If you create your own VPC and subnets to host an advanced cluster, prepare the VPC network and subnets according to cluster requirements.
To prepare the network and subnets, complete the following tasks after you create a VPC:
1. Create a subnet that supports enough IP addresses for the nodes in the advanced cluster.
2. Create a Google Cloud NAT gateway.
3. Create firewall rules in the VPC network to allow TCP traffic.
Create a subnet with enough IP addresses
Create a subnet that supports enough IP addresses for all the nodes in the advanced cluster within your VPC network.
Calculate the number of required IP addresses according to the following guidelines:
• Add one IP address for the master node.
• Add IP addresses equal to the maximum number of worker nodes.
For example, if the advanced cluster can have a maximum of 10 worker nodes, each subnet must support at least 11 IP addresses.
Create a Google Cloud NAT gateway
If you need to connect to the internet from private nodes that do not have external IP addresses, create a Google Cloud NAT (network address translation) gateway.
In Google Cloud NAT, create a NAT gateway in the VPC network with the following configuration:
• Use the same region as the subnet.
• Use a Cloud Router that uses the default settings.
• Use the default value for the NAT mapping source.
• Manually create a new static public IP address to use for the NAT IP address.
Ensure that the NAT gateway is running before you run an advanced job.
The following image shows an example NAT gateway configuration in the Google Cloud Console:
Create firewall rules in the VPC network
Create a firewall rule for the VPC network to allow TCP traffic from the IP addresses of the Secure Agent machine and the NAT gateway.
In Google Cloud, create a firewall rule for the VPC network with the following configuration:
• Set the direction of traffic to ingress.
• Set the action on match to allow.
• Add the following target tag: k8s-infa-resource
• Set the primary source filter to filter by IP ranges. Use CIDR notation to set the source IP ranges to the static IP addresses of the Secure Agent machine and the NAT gateway created in step 2.
• Set the secondary source filter to filter by source tags. Add the following source tag: k8s-infa-resource
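The three preparation steps above, as an added example that is not part of the original documentation: a script that sizes the subnet from the node count and prints the matching gcloud commands for the subnet, Cloud Router, static NAT address, NAT gateway and firewall rule. Assumed values (not from the page): resource names demo-vpc, demo-subnet, demo-router, demo-nat, demo-nat-ip and allow-infa-tcp, region us-central1, the 10.10.0.0 subnet base, a placeholder Secure Agent address, and the four addresses Google Cloud reserves in every primary subnet range, which this page does not mention.

```shell
#!/bin/sh
# Added example, not from the original documentation. Names, region and the
# Secure Agent address below are placeholders; replace them for a real VPC.
set -eu

# Step 1 sizing rule from the page: one master plus the maximum worker count.
required_ips() {
  echo $(( 1 + $1 ))
}

# Smallest prefix length whose block holds the nodes plus the four addresses
# Google Cloud reserves in each primary range (assumed GCP behavior, not on
# this page). /29 is the smallest primary range Google Cloud accepts.
subnet_prefix_for_nodes() {
  needed=$(( $(required_ips "$1") + 4 ))
  prefix=29
  size=8
  while [ "$size" -lt "$needed" ]; do
    size=$(( size * 2 ))
    prefix=$(( prefix - 1 ))
  done
  echo "$prefix"
}

# Prints, but does not run, the gcloud commands for steps 1 to 3.
# Review the output, then pipe it to sh to apply it.
print_gcloud_plan() {
  max_workers=$1
  agent_ip=$2          # static IP of the Secure Agent machine (placeholder)
  region=us-central1
  net=demo-vpc
  prefix=$(subnet_prefix_for_nodes "$max_workers")
  cat <<EOF
# Step 1: subnet for 1 master + $max_workers workers (/$prefix, $(required_ips "$max_workers") node IPs)
gcloud compute networks subnets create demo-subnet --network=$net --region=$region --range=10.10.0.0/$prefix
# Step 2: default Cloud Router, manually created static NAT IP, NAT gateway in the subnet's region
gcloud compute routers create demo-router --network=$net --region=$region
gcloud compute addresses create demo-nat-ip --region=$region
gcloud compute routers nats create demo-nat --router=demo-router --region=$region --nat-all-subnet-ip-ranges --nat-external-ip-pool=demo-nat-ip
NAT_IP=\$(gcloud compute addresses describe demo-nat-ip --region=$region --format='value(address)')
# Step 3: ingress TCP to k8s-infa-resource nodes from the Secure Agent, the NAT IP, or tagged peers
gcloud compute firewall-rules create allow-infa-tcp --network=$net --direction=INGRESS --action=ALLOW --rules=tcp --target-tags=k8s-infa-resource --source-ranges=$agent_ip/32,\$NAT_IP/32 --source-tags=k8s-infa-resource
EOF
}

# Usage: ./prepare_vpc.sh <max-workers> <secure-agent-ip>
print_gcloud_plan "${1:-10}" "${2:-203.0.113.5}"
```

The firewall rule uses `--rules=tcp`, which allows every TCP port; narrow it to the ports the cluster actually needs once they are known.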