Prevent Exposing GKE Node IP to the World with NAT

Raju Dawadi
2 min readApr 22, 2018


Two cases I would like to consider here:

  1. Hide Kubernetes node ip address from the internet
  2. Sending egress traffic from pod with single IP

When the services running on pods needs to call any other services outside, it utilizes the ip address of the node where its being scheduled. This makes the ip address of nodes in the cluster spread over to the internet or at least is seen by the external service. That could be a security concern. Also, at time there might be need to filter traffic from the Kubernetes cluster.

Second: At Pagevamp, we use third party DNS service of OpenSRS which allows us to whitelist only 5 ip addresses from where we can call their service. As we are moving to Kubernetes, limiting ourself to 5 nodes could never happen. And as we have autoscaling node which has ephemeral ip, this leaves no option. So, we need some way so that all the traffic that goes from our Kubernetes cluster on Google Cloud reaches OpenSRS from one(or few) IPs.

NAT Gateway is Savior

Luckily, NAT Gateway solved the problem by creating an instance through NAT gateway managed-instance group which then is utilized for sending all outbound traffic from the Kubernetes Engine nodes based on the label on the nodes which is same for all the nodes in the specific Cluster.

The official github repo for implementing NAT Gateway uses Terraform module performs following operations:

Create nat gateway instance group based on the template with startup script to install squid proxy server

  1. Create a new nat instance server with static ip on the region specified
  2. Compute route and firewall to send traffic from the nodes in Kubernetes cluster to the internet from the nat instance. The selection of node is based on the network tag which is same for all the nodes in the cluster

This way we can configure exgress route from the GKE nodes.



Raju Dawadi