This page describes the ingress allow VPC firewall rules that Google Kubernetes Engine (GKE) by default creates automatically in Google Cloud.
Applicable firewalls and egress firewalls
GKE uses Virtual Private Cloud (VPC) firewall rules to control incoming and outgoing traffic to your Pods and nodes. By default, GKE automatically creates and manages certain firewall rules to allow essential traffic, such as communication between nodes and Pods and traffic to your Kubernetes control plane. Although GKE creates ingress allow VPC firewall rules for LoadBalancer Services by default, you can disable this behavior to manage firewall rules or policies yourself or to use advanced firewall features.
Ingress allow firewall rules created by GKE aren't the only firewall rules that apply to nodes in a cluster. The complete set of applicable ingress and egress rules comes from hierarchical firewall policies, global network firewall policies, regional network firewall policies, and other VPC firewall rules.
Plan and design the configuration for your cluster, workloads, and Services with your organization's network administrators and security engineers, and understand the firewall policy and rule evaluation order so you know which firewall rules take precedence.
GKE creates only ingress VPC firewall rules because it relies on the implied allow egress rule, the lowest-priority (65535) rule that exists in every VPC network.
If you've configured egress deny firewall rules in your cluster's VPC network, you might have to create egress allow rules to permit communication between nodes, Pods, and the cluster's control plane. For example, if you've created an egress deny firewall rule for all protocols and ports and all destination IP addresses, you must create egress allow firewall rules, at a higher priority (lower priority number) than the deny rule, in addition to the ingress rules that GKE creates automatically. Connectivity to control plane endpoints always uses TCP destination port 443, but connectivity among nodes and Pods of the cluster can use any protocol and destination port.
The following tools are useful to determine which firewall rules allow or deny traffic:
Firewall rules
GKE by default creates firewall rules automatically when creating the following resources:
- GKE clusters
- GKE Services
- GKE Gateways and HTTPRoutes
- GKE Ingresses
Unless otherwise specified, the priority for all automatically created firewall rules is 1000, which is the default value for firewall rules. If you would like more control over firewall behavior, you can create firewall rules with a higher priority, that is, a lower priority number (for example, 900). Firewall rules with a higher priority are evaluated before the automatically created firewall rules, and when an allow rule and a deny rule match the same traffic at the same priority, the deny rule wins.
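The egress-deny scenario and the priority behaviour described above, as a runnable model. This is an added example, not code from GKE or Google Cloud: it implements the VPC evaluation order (lowest priority number wins, deny beats allow on a tie, the implied rules at 65535 match last) over a constructed rule set that mirrors the rules this page describes. The rule names, the node tag gke-demo-abc123-node, the subnet 10.0.0.0/24, the Pod range 10.4.0.0/14 and the control plane range 172.16.0.0/28 are assumptions, not values from a real cluster.

```python
"""Model of how VPC firewall rules are evaluated for one GKE node.

Added example, not GKE or Google Cloud code. The rule set mirrors the rules
this page describes; names, tags and ranges (gke-demo-abc123-*, subnet
10.0.0.0/24, Pod range 10.4.0.0/14, control plane range 172.16.0.0/28) are
constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    name: str
    direction: str          # "INGRESS" or "EGRESS"
    action: str             # "allow" or "deny"
    priority: int           # 0 is the highest priority, 65535 the lowest
    ranges: list[str]       # source ranges (ingress) or destination ranges (egress)
    protocols: dict         # {"tcp": [(lo, hi)], "icmp": []}; key "all" = every protocol
    target_tags: set = field(default_factory=set)  # empty = every instance in the network


ANY_PORT = [(1, 65535)]
NODE_TAGS = {"gke-demo-abc123-node"}      # assumed node network tag

# The two implied rules present in every VPC network, at the lowest priority.
IMPLIED_RULES = [
    Rule("implied-ingress-deny", "INGRESS", "deny", 65535, ["0.0.0.0/0"], {"all": []}),
    Rule("implied-egress-allow", "EGRESS", "allow", 65535, ["0.0.0.0/0"], {"all": []}),
]

# Ingress allow rules of the kind GKE creates at cluster creation (priority 1000).
GKE_RULES = [
    Rule("gke-demo-abc123-vms", "INGRESS", "allow", 1000, ["10.0.0.0/24"],
         {"tcp": ANY_PORT, "udp": ANY_PORT, "icmp": []}, NODE_TAGS),
    Rule("gke-demo-abc123-all", "INGRESS", "allow", 1000, ["10.4.0.0/14"],
         {"tcp": ANY_PORT, "udp": ANY_PORT, "sctp": ANY_PORT, "icmp": []}, NODE_TAGS),
]

# A user-created catch-all egress deny, as in the scenario this page describes.
DENY_ALL_EGRESS = Rule("deny-all-egress", "EGRESS", "deny", 1000, ["0.0.0.0/0"], {"all": []})

# Egress allows that keep the cluster working under that deny. They sit at 900:
# a lower number is a higher priority, so they are evaluated before the deny at 1000.
EGRESS_ALLOWS = [
    Rule("allow-egress-control-plane", "EGRESS", "allow", 900, ["172.16.0.0/28"],
         {"tcp": [(443, 443)]}, NODE_TAGS),
    Rule("allow-egress-cluster", "EGRESS", "allow", 900, ["10.0.0.0/24", "10.4.0.0/14"],
         {"all": []}, NODE_TAGS),
]

# A higher-priority user rule that overrides the automatically created -vms allow.
DENY_NODE_SSH = Rule("deny-node-ssh", "INGRESS", "deny", 900, ["10.0.0.0/24"],
                     {"tcp": [(22, 22)]}, NODE_TAGS)


def _matches(rule, direction, tags, peer_ip, proto, port):
    if rule.direction != direction:
        return False
    if rule.target_tags and not (rule.target_tags & tags):
        return False
    peer = ip_address(peer_ip)
    if not any(peer in ip_network(r) for r in rule.ranges):
        return False
    if "all" in rule.protocols:
        return True
    if proto not in rule.protocols:
        return False
    ports = rule.protocols[proto]
    return not ports or (port is not None and any(lo <= port <= hi for lo, hi in ports))


def evaluate(rules, direction, tags, peer_ip, proto, port=None):
    """Decide one flow for an instance carrying `tags`; returns (action, rule name).

    VPC order: among matching rules the lowest priority number wins; if a deny
    and an allow match at the same priority, the deny wins; the implied rules
    match last because nothing has a lower priority than 65535.
    """
    candidates = [r for r in list(rules) + IMPLIED_RULES
                  if _matches(r, direction, tags, peer_ip, proto, port)]
    if not candidates:       # only reachable for an address family no rule covers
        return ("deny" if direction == "INGRESS" else "allow"), "implied"
    winner = min(candidates, key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    return winner.action, winner.name


def demo():
    """The scenarios from this page, as a dict of flow -> (action, rule)."""
    with_deny = GKE_RULES + [DENY_ALL_EGRESS]
    fixed = with_deny + EGRESS_ALLOWS
    return {
        "node->node kubelet":            evaluate(GKE_RULES, "INGRESS", NODE_TAGS, "10.0.0.5", "tcp", 10250),
        "internet->node ssh":            evaluate(GKE_RULES, "INGRESS", NODE_TAGS, "203.0.113.7", "tcp", 22),
        "subnet->node ssh, deny at 900": evaluate(GKE_RULES + [DENY_NODE_SSH], "INGRESS", NODE_TAGS, "10.0.0.5", "tcp", 22),
        "cp egress, no deny":            evaluate(GKE_RULES, "EGRESS", NODE_TAGS, "172.16.0.2", "tcp", 443),
        "cp egress, deny only":          evaluate(with_deny, "EGRESS", NODE_TAGS, "172.16.0.2", "tcp", 443),
        "cp egress, with allows":        evaluate(fixed, "EGRESS", NODE_TAGS, "172.16.0.2", "tcp", 443),
        "pod egress, with allows":       evaluate(fixed, "EGRESS", NODE_TAGS, "10.4.1.9", "udp", 53),
        "internet egress, with allows":  evaluate(fixed, "EGRESS", NODE_TAGS, "8.8.8.8", "tcp", 443),
    }


if __name__ == "__main__":
    for flow, (action, rule) in demo().items():
        print(f"{flow:30} {action:5}  ({rule})")
```

Running it shows that a catch-all egress deny at priority 1000 blocks the control plane and intra-cluster flows even though GKE's ingress rules are untouched, and that egress allows at 900 restore them; the same allows at 1000 would lose the tie to the deny. The deny-node-ssh rule at 900 shows a user rule taking precedence over an automatically created allow. For a public control plane endpoint, the destination of the control plane allow has to be the endpoint's actual address rather than a private /28.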
GKE cluster firewall rules
GKE creates the following ingress firewall rules when creating a cluster. Each rule targets the cluster's nodes through the node network tag:
gke-[cluster-name]-[cluster-hash]-master
- Purpose: Permits the cluster control plane to reach the nodes (the kubelet).
- Source: The control plane's IP address range.
gke-[cluster-name]-[cluster-hash]-vms
- Purpose: Used for intra-cluster communication required by the Kubernetes networking model. Allows software running on nodes to send packets, with sources matching node IP addresses, to destination Pod IP and node IP addresses in the cluster. For example, traffic allowed by this rule includes packets sent from system daemons, such as the kubelet, to node and Pod IP address destinations of the cluster, and packets sent from software running in Pods with hostNetwork: true to node and Pod IP address destinations of the cluster.
- Source: For auto mode VPC networks, GKE uses the 10.128.0.0/9 CIDR because that range includes all current and future subnet primary IPv4 address ranges for the automatically created subnetworks. For custom mode VPC networks, GKE uses the primary IPv4 address range of the cluster's subnet.
gke-[cluster-name]-[cluster-hash]-all
- Purpose: Permits traffic between all Pods in the cluster, as required by the Kubernetes networking model.
- Source: The Pod CIDR. For clusters with discontiguous multi-Pod CIDR enabled, all Pod CIDR blocks used by the cluster.
gke-[cluster-hash]-ipv6-all
- Purpose: For dual-stack clusters, permits IPv6 traffic between nodes and Pods.
- Source: The same IP address range allocated in subnetIpv6CidrBlock.
gke-[cluster-name]-[cluster-hash]-inkubelet
- Purpose: Denies access from inside the cluster to the kubelet's read-only port (TCP 10255).
- Source: Internal Pod CIDRs and node CIDRs.
gke-[cluster-name]-[cluster-hash]-exkubelet
- Purpose: Denies public access to the kubelet's read-only port (TCP 10255).
- Source: 0.0.0.0/0
GKE Service firewall rules
GKE creates the following ingress firewall rules when creating a Service. You can prevent some of these firewall rules from being created by managing VPC firewall rules creation. The four ranges 35.191.0.0/16, 130.211.0.0/22, 209.85.152.0/22, and 209.85.204.0/22 that appear below are the Google Cloud health-check probe ranges; the health-check rules exist only so that load balancer health checks from those ranges reach the nodes.
k8s-fw-[loadbalancer-hash]
- Purpose: Permits traffic to reach the LoadBalancer Service.
- Source: spec.loadBalancerSourceRanges. Defaults to 0.0.0.0/0 if spec.loadBalancerSourceRanges is omitted. For more details, see Firewall rules and source IP address allowlist.
k8s-[cluster-id]-node-http-hc
- Purpose: Permits load balancer health checks when externalTrafficPolicy is set to Cluster.
- Source: 35.191.0.0/16, 130.211.0.0/22, 209.85.152.0/22, 209.85.204.0/22
k8s-[loadbalancer-hash]-http-hc
- Purpose: Permits load balancer health checks when externalTrafficPolicy is set to Local.
- Source: 35.191.0.0/16, 130.211.0.0/22, 209.85.152.0/22, 209.85.204.0/22
- Port: spec.healthCheckNodePort. If unspecified, the Kubernetes control plane assigns a health check port from the node port range. For more details, see Health check port.
k8s-[cluster-id]-node-hc
- Purpose: Permits load balancer health checks when externalTrafficPolicy is set to Cluster.
- Source: 35.191.0.0/16, 130.211.0.0/22, 209.85.152.0/22, 209.85.204.0/22
[loadbalancer-hash]-hc
- Purpose: Permits load balancer health checks when externalTrafficPolicy is set to Local.
- Source: 35.191.0.0/16, 130.211.0.0/22, 209.85.152.0/22, 209.85.204.0/22
- Port: spec.healthCheckNodePort. If unspecified, the Kubernetes control plane assigns a health check port from the node port range. For more details, see Health check port.
k8s2-[cluster-id]-[namespace]-[service-name]-[suffixhash]
- Purpose: Permits traffic to reach the LoadBalancer Service.
- Source: spec.loadBalancerSourceRanges. Defaults to 0.0.0.0/0 if spec.loadBalancerSourceRanges is omitted. For more details, see Firewall rules and source IP address allowlist.
k8s2-[cluster-id]-[namespace]-[service-name]-[suffixhash]-fw
- Purpose: Permits load balancer health checks when externalTrafficPolicy is set to Local and the Service is one of the types listed under Manage VPC firewall rules creation.
- Source: 35.191.0.0/16, 130.211.0.0/22, 209.85.152.0/22, 209.85.204.0/22
- Port: spec.healthCheckNodePort. If unspecified, the Kubernetes control plane assigns a health check port from the node port range. For more details, see Health check port.
k8s2-[cluster-id]-l4-shared-hc-fw
- Purpose: Permits load balancer health checks when externalTrafficPolicy is set to Cluster and the Service is one of the types listed under Manage VPC firewall rules creation.
- Source: 35.191.0.0/16, 130.211.0.0/22, 209.85.152.0/22, 209.85.204.0/22
gke-[cluster-name]-[cluster-hash]-mcsd
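The check a practitioner would run against the defaults in the Service rules above, as an added example rather than GKE's own code: a LoadBalancer Service that omits spec.loadBalancerSourceRanges gets an allow rule from 0.0.0.0/0, and with externalTrafficPolicy: Local the health-check rule is scoped to spec.healthCheckNodePort. The script reads Service objects in the shape that kubectl get svc -A -o json returns; the Service objects, namespaces and ports below are constructed assumptions.

```python
"""Audit LoadBalancer Services for the firewall exposure this page describes.

Added example, not GKE code. Input is the shape of `kubectl get svc -A -o json`;
the sample below is constructed.
"""
from ipaddress import ip_network

# Source ranges of the automatically created health-check rules on this page.
HEALTH_CHECK_RANGES = ["35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"]

SAMPLE_SERVICES = {  # constructed, in the shape of `kubectl get svc -A -o json`
    "items": [
        {"metadata": {"namespace": "web", "name": "frontend"},
         "spec": {"type": "LoadBalancer", "externalTrafficPolicy": "Local",
                  "healthCheckNodePort": 31234,
                  "loadBalancerSourceRanges": ["203.0.113.0/24"],
                  "ports": [{"port": 443, "nodePort": 30443, "protocol": "TCP"}]}},
        {"metadata": {"namespace": "admin", "name": "dashboard"},
         "spec": {"type": "LoadBalancer",
                  "ports": [{"port": 80, "nodePort": 30080, "protocol": "TCP"}]}},
        {"metadata": {"namespace": "db", "name": "postgres"},
         "spec": {"type": "ClusterIP", "ports": [{"port": 5432, "protocol": "TCP"}]}},
    ]
}


def firewall_source_ranges(svc):
    """Source ranges of the Service's ingress allow rule (k8s-fw-* or k8s2-*):
    spec.loadBalancerSourceRanges, or 0.0.0.0/0 when it is omitted."""
    return list(svc["spec"].get("loadBalancerSourceRanges") or ["0.0.0.0/0"])


def is_open_to_internet(ranges):
    """True when any range is a default route (an IPv4 or IPv6 /0)."""
    return any(ip_network(r, strict=False).prefixlen == 0 for r in ranges)


def health_check_port(svc):
    """Port the health check reaches on each node when externalTrafficPolicy is
    Local: spec.healthCheckNodePort, assigned by the control plane from the node
    port range if unset. For the Cluster policy this page does not give the port,
    so None is returned."""
    spec = svc["spec"]
    if spec.get("externalTrafficPolicy", "Cluster") == "Local":
        return spec.get("healthCheckNodePort")
    return None


def audit(svc_list):
    """One finding per LoadBalancer Service; other Service types are skipped."""
    findings = []
    for svc in svc_list["items"]:
        spec = svc["spec"]
        if spec.get("type") != "LoadBalancer":
            continue
        ranges = firewall_source_ranges(svc)
        findings.append({
            "service": f"{svc['metadata']['namespace']}/{svc['metadata']['name']}",
            "external_traffic_policy": spec.get("externalTrafficPolicy", "Cluster"),
            "source_ranges": ranges,
            "open_to_internet": is_open_to_internet(ranges),
            "health_check_port": health_check_port(svc),
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SERVICES):
        flag = "OPEN TO 0.0.0.0/0" if f["open_to_internet"] else "restricted"
        print(f"{f['service']:18} {flag:18} policy={f['external_traffic_policy']} "
              f"hc_port={f['health_check_port']} sources={','.join(f['source_ranges'])}")
```

On the sample, admin/dashboard is flagged because it relies on the default source range. If you disable automatic rule creation for the Service types listed under Manage VPC firewall rules creation, the findings give you the two things your own rules must cover: the client ranges, and the health-check port that must stay reachable from HEALTH_CHECK_RANGES.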
GKE Gateway firewall rules
GKE creates the following firewall rules when creating Gateway and HTTPRoute resources:
gkegw1-l7-[network]-[region/global] and gkemcg1-l7-[network]-[region/global]
- Purpose: Permits health checks of a network endpoint group (NEG). The Gateway controller creates this rule when the first Gateway resource is created and can update it as more Gateway resources are created.
- Source: 35.191.0.0/16, 130.211.0.0/22, and user-defined proxy-only subnet ranges (for internal Application Load Balancers).
GKE Ingress firewall rules
GKE creates the following firewall rule when creating an Ingress resource:
k8s-fw-l7-[random-hash]
- Purpose: Permits health checks of a NodePort Service or network endpoint group (NEG). The Ingress controller creates this rule when the first Ingress resource is created and can update it as more Ingress resources are created.
- Source: 35.191.0.0/16, 130.211.0.0/22, 209.85.152.0/22, 209.85.204.0/22, and user-defined proxy-only subnet ranges (for internal Application Load Balancers).
Manage VPC firewall rules creation
By default, GKE automatically creates ingress allow VPC firewall rules for all LoadBalancer Services. If you want to manage firewall rules for LoadBalancer Services yourself, you must disable the automatic creation of VPC firewall rules.
Disabling the automatic creation of VPC firewall rules for LoadBalancer Services only applies to the following:
- Internal LoadBalancer Services using GKE subsetting
- Backend service-based external LoadBalancer Services
For information on how to disable firewall rules, see User-managed firewall rules for GKE LoadBalancer Services .
Shared VPC
If you're using Ingress or LoadBalancer Services and your cluster is in a Shared VPC network, the GKE service account in the service project can't create or update ingress allow firewall rules in the host project. You can grant the GKE service account in the service project permission to create and manage firewall resources in the host project. For more information, see Shared VPC.
Required firewall rule for expanded subnet
If you expand the primary IPv4 range of the cluster's subnet, GKE does not automatically update the source range of the gke-[cluster-name]-[cluster-hash]-vms firewall rule. Because nodes in the cluster can receive IPv4 addresses from the expanded portion of the subnet's primary IPv4 range, you must manually create a firewall rule to allow communication between nodes of the cluster. Until you do, traffic from a node whose address lies in the expanded portion does not match the -vms rule and is decided by whatever lower-priority rules remain, ultimately the implied deny ingress rule.
The ingress firewall rule you must create must allow TCP and ICMP packets from the expanded primary subnet IPv4 source range, and it must apply to at least all nodes in the cluster. If workloads on your nodes also rely on UDP between nodes, allow UDP as well; the automatically created -vms rule permits it.
To create an ingress firewall rule that applies only to the cluster's nodes, set the firewall rule's target to the same target tag used by your cluster's automatically created gke-[cluster-name]-[cluster-hash]-vms firewall rule.
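The check behind the rule above, as an added example rather than GKE or gcloud tooling: given the -vms rule and the subnet as gcloud compute firewall-rules describe RULE --format=json and gcloud compute networks subnets describe SUBNET --region=REGION --format=json return them, it computes which part of the primary range the rule no longer covers and builds the gcloud invocation for the manual rule, reusing the rule's target tag. The two JSON documents, the rule name gke-demo-abc123-vms, the tag gke-demo-abc123-node, the network demo-net and the ranges (10.0.0.0/24 expanded to 10.0.0.0/22) are constructed assumptions; nothing is executed.

```python
"""Does the automatically created -vms rule still cover the whole primary range?

Added example, not GKE or gcloud tooling. The two documents below are
constructed in the shape `gcloud ... describe ... --format=json` returns.
"""
from ipaddress import ip_network

VMS_RULE = {  # constructed: the rule as GKE created it, before the subnet was expanded
    "name": "gke-demo-abc123-vms",
    "direction": "INGRESS",
    "priority": 1000,
    "network": "https://www.googleapis.com/compute/v1/projects/demo-project/global/networks/demo-net",
    "sourceRanges": ["10.0.0.0/24"],
    "targetTags": ["gke-demo-abc123-node"],
    "allowed": [{"IPProtocol": "tcp", "ports": ["1-65535"]},
                {"IPProtocol": "udp", "ports": ["1-65535"]},
                {"IPProtocol": "icmp"}],
}
SUBNET = {"name": "demo-subnet", "ipCidrRange": "10.0.0.0/22"}  # constructed: after expansion


def uncovered_ranges(rule, subnet):
    """Parts of the subnet's primary IPv4 range (as ip_network objects) that none
    of the rule's source ranges match. An empty list means fully covered."""
    remaining = [ip_network(subnet["ipCidrRange"])]
    for src in rule.get("sourceRanges", []):
        src_net = ip_network(src)
        still_missing = []
        for part in remaining:
            if src_net.version != part.version:      # an IPv6 source range cannot cover IPv4
                still_missing.append(part)
            elif part.subnet_of(src_net):            # this part lies entirely inside the source range
                continue
            elif src_net.subnet_of(part):            # source range lies inside this part: cut it out
                still_missing.extend(part.address_exclude(src_net))
            else:
                still_missing.append(part)
        remaining = still_missing
    return sorted(remaining)


def required_rule_args(rule, subnet, new_name):
    """Argument list for the manual ingress allow rule this page calls for: TCP and
    ICMP from the part of the expanded range the -vms rule misses, applied to the
    same target tag so it reaches exactly the cluster's nodes. Returns None when
    the rule already covers the whole subnet. Priority 1000 matches the
    automatically created rules; nothing is executed here."""
    missing = uncovered_ranges(rule, subnet)
    if not missing:
        return None
    network = rule["network"].rsplit("/", 1)[-1]
    return ["gcloud", "compute", "firewall-rules", "create", new_name,
            f"--network={network}",
            "--direction=INGRESS", "--action=ALLOW", "--priority=1000",
            "--rules=tcp,icmp",
            "--source-ranges=" + ",".join(str(n) for n in missing),
            "--target-tags=" + ",".join(rule["targetTags"])]


if __name__ == "__main__":
    args = required_rule_args(VMS_RULE, SUBNET, "gke-demo-abc123-vms-expanded")
    print("rule already covers the subnet" if args is None else " ".join(args))
```

Using only the uncovered part as the source range is a tighter variant of the page's instruction; passing the whole expanded range instead is equally valid, since overlap with the existing -vms rule is harmless. For an auto mode network the check reports nothing to do, because the 10.128.0.0/9 source already contains every automatically created subnet.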
What's next
- Read an overview of networking in GKE .
- Learn about Configuring network policies for applications .
- Learn about other Pre-populated firewall rules in Google Cloud.
- Learn more about Creating firewall rules in projects that use Shared VPC.