Service of type internal load balancer:

```yaml
apiVersion: v1
kind: Service
metadata:
  name: ilb-svc
  annotations:
    networking.gke.io/load-balancer-type: "Internal"
spec:
  type: LoadBalancer
  externalTrafficPolicy: Cluster
  selector:
    app: ilb-deployment
  ports:
  - name: tcp-port
    protocol: TCP
    port: 8080
    targetPort: 8080
```

I get an internal IP address, but I can't open it from my VPN. What is the next step?

Asis
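The question asks for HTTPS with valid certificates, which the TCP Service above does not provide on its own: an internal passthrough load balancer forwards raw TCP, so TLS would have to be terminated inside the pod. The usual GKE answer is an internal Ingress, which creates a regional internal HTTP(S) load balancer that terminates TLS and is only reachable from inside the VPC (and from networks routed to it, such as a corporate VPN). The manifests below are an added example, not part of the question or of Google's sample; they assume a proxy-only subnet already exists in the cluster's region (internal Ingress requires one), that the corporate certificate and key have been loaded into a `kubernetes.io/tls` Secret named `corp-tls`, and that `app.corp.example` is a placeholder for the hostname the certificate was issued for. The Deployment from the question is reused unchanged.

```yaml
# Added example: expose hello-app over HTTPS on an internal HTTP(S) load balancer.
# Internal Ingress requires container-native load balancing, so the Service gets
# the NEG annotation and no longer needs to be of type LoadBalancer.
apiVersion: v1
kind: Service
metadata:
  name: ilb-svc
  annotations:
    cloud.google.com/neg: '{"ingress": true}'
spec:
  type: ClusterIP
  selector:
    app: ilb-deployment
  ports:
  - name: http
    protocol: TCP
    port: 8080
    targetPort: 8080
---
# The Ingress class "gce-internal" selects the regional internal HTTP(S) load
# balancer; it gets an RFC 1918 address from the VPC, never a public one.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ilb-ingress
  annotations:
    kubernetes.io/ingress.class: "gce-internal"
spec:
  tls:
  # corp-tls is assumed to exist: kubectl create secret tls corp-tls --cert=... --key=...
  - secretName: corp-tls
  rules:
  - host: app.corp.example   # placeholder hostname matching the certificate
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: ilb-svc
            port:
              number: 8080
```

After applying, `kubectl get ingress ilb-ingress` shows the internal address once the load balancer is provisioned; a DNS record for the hostname pointing at that address (in corporate DNS or a private Cloud DNS zone) is what makes the certificate validate for VPN users. Because the load balancer is regional, on-premises clients need a route to that region's VPC subnets over the VPN, which is the point discussed in the comments.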
  • Where is the VPN? Is it from your corporate network to GCP? – boredabdel Aug 09 '23 at 12:19
  • yes exactly. So I don't want to put it on public internet but only through corporate network. I heard there is a way to do it with internal load balancer – Asis Aug 10 '23 at 08:05
  • I mean yes if you expose the app via Internal LoadBalancer. Then it should just work across the VPN https://cloud.google.com/load-balancing/docs/l7-internal/setting-up-l7-internal#configure-a-network – boredabdel Aug 11 '23 at 08:54
  • In one of the other topics "https://stackoverflow.com/questions/72884365/gke-web-application-network-access-control" the guy has a similar question and you said that internal load balancer works only if you have a connection between your company network and Google Cloud like Cloud VPN. Is it still the case? – Asis Aug 11 '23 at 09:23
  • Internal Load Balancers are only accessible from the VPC. If you have a VPN from your company's corporate network to the VPC, then that LoadBalancer will just look like an Internal IP (similar to a VM) and it should just work. Yes – boredabdel Aug 15 '23 at 09:03
  • @boredabdel - your comment is not correct. Systems on the other side of the VPN will have a route to the load balancer but will not have addresses within the VPC. – John Hanley Aug 15 '23 at 16:08
  • Well technically a VPN between two networks will make them virtually one large network. So systems on both ends will just see internal IPs and routes and will not care about the VPN. Systems on the other side of the VPN (the corporate side) will see the Internal LoadBalancer IP as an IP within the VPC and they can just reach out to it. I'm not sure how you concluded what you wrote :) – boredabdel Aug 15 '23 at 16:24
  • @boredabdel Hey, I just looked into the internal load balancer documentation, but it didn't help me. https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing?hl=de#gcloud_1 I edited the post a little bit for understanding where I am – Asis Aug 17 '23 at 15:01
  • @boredabdel - VPNs provide a **route** to connect two or more subnets. There is a substantial difference between being able to reach (forward traffic to) another subnet versus being part of that subnet. – John Hanley Aug 17 '23 at 15:06
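The comment thread turns on the difference between having a route to the VPC and being inside it. For the asker's TCP Service that difference shows up in three places: the VPN must advertise the load balancer's subnet to the corporate side (Cloud Router does this for Cloud VPN), the VPC firewall must admit the corporate range, and, if the VPN terminates in a different region than the cluster, the internal load balancer must allow global access. The Service below is an added example (not the asker's manifest or Google's sample) that adds the two settings GKE controls from the Service object; `10.100.0.0/16` is a placeholder for the corporate range that arrives over the VPN.

```yaml
# Added example: the asker's internal load balancer Service, with access limited
# to the corporate range behind the VPN and reachable from other regions.
apiVersion: v1
kind: Service
metadata:
  name: ilb-svc
  annotations:
    networking.gke.io/load-balancer-type: "Internal"
    # Clients in other regions (a VPN that lands elsewhere) can otherwise not
    # reach a regional internal load balancer.
    networking.gke.io/internal-load-balancer-allow-global-access: "true"
spec:
  type: LoadBalancer
  externalTrafficPolicy: Cluster
  # GKE turns this list into a VPC firewall rule: only the corporate range that
  # comes in over the VPN may reach the load balancer. Placeholder CIDR.
  loadBalancerSourceRanges:
  - 10.100.0.0/16
  selector:
    app: ilb-deployment
  ports:
  - name: tcp-port
    protocol: TCP
    port: 8080
    targetPort: 8080
```

Two checks follow from the thread: `kubectl get svc ilb-svc -o jsonpath='{.status.loadBalancer.ingress[0].ip}'` gives the address the corporate side must have a route to, and the on-premises router's table should contain the VPC subnet that address belongs to; if it does not, the VPN is not advertising the subnet and no Service setting will help. Restricting `loadBalancerSourceRanges` also means a client that reaches the VPC by any other path (a peered network, a misrouted host) is dropped at the firewall rather than relying on the VPN alone.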

0 Answers