There are various ways you can connect GKE on-prem clusters, running in your on-premises data center, to Google's network. Possibilities include:
- Regular internet connection
- Cloud VPN with static routes
- Cloud VPN with Cloud Router
- Partner Interconnect
- Dedicated Interconnect
Regular internet connection
In certain scenarios, you can use the internet as the connection between Google and your on-premises data center. For example:
- Your GKE on-prem deployment is self contained on your premises, and your on-premises components seldom communicate with Google's network. You use the connection primarily for cluster management. The speed, reliability, and security of the connection are not critical.
- Your on-prem cluster is self-contained, except for access to a Google service like Cloud SQL. Traffic between your on-prem cluster and the Google service uses public IP addresses. You configure firewall rules to provide security.
Cloud VPN with static routes
With Cloud VPN, traffic between Google and your on-premises data center traverses the public internet, but is encrypted. On-prem components can communicate with cloud components using private IP addresses. With static routes, you must manually configure routes between your Google Cloud networks and your on-premises network. Use Cloud VPN if security is important, but speed is less of a concern.
Cloud VPN with Cloud Router
With Cloud VPN and Cloud Router, traffic between Google and your on-premises data center traverses the public internet, but is encrypted. On-prem components can communicate with cloud components using private IP addresses. Cloud Router dynamically exchanges routes between your Google Cloud networks and your on-prem network. Dynamic routing is especially beneficial as your network expands and changes, because it ensures that the correct routing state is propagated to your on-premises data center.
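The practical difference between the two Cloud VPN options above is who maintains the route tables. The following added example (not Google's code, and not part of this topic) models the manual work that static routes imply: it checks that the on-premises ranges and the VPC subnets do not overlap (overlapping ranges cannot be routed across a tunnel), builds the static route entries each side needs, and then shows what happens when a VPC subnet is added without anyone updating the on-premises router. All address ranges and the tunnel name `vpn-tunnel-1` are constructed sample values.

```python
"""Static-route planning check for a Cloud VPN tunnel.

Added example, not Google's code. Models the two things that go wrong with
manually maintained (static) routes: an on-premises range overlaps a VPC
subnet, or a subnet is added on one side and the other side's routes are
never updated. Cloud Router's dynamic routing removes the second problem.
"""
import ipaddress

# Constructed sample addressing (not from the page): VPC subnets in Google Cloud
# and the networks behind the on-premises VPN gateway.
VPC_SUBNETS = ["10.128.0.0/20", "10.132.0.0/20"]
ONPREM_NETWORKS = ["192.168.10.0/24", "192.168.20.0/24"]


def find_overlaps(first, second):
    """Return (x, y) string pairs where a range in `first` overlaps one in `second`."""
    pairs = []
    for x in map(ipaddress.ip_network, first):
        for y in map(ipaddress.ip_network, second):
            if x.overlaps(y):
                pairs.append((str(x), str(y)))
    return pairs


def static_routes(vpc_subnets, onprem_networks, tunnel="vpn-tunnel-1"):
    """Build the static routes each side must carry for a single tunnel.

    Cloud side: one VPC route per on-premises prefix, next hop the VPN tunnel.
    On-prem side: one route per VPC subnet, next hop the tunnel.
    Refuses to plan anything if the address spaces overlap.
    """
    overlaps = find_overlaps(vpc_subnets, onprem_networks)
    if overlaps:
        raise ValueError(f"overlapping ranges cannot be routed over the tunnel: {overlaps}")
    cloud = [{"dest": str(p), "next_hop": tunnel}
             for p in sorted(map(ipaddress.ip_network, onprem_networks))]
    onprem = [{"dest": str(p), "next_hop": tunnel}
              for p in sorted(map(ipaddress.ip_network, vpc_subnets))]
    return {"cloud": cloud, "onprem": onprem}


def missing_routes(onprem_route_table, vpc_subnets):
    """Return VPC subnets that no entry in the on-prem route table covers.

    This is the drift that static routes suffer from when a subnet is added
    in the cloud: without a route, on-prem hosts fall back to their default
    route and never reach the new subnet over the tunnel.
    """
    covered = [ipaddress.ip_network(r["dest"]) for r in onprem_route_table]
    return [str(s) for s in map(ipaddress.ip_network, vpc_subnets)
            if not any(s.subnet_of(r) for r in covered)]


if __name__ == "__main__":
    plan = static_routes(VPC_SUBNETS, ONPREM_NETWORKS)
    for side, routes in plan.items():
        print(side, routes)
    # A subnet added later in the cloud that the on-prem router does not know about.
    print("unreachable from on-prem:", missing_routes(plan["onprem"], VPC_SUBNETS + ["10.136.0.0/20"]))
```

Run the check against your real ranges before you create tunnels; an overlap found afterwards means re-addressing one side, which is far more disruptive than choosing non-overlapping ranges up front.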
Partner Interconnect
Partner Interconnect provides connectivity between your on-premises network and Google's network through a supported service provider. Traffic between Google and your on-premises data center does not traverse the public internet. On-prem components can communicate with cloud components using private IP addresses. Your connection to Google is fast, secure, and reliable.
Dedicated Interconnect
Dedicated Interconnect provides a direct physical connection between your on-premises network and Google's network. This can be cost-effective if you have high bandwidth needs. Traffic between Google and your on-premises data center does not traverse the public internet. On-prem components can communicate with cloud components using private IP addresses. Your connection to Google is secure and reliable, and is even faster than a connection using Partner Interconnect.
Choosing a connection type
For additional guidance on choosing a connection type, see:
Regardless of how you establish a fundamental connection to Google, you can benefit from insights provided by network logging and monitoring. For more information, see Logging and monitoring for GKE on-prem.
Enhancing your fundamental connection
After your fundamental connection is in place, you can add features that enhance access, security, and visibility. For example, you could enable Private Google Access, VPC Service Controls, or Connect.
The remainder of the guidance in this topic assumes you are using one of the following options for your fundamental connection to Google:
Private Google Access
Private Google Access enables VMs that have only private IP addresses to reach the IP addresses of Google APIs and services. This includes the case where your GKE on-prem cluster nodes have only private IP addresses. You enable Private Google Access at the subnet level.
With Private Google Access, requests from your on-premises data center to Google services traverse your Cloud Interconnect or Cloud VPN connection instead of traversing the public internet.
Use Private Google Access in these situations:
- Your on-premises VMs without public IP addresses need to connect to Google services like BigQuery, Pub/Sub, or Container Registry.
- You want to connect to Google services without traversing the public internet.
For a list of services that support Private Google Access from on-premises VMs, see Supported services. For information about using Private Google Access from on-premises VMs, see Configuring Private Google Access for on-premises hosts.
Services that don't require Private Google Access
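For on-premises hosts, Private Google Access only works if two things hold at once: DNS for `*.googleapis.com` must resolve to one of Google's two API VIP ranges (`private.googleapis.com` is 199.36.153.8/30 and `restricted.googleapis.com` is 199.36.153.4/30, the latter being the one used together with VPC Service Controls) rather than to a public front-end address, and that VIP range must be routed over your Cloud VPN or Cloud Interconnect path, which means Cloud Router has to advertise it to your on-premises router. The following added example (not Google's code) audits both conditions offline. The DNS answers and the advertised range are constructed sample data; `203.0.113.10` is a documentation address standing in for a public answer.

```python
"""Audit whether on-premises hosts would reach Google APIs over Private Google Access.

Added example, not Google's code. Two conditions are checked per hostname:
  1. every resolved address lies in a Google API VIP range rather than a
     public address (otherwise traffic goes out over the internet);
  2. the VIP range the address belongs to is among the ranges Cloud Router
     advertises to the on-premises router (otherwise there is no route over
     the VPN/Interconnect path).
"""
import ipaddress

# Google API VIP ranges used by Private Google Access for on-premises hosts.
PRIVATE_VIP = ipaddress.ip_network("199.36.153.8/30")     # private.googleapis.com
RESTRICTED_VIP = ipaddress.ip_network("199.36.153.4/30")  # restricted.googleapis.com (VPC Service Controls)

# Constructed sample data (not from the page): what the on-prem resolver
# returned for each API hostname, and the custom range Cloud Router advertises.
DNS_ANSWERS = {
    "storage.googleapis.com": ["199.36.153.4"],   # overridden to the restricted VIP
    "bigquery.googleapis.com": ["199.36.153.9"],  # overridden to the private VIP
    "pubsub.googleapis.com": ["203.0.113.10"],    # no override: public answer
}
ADVERTISED_RANGES = ["199.36.153.4/30"]


def classify_answer(addr):
    """Return 'restricted', 'private', or 'public' for one resolved address."""
    a = ipaddress.ip_address(addr)
    if a in RESTRICTED_VIP:
        return "restricted"
    if a in PRIVATE_VIP:
        return "private"
    return "public"


def check_host(hostname, resolved, advertised_ranges):
    """Return a list of findings for one hostname; an empty list means both conditions hold."""
    findings = []
    advertised = [ipaddress.ip_network(r) for r in advertised_ranges]
    for addr in resolved:
        kind = classify_answer(addr)
        if kind == "public":
            findings.append(f"{hostname}: {addr} is a public address; traffic would traverse the internet")
            continue
        vip = RESTRICTED_VIP if kind == "restricted" else PRIVATE_VIP
        if not any(vip.subnet_of(r) for r in advertised):
            findings.append(f"{hostname}: {addr} is in {vip} but Cloud Router does not advertise that range")
    return findings


def audit(dns_answers, advertised_ranges):
    """Run check_host over every hostname; returns {hostname: [findings]}."""
    return {host: check_host(host, answers, advertised_ranges)
            for host, answers in dns_answers.items()}


if __name__ == "__main__":
    for host, findings in audit(DNS_ANSWERS, ADVERTISED_RANGES).items():
        print(host, "OK" if not findings else findings)
```

In a real audit, replace `DNS_ANSWERS` with the output of your on-premises resolver and `ADVERTISED_RANGES` with the custom advertised routes configured on your Cloud Router; a host that reports a public answer is the usual sign that the private DNS zone for `googleapis.com` was not created or is not being used by on-premises hosts.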
In some cases, you don't need Private Google Access to reach a service from a VM that has only a private IP address. For example:
- You create a Cloud SQL instance that has both a public IP address and a private IP address. Then your on-premises components can access the Cloud SQL instance using its private IP address. You don't need Private Google Access in this case, because you don't need to reach the public IP address of a Google service. This works only if Cloud Router advertises the private IP address of the Cloud SQL instance to your on-premises network.
- You have a GKE cluster in Google's cloud, and the cluster nodes have private IP addresses. Your on-premises components can access a NodePort Service or an internal load balancer Service in the cloud GKE cluster.
VPC Service Controls
If you want added protection against exfiltration, you can use VPC Service Controls. With VPC Service Controls, you can configure security perimeters around the resources of your Google-managed services and control the movement of data across the perimeter boundary.
Connect
Connect enables you to view and manage your on-prem user clusters from Google Cloud Console.