I have an alias IP range, 10.7.0.0/16.
I configured a VPC-native cluster with a secondary range, so my pods/services can have the alias IP range.
In GKE, there is a service that is using an alias IP range:
❯ k get svc
NAME             TYPE       CLUSTER-IP    EXTERNAL-IP   PORT(S)        AGE
hasura-service   NodePort   10.7.165.27   <none>        80:30891/TCP   2d21h
---
apiVersion: v1
kind: Service
metadata:
  name: sura-service
  namespace: sura
  annotations:
    cloud.google.com/neg: '{"ingress": true}'
spec:
  selector:
    app: sura
  ports:
    - port: 80
      targetPort: 8080
  type: NodePort
The other instances in the project are not able to communicate with 10.7.165.27:80. Those instances are in the same subnetwork, 10.152.0.0/20.
Do I need to configure anything else to be able to connect to an alias range from the VPC itself?
---
apiVersion: v1
kind: Service
metadata:
  name: sura-service
  namespace: sura
  annotations:
    cloud.google.com/neg: '{"ingress": true}'
spec:
  selector:
    app: sura
  ports:
    - protocol: "TCP"
      port: 80
      targetPort: 8080
  type: ClusterIP
This will create a Service with a secondary alias range, still not accessible from the VPC.
Then create an Internal Load Balancer with a proxy-only subnet - https://cloud.google.com/load-balancing/docs/l7-internal/proxy-only-subnets
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: sura-ingress
  namespace: sura
  annotations:
    kubernetes.io/ingress.class: "gce-internal"
spec:
  backend:
    serviceName: sura-service
    servicePort: 80
This is the packet flow.
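The internal Ingress above, rewritten against the networking.k8s.io/v1 API for clusters that no longer serve v1beta1 (removed in Kubernetes 1.22). This is an added example, not part of the original post; it reuses the post's names and assumes the proxy-only subnet from the linked guide already exists in the cluster's region and network.

```yaml
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: sura-ingress
  namespace: sura
  annotations:
    # Selects the GKE internal Application Load Balancer, reachable
    # only from inside the VPC, instead of the external one.
    kubernetes.io/ingress.class: "gce-internal"
spec:
  # v1 replaces spec.backend / serviceName / servicePort with
  # spec.defaultBackend.service.name and .port.number.
  defaultBackend:
    service:
      name: sura-service   # the ClusterIP Service with the NEG annotation
      port:
        number: 80
```

Once the load balancer is provisioned, the Ingress reports an internal address in its ADDRESS column, and that address, not the Service's ClusterIP, is what other instances in the VPC connect to.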