I have this problem: I need to request a third-party HTTP resource through a VPN from a Cloud Function. The counterpart can route only one IP as the origin of the requests, but the VPC connector attached to the Cloud Function is a /28 CIDR, so I don't know which IP of that range is going to be used in order to tell the counterpart to add it to the route for the VPN traffic.
Maybe I can use some internal NAT / proxy to forward that traffic, but I want to solve this with a more native or cleaner solution.
I'd appreciate your help.
It might be possible to find a third-party solution which does the proxying in order to avoid the /28 range of the VPC Connector and send traffic with a unique and known IP address. Although it'd be interesting, I haven't found one. Going to keep looking and will let you know if I can find a solution or workaround.
I have a problem where our firm has many GCP projects, and I need to expose services on my project to these distinct GCP projects. Firewalling in individual IPs isn't really sustainable, as we dynamically spin up and tear down hundreds of GCE VMs a day.
I've successfully joined a network from my project to another project via GCP's VPN, but I'm not sure what the best practice should be for joining multiple networks to my single network, especially since most of the firm has the same default internal address subnetwork range for the project's default network. I understand that doing it the way that I am will probably work (it's unclear if it'll actually reach the right network, though), but this creates a huge ambiguity in terms of IP collisions, where potentially two VMs could exist in separate networks and have the same internal IP.
I've read that outside of the cloud, most VPNs support NAT remapping, which seems to let you remap the internal IP space of the remote peer's subnet (like, 10.240.* to 11.240.*), such that you can never have ambiguity from the peer doing the remapping.
I also know that Cloud Router may be an option, but it seems like a solution to a very specific problem that doesn't fully encompass this one: dynamically adding and removing subnets to the VPN.
Thanks.
I think you will need to utilize the custom subnet mode network (non-default), specify non-overlapping IP ranges for the networks to avoid collision. See "Creating a new network with custom subnet ranges" in this doc: https://cloud.google.com/compute/docs/subnetworks#networks_and_subnetworks
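A pre-flight check for the non-overlapping-ranges advice above, as an added example that is not part of the original thread: it converts CIDRs to integers, flags any pair that overlaps (two projects both on the default 10.240.0.0/16 collide), and carves a distinct /16 per project out of a supernet so custom-mode networks cannot collide. The ranges at the bottom are constructed sample input, not anyone's real topology.

```shell
#!/usr/bin/env bash
# Added example (not from the original thread): sanity-check the subnet ranges
# of the networks you are about to join over VPN.  Two projects that both use
# the default 10.240.0.0/16 will collide; custom-mode networks carved from one
# supernet will not.  The CIDRs at the bottom are constructed sample input.
set -eu

# dotted quad -> unsigned 32-bit integer
ip_to_int() {
  set -- $(printf '%s' "$1" | tr . ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# unsigned 32-bit integer -> dotted quad
int_to_ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# network mask for a prefix length, e.g. 16 -> 4294901760 (255.255.0.0)
prefix_mask() {
  echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# succeed (exit 0) when CIDR $1 and CIDR $2 share any address: compare both
# networks under the shorter of the two prefixes
cidr_overlap() {
  n1=$(ip_to_int "${1%/*}"); p1=${1#*/}
  n2=$(ip_to_int "${2%/*}"); p2=${2#*/}
  p=$p1
  if [ "$p2" -lt "$p" ]; then p=$p2; fi
  m=$(prefix_mask "$p")
  [ $(( n1 & m )) -eq $(( n2 & m )) ]
}

# print every overlapping pair among the given CIDRs; return 1 if any exist
find_overlaps() {
  found=0
  while [ $# -gt 1 ]; do
    a=$1; shift
    for b in "$@"; do
      if cidr_overlap "$a" "$b"; then
        printf 'OVERLAP %s %s\n' "$a" "$b"
        found=1
      fi
    done
  done
  return $found
}

# nth_subnet SUPERNET NEW_PREFIX K: the K-th (0-based) /NEW_PREFIX inside
# SUPERNET, so project K gets a range that cannot collide with project J's
nth_subnet() {
  base=$(ip_to_int "${1%/*}"); sp=${1#*/}
  size=$(( 1 << (32 - $2) ))
  if [ $(( $3 * size )) -ge $(( 1 << (32 - sp) )) ]; then
    echo "index $3 does not fit in $1" >&2
    return 1
  fi
  echo "$(int_to_ip $(( base + $3 * size )))/$2"
}

# constructed sample: two projects still on the default range, one custom
if find_overlaps 10.240.0.0/16 10.240.0.0/16 10.128.0.0/20; then
  echo "no overlaps, safe to peer"
else
  echo "fix the ranges above before joining the networks"
fi
# carve a distinct /16 per project out of 10.0.0.0/8
for k in 0 1 2; do
  echo "project-$k: $(nth_subnet 10.0.0.0/8 16 "$k")"
done
```

Run it with the subnet ranges of every network you intend to attach; any OVERLAP line means one side must be renumbered (or NAT-remapped) before the VPN is brought up, otherwise routing for those addresses is ambiguous.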
On GCE we plan on having a large number of worker compute VM instances (like 1000). Each worker instance needs to access Google Cloud Storage buckets. We don't have enough public IP address quota to give all of the compute nodes public IP addresses, so they will have private IP addresses. In tests, we found (and were surprised) that we couldn't access the Google Cloud bucket service from a private IP address.
We found a way to route packets from the private ip addresses through a proxy instance but we're afraid this isn't going to scale well. One (or a few) proxies for 1000 workers? -- it sounds like it might not scale well and seems unnecessary.
Perhaps we just don't understand something. Is there a way to make an instance with a private IP address access Google Cloud buckets without routing through a proxy instance?
It is not possible to access services outside your GCE network without a public IP. Your best bet is to apply to increase your public IP address quota.
Maybe you could start by setting up a proxy per, say, 100 worker instances and see how your performance for Cloud bucket access is. Is it read-only vs. read-write?
I assume the support for NAT is already available with the routing and networking available in Compute Engine? Looking for some easy-to-read documentation and commands to set up a situation where one instance acts as a router and other instances can use it to access the public internet. Another scenario I'm looking for is how to make instances with no external IP address able to access the internet. Is there a gcutil-friendly way of scripting this up?
It sounds like you're looking for the Routes Collection. For your first case, the examples should show you how one instance can act as a gateway for other instances by setting a route for the internal nodes to use the gateway as a "next hop" for their traffic.
For your second scenario, there is a caveat listed that "Currently, any packets sent to the Internet must be sent by an instance that has an external IP address. If you create a route that sends packets to the Internet from a particular instance, that instance must also have an external IP. If you create a route that sends packets to the Internet gateway, but the source instance doesn't have an external IP address, the packet will be dropped."
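The gateway-instance setup described in the answer above, as an added example that is not part of the original thread (and not Google's own scripts): one instance that has an external IP forwards traffic for tagged instances that have none, which is also the "proxy instance for workers" pattern from the earlier question, with the caveat that every packet then crosses that one VM. It uses gcloud rather than the gcutil the question mentions. The instance names, tags, zone, the 10.240.0.0/16 range and the eth0 interface name are assumptions; the script prints its plan by default and only executes anything when run with DRY_RUN=0.

```shell
#!/usr/bin/env bash
# Added example, not code from the original thread.  It scripts the answer
# above: an instance with an external IP becomes the gateway, a route with
# that instance as next hop carries Internet-bound traffic for tagged
# instances that have no external IP, and the gateway masquerades so replies
# return to its own address (packets with a private source would be dropped).
# All names below (nat-gw, no-ext-ip, 10.240.0.0/16, eth0) are assumptions.
set -eu

NETWORK="${NETWORK:-default}"
ZONE="${ZONE:-us-central1-a}"
GATEWAY="${GATEWAY:-nat-gw}"
INTERNAL_CIDR="${INTERNAL_CIDR:-10.240.0.0/16}"   # range of the private instances
CLIENT_TAG="${CLIENT_TAG:-no-ext-ip}"              # instances that should use the gateway
IFACE="${IFACE:-eth0}"
DRY_RUN="${DRY_RUN:-1}"                            # 1 = print the plan, 0 = execute

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Control plane (from any machine with gcloud): gateway, firewall rule, route.
create_gateway_and_route() {
  # The gateway keeps an external address (it must have one to reach the
  # Internet) and must be allowed to forward packets it did not originate.
  run gcloud compute instances create "$GATEWAY" --zone "$ZONE" \
      --network "$NETWORK" --can-ip-forward --tags nat-gw
  # Let the private instances reach the gateway on its internal address.
  run gcloud compute firewall-rules create "$GATEWAY-allow-internal" \
      --network "$NETWORK" --source-ranges "$INTERNAL_CIDR" \
      --allow tcp,udp,icmp --target-tags nat-gw
  # Priority 800 beats the default Internet route (priority 1000).  The route
  # is scoped with --tags so the gateway itself never routes through itself.
  run gcloud compute routes create "$GATEWAY-default" --network "$NETWORK" \
      --destination-range 0.0.0.0/0 --next-hop-instance "$GATEWAY" \
      --next-hop-instance-zone "$ZONE" --tags "$CLIENT_TAG" --priority 800
}

# A private instance: no external address, tagged so the route applies to it.
create_private_instance() {
  run gcloud compute instances create "$1" --zone "$ZONE" \
      --network "$NETWORK" --no-address --tags "$CLIENT_TAG"
}

# Guest side (run on the gateway, e.g. as its startup script): forward + SNAT.
# The NAT rule is restricted to INTERNAL_CIDR so the box does not NAT for
# arbitrary sources that happen to reach it.
configure_gateway_host() {
  run sysctl -w net.ipv4.ip_forward=1
  run iptables -t nat -A POSTROUTING -s "$INTERNAL_CIDR" -o "$IFACE" -j MASQUERADE
  run iptables -A FORWARD -s "$INTERNAL_CIDR" -o "$IFACE" -j ACCEPT
  run iptables -A FORWARD -i "$IFACE" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

create_gateway_and_route
create_private_instance worker-1
configure_gateway_host
```

The two halves run in different places: the gcloud commands from wherever you administer the project, the sysctl/iptables commands on the gateway VM itself. Keep the gateway untagged, otherwise the route would point it at itself, and remember that this single VM is both the bandwidth ceiling and the single point of failure for every instance behind it.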
How do I add a NIC to a Compute Engine instance? I need more than one NIC so I can build out an environment. I've looked all over and there is nothing on how to do it.
I know it's probably some API call through the SDK, but I have no idea, and I can't find anything on it.
EDIT:
It's the rhel6 image. Figured I should clarify.
The question is probably old and a lot has changed since. Now it's definitely possible to add more NICs to an instance, but only at creation time (you can find a networking tab on the create instance page in the portal; a corresponding REST API exists too). Each NIC has to connect to a different virtual network, so you need to create more networks before creating the instance (if you don't have them already).
Do you need an external address or an internal address? If external, you can use gcutil to add an IP address to an existing instance. If internal, you can configure a static network address on the instance, and add a route entry to send traffic for that address to that instance.
I was looking for a similar thing (to have a VM which runs Apache and nginx simultaneously on different IPs), but it seems like although you can have multiple networks (up to 5) in a project and each network can belong to multiple instances, you cannot have more than one network per instance. From the documentation:
A project can contain multiple networks and each network can have multiple instances attached to it. [...] A network belongs to only one project and each instance can only belong to one network.
I'm really new to this technology, and I can't find information regarding this.
I'm trying to migrate a cluster solution to Google Compute Engine, creating 4 web servers with a load balancer.
I was thinking of using haproxy and keepalived, but is this possible? Can I request a VIP?
I didn't see the option to request a VIP.
Thank you
You can reserve an IP address, and then add it to an instance when you launch it.
In GCE, those are called "Reserved IP Addresses", the documentation shows how you reserve them and assign them.