Tags: google-cloud-platform, google-kubernetes-engine, google-vpc

Is it possible to assign a reserved public IP to a GKE deployment for egress traffic?


I want some of my GKE deployments to use a public static IP for egress traffic to the internet.

Here is what I already know is possible:

  • Use GCP's NAT gateway and NAT ALL public traffic from a cluster/VPC
  • Create a GCE instance with IP forwarding and create a routing rule to route specific traffic through the GCE instance, to selectively NAT traffic

I'd like to avoid either and just assign a reserved global IP to a GKE deployment/pod (like I can assign a reserved IP to an ingress). Is this at all possible?

I want outbound traffic from some pods (deployments) to use the same static public IP, but for most deployments I don't want to NAT their traffic at all.

I also can't use the underlying nodes' public IPs because I autoscale and a node's IP could change - you can't use reserved IPs for nodes as far as I know.

EDIT: Azure seems to support what I'm looking for with azure-egress https://learn.microsoft.com/en-us/azure/aks/egress. So I can see at least one provider has an official solution for this. I am wondering if GKE has something similar.


Solution

  • You should go with the second option - create a GCE instance that will serve as a NAT instance.

    Then, you can assign different network tags to different node pools in your cluster, so only one of your node pools will route its public traffic to the NAT instance you created.
    You can then use Node Taints and Tolerations to make sure only the deployments you want to route through that NAT instance will be allocated to the nodes in your special node pool.
    For example, configure this taint: traffic=nat:NoExecute, and add the following toleration to your deployment:

    tolerations:
      - effect: NoExecute
        key: traffic
        value: "nat"
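The following script is an added worked example of the design in the answer above; it is not code from the question or the answer. It reserves a regional static IP, attaches it to an IP-forwarding instance that masquerades traffic, installs a tagged route so that only nodes carrying the tag send internet-bound traffic to that instance, creates the tainted and tagged node pool, and renders a Deployment that both tolerates the taint and is pinned to the pool with a nodeSelector (the toleration alone only permits scheduling there; it does not force it). All names (project, zone, cluster, pool, tags, image) are assumptions to be replaced. By default the script only prints the gcloud/kubectl commands it would run; set APPLY=1 to execute them.

```shell
#!/bin/sh
# Added example, not from the original post: selective egress through a NAT
# instance that owns a reserved static IP. Every name below is an assumption.
# Default is a dry run that prints the plan; APPLY=1 executes it.
set -eu

PROJECT="${PROJECT:-example-project}"
REGION="${REGION:-us-central1}"
ZONE="${ZONE:-us-central1-a}"
NETWORK="${NETWORK:-default}"
CLUSTER="${CLUSTER:-example-cluster}"
POOL="${POOL:-nat-egress-pool}"
NAT_VM="${NAT_VM:-nat-gateway}"
NAT_IP="${NAT_IP:-nat-egress-ip}"        # name of the reserved regional address
NODE_TAG="${NODE_TAG:-egress-via-nat}"   # network tag on the special pool; the route matches it
NAT_TAG="${NAT_TAG:-nat-gateway}"        # network tag on the NAT instance; firewall targets it

run() {
  if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s ' "$@"; printf '\n'; fi
}

# 1. Reserve the IP and give it to an IP-forwarding instance whose startup
#    script turns on forwarding and masquerades everything it forwards.
reserve_ip() {
  run gcloud compute addresses create "$NAT_IP" --project "$PROJECT" --region "$REGION"
}
create_nat_instance() {
  run gcloud compute instances create "$NAT_VM" --project "$PROJECT" --zone "$ZONE" \
    --network "$NETWORK" --address "$NAT_IP" --can-ip-forward --tags "$NAT_TAG" \
    --image-family debian-12 --image-project debian-cloud \
    --metadata startup-script='#!/bin/sh
sysctl -w net.ipv4.ip_forward=1
command -v iptables >/dev/null 2>&1 || (apt-get update && apt-get install -y iptables)
iptables -t nat -C POSTROUTING -j MASQUERADE 2>/dev/null || iptables -t nat -A POSTROUTING -j MASQUERADE'
}

# 2. Tagged route: only instances carrying NODE_TAG send 0.0.0.0/0 traffic to the
#    NAT instance. Priority 800 beats the default internet route (priority 1000),
#    so every other node keeps its direct egress.
create_route() {
  run gcloud compute routes create "${POOL}-route" --project "$PROJECT" --network "$NETWORK" \
    --destination-range 0.0.0.0/0 --priority 800 --tags "$NODE_TAG" \
    --next-hop-instance "$NAT_VM" --next-hop-instance-zone "$ZONE"
}
# Pod traffic leaving a GKE node for the internet is SNAT'd to the node IP by the
# default masquerade config, so a source-tag rule is enough to reach the NAT VM.
create_firewall() {
  run gcloud compute firewall-rules create "${POOL}-to-nat" --project "$PROJECT" --network "$NETWORK" \
    --direction INGRESS --allow all --source-tags "$NODE_TAG" --target-tags "$NAT_TAG"
}

# 3. The node pool: network tag for the route, taint to keep other pods off,
#    label so the deployments that need the fixed IP can be pinned to it.
create_node_pool() {
  run gcloud container node-pools create "$POOL" --project "$PROJECT" --cluster "$CLUSTER" --zone "$ZONE" \
    --tags "$NODE_TAG" --node-taints traffic=nat:NoExecute --node-labels egress=nat \
    --enable-autoscaling --num-nodes 1 --min-nodes 1 --max-nodes 3
}

# 4. Deployment: the toleration lets pods onto the tainted nodes, the nodeSelector
#    makes sure they go nowhere else. The container just reports its egress IP.
egress_deployment_manifest() {
  cat <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: fixed-egress-app
spec:
  replicas: 2
  selector:
    matchLabels:
      app: fixed-egress-app
  template:
    metadata:
      labels:
        app: fixed-egress-app
    spec:
      nodeSelector:
        egress: nat
      tolerations:
        - key: traffic
          operator: Equal
          value: "nat"
          effect: NoExecute
      containers:
        - name: probe
          image: curlimages/curl:8.8.0
          command: ["sh", "-c", "while true; do curl -s https://ifconfig.me; echo; sleep 60; done"]
EOF
}

main() {
  reserve_ip
  create_nat_instance
  create_route
  create_firewall
  create_node_pool
  if [ "${APPLY:-0}" = 1 ]; then egress_deployment_manifest | kubectl apply -f -
  else egress_deployment_manifest; fi
}
main "$@"
```

After `APPLY=1 ./egress-nat.sh`, `kubectl logs deploy/fixed-egress-app` should print the reserved address while pods in other node pools still show their node's ephemeral IP. Two caveats a practitioner will hit: the single NAT instance is a single point of failure and a bandwidth bottleneck for everything routed through it, and the autoscaler will happily scale the tainted pool to zero unless `--min-nodes` keeps one node alive, which is why the example pins a minimum of one.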