GKE - Google Kubernetes Engine

Networking for GKE clusters

Demo: Creating a private cluster with limited public endpoint access

In this hands-on tutorial, you will:

  • Provision a private Google Kubernetes Engine (GKE) cluster with no external node IPs
  • Explore how private endpoints restrict API access
  • Attempt to authorize an external IP and observe the limitation
  • Create a public-endpoint cluster with Master Authorized Networks for controlled external access

Prerequisites

Set the active project (the lab uses clgcporg8-037; substitute your own project ID):

gcloud config set project clgcporg8-037


1. Set Your Compute Zone

Configure your default zone to us-west1-a:

gcloud config set compute/zone us-west1-a

2. Create a Private-Endpoint Cluster

We'll build a VPC-native cluster called gke-deep-dive with:

Feature                       Description
Private nodes                 Nodes get no external IP; they reach Google APIs and the internet only through Private Google Access or Cloud NAT
Private endpoint              Control plane reachable only on its VPC-internal IP, taken from the /28 passed as --master-ipv4-cidr
IP aliasing (VPC-native)      Pod and Service CIDRs are alias ranges of the subnet, managed by GKE
10 GB pd-standard boot disk   Persistent disk for the node OS and kubelet data (small, but enough for a lab)
gcloud container clusters create gke-deep-dive \
  --num-nodes=1 \
  --disk-type=pd-standard \
  --disk-size=10 \
  --create-subnetwork name=gke-deep-dive-subnet \
  --enable-ip-alias \
  --enable-private-nodes \
  --enable-private-endpoint \
  --master-ipv4-cidr=172.16.0.32/28 \
  --zone=us-west1-a

Note

Cluster provisioning may take 10–15 minutes.
You can monitor progress in the Cloud Console or via gcloud container operations list.

3. Verify the Private Cluster Configuration

Inspect the cluster to confirm the private-node and private-endpoint settings:

gcloud container clusters describe gke-deep-dive --zone=us-west1-a

Look for the privateClusterConfig block:

privateClusterConfig:
  enablePrivateEndpoint: true
  enablePrivateNodes: true
  masterIpv4CidrBlock: 172.16.0.32/28
  privateEndpoint: <address inside 172.16.0.32/28>
  publicEndpoint: <Google-assigned public address>

The output still lists a publicEndpoint address, but with enablePrivateEndpoint set to true that address does not serve the Kubernetes API. Clients, Cloud Shell included, must reach the control plane on the privateEndpoint address from inside the VPC or from a network connected to it (Cloud VPN, Interconnect, or a bastion VM in the subnet).

4. Try Authorizing an External IP

Fetch your Cloud Shell VM's public IP and attempt to add it to the cluster's master authorized networks:

MY_IP=$(dig +short myip.opendns.com @resolver1.opendns.com)
echo "$MY_IP/32"

gcloud container clusters update gke-deep-dive \
  --zone=us-west1-a \
  --enable-master-authorized-networks \
  --master-authorized-networks $MY_IP/32

You will receive an error like the following (the address shown is the lab's Cloud Shell IP; yours will differ):

ERROR: (gcloud.container.clusters.update) ...
Invalid master authorized networks: network "35.247.165.143/32" is not a reserved network,
which is required for private endpoints.

Warning

A private-endpoint cluster accepts only internal ("reserved", i.e. RFC 1918) ranges in its authorized networks, because the only address that serves the API is the VPC-internal one; an external public IP could never reach it, so the update is rejected outright. To administer gke-deep-dive you need a client inside the VPC (for example a bastion VM in gke-deep-dive-subnet) or a network connected to it over Cloud VPN or Interconnect, and you authorize that client's internal range instead.
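The check that the error message performs server-side can be made locally before calling gcloud. The following POSIX shell script is an added example, not part of the KodeKloud lab or of the gcloud tooling: it verifies that a CIDR lies entirely inside one RFC 1918 range (the "reserved" networks the error refers to) and only then issues the update. The function names (ip_to_int, cidr_is_reserved, authorize_private_endpoint) are the example's own.

```sh
# Added example, not from the KodeKloud lab: a pre-flight gate for
# --master-authorized-networks on a private-endpoint cluster. GKE rejects
# any authorized network that is not a "reserved" (RFC 1918) range, so we
# check locally before spending an API round trip. Pure POSIX sh.

# ip_to_int A.B.C.D -> the address as an unsigned 32-bit integer.
ip_to_int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_is_reserved CIDR
# Returns 0 when the whole block lies inside one RFC 1918 range
# (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), 1 for anything else,
# including malformed input such as a missing or out-of-range prefix.
cidr_is_reserved() {
  cidr=$1
  case "$cidr" in */*) ;; *) return 1 ;; esac
  ip=${cidr%/*}
  prefix=${cidr#*/}
  # Prefix 0-32, written without leading zeros (avoids octal surprises in $(( ))).
  case "$prefix" in [0-9]|[12][0-9]|3[0-2]) ;; *) return 1 ;; esac

  # Exactly four decimal octets, each 0-255, no leading zeros.
  n=0
  for oct in $(printf '%s' "$ip" | tr '.' ' '); do
    case "$oct" in 0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;; *) return 1 ;; esac
    [ "$oct" -le 255 ] || return 1
    n=$((n + 1))
  done
  [ "$n" -eq 4 ] || return 1

  # Normalise to the network address, then compute the block's last address.
  size=$(( 1 << (32 - prefix) ))
  start=$(( $(ip_to_int "$ip") & ((1 << 32) - size) ))
  end=$(( start + size - 1 ))

  for range in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
    rstart=$(ip_to_int "${range%/*}")
    rend=$(( rstart + (1 << (32 - ${range#*/})) - 1 ))
    if [ "$start" -ge "$rstart" ] && [ "$end" -le "$rend" ]; then
      return 0
    fi
  done
  return 1
}

# authorize_private_endpoint CLUSTER ZONE CIDR
# Calls gcloud only when the CIDR can be accepted; otherwise explains why
# the update would fail with "is not a reserved network".
authorize_private_endpoint() {
  if cidr_is_reserved "$3"; then
    gcloud container clusters update "$1" --zone="$2" \
      --enable-master-authorized-networks \
      --master-authorized-networks "$3"
  else
    echo "refusing $3: a private-endpoint cluster only accepts RFC 1918 ranges" >&2
    return 2
  fi
}

# Would fail the gate, exactly like the lab's Cloud Shell address:
#   authorize_private_endpoint gke-deep-dive us-west1-a 35.247.165.143/32
# Would pass it (a bastion subnet inside the VPC):
#   authorize_private_endpoint gke-deep-dive us-west1-a 10.10.0.0/24
```

The gate also rejects blocks that straddle a boundary (10.0.0.0/7 covers 11.0.0.0/8 as well, which is not reserved) and blocks like 172.32.0.0/16 that sit just outside 172.16.0.0/12, both of which GKE would likewise refuse.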

5. Create a Public-Endpoint Cluster with Master Authorized Networks

To allow restricted external API access, we'll spin up gke-deep-dive-public: private nodes again, but this time the control plane keeps its public endpoint, and Master Authorized Networks (called control plane authorized networks in current GKE documentation; the gcloud flags keep the older name) will limit which source addresses may connect to it. The create command below does not enable authorized networks yet, so until step 5.1 the public endpoint accepts connections from any address (authentication is still required):

gcloud container clusters create gke-deep-dive-public \
  --num-nodes=1 \
  --disk-type=pd-standard \
  --disk-size=10 \
  --subnetwork=gke-deep-dive-subnet \
  --enable-ip-alias \
  --enable-private-nodes \
  --master-ipv4-cidr=172.16.0.16/28 \
  --zone=us-west1-a

Note

This cluster also takes 10–15 minutes to provision.

5.1 Authorize Your External IP

Retrieve your IP again and add it to the new cluster's authorized networks:

MY_IP=$(dig +short myip.opendns.com @resolver1.opendns.com)
gcloud container clusters update gke-deep-dive-public \
  --zone=us-west1-a \
  --enable-master-authorized-networks \
  --master-authorized-networks $MY_IP/32

5.2 Confirm Master Authorized Networks

Run:

gcloud container clusters describe gke-deep-dive-public --zone=us-west1-a

You should see the authorized-network list enabled with your address (the IP below is the lab's; yours will differ) and a privateClusterConfig with private nodes but no private endpoint:

masterAuthorizedNetworksConfig:
  cidrBlocks:
  - cidrBlock: 35.247.165.143/32
  enabled: true
privateClusterConfig:
  enablePrivateNodes: true
  masterIpv4CidrBlock: 172.16.0.16/28
  privateEndpoint: <address inside 172.16.0.16/28>
  publicEndpoint: <Google-assigned public address>

Here enablePrivateEndpoint is absent or false, and the publicEndpoint address is the one kubectl will use in the next step.

6. Access Your Public-Endpoint Cluster

Configure kubectl and list nodes:

gcloud container clusters get-credentials gke-deep-dive-public --zone=us-west1-a
kubectl get nodes

You should see one node in the READY state. This works from Cloud Shell only because the public endpoint is enabled and Cloud Shell's address is in the authorized list; the same two commands against gke-deep-dive would time out, since its only API address is inside the VPC. Cloud Shell's public IP is not stable across sessions, so if kubectl later fails with a connection timeout, re-run step 5.1 with the current address.

7. Compare Your Clusters

List all clusters in the zone:

gcloud container clusters list --zone=us-west1-a

Cluster name            Private endpoint   Public endpoint   Master authorized networks
gke-deep-dive           Enabled            Disabled          N/A (only internal ranges accepted)
gke-deep-dive-public    Disabled           Enabled           Your IP/32
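To produce the comparison above, and to confirm the state after step 5.2, without reading the YAML by eye, the following script classifies a cluster's API exposure from its gcloud container clusters describe output. It is an added example, not from the lab: the parsing uses awk so it runs anywhere, and the three sample documents are constructed (trimmed to the keys that matter, with made-up TEST-NET addresses in 203.0.113.0/24), not real describe output. The function names are the example's own.

```sh
# Added example, not from the KodeKloud lab: classify a GKE cluster's
# API-exposure posture from the YAML that
# `gcloud container clusters describe` prints on stdout.

# classify_cluster < describe.yaml
# Prints exactly one line:
#   private-endpoint                    API served only on the VPC-internal address
#   public-endpoint-restricted:<cidrs>  public address, limited to the listed networks
#   public-endpoint-open                public address, no authorized-network filter
classify_cluster() {
  awk '
    /^[^ ]/ { section = $1 }   # top-level key such as "privateClusterConfig:"
    section == "privateClusterConfig:" && $1 == "enablePrivateEndpoint:" && $2 == "true" { priv = 1 }
    section == "masterAuthorizedNetworksConfig:" && $1 == "enabled:" && $2 == "true" { man = 1 }
    section == "masterAuthorizedNetworksConfig:" && $1 == "-" && $2 == "cidrBlock:" {
      cidrs = cidrs (cidrs == "" ? "" : ",") $3
    }
    END {
      if (priv)                    print "private-endpoint"
      else if (man && cidrs != "") print "public-endpoint-restricted:" cidrs
      else                         print "public-endpoint-open"
    }'
}

# Constructed sample: the shape of the first (private-endpoint) cluster.
sample_private_endpoint() {
  cat <<'EOF'
name: gke-deep-dive
masterAuthorizedNetworksConfig:
  enabled: true
privateClusterConfig:
  enablePrivateEndpoint: true
  enablePrivateNodes: true
  masterIpv4CidrBlock: 172.16.0.32/28
  privateEndpoint: 172.16.0.34
  publicEndpoint: 203.0.113.10
EOF
}

# Constructed sample: the second cluster after step 5.1.
sample_restricted_public() {
  cat <<'EOF'
name: gke-deep-dive-public
masterAuthorizedNetworksConfig:
  cidrBlocks:
  - cidrBlock: 35.247.165.143/32
  enabled: true
privateClusterConfig:
  enablePrivateNodes: true
  masterIpv4CidrBlock: 172.16.0.16/28
  privateEndpoint: 172.16.0.18
  publicEndpoint: 203.0.113.20
EOF
}

# Constructed sample: the second cluster between creation and step 5.1,
# the posture you do not want to leave in place.
sample_open_public() {
  cat <<'EOF'
name: gke-deep-dive-public
privateClusterConfig:
  enablePrivateNodes: true
  masterIpv4CidrBlock: 172.16.0.16/28
  privateEndpoint: 172.16.0.18
  publicEndpoint: 203.0.113.20
EOF
}

# Live use (needs gcloud and an authenticated session):
#   gcloud container clusters describe gke-deep-dive-public --zone=us-west1-a | classify_cluster
```

The third classification is the one to watch for: private nodes say nothing about who can reach the API server, and a public endpoint with no authorized-network list is open to the whole internet, relying on authentication alone.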
