Create Alias IPs for the node network CIDR range in order to subsequently configure IP-based policies and firewalling for pods. A cluster that uses Alias IPs is called a 'VPC-native' cluster.

Rationale:
Using Alias IPs has several benefits:
- Pod IPs are reserved within the network ahead of time, which prevents conflict with other compute resources.
- The networking layer can perform anti-spoofing checks to ensure that egress traffic is not sent with arbitrary source IPs.
- Firewall controls for Pods can be applied separately from their nodes.
- Alias IPs allow Pods to directly access hosted services without using a NAT gateway.
Solution
Use of Alias IPs cannot be enabled on an existing cluster. To create a new cluster using Alias IPs, follow the instructions below.

Using Google Cloud Console
1. Go to Kubernetes Engine by visiting https://console.cloud.google.com/kubernetes/list
2. Click CREATE CLUSTER.
3. Configure your cluster as desired. Then, click 'Availability, networking, security, and additional features'.
4. In the 'VPC-native' section, leave 'Enable VPC-native (using alias IP)' selected.
5. Click CREATE.

Using Command Line
To enable Alias IP on a new cluster, run the following command:

    gcloud container clusters create [CLUSTER_NAME] \
        --zone [COMPUTE_ZONE] \
        --enable-ip-alias

Impact:
You cannot currently migrate an existing cluster that uses routes for Pod routing to a cluster that uses Alias IPs. Cluster IPs for internal services remain only available from within the cluster. If you want to access a Kubernetes Service from within the VPC, but from outside of the cluster, use an internal load balancer.

Default Value:
By default, VPC-native (using alias IP) is enabled when you create a new cluster in the Google Cloud Console. However, it is disabled when creating a new cluster using the gcloud CLI, unless the --enable-ip-alias argument is specified.
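Because the gcloud default differs from the Console default, existing clusters are worth auditing for this setting. The following added check (not part of this benchmark text) reads the JSON that `gcloud container clusters list --format=json` emits and flags any cluster whose `ipAllocationPolicy.useIpAliases` is not true; the two cluster records embedded below are constructed sample data, and a cluster that lacks the field entirely is treated as routes-based.

```python
import json

# Constructed sample of `gcloud container clusters list --format=json` output,
# trimmed to the fields this check needs (one VPC-native cluster, one routes-based).
SAMPLE_CLUSTERS_JSON = """
[
  {"name": "prod-native", "location": "us-central1",
   "ipAllocationPolicy": {"useIpAliases": true, "clusterIpv4Cidr": "10.4.0.0/14"}},
  {"name": "legacy-routes", "location": "us-central1-a",
   "ipAllocationPolicy": {}}
]
"""


def is_vpc_native(cluster: dict) -> bool:
    """True when the cluster uses Alias IPs (VPC-native) for Pod addressing.

    A routes-based cluster either lacks ipAllocationPolicy entirely or leaves
    useIpAliases unset or false, so a missing key counts as non-compliant.
    """
    policy = cluster.get("ipAllocationPolicy") or {}
    return policy.get("useIpAliases") is True


def audit_clusters(clusters_json: str) -> list:
    """Return one finding per cluster: name, location, compliance and Pod CIDR."""
    findings = []
    for cluster in json.loads(clusters_json):
        policy = cluster.get("ipAllocationPolicy") or {}
        findings.append({
            "name": cluster.get("name", "<unnamed>"),
            "location": cluster.get("location", "<unknown>"),
            "vpc_native": is_vpc_native(cluster),
            "pod_cidr": policy.get("clusterIpv4Cidr"),
        })
    return findings


if __name__ == "__main__":
    # A FAIL cannot be fixed in place: the cluster must be recreated with --enable-ip-alias.
    for f in audit_clusters(SAMPLE_CLUSTERS_JSON):
        status = "PASS" if f["vpc_native"] else "FAIL"
        print(f"{status}: {f['name']} ({f['location']}) pod_cidr={f['pod_cidr']}")
```

To run it against a real project, replace the embedded sample with the output of `gcloud container clusters list --format=json`.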