Question
These are the steps:
- In "Project A" I have a "network A" with postgresql private IP in it.
- Can access postgresql from VM existing in same "network A" through private IP.
- Create a new "network B" in same "Project A"
- Create a "VPC network peer" between "network A" and "network B"
- Fully open firewall
- Can't reach postgresql from "network B", though can ping VM existing on "network A"
Why can't I reach postgresql? Is it because SQL Private IP is in Beta mode, or am I missing something here?
Answer 1:
Cloud SQL Private IP access is setup through peering so network A is peered with network Z, which contains your Cloud SQL instance. When you peer A with B, B does not have access to network Z.
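The non-transitive peering described in this answer can be checked with a small reachability model. This is an added example, not code from the Stack Overflow post or from Google; the network names, CIDRs and the "servicenetworking" label for the Google-managed network that hosts the Cloud SQL instance (the answer's "network Z") are constructed assumptions. It also shows why a proxy VM in network A (the fix given in Answer 2) restores reachability from network B: each hop is a direct peering.

```python
"""Reachability across VPC peerings, modelled as a set of direct edges only.

Added example, not from the original post. Topology values are constructed.
"""
from ipaddress import ip_address, ip_network

# Constructed topology: which network owns which CIDR.
NETWORKS = {
    "network-a": [ip_network("10.10.0.0/16")],
    "network-b": [ip_network("10.20.0.0/16")],
    # Google-managed network holding the Cloud SQL private IP ("network Z").
    "servicenetworking": [ip_network("10.11.0.0/24")],
}

# Constructed peering edges. Peering is undirected and NOT transitive:
# a packet may only cross one edge.
PEERINGS = {
    frozenset({"network-a", "servicenetworking"}),  # created by Private IP setup
    frozenset({"network-a", "network-b"}),           # the user's manual peer
}


def owner_of(ip):
    """Return the name of the network whose CIDR contains ip, or None."""
    addr = ip_address(ip)
    for name, cidrs in NETWORKS.items():
        if any(addr in cidr for cidr in cidrs):
            return name
    return None


def directly_reachable(src_net, dst_ip):
    """True if dst_ip is in src_net itself or in a network directly peered with it."""
    dst_net = owner_of(dst_ip)
    if dst_net is None:
        return False
    if dst_net == src_net:
        return True
    return frozenset({src_net, dst_net}) in PEERINGS


def reachable_via_proxy(src_net, proxy_ip, dst_ip):
    """Two direct hops: src -> proxy VM, then proxy VM -> destination."""
    proxy_net = owner_of(proxy_ip)
    return (
        proxy_net is not None
        and directly_reachable(src_net, proxy_ip)
        and directly_reachable(proxy_net, dst_ip)
    )


if __name__ == "__main__":
    cloud_sql = "10.11.0.5"   # constructed Cloud SQL private IP
    vm_in_a = "10.10.0.7"     # constructed VM (or Cloud SQL proxy host) in network A
    print("A -> SQL:", directly_reachable("network-a", cloud_sql))        # True
    print("B -> VM in A:", directly_reachable("network-b", vm_in_a))      # True (ping works)
    print("B -> SQL:", directly_reachable("network-b", cloud_sql))        # False (no transitive peering)
    print("B -> proxy -> SQL:", reachable_via_proxy("network-b", vm_in_a, cloud_sql))  # True
```

The model deliberately has no path search: a real VPC does not forward a packet across a second peering, so "one edge only" is the whole rule, and the proxy works because it terminates the first hop on a VM that has its own direct edge to the Cloud SQL network.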
Answer 2:
Yes, a proxy is the way to go as mentioned in earlier response, because peering is not transitive.
It will be straightforward to access an SQL proxy in network "A" from peered network "B" VM.
As for access from Kubernetes cluster in network "B", there is one possible pitfall. By default, Kubernetes will not SNAT traffic destined to 10.0.0.0/8 and will try to keep it local. So you will need to change iptables rules on host instances to reach outside.
A permanent solution is to set up DaemonSet, but you can test this theory by manual changes on host first. For example:
iptables -t nat -A POSTROUTING -d 10.11.0.0/24 -m addrtype ! --dst-type LOCAL -j MASQUERADE
Here is a link to an excellent, simple guide https://blog.mrtrustor.net/post/iptables-kubernetes/.
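The SNAT pitfall in this answer can be reasoned about with a small model of the node's masquerade decision, plus an idempotent way to install the rule so that a DaemonSet restarting on a node does not append duplicates. This is an added example, not code from the post or from any Kubernetes project; the RFC 1918 non-masquerade list mirrors the ip-masq-agent defaults, and the pod, node and destination addresses are constructed.

```python
"""Which source IP a Cloud SQL instance sees for a pod's packet, and an
idempotent installer for the answer's POSTROUTING MASQUERADE rule.

Added example, not from the original post. Addresses are constructed.
"""
import subprocess
from ipaddress import ip_address, ip_network

# ip-masq-agent style defaults: traffic to RFC 1918 space is left with the
# pod IP as source (not masqueraded), which is the answer's 10.0.0.0/8 point.
NON_MASQ = [ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def egress_source(pod_ip, node_ip, dst_ip, extra_masq=()):
    """Return the source address the destination sees for a pod's packet.

    extra_masq: CIDRs for which the answer's MASQUERADE rule was appended.
    """
    dst = ip_address(dst_ip)
    if dst == ip_address(node_ip):
        return pod_ip            # '! --dst-type LOCAL': node-local traffic is never masqueraded
    if any(dst in ip_network(c) for c in extra_masq):
        return node_ip           # appended rule fires after the default chain RETURNs
    if any(dst in c for c in NON_MASQ):
        return pod_ip            # default: private destinations keep the pod IP
    return node_ip               # everything else is masqueraded to the node IP


def masq_rule(cidr, action="-A"):
    """Build the iptables command from the answer as an argv list."""
    return ["iptables", "-t", "nat", action, "POSTROUTING", "-d", cidr,
            "-m", "addrtype", "!", "--dst-type", "LOCAL", "-j", "MASQUERADE"]


def ensure_masq_rule(cidr, run=subprocess.run):
    """Install the rule only if absent: -C (check) before -A (append).

    Returns True if the rule was added, False if it was already present.
    `run` is injectable so the logic can be tested without root or iptables.
    """
    if run(masq_rule(cidr, "-C")).returncode == 0:
        return False
    run(masq_rule(cidr, "-A"), check=True)
    return True


if __name__ == "__main__":
    pod, node, cloud_sql = "10.4.0.3", "10.20.0.7", "10.11.0.5"   # constructed
    print(egress_source(pod, node, cloud_sql))                       # 10.4.0.3 (pod IP, unroutable back)
    print(egress_source(pod, node, cloud_sql, extra_masq=("10.11.0.0/24",)))  # 10.20.0.7 (node IP)
    print(" ".join(masq_rule("10.11.0.0/24")))
```

Without the extra rule the Cloud SQL network receives a packet whose source is a pod address it has no route back to, so the connection hangs; with the rule the node IP is the source, and the node is in a network that is directly peered. The `-C` check is what keeps the DaemonSet version safe to re-run on every restart.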
Source: https://stackoverflow.com/questions/52756065/cant-access-google-cloud-sql-with-private-ip-from-peered-vpc-network