How to connect multiple cloud with overlapping VPC?

强颜欢笑 submitted on 2020-12-08 06:25:09

Question


We are creating a Console to administer, view logs and metrics, and create resources on Kubernetes in a multicloud environment.
The Console (a web app) is deployed on GKE in GCP, but we can't figure out how we can connect to and reach K8s API servers in multiple VPCs with overlapping IPs, without exposing them on public IPs.
I drew a little diagram to illustrate the problem.

Are there some products or best practices to perform this securely?
Product vendors such as Mongo Atlas or Confluent Cloud seem to have solved this issue: they can create infrastructure in multiple clouds and administer it.


Answer 1:


It's not possible to connect two overlapping networks with a VPN, even if they're in different clouds (GCP & AWS).

I'd suggest using NAT translation on both sides and connecting the networks using a VPN. Here's some documentation that may help you. Unfortunately it's quite a bit of reading and setting up. Not the easiest solution, but it has the benefit of being reliable, and it's a quite old and tested approach.

General docs

  • Configure NAT to Enable Communication Between Overlapping Networks
  • Using NAT in Overlapping Networks

GCP side

  • Cloud NAT overview
  • Using Cloud NAT

AWS side

  • NAT instances
  • Comparison of NAT instances and NAT gateways

Your second option is to split the original networks into smaller chunks so they would not overlap, but that's not always possible (due to the network being small enough already and many IPs being used up...).




Answer 2:


It depends on a couple of factors in the environments. To access an overlapping network you need some form of gateway. It can be some kind of proxy (SOCKS/HTTP/other) or a router/gateway (with NAT...). If you can access the 192.168.23.0/24 or any other subnet that can connect to the AWS 192.168.2.0/24 subnet from GCP, then you can use either one of the solutions. I assume that AWS and GCP can provide the tunnel between the gateway/proxy networks. If you don't need a security layer for the tunnel you can use a VXLAN tunnel and secure the TCP/other application protocol.




Answer 3:


Using Google Cloud VPN with AWS Virtual Private Gateway you can accomplish such a thing. A detailed description by Google is given in this documentation.

It describes two VPN topologies:

  • A site-to-site route-based IPsec VPN tunnel configuration.
  • A site-to-site IPsec VPN tunnel configuration using Google Cloud Router and dynamic routing with the BGP protocol.

Additionally, when CIDR ranges overlap, you would need to create new VPC/CIDR ranges that are non-overlapping. Otherwise, you could never connect to instances that have the same IP addresses in both AWS and GCP.
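The two pieces of planning that Answer 1 (1:1 NAT on both sides of the VPN) and Answer 3 (detect and avoid overlapping CIDRs) both require, as an added example that is not part of the original question or any answer: find which VPCs overlap, validate a NAT prefix that collides with nothing, and compute the translated address a host will be reached at. All CIDRs except 192.168.2.0/24 are constructed; the 100.64.0.0/10 translation ranges are an assumption (RFC 6598 shared address space is a common choice for this).

```python
# Added example, not code from the thread. Plans a host-preserving 1:1 NAT
# (the kind iptables NETMAP or a cloud NAT appliance applies) so that two
# overlapping VPCs can be joined over a VPN. Sample CIDRs are constructed.
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Tuple


def overlapping_pairs(vpcs: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return every pair of VPCs whose CIDRs overlap; these cannot be VPN-connected directly."""
    names = sorted(vpcs)
    nets = {n: IPv4Network(vpcs[n]) for n in names}
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def plan_nat_map(real: str, nat_prefix: str, others: Dict[str, str]) -> IPv4Network:
    """Validate a 1:1 NAT prefix for `real`: same size, and disjoint from every other range."""
    real_net, nat_net = IPv4Network(real), IPv4Network(nat_prefix)
    if real_net.prefixlen != nat_net.prefixlen:
        raise ValueError("1:1 NAT prefix must be the same length as the real range")
    for name, cidr in others.items():
        if nat_net.overlaps(IPv4Network(cidr)):
            raise ValueError(f"NAT prefix {nat_prefix} collides with {name} ({cidr})")
    return nat_net


def translate(ip: str, real: str, nat_prefix: str) -> IPv4Address:
    """Map a host in `real` to its address in `nat_prefix`, keeping the host bits unchanged."""
    real_net, nat_net = IPv4Network(real), IPv4Network(nat_prefix)
    addr = IPv4Address(ip)
    if addr not in real_net:
        raise ValueError(f"{ip} is not inside {real}")
    offset = int(addr) - int(real_net.network_address)
    return IPv4Address(int(nat_net.network_address) + offset)


if __name__ == "__main__":
    # Constructed scenario: the GKE console's VPC and an AWS VPC share 192.168.2.0/24.
    vpcs = {"gcp": "192.168.2.0/24", "aws": "192.168.2.0/24", "azure": "10.50.0.0/16"}
    print("overlapping:", overlapping_pairs(vpcs))          # [('aws', 'gcp')]
    # Give the AWS side a translated prefix that no real VPC uses (assumed value).
    aws_nat = plan_nat_map("192.168.2.0/24", "100.64.2.0/24", {k: v for k, v in vpcs.items() if k != "aws"})
    # The GKE console must route to this address to reach the AWS API server at 192.168.2.10.
    print("aws api-server as seen from gcp:", translate("192.168.2.10", "192.168.2.0/24", str(aws_nat)))
```

The same `plan_nat_map`/`translate` pair is applied in the other direction for the GCP range, so each side's NAT device holds one static prefix mapping and the VPN routes carry only the translated prefixes.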



Source: https://stackoverflow.com/questions/64441644/how-to-connect-multiple-cloud-with-overlapping-vpc
