Questions about external IP addresses on managed instance group nodes, and "Cloud NAT"

[James Lampert]

(Cross-posted to Server Fault)

I've been worrying (and posting, here and elsewhere) about calls from instance group nodes to web services carrying the external IP address of the individual node (which makes it problematical to restrict the web services by calling IP).

Then I saw something called "Cloud NAT."

If I've got Cloud NAT set up, do web service calls from my instance group show the IP address set in the NAT?

And that brings up another question that's been fermenting in my mind for a few days now: our instance group nodes are currently set to have ephemeral external IP addresses. Is there any real reason why they should have external IP addresses at all? Can I, for example, still get a terminal session through the web-to-ssh portal if there's no external IP address? Can I likewise use "gcloud compute scp"? I think possibly my original reason for having external IP addresses had to do accessing them from the ssh and scp on my Mac (which is more trouble than it's worth in most cases anyway).

[Mohibul (Google Cloud Support)]

Hello,

Seems like you have two questions here: 

(1) Accessing VMs that don't have external IPs (SSH ingress to the VM) 

(2) Ways that VMs can send egress traffic to external IPs

Let's first talk about accessing the VMs via SSH. The SSH button in the Cloud Console only works if the VM has an external IP address. That address can be either a static external IP address or an ephemeral one.

Accessing the VMs via command-line SSH and SCP, such as gcloud compute ssh or gcloud compute scp works like this: By default, these commands attempt to contact the VM using its external IP address. Again, that external IP address can be either static or ephemeral. If the VM does not have an external IP address, then you cannot connect to it directly with command line SSH.

However, if your VPC network is connected to an on-premises network via Cloud VPN or Cloud Interconnect, and routing and firewalls permit, you can connect to VMs using gcloud compute ssh with the --internal-ip flag. Also you can SSH into a VM that does have an external IP, then connect to one that does not. You could find public documentation here[1]. Now, let's talk about egress traffic from VMs to "web services." It is not clear what web services they are asking. Specifically, are you trying to access Google APIs and services?

In general, if "web services" means any IP address on the Internet, the VM needs Internet access. The requirements for Internet access are here[2]. If Cloud NAT is used to route a request to an Internet address, the source IP of that request will be one of the external IPs used by the NAT.

Now, if we are talking about Google APIs and services, we have some ways that VMs can reach the external IPs for Google APIs and services, even if those VMs don't otherwise have Internet access. Private Google Access permits VMs that do not have external IPs to be able to access the select ranges of external IPs for Google's APIs and services.

Please find documentation[3] on Private Google Access and link[4] on how to Configuring Private Google Access.

[1]:https://cloud.google.com/solutions/connecting-securely#connecting_to_instances_without_external_ip_addresses

[2]:https://cloud.google.com/vpc/docs/vpc#internet_access_reqs

[3]:https://cloud.google.com/vpc/docs/private-access-options#pga

[4]:https://cloud.google.com/vpc/docs/configure-private-google-access