Advanced Clusters > Setting up Google Cloud > Step 3. Create the VPC and subnets (optional)

Step 3. Create the VPC and subnets (optional)

If you create your own VPC and subnets to host an advanced cluster, prepare the VPC network and subnets according to cluster requirements.

To prepare the network and subnets, complete the following tasks after you create a VPC:

1Create a subnet that supports enough IP addresses for the nodes in the advanced cluster.
2Create a Google Cloud NAT gateway.
3Create firewall rules in the VPC network to allow TCP traffic.

Create a subnet with enough IP addresses

Create a subnet that supports enough IP addresses for all the nodes in the advanced cluster within your VPC network.

Calculate the number of required IP addresses according to the following guidelines:

•Add one IP address for the master node.
•Add IP addresses equal to the maximum number of worker nodes.

For example, if the advanced cluster can have a maximum of 10 worker nodes, each subnet must support at least 11 IP addresses.

Create a Google Cloud NAT gateway

If you need to connect to the internet from private nodes that do not have external IP addresses, create a Google Cloud Network Address Translator (NAT) gateway.

In Google Cloud NAT, create a NAT gateway in the VPC network with the following configuration:

•Use the same region as the subnet.
•Use a Cloud Router that uses the default settings.
•Use the default value for the NAT mapping source.
•Manually create a new static public IP address to use for the NAT IP address.

Ensure that the NAT gateway is running before you run an advanced job.

The following image shows an example NAT gateway configuration in the Google Cloud Console:

In the Google Cloud Console, under Network Services, the Cloud NAT tab is selected and the configuration for a new NAT gateway is open. Annotations highlight the settings for Region, Cloud Router, Source (internal), and NAT IP addresses.

Create firewall rules in the VPC network

Create a firewall rule for the VPC network to allow TCP traffic from the IP addresses of the Secure Agent machine and the NAT gateway.

In Google Cloud, create a firewall rule for the VPC network with the following configuration:

•Set the direction of traffic to ingress traffic.
•Allow matches.
•Add the following target tag: k8s-infa-resource
•Set the primary source filter to filter by IP ranges. Use CIDR notation to set the source IP ranges to the static IP addresses of the Secure Agent machine and the NAT gateway created in step 2.
•Set the secondary source filter to filter by source tags. Add the following source tag: k8s-infa-resource
• Specify the following protocols and ports:

- TCP ports: 22, 80, 178-180, 6443, 2379-2380, 10250, 10251, 10252, 10257, 10259, 30000-32767
- Other protocols: ipip

The following image shows how the firewall rule might appear in the Google Cloud Console: In the Google Cloud Console, under VPC Network, the Firewall tab is selected and the details of a firewall rule are open. Annotations highlight the settings for Direction, Action on match, Targets, Source filters, and Protocols and ports.

In the Google Cloud Console, under VPC Network, the Firewall tab is selected and the details of a firewall rule are open. Annotations highlight the settings for Direction, Action on match, Targets, Source filters, and Protocols and ports.