
What is "VPC Native" in GKE cluster?

Does a "VPC Native disabled" GKE cluster restrict connecting to Cloud SQL via private IP? We have a GKE cluster with "VPC Native" disabled, and we have whitelisted the GKE cluster in Cloud SQL; even after that, connectivity fails.

Also, what is the recommended way to connect to Cloud SQL from a private GKE cluster? Suppose we have an application which we are migrating from AWS to GKE; we don't want to build a cloud proxy.

  • Are you able to connect to other Google APIs from the cluster? Also, the VPC Native is disabled as it is mandatory for private clusters in GKE to have them enabled, so it's just the field that is disabled. The documentation suggests the proxy as a good and secure approach, but if you are not willing to go that way, you can use the private IP way and try it out. cloud.google.com/sql/docs/mysql/… Commented Jul 20, 2020 at 12:40
  • @tarunkhosla thanks. We are trying a simple use case: deploy an app which can connect to Cloud SQL. Do you suggest VPC native should be enabled or disabled? Yes, we don't want to take the proxy route, hence trying private IP. Will VPC Native disabled and trying this "cloud.google.com/sql/docs/mysql/…" WORK? Also, please can you let us know, is it secure to use the private IP approach for production? What possible issues could one face if the private IP approach is taken? Commented Jul 21, 2020 at 6:11

2 Answers


VPC-native in GKE changes the way routes are established to handle pod traffic between nodes.

In fact if you compare two clusters, one using VPC-native and the other using the legacy approach, now inexplicably called “advanced routing,” you’ll find they’re pretty much identical from the inside down to the command line arguments passed to the kubelet, kube-dns and kube-proxy on startup. So you’re not going to break anything switching your workloads to a VPC-native cluster, unless you’re doing something stranger than I can currently imagine as I write this.

See this article to find more details.

what is the recommended way to connect cloud sql from private GKE cluster?

By documentation:

The Cloud SQL Proxy is the recommended way to connect to Cloud SQL, even when using private IP. This is because the proxy provides strong encryption and authentication using IAM, which can help keep your database secure.

Even though you do not want to create a Cloud SQL proxy, it is the recommendation from the documentation. Here you can find more details about Cloud SQL connections.

As mentioned in this documentation, you need to have your GKE cluster and Cloud SQL in the same network.

For connecting using private IP, the GKE cluster must be VPC-native and in the same VPC network as the Cloud SQL instance.


2 Comments

@Kooopakiller thanks for the comments and details, this will help. We have read the documentation on the Cloud SQL Proxy and the strong encryption and authentication using IAM it provides. What about just private IP: what would be needed to make it secure and build authentication? Also, is it the correct approach?
You can use private IP to connect; here you can see some ways to connect to Cloud SQL, but your Cloud SQL and GKE nodes must be in the same network to permit this, as mentioned in the answer.

I went through a similar problem, where GKE was configured to use VPC-native and still couldn't access the private Cloud SQL (with private IP), even with the VPC peering of the private network configured in the VPC that GKE uses.

I managed to solve it just by changing the range of the secondary IPs in my Terraform, from:

    ip_allocation_policy {
      cluster_ipv4_cidr_block  = "192.16.128.0/17"
      services_ipv4_cidr_block = "192.168.1.0/24"
    }

To:

    ip_allocation_policy {
      cluster_ipv4_cidr_block  = "10.248.0.0/14"
      services_ipv4_cidr_block = "10.246.240.0/20"
    }

I don't know how to explain why it didn't work, but it solved the problem.
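A check worth running before blaming peering or IAM, as an added example that is not from either answer above: the private-IP path needs the cluster to be VPC-native in the same VPC as the Cloud SQL instance (first answer), and the alias ranges in ip_allocation_policy have to coexist with the node subnet and with the range allocated to private services access that the Cloud SQL private IP comes from. The script below validates that layout: every range is inside RFC 1918 space (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and none of them overlap. Note that 192.16.128.0/17, the original pod range in the second answer, is not RFC 1918 space, which this check reports. The node subnet 10.0.0.0/20 and the Cloud SQL range 10.20.0.0/16 are constructed values, not taken from the page.

```python
# Added example (not from either answer): sanity-check the GKE alias-IP ranges
# from a VPC-native cluster's ip_allocation_policy against the other ranges
# that must coexist in the same VPC for a private-IP Cloud SQL connection.
# The node subnet and the range allocated to private services access for
# Cloud SQL are constructed values, not taken from the page.
import ipaddress

RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(cidr: str) -> bool:
    """True if the whole CIDR falls inside one RFC 1918 private block."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(block) for block in RFC1918)


def check_ranges(node_subnet: str, cluster_cidr: str, services_cidr: str,
                 cloudsql_range: str) -> list:
    """Return a list of problems with the range layout; empty means none found.

    cluster_cidr / services_cidr are the Terraform ip_allocation_policy fields
    (pod and Service alias ranges); node_subnet is the cluster's primary
    subnet; cloudsql_range is the range allocated to private services access
    that the Cloud SQL instance's private IP is taken from.
    """
    named = {
        "node_subnet": node_subnet,
        "cluster_ipv4_cidr_block": cluster_cidr,
        "services_ipv4_cidr_block": services_cidr,
        "cloudsql_private_range": cloudsql_range,
    }
    problems = []
    nets = {}
    for name, cidr in named.items():
        try:
            # strict=True rejects a prefix with host bits set, e.g. 10.0.0.1/24
            nets[name] = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{name} {cidr!r} is not a valid network: {exc}")

    # Every range must be private address space.
    for name, net in nets.items():
        if not any(net.subnet_of(block) for block in RFC1918):
            problems.append(f"{name} {net} is not RFC 1918 private space")

    # No two ranges may overlap, or routing between them is ambiguous.
    items = list(nets.items())
    for i, (a_name, a) in enumerate(items):
        for b_name, b in items[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a_name} {a} overlaps {b_name} {b}")
    return problems


if __name__ == "__main__":
    # Constructed node subnet and Cloud SQL range; the pod/Service ranges are
    # the two layouts from the answer above.
    node, sql = "10.0.0.0/20", "10.20.0.0/16"
    for label, pods, svcs in [
        ("original", "192.16.128.0/17", "192.168.1.0/24"),
        ("working", "10.248.0.0/14", "10.246.240.0/20"),
    ]:
        found = check_ranges(node, pods, svcs, sql)
        print(label, "->", found or "no problems found")
```

Feed it the real values from `terraform state`, the subnet of the cluster's node pool and the range reserved for private services access in the VPC; an empty result means the address plan is not the reason private-IP connectivity fails, and the next things to look at are the VPC-native flag and the peering itself.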
