TL;DR

A private GKE cluster's outbound traffic to *.googleapis.com and *.pkg.dev flows through Cloud NAT by default and pays $0.0385/GB of data processing on every byte, in both directions. The GCP UI says "Private Google Access is in effect" for the subnet, which makes it sound like that traffic already bypasses NAT. It does not. To bypass NAT for Google API traffic, I added a private Cloud DNS zone resolving the Google API hostnames to the restricted.googleapis.com VIP range (199.36.153.4/30) and a VPC route sending that /30 via the default internet gateway. After that, the traffic stays on Google's backbone and skips the NAT gateway.
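The DNS zone plus route setup described above, written out as a Terraform configuration. This is an added example, not the post's own config: the network name (`google_compute_network.vpc`), resource names, and TTLs are assumptions, and the zone for `pkg.dev` is shown alongside `googleapis.com` because the post names both hostnames.

```hcl
# Assumed existing VPC that the private GKE cluster lives in.
data "google_compute_network" "vpc" {
  name = "gke-vpc" # hypothetical network name
}

# Private zone overriding public resolution of googleapis.com for this VPC only.
resource "google_dns_managed_zone" "googleapis" {
  name       = "googleapis-restricted"
  dns_name   = "googleapis.com."
  visibility = "private"

  private_visibility_config {
    networks {
      network_url = data.google_compute_network.vpc.id
    }
  }
}

# restricted.googleapis.com resolves to the four addresses in 199.36.153.4/30.
resource "google_dns_record_set" "restricted_a" {
  managed_zone = google_dns_managed_zone.googleapis.name
  name         = "restricted.googleapis.com."
  type         = "A"
  ttl          = 300
  rrdatas      = ["199.36.153.4", "199.36.153.5", "199.36.153.6", "199.36.153.7"]
}

# Every other *.googleapis.com name is aliased onto the restricted VIP.
resource "google_dns_record_set" "googleapis_wildcard" {
  managed_zone = google_dns_managed_zone.googleapis.name
  name         = "*.googleapis.com."
  type         = "CNAME"
  ttl          = 300
  rrdatas      = ["restricted.googleapis.com."]
}

# Same treatment for pkg.dev (Artifact Registry), which GKE pulls images from.
resource "google_dns_managed_zone" "pkg_dev" {
  name       = "pkg-dev-restricted"
  dns_name   = "pkg.dev."
  visibility = "private"

  private_visibility_config {
    networks {
      network_url = data.google_compute_network.vpc.id
    }
  }
}

resource "google_dns_record_set" "pkg_dev_wildcard" {
  managed_zone = google_dns_managed_zone.pkg_dev.name
  name         = "*.pkg.dev."
  type         = "CNAME"
  ttl          = 300
  rrdatas      = ["restricted.googleapis.com."]
}

# Route the VIP /30 via the default internet gateway so it never reaches Cloud NAT.
# The VIP range is not publicly routable; the traffic stays on Google's network.
resource "google_compute_route" "restricted_googleapis" {
  name             = "restricted-googleapis-vip"
  network          = data.google_compute_network.vpc.name
  dest_range       = "199.36.153.4/30"
  next_hop_gateway = "default-internet-gateway"
  priority         = 1000
}
```

One caveat when choosing this VIP: restricted.googleapis.com only serves the APIs that support VPC Service Controls, which is what makes it the safer choice for an exfiltration-conscious perimeter. If a workload needs an API outside that set, the private.googleapis.com range (199.36.153.8/30) serves all APIs and needs the equivalent A records and route. Either way, confirm the effect after applying by checking that NAT connection logs no longer show flows to the API endpoints from the cluster's nodes.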