[SOLVED] GCP - private GKE cluster and connection from another project

GCP - private GKE cluster and connection from another project

I have the following situation:

project A as hub-spoke project B with workload, created a private GKE cluster with Internal endpoint in a private subnet

VPC peering is established between project A and B and between B and A.
At the firewall level, entire IP ranges with all ports allowed.
IP Range from the subnet from project A set as "Control plane authorized networks" in GKE (project B)

As part of the tests, I set up a VM in project A and project B and I am able to connect between them which means that traffic is allowed and peering works fine. Unfortunately, when I want to connect to the private GKE endpoint in project B from VM in project A, I get a timeout.

Have I missed something or is it not possible to connect to a private GKE cluster via VPC peering? (between projects)

opened all ports for an entire range
tested connection between VMs

Solution

You peering issue is normal. It's the case with many managed product in GCP. Let me explain.

When you have a managed product like GKE, the control plane is hosted on a google managed project and all the installation, update, monitoring is done for you. The principle of managed service

To let you the access to this managed resource, Google create a peering with its own VPC and yours.

That being said, you also have to know that there is a major limitation in the VPC peering: the non-transitivity. It means that if A -> B and B -> C, then A can't reach C

In your case you have:

Google managed GKE -> Project A VPC
Project A VPC -> Project B VPC
So, Google Managed GKE can't reach project B

Google is deploying PSC (Private service connect) on several services. Not yet on GKE control plane.

The solution here can be one on them:

Create a shared VPC across all your projects
Create a VPN between Project A and Project B VPCs