This chapter covers GKE Private Clusters, a critical security feature for running Kubernetes workloads in isolation from the public internet. Understanding private clusters is essential for the ACE exam, particularly under Domain 5: Security Compliance, Objective 5.2. Approximately 5-10% of exam questions touch on private cluster configuration, networking, and IAM integration. This chapter provides the deep technical knowledge needed to design, deploy, and troubleshoot private clusters in Google Cloud.
Jump to a section
Imagine a gated community with a security booth at the entrance. Residents (pods) live in houses inside the community and have private addresses (RFC 1918 IPs). The community has its own internal roads (VPC network) and a private clubhouse (control plane) that only residents can access directly. To get mail or packages from the outside world, residents must go through a secure mailroom (NAT gateway) that translates their private address to a public one. The community also has a delivery service (Cloud NAT) that allows residents to send outgoing packages but blocks any unsolicited deliveries from outside. The security booth (firewall rules) controls who can enter and exit. The community manager (GKE) ensures that all residents have the necessary permits (IAM roles) and that the mailroom is properly configured. In a public cluster, the clubhouse would be on the main street with a public address, and anyone could walk up to it. In a private cluster, the clubhouse is inside the gated community, accessible only to residents. This isolation ensures that the control plane is not exposed to the public internet, reducing the attack surface. The mailroom (NAT) allows residents to reach the internet for updates or external APIs, but no one can initiate a connection from the outside to a resident's home directly. Firewall rules can be used to allow specific external services, like a trusted delivery truck (Cloud Load Balancing) that is given a temporary pass (authorized networks).
What is a GKE Private Cluster?
A GKE private cluster is a Google Kubernetes Engine cluster where the control plane (master) and nodes communicate over internal VPC network IP addresses, not over the public internet. The control plane is assigned a private IP address within your VPC, and nodes are deployed in subnetworks that use private IP addresses (RFC 1918). This means that the control plane is not directly reachable from the internet, and nodes do not have public IP addresses by default. Private clusters are a key security measure to reduce the attack surface of your Kubernetes environment.
Why Use Private Clusters?
Organizations use private clusters to comply with security policies that require workloads to run in isolated environments without direct internet exposure. Common use cases include:
Financial services: sensitive transaction processing must not be accessible from the public internet.
Healthcare: patient data (PHI) must be protected per HIPAA regulations.
Internal applications: corporate applications that should only be accessible within the corporate network.
Multi-tier applications: where backend services should not be directly exposed.
How Private Clusters Work: Internal Mechanism
The key difference between a public and private cluster lies in the control plane endpoint. In a public cluster, the control plane has a public IP address and is accessible via kubectl from anywhere (with proper authentication). In a private cluster, the control plane is assigned a private IP address from your VPC subnet. The control plane is still a Google-managed service, but it is deployed with an internal load balancer (ILB) that provides a private IP address reachable only from within your VPC network.
Control Plane Access: - The control plane endpoint is a private IP address (e.g., 10.0.0.1) that is accessible from nodes and authorized networks within the VPC. - To access the control plane from outside the VPC (e.g., from a corporate network or the internet), you must use either: - Private Google Access: Allows on-premises networks connected via Cloud VPN or Cloud Interconnect to reach the control plane private IP. - Authorized Networks: You can enable a public endpoint for the control plane but restrict access to specific IP ranges. This is a hybrid approach where the control plane has both a private and public IP, but the public IP is firewalled. - Cloud IAP TCP Forwarding: Use Identity-Aware Proxy (IAP) to tunnel to the control plane without exposing it to the internet.
Node Networking: - Nodes are created in a subnet that has private IP addresses. By default, nodes do not have public IP addresses. However, you can optionally assign public IPs to nodes if needed (not recommended for security). - Nodes communicate with the control plane via the private IP address. The control plane initiates connections to nodes for health checks and pod scheduling, and nodes connect to the control plane for API requests.
Outbound Internet Access: - Since nodes do not have public IPs, they cannot directly reach the internet. To allow outbound internet access (e.g., for pulling container images from Docker Hub or accessing external APIs), you must configure one of the following: - Cloud NAT: A managed NAT service that provides outbound connectivity for private instances. Cloud NAT translates private IPs to a specific public IP range (or ephemeral IPs). - Private Google Access: Allows nodes to reach Google APIs and services (e.g., Container Registry, Cloud Storage) over Google's private network without needing a public IP. This is enabled at the subnet level. - Instance-level public IP: Assign a public IP to each node (not recommended due to security and management overhead).
Firewall Rules: - GKE automatically creates firewall rules for private clusters, but you may need to add custom rules: - Control plane to nodes: Allow traffic on port 10250 (kubelet) and 443 (HTTPS) from the control plane's private IP range to nodes. - Nodes to control plane: Allow traffic on port 443 from nodes to the control plane's private IP. - Health checks: Allow Google Cloud health check probes (from specific IP ranges) to nodes if using load balancers. - Pod communication: By default, all pods can communicate within the cluster. You can use Network Policies to restrict traffic.
Defaults and Important Values
Default subnet: When you create a private cluster without specifying a subnet, GKE creates a subnet with a /28 CIDR (16 IPs) for the control plane and a /22 CIDR (1024 IPs) for nodes.
Control plane private IP: Assigned from the subnet's secondary IP range for pods? No, the control plane IP is from the primary IP range of the subnet you specify (or the default subnet).
Node IPs: Assigned from the primary IP range of the node subnet.
Pod IPs: Assigned from a secondary IP range (alias IP range) that you specify or GKE creates.
Service IPs: Assigned from another secondary IP range.
Cloud NAT: Not automatically created; you must create it separately.
Private Google Access: Must be enabled on the subnet before creating the cluster or after (if you recreate nodes).
Configuration Commands
Creating a Private Cluster using gcloud:
gcloud container clusters create private-cluster \
--private-cluster \
--master-ipv4-cidr 172.16.0.0/28 \
--network my-vpc \
--subnet my-subnet \
--zone us-central1-a \
--enable-private-nodes \
--enable-ip-alias--private-cluster: Enables private cluster mode.
--master-ipv4-cidr: Specifies the /28 CIDR block for the control plane (must be non-overlapping with other ranges).
--enable-private-nodes: Ensures nodes do not have public IPs.
--enable-ip-alias: Required for VPC-native clusters (recommended).
Authorizing Access to the Control Plane:
To access the control plane from a specific network (e.g., your corporate VPN), you can enable the public endpoint with authorized networks:
gcloud container clusters update private-cluster \
--enable-master-authorized-networks \
--master-authorized-networks 203.0.113.0/24,198.51.100.0/24Creating Cloud NAT for Outbound Access:
gcloud compute routers create nat-router \
--network my-vpc \
--region us-central1
gcloud compute routers nats create nat-config \
--router nat-router \
--region us-central1 \
--auto-allocate-nat-external-ips \
--nat-all-subnet-ip-rangesInteraction with Related Technologies
Cloud NAT: Essential for private clusters to reach the internet. Without it, pods cannot pull images from external registries (unless using Private Google Access for GCR).
Private Google Access: Allows nodes to reach Google APIs (like Container Registry, Cloud Storage, BigQuery) without public IPs. Must be enabled on the subnet.
VPC Network Peering: If you need to connect a private cluster to another VPC (e.g., for on-premises access via VPN), you must ensure the control plane's private IP is reachable. You may need to set up Cloud VPN or Interconnect and configure routing.
Cloud IAP: Provides secure access to the control plane from the internet without exposing it. You can use IAP TCP forwarding to tunnel kubectl commands through HTTPS.
Service Directory: Can be used to register services for discovery across VPCs.
Cloud DNS: Private zones can resolve internal hostnames for services.
Step-by-Step: How a Private Cluster Handles a Pod's Outbound Request
A pod in the private cluster makes an HTTP request to https://example.com.
The pod's source IP is a private IP from the pod secondary range (e.g., 10.0.1.2).
The packet leaves the pod, hits the node, and is forwarded to the default gateway (the VPC router).
Since the node has no public IP, the packet is sent to Cloud NAT (if configured).
Cloud NAT translates the source IP to a public IP (e.g., 35.1.2.3) and records the mapping in its state table.
The packet is sent to the internet. The response returns to the public IP of Cloud NAT.
Cloud NAT looks up the mapping and forwards the response to the pod's private IP.
The pod receives the response.
Without Cloud NAT, step 4 would fail because the packet has no route to the internet. Private Google Access only works for Google APIs, not arbitrary internet destinations.
Limitations and Considerations
Control plane size: The control plane is managed by Google and auto-scales, but the private IP CIDR must be /28 (16 IPs). This is fixed.
Subnet IP exhaustion: Ensure your node subnet has enough IPs for nodes and pods (secondary ranges).
Regional vs. zonal clusters: Private clusters can be regional or zonal. Regional clusters have multiple control planes across zones, each with a private IP.
Upgrades: When upgrading the control plane, the private IP may change. You must update firewall rules and authorized networks accordingly.
Monitoring: Use VPC Flow Logs and Cloud Monitoring to observe traffic patterns and troubleshoot connectivity issues.
Exam Tips
The ACE exam often tests the difference between private and public clusters, especially regarding control plane accessibility.
Know that private clusters require Cloud NAT for outbound internet access unless using Private Google Access for Google APIs.
Understand that --enable-private-nodes is separate from --private-cluster. The latter makes the control plane private; the former makes nodes private.
Remember that authorized networks can be used to allow specific IP ranges to access the control plane even if it has a public endpoint.
Be aware that IAP TCP forwarding is a secure way to access private control planes without public exposure.
Common Exam Scenarios
Scenario 1: A company wants to run a Kubernetes cluster that is not accessible from the internet. They create a private cluster with private nodes. They need to pull images from Google Container Registry. Solution: Enable Private Google Access on the subnet.
Scenario 2: A developer cannot run kubectl commands from their laptop to a private cluster. The cluster has no public endpoint. Solution: Use IAP TCP forwarding or set up a bastion host in the VPC.
Scenario 3: Pods in a private cluster need to access an external API. Solution: Configure Cloud NAT.
Conclusion
GKE Private Clusters provide a secure, isolated environment for Kubernetes workloads. By understanding the networking components, configuration options, and integration with other Google Cloud services, you can design and manage private clusters effectively. This knowledge is critical for the ACE exam and real-world deployments.
Plan VPC and Subnet
Before creating a private cluster, you must plan the VPC network and subnet. The subnet must have sufficient IP addresses for nodes and pods. You need to decide on secondary IP ranges for pods and services. The control plane requires a /28 CIDR block that does not overlap with other ranges. Ensure Private Google Access is enabled on the subnet if you want nodes to reach Google APIs without public IPs. Also, consider whether you need Cloud NAT for outbound internet access. In production, you typically create a dedicated VPC for the cluster with non-overlapping CIDRs.
Create Private Cluster
Use gcloud or Cloud Console to create the cluster with the `--private-cluster` flag. Specify the `--master-ipv4-cidr` for the control plane. Use `--enable-private-nodes` to ensure nodes have no public IPs. Enable VPC-native (alias IP) with `--enable-ip-alias`. Choose a zone or region. During creation, GKE automatically sets up internal load balancing for the control plane and creates necessary firewall rules. The control plane private IP is assigned from the specified CIDR.
Configure Control Plane Access
After creation, you need to ensure you can access the control plane. If you are within the VPC (e.g., from a bastion host), you can use the private IP directly. For external access, you can either enable the public endpoint with authorized networks or use IAP TCP forwarding. To enable authorized networks, run `gcloud container clusters update` with `--enable-master-authorized-networks` and specify allowed IP ranges. For IAP, you need to enable the IAP API and grant the `roles/iap.tunnelResourceAccessor` role to users.
Set Up Outbound Connectivity
Since private nodes have no public IPs, you must configure outbound internet access if needed. For Google APIs, ensure Private Google Access is enabled on the subnet (this is a subnet-level setting). For general internet access, create a Cloud NAT router and NAT configuration. The NAT will translate private IPs to public IPs for outbound traffic. Verify that firewall rules allow egress traffic from nodes to the internet (default allow egress, but you may have custom deny rules).
Verify and Test Connectivity
Test that you can access the control plane using `kubectl` from an authorized source. Deploy a test pod and verify it can reach the internet if needed. Check that pods can pull images from GCR (if using Private Google Access) or external registries (if using Cloud NAT). Use `kubectl exec` to run `curl` or `ping` from a pod. Also verify that the control plane can communicate with nodes by checking node status with `kubectl get nodes`. Monitor VPC Flow Logs to ensure traffic is flowing correctly.
Enterprise Scenario 1: Financial Services Compliance
A large bank needs to run a Kubernetes cluster for processing credit card transactions. The security policy mandates that the cluster must not have any public IP addresses, and the control plane must not be accessible from the internet. They deploy a GKE private cluster in a dedicated VPC with Private Google Access enabled for pulling images from Container Registry. The cluster uses Cloud NAT for outbound access to external fraud detection APIs. The operations team accesses the control plane via a bastion host (a Compute Engine VM with a public IP) that is locked down with IAP and firewall rules. They use VPC Service Controls to further restrict data exfiltration. The cluster is regional for high availability, with nodes spread across three zones. Performance is monitored using Cloud Monitoring, and they have set up alerts for NAT gateway usage spikes.
Enterprise Scenario 2: Healthcare Application with HIPAA Compliance
A healthcare startup deploys a GKE private cluster to host a patient portal that processes PHI. They require that no traffic goes over the public internet. They use Private Google Access for access to Cloud SQL and Cloud Storage. They have a Cloud VPN connection to their on-premises data center for legacy system integration. The control plane is accessed via IAP TCP forwarding, eliminating the need for a bastion host. They use Cloud Audit Logs to monitor access. A common misconfiguration is forgetting to enable Private Google Access on the subnet, causing pods to fail pulling images. They also learned the hard way that Cloud NAT must be configured if they need to access external APIs (e.g., for prescription verification). They use Network Policies to restrict pod-to-pod communication based on namespaces.
Enterprise Scenario 3: E-commerce Platform with Multi-region Deployment
A global e-commerce company runs its microservices on GKE private clusters in multiple regions. Each cluster is in a separate VPC with VPC Network Peering between them for inter-service communication. They use Cloud NAT with static IPs for outbound traffic to partner APIs. The control planes are accessed via authorized networks that include the corporate VPN CIDR. They use Cloud DNS private zones for service discovery. A common issue they faced was IP exhaustion in the pod secondary range due to rapid scaling; they now use larger CIDR blocks (/16) for pods. They also use GKE Sandbox for untrusted workloads. The operations team uses Config Connector to manage GKE resources declaratively. They have automated cluster creation with Terraform, ensuring consistent configuration across regions.
ACE Exam Focus on GKE Private Clusters
The ACE exam tests your understanding of GKE Private Clusters under Domain 5: Security Compliance, Objective 5.2: Configuring network security. Key areas include:
Differentiating between private and public clusters.
Understanding control plane accessibility options (private only, public with authorized networks, IAP).
Knowing how to provide outbound internet access (Cloud NAT, Private Google Access).
Identifying required firewall rules.
Recognizing when to use private clusters for compliance.
Common Wrong Answers and Why They Are Wrong
1. "Private clusters automatically provide outbound internet access." - Why wrong: Private nodes have no public IPs. Without Cloud NAT or Private Google Access, they cannot reach the internet. The exam expects you to know that you must explicitly configure outbound access.
2. "The control plane in a private cluster has no public endpoint at all." - Why wrong: You can optionally enable a public endpoint with authorized networks. The private cluster only means the control plane has a private IP; the public endpoint can be enabled for management access.
3. "Private Google Access allows outbound access to any internet destination." - Why wrong: Private Google Access only works for Google APIs and services (e.g., GCR, Cloud Storage). For general internet access, you need Cloud NAT.
4. "You cannot use Cloud NAT with a private cluster." - Why wrong: Cloud NAT is commonly used with private clusters. It is the recommended way to provide outbound internet access.
Specific Numbers and Terms
Control plane CIDR must be /28.
Default node subnet CIDR is /22.
Private Google Access is a subnet-level setting.
IAP TCP forwarding uses port 22 or 3389 for SSH/RDP, but for GKE it uses HTTPS (port 443).
Authorized networks can specify up to 50 CIDR blocks.
Edge Cases the Exam Tests
Regional private clusters: The control plane in each zone has a separate private IP. You must authorize access to all of them.
Upgrading a private cluster: The control plane IP may change. Firewall rules and authorized networks must be updated.
Using Cloud NAT with static IPs: For whitelisting, you can reserve static IPs for NAT.
VPC-native vs. routes-based: The exam assumes VPC-native (alias IP) is used. Routes-based clusters are legacy.
How to Eliminate Wrong Answers
If a question mentions "outbound internet access" for a private cluster, look for Cloud NAT or Private Google Access in the answer choices. If neither is present, the answer is likely wrong.
If a question asks how to access the control plane from the internet, look for "authorized networks" or "IAP". Do not choose "public endpoint" without restrictions.
If a question asks about pulling images from GCR, look for "Private Google Access" or "Cloud NAT" (if external registry).
Remember that private clusters can have public nodes if --enable-private-nodes is not used. The exam may test this nuance.
A private cluster means the control plane has a private IP address; nodes can be private or public.
To make nodes private, use the --enable-private-nodes flag.
Private clusters require Cloud NAT for outbound internet access to non-Google services.
Private Google Access (subnet-level) allows access to Google APIs without public IPs.
Control plane access from outside the VPC can be achieved via authorized networks (public endpoint) or IAP TCP forwarding.
The control plane CIDR must be /28 and must not overlap with other VPC ranges.
Firewall rules must allow traffic on ports 443 and 10250 between control plane and nodes.
Regional private clusters have a control plane private IP per zone.
These come up on the exam all the time. Here's how to tell them apart.
Public Cluster
Control plane has a public IP address accessible from the internet.
Nodes can have public IPs by default.
No additional configuration needed for outbound internet access.
Less secure; control plane exposed to internet.
Simpler to set up for development environments.
Private Cluster
Control plane has a private IP accessible only within the VPC.
Nodes have private IPs only (if --enable-private-nodes is used).
Requires Cloud NAT or Private Google Access for outbound internet.
More secure; control plane not exposed to internet.
More complex; requires additional networking setup.
Mistake
Private clusters do not need any firewall rules because GKE manages them automatically.
Correct
GKE creates default firewall rules for control plane-to-node and node-to-control plane communication, but you may need additional rules for load balancer health checks, pod-to-pod across nodes, or custom traffic. Misconfiguring firewall rules can break cluster functionality.
Mistake
Private Google Access allows pods to reach any internet service.
Correct
Private Google Access only provides connectivity to Google APIs and services (e.g., Cloud Storage, BigQuery, Container Registry). For general internet access (e.g., Docker Hub, external APIs), you must configure Cloud NAT.
Mistake
You cannot use a public endpoint with a private cluster.
Correct
You can enable a public endpoint for the control plane and restrict access using authorized networks. This is a common hybrid approach for management access from corporate networks.
Mistake
Private clusters automatically have Cloud NAT configured.
Correct
Cloud NAT is not automatically created. You must explicitly create a Cloud NAT router and configuration. Without it, private nodes cannot reach the internet.
Mistake
The control plane in a private cluster is deployed in your VPC as a VM.
Correct
The control plane is a Google-managed service that runs in a Google-owned project. It is only assigned a private IP from your VPC via internal load balancing. You do not manage the control plane infrastructure.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
You can access the control plane by either enabling a public endpoint with authorized networks (allowing your laptop's public IP) or using IAP TCP forwarding. For IAP, install the IAP Desktop or use `gcloud compute start-iap-tunnel` to create a tunnel to a bastion host in the VPC, then run `kubectl` commands through that tunnel. Alternatively, set up a bastion host (Compute Engine VM) with a public IP in the same VPC, SSH into it, and run `kubectl` from there.
No, you do not need Cloud NAT if you only need to pull images from Google Container Registry (GCR) or access other Google APIs. Enable Private Google Access on the subnet where nodes are located. This allows nodes to reach GCR and other Google services over Google's private network without public IPs. However, if you need to pull images from Docker Hub or any external registry, you must configure Cloud NAT.
No, you cannot directly convert an existing public cluster to a private cluster. You must create a new private cluster and migrate your workloads. However, you can update a private cluster to enable or disable the public endpoint for the control plane using `gcloud container clusters update` with `--enable-master-authorized-networks` or `--no-enable-master-authorized-networks`.
GKE automatically creates firewall rules that allow: (1) Inbound traffic from the control plane's private IP range to nodes on TCP ports 443 (HTTPS) and 10250 (kubelet). (2) Inbound traffic from nodes to the control plane on TCP port 443. (3) Inbound traffic from Google Cloud health check ranges to nodes for load balancing. (4) Outbound traffic from nodes to the control plane. You may need to add custom rules for pod-to-pod communication across nodes or for external load balancers.
`--private-cluster` makes the control plane private (assigns it a private IP). `--enable-private-nodes` ensures that the nodes do not have public IPs. You can have a private cluster with public nodes (by omitting `--enable-private-nodes`), but the reverse (public cluster with private nodes) is not possible. For a fully private cluster, use both flags.
IAP TCP forwarding allows you to establish a secure tunnel from your local machine to a VM instance (bastion) in the VPC that has the IAP role. You then use `kubectl` to connect to the control plane's private IP through that tunnel. The tunnel uses HTTPS and is authenticated via Google Cloud IAM. This avoids exposing the control plane to the internet. To use it, enable the IAP API, grant the `roles/iap.tunnelResourceAccessor` role to your user, and use `gcloud compute start-iap-tunnel` to create the tunnel.
Yes, you can use Cloud Load Balancing (HTTP(S), TCP/UDP) with a private cluster. The load balancer will have a public or internal IP depending on the type. For internal load balancing, the load balancer IP is within your VPC. For external load balancing, the load balancer has a public IP and forwards traffic to your private nodes via the VPC. Ensure firewall rules allow health check probes from Google's health check ranges.
You've just covered GKE Private Clusters — now see how well it sticks with free ACE practice questions. Full explanations included, no account needed.
Done with this chapter?