The requirement is for a stable set of egress IP addresses from a GKE cluster for allowlisting by a third party, following best practices.
Option A is not recommended: a single node with a static external IP lacks scalability and high availability. It is a single point of failure, it does not match how GKE is meant to be operated, and disabling autoscaling removes the elasticity the cluster exists to provide.
Option C is complex and unreliable: public nodes typically have ephemeral external IPs (unless an address is manually reserved and attached per node, which is impractical to manage under autoscaling). Tracking the node IPs and emailing them daily is operationally burdensome, and the vendor's allowlist will inevitably lag behind IP changes, causing intermittent egress failures.
Option D uses Cloud NAT, but with automatically allocated IPs. Google allocates and removes those addresses as the gateway needs them, so the set can change over time and cannot be relied on for a stable firewall allowlist.
Option B is the Google-recommended practice: configuring the GKE cluster with private nodes improves security because the nodes have no external IPs. Cloud NAT provides managed network address translation for these private nodes to reach the internet. By configuring the Cloud NAT gateway with manually assigned, reserved static external IP addresses, all egress traffic from the private GKE nodes (and the pods on them) appears to originate from a stable, predictable set of IPs. This set can be given to the vendor for allowlisting without concern for node IP changes due to scaling, upgrades, or maintenance.
Two prerequisites are worth checking: Cloud NAT is regional and only translates traffic from resources that have no external IP, so the nodes must actually be private (a node with an external IP bypasses the gateway and egresses from its own address), and the reserved addresses must be regional external IPs in the cluster's region. Reserve enough addresses for the cluster's expected connection volume, since each NAT IP provides a finite pool of source ports that is divided among the nodes.
This approach decouples the application's egress IP from the individual nodes, providing stability while also shrinking the nodes' exposed attack surface (private nodes are unreachable from the internet).
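The following Terraform configuration is an added example of option B and is not part of the original answer or of any Google-provided sample. It assumes an existing VPC (`google_compute_network.vpc`), a variable `var.region` for the cluster's region, and hypothetical resource names such as `gke-egress-nat`; the reserved addresses, router, NAT gateway, and private cluster are all created here. The option-D setting (`AUTO_ONLY`) is shown as a commented-out line next to the corrected `MANUAL_ONLY` setting so the difference is visible.

```hcl
# Subnet for private nodes. Private Google Access lets nodes reach Google
# APIs (GCR/Artifact Registry, logging) without going through the NAT gateway.
resource "google_compute_subnetwork" "gke" {
  name                     = "gke-private-subnet"          # assumed name
  region                   = var.region
  network                  = google_compute_network.vpc.id # assumed existing VPC
  ip_cidr_range            = "10.10.0.0/20"
  private_ip_google_access = true

  secondary_ip_range {
    range_name    = "pods"
    ip_cidr_range = "10.20.0.0/16"
  }
  secondary_ip_range {
    range_name    = "services"
    ip_cidr_range = "10.30.0.0/20"
  }
}

# Reserved regional external IPs. These are the addresses handed to the vendor;
# they persist independently of any node, scale event, or upgrade.
resource "google_compute_address" "nat" {
  count  = 2 # more IPs = more source ports; size for expected connection volume
  name   = "gke-egress-nat-${count.index}"
  region = var.region
}

# Cloud NAT is attached to a Cloud Router in the same region as the subnet.
resource "google_compute_router" "egress" {
  name    = "gke-egress-router"
  region  = var.region
  network = google_compute_network.vpc.id
}

resource "google_compute_router_nat" "egress" {
  name   = "gke-egress-nat"
  router = google_compute_router.egress.name
  region = var.region

  # Option D (not acceptable): Google picks and may rotate the addresses.
  # nat_ip_allocate_option = "AUTO_ONLY"

  # Option B: only the reserved static addresses above are ever used.
  nat_ip_allocate_option = "MANUAL_ONLY"
  nat_ips                = google_compute_address.nat[*].self_link

  # Translate the node subnet's primary range and the pod secondary range,
  # so pod-originated traffic also leaves from the static IPs.
  source_subnetwork_ip_ranges_to_nat = "LIST_OF_SUBNETWORKS"
  subnetwork {
    name                    = google_compute_subnetwork.gke.id
    source_ip_ranges_to_nat = ["ALL_IP_RANGES"]
  }

  min_ports_per_vm = 1024 # raise if nodes open many concurrent outbound connections

  log_config {
    enable = true
    filter = "ERRORS_ONLY" # surfaces port-exhaustion drops in Cloud Logging
  }
}

# Private cluster: nodes get no external IPs, so all internet egress must
# traverse the NAT gateway. The control plane endpoint stays reachable
# (enable_private_endpoint = false) so kubectl works from outside the VPC.
resource "google_container_cluster" "private" {
  name       = "egress-demo" # assumed name
  location   = var.region
  network    = google_compute_network.vpc.id
  subnetwork = google_compute_subnetwork.gke.id

  remove_default_node_pool = true
  initial_node_count       = 1
  deletion_protection      = false

  private_cluster_config {
    enable_private_nodes    = true
    enable_private_endpoint = false
    master_ipv4_cidr_block  = "172.16.0.0/28"
  }

  ip_allocation_policy {
    cluster_secondary_range_name  = "pods"
    services_secondary_range_name = "services"
  }
}

# Autoscaling is kept on: nodes come and go, the egress IPs do not.
resource "google_container_node_pool" "primary" {
  name     = "primary"
  location = var.region
  cluster  = google_container_cluster.private.name

  autoscaling {
    min_node_count = 1
    max_node_count = 5
  }
  node_config {
    machine_type = "e2-standard-2"
  }
}

# The exact set of addresses to send to the vendor.
output "egress_allowlist" {
  value = google_compute_address.nat[*].address
}
```

After `terraform apply`, the `egress_allowlist` output is the list to hand over. To confirm the gateway is really using only those addresses, `gcloud compute routers nats describe gke-egress-nat --router=gke-egress-router --region=REGION` should report `natIpAllocateOption: MANUAL_ONLY` with `natIps` matching the reserved addresses, and `gcloud compute instances list` should show no external IP on any node; a node that does have one will bypass the gateway and egress from an address the vendor has not allowlisted.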
References:
- Cloud NAT Overview: "Cloud NAT lets certain resources without external IP addresses create outbound connections to the internet." https://cloud.google.com/nat/docs/overview
- Cloud NAT IP Addresses: "When you configure a NAT gateway... You can configure the NAT gateway to automatically allocate regional external IP addresses... Alternatively, you can manually assign a fixed number of static external IP addresses to the gateway." https://cloud.google.com/nat/docs/overview#ip-addresses
- GKE and Cloud NAT: "Configure Cloud NAT with GKE... Use Case: You want a GKE pod to deterministically egress traffic from a static set of IP addresses that you control." https://cloud.google.com/nat/docs/gke-example
- Private Clusters: "Private nodes do not have endpoint-accessible external IP addresses." https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters