Remotely access a private cluster using a bastion host

Warning: This page is archived and is not actively maintained. The commands on this page might not work and could cause disruptions to your cluster. We recommend that you create your cluster in version 1.29 or later for customizable and simplified access to the control plane and cluster network. To learn more, see Customize your network isolation in GKE.

This tutorial shows you how to access a private cluster in Google Kubernetes Engine (GKE) over the internet by using a bastion host.

You can create GKE private clusters with no client access to the public endpoint. This access option improves cluster security by preventing all internet access to the control plane. However, disabling access to the public endpoint prevents you from interacting with your cluster remotely, unless you add the IP address of your remote client as an authorized network.

This tutorial shows you how to set up a bastion host, which is a special-purpose host machine designed to withstand attack. The bastion host uses Tinyproxy to forward client traffic to the cluster. You use Identity-Aware Proxy (IAP) to securely access the bastion host from your remote client. IAP checks the caller's identity and IAM permission (the IAP-secured Tunnel User role, roles/iap.tunnelResourceAccessor) before it opens the tunnel, so access to the bastion host is gated by who you are rather than by the network you connect from.

Note: This tutorial provides instructions for working with this app: Tinyproxy. The instructions might not represent newer versions of the app. For more information, see the documentation: Tinyproxy.

Objectives

  • Create a private cluster with no access to the public endpoint.
  • Deploy a Compute Engine virtual machine (VM) to act as a bastion host in the cluster subnet.
  • Use IAP to connect a remote client to the cluster over the internet.

Costs

In this document, you use the following billable components of Google Cloud:

To generate a cost estimate based on your projected usage, use the pricing calculator.

New Google Cloud users might be eligible for a free trial.

When you finish the tasks that are described in this document, you can avoid continued billing by deleting the resources that you created. For more information, see Clean up.

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.
    Note: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.

    Go to project selector

  3. Verify that billing is enabled for your Google Cloud project.

  4. Enable the GKE, Compute Engine, Identity-Aware Proxy APIs.

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

    Enable the APIs

  5. Install the Google Cloud CLI.

  6. If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

  7. To initialize the gcloud CLI, run the following command:

    gcloud init
  8. After initializing the gcloud CLI, update it and install the required components:

    gcloud components update
    gcloud components install alpha beta

Create a private cluster

Create a new private cluster with no client access to the public endpoint. Place the cluster in its own subnet. You can do this using the Google Cloud CLI or the Google Cloud console.

gcloud

Run the following command:

gcloud container clusters create-auto CLUSTER_NAME \
    --location=CONTROL_PLANE_LOCATION \
    --create-subnetwork=name=SUBNET_NAME \
    --enable-master-authorized-networks \
    --enable-private-nodes \
    --enable-private-endpoint

Replace the following:

  • CLUSTER_NAME: the name of the new cluster.
  • CONTROL_PLANE_LOCATION: the Compute Engine region of the control plane of your cluster.
  • SUBNET_NAME: the name of the new subnetwork in which you want to place the cluster.

Console

Create a Virtual Private Cloud subnetwork

  1. Go to the VPC networks page in the Google Cloud console.

    Go to VPC networks

  2. Click the default network.

  3. In the Subnets section, click Add subnet.

  4. On the Add a subnet dialog, specify the following:

    1. Name: A name for the new subnet.
    2. Region: A region for the subnet. This must be the same as the cluster region.
    3. IP address range: Specify 10.2.204.0/22 or another range that doesn't conflict with other ranges in the VPC network.
    4. For Private Google Access, select the On option.
  5. Click Add.

Create a private cluster

  1. Go to the Google Kubernetes Engine page in the Google Cloud console.

    Go to Google Kubernetes Engine

  2. Click Create.

  3. Click Configure for GKE Autopilot.

  4. Specify a Name and Region for the new cluster. The region must be the same as the subnet.

  5. In the Networking section, select the Private cluster option.

  6. Clear the Access control plane using its external IP address checkbox.

  7. From the Node subnet drop-down list, select the subnet you created.

  8. Optionally, configure other settings for the cluster.

  9. Click Create.

You can also use a GKE Standard cluster with the --master-ipv4-cidr flag specified.

Create a bastion host VM

Create a Compute Engine VM in the cluster's VPC subnet to act as a bastion host that can manage the cluster. The VM is created without an external IP address, so it is reachable only from inside the VPC network and through IAP.

gcloud

Create a Compute Engine VM:

gcloud compute instances create INSTANCE_NAME \
    --zone=COMPUTE_ZONE \
    --machine-type=e2-micro \
    --network-interface=no-address,network-tier=PREMIUM,subnet=SUBNET_NAME

Replace the following:

  • INSTANCE_NAME: the name of the bastion host VM.
  • COMPUTE_ZONE: the Compute Engine zone for the VM. Use a zone in the same region as the cluster.
  • SUBNET_NAME: the name of the subnet that you created for the cluster.

Console

  1. Go to the VM instances page in the Google Cloud console.

    Go to VM instances

  2. Click Create instance.

  3. Specify the following:

    1. Name: the name of your VM.
    2. Region and Zone: the region and zone of your VM. Use the same region as your cluster.
    3. Machine type: a machine type. Choose a small machine type, such as e2-micro.
    4. For Network interfaces, select the same VPC network and subnet as the cluster.
    5. Optionally, configure other settings for the instance.
  4. Click Create.

Note: Create the VM in the same VPC subnet as the cluster. If you create the VM in a different subnet, add the VM IP address range as an authorized network for the cluster.
Note: You should automate bastion host setup and upgrades using a tool like Terraform.

Create firewall rule

To allow IAP to connect to your bastion host VM, create a firewall rule that allows ingress TCP traffic on port 22 to the VM from the IP range 35.235.240.0/20, which is the range that IAP TCP forwarding uses. Scope the rule to the bastion host (for example, with a target tag or the VM's service account) rather than to every instance in the VPC network.

Deploy the proxy

Note: Some commands in this section require administrator privileges.

With the bastion host and the private cluster configured, you must deploy a proxy daemon on the host to forward traffic to the cluster control plane. For this tutorial, you install Tinyproxy.

  1. Start a session into your VM:

    gcloud compute ssh INSTANCE_NAME --tunnel-through-iap --project=PROJECT_ID
  2. Install Tinyproxy:

    sudo apt install tinyproxy
  3. Open the Tinyproxy configuration file:

    sudo vi /etc/tinyproxy/tinyproxy.conf
  4. In the file, do the following:

    1. Verify that the port is 8888.
    2. Search for the Allow section:

        /Allow 127
    3. Add the following line to the Allow section:

        Allow localhost

      Keep the Allow list limited to loopback addresses. The SSH tunnel that you create later connects to Tinyproxy from 127.0.0.1 on the bastion host, so nothing else needs access. If the Allow list is empty, Tinyproxy does not restrict clients by address, and allowing the subnet range would let other hosts in the VPC relay traffic through the bastion host to the control plane.
  5. Save the file and restart Tinyproxy:

    sudo service tinyproxy restart
  6. Exit the session:

    exit
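As an added example (not part of the original page or of the Tinyproxy project), the following bash script checks a tinyproxy.conf for the properties that the steps above rely on: the port is 8888, an Allow list is present, and every Allow entry is a loopback address. The function name, the advisory Listen check and the sample configuration are my own constructions; run it on the bastion host against /etc/tinyproxy/tinyproxy.conf after step 5.

```bash
#!/usr/bin/env bash
# Added example: verify that a tinyproxy.conf only serves the SSH tunnel.
# Tinyproxy does not restrict clients when it has no Allow directive, and an
# Allow line for a non-loopback range lets other hosts in the VPC relay
# through the bastion to the control plane.  Returns 0 when the file is
# acceptable, 1 otherwise, with the reasons written to stderr.
check_tinyproxy_conf() {
  conf="$1"; ok=0; has_local=0
  [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }
  # Drop comments and blank lines so each directive is matched on its own
  body=$(sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$conf")

  port=$(printf '%s\n' "$body" | awk '$1 == "Port" { p = $2 } END { print p }')
  if [ "$port" != "8888" ]; then
    echo "Port is '${port:-unset}'; the SSH forward on the client targets 8888" >&2
    ok=1
  fi

  allows=$(printf '%s\n' "$body" | awk '$1 == "Allow" { print $2 }')
  if [ -z "$allows" ]; then
    echo "no Allow directive: Tinyproxy would accept clients from any address" >&2
    ok=1
  fi
  for a in $allows; do
    case "$a" in
      localhost|127.0.0.1|127.0.0.1/8|127.0.0.0/8|::1) has_local=1 ;;
      0.0.0.0/0|::/0) echo "Allow $a exposes the proxy to every address" >&2; ok=1 ;;
      *) echo "Allow $a: non-loopback clients could relay through the bastion" >&2; ok=1 ;;
    esac
  done
  if [ -n "$allows" ] && [ "$has_local" -eq 0 ]; then
    echo "no loopback Allow entry: tunneled traffic from 127.0.0.1 would be refused" >&2
    ok=1
  fi

  # Advisory only (assumption, not a step from the tutorial): binding to
  # loopback keeps the port off the VPC entirely, not just filtered by Allow.
  listen=$(printf '%s\n' "$body" | awk '$1 == "Listen" { print $2 }')
  [ "$listen" = "127.0.0.1" ] || echo "note: consider adding 'Listen 127.0.0.1'" >&2
  return "$ok"
}

# Stand-alone run: check the file given on the command line, or a constructed
# sample that mirrors the tutorial's edits.
if [ -n "$1" ]; then
  check_tinyproxy_conf "$1"
else
  sample=$(mktemp)
  printf 'Port 8888\nAllow 127.0.0.1\nAllow localhost\nAllow ::1\n' > "$sample"
  check_tinyproxy_conf "$sample" && echo "$sample: ok"
  rm -f "$sample"
fi
```

The check treats any Allow entry outside loopback as a failure on purpose: the only legitimate client of this proxy is the ssh process on the bastion host itself.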

Connect to your cluster from the remote client

After configuring Tinyproxy, you must set up the remote client with cluster credentials and specify the proxy. Do the following on the remote client:

  1. Get credentials for the cluster:

    gcloud container clusters get-credentials CLUSTER_NAME \
        --location=CONTROL_PLANE_LOCATION \
        --project=PROJECT_ID

    Replace the following:

    • CLUSTER_NAME: the name of the private cluster.
    • CONTROL_PLANE_LOCATION: the Compute Engine location of the control plane of your cluster. Provide a region for regional clusters, or a zone for zonal clusters.
    • PROJECT_ID: the ID of the Google Cloud project of the cluster.
  2. Tunnel to the bastion host using IAP:

    gcloud compute ssh INSTANCE_NAME \
        --tunnel-through-iap \
        --project=PROJECT_ID \
        --zone=COMPUTE_ZONE \
        --ssh-flag="-4 -L8888:localhost:8888 -N -q -f"

    The -L flag forwards TCP port 8888 on the remote client to port 8888 on the bastion host, where Tinyproxy is listening. -N opens no remote shell, and -f puts the ssh process in the background once the tunnel is established.
  3. Specify the proxy:

    export HTTPS_PROXY=localhost:8888
    kubectl get ns

    The output is a list of namespaces in the private cluster.

    An exported HTTPS_PROXY applies to every HTTPS client started from that shell, including later gcloud commands, so unset the variable when you finish, or set it only for the kubectl command.

Stop listening on the remote client

If you want to revert the change on the remote client at any time, end the listener process on TCP port 8888. The command to do this depends on the client operating system; the following works on Linux, where netstat -p reports the owning process. The pattern ':8888 ' matches the local address column only, so a listener on another port whose number happens to contain 8888 (for example 18888) is not killed as well.

netstat -lnpt | grep ':8888 ' | awk '{print $7}' | grep -o '[0-9]\+' | sort -u | xargs sudo kill
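As an added example (not code from the original page), the following bash functions make the connect and stop steps above more robust: kubectl runs with HTTPS_PROXY scoped to a single command, and the tunnel listener is found by its exact port from either netstat or ss output, so it also works on clients that ship ss instead of netstat. The function names and the sample netstat and ss lines are constructed for illustration; stopping the tunnel still assumes that it was started with the gcloud compute ssh command from step 2.

```bash
#!/usr/bin/env bash
# Added example: run kubectl through the IAP tunnel without exporting
# HTTPS_PROXY shell-wide, then find and stop exactly the listener on the
# forwarded port.  Assumes the tunnel was opened with the tutorial's
# "gcloud compute ssh ... --ssh-flag='-4 -L8888:localhost:8888 -N -q -f'".
PROXY_PORT="${PROXY_PORT:-8888}"

# Print the PIDs of processes listening on TCP port $1, parsed from
# "netstat -lnpt" output read on stdin.  The local-address column ($4) must
# end in ":PORT", so port 18888, or a PID that merely contains 8888, is not
# matched the way a bare "grep 8888" would match it.
listener_pids_from_netstat() {
  awk -v port="$1" '
    $1 ~ /^tcp/ && $6 == "LISTEN" && $4 ~ (":" port "$") {
      split($7, a, "/")           # $7 is "PID/Program name"
      if (a[1] ~ /^[0-9]+$/) print a[1]
    }' | sort -u
}

# Same for "ss -ltnp" output: local address is column 4 and the process
# info looks like users:(("ssh",pid=12345,fd=5)); one line may list several.
listener_pids_from_ss() {
  awk -v port="$1" '
    $1 == "LISTEN" && $4 ~ (":" port "$") {
      while (match($0, /pid=[0-9]+/)) {
        print substr($0, RSTART + 4, RLENGTH - 4)
        $0 = substr($0, RSTART + RLENGTH)
      }
    }' | sort -u
}

# Find the tunnel listener with whichever tool the client has and kill it.
# The ssh process belongs to the invoking user, so no sudo is required.
stop_tunnel_listener() {
  port="${1:-$PROXY_PORT}"
  if command -v ss >/dev/null 2>&1; then
    pids=$(ss -ltnp 2>/dev/null | listener_pids_from_ss "$port")
  else
    pids=$(netstat -lnpt 2>/dev/null | listener_pids_from_netstat "$port")
  fi
  [ -n "$pids" ] || { echo "nothing is listening on port $port" >&2; return 1; }
  echo "$pids" | xargs kill
}

# Run one kubectl command through the tunnel.  HTTPS_PROXY is set for this
# command only, so later gcloud or curl calls in the same shell are not
# silently routed through the bastion as well.
kubectl_via_bastion() {
  HTTPS_PROXY="localhost:${PROXY_PORT}" kubectl "$@"
}

# Stand-alone demo on a constructed netstat line (no tunnel needed):
printf 'tcp 0 0 127.0.0.1:8888 0.0.0.0:* LISTEN 12345/ssh\n' \
  | listener_pids_from_netstat 8888
```

Typical use is `kubectl_via_bastion get ns` while the tunnel is up, then `stop_tunnel_listener` to close it; the parsing functions can be exercised on their own by piping saved netstat or ss output into them.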

Troubleshooting

Firewall restrictions in enterprise networks

If you're on an enterprise network with a strict firewall, you might not be able to complete this tutorial without requesting an exception. If you request an exception, note that the source IP range from which IAP reaches the bastion host is 35.235.240.0/20 by default.

Clean up

To avoid incurring charges to your Google Cloud account for the resources used in this tutorial, either delete the project that contains the resources, or keep the project and delete the individual resources.

Delete the project

    Caution: Deleting a project has the following effects:
    • Everything in the project is deleted. If you used an existing project for the tasks in this document, when you delete it, you also delete any other work you've done in the project.
    • Custom project IDs are lost. When you created this project, you might have created a custom project ID that you want to use in the future. To preserve the URLs that use the project ID, such as an appspot.com URL, delete selected resources inside the project instead of deleting the whole project.

    If you plan to explore multiple architectures, tutorials, or quickstarts, reusing projects can help you avoid exceeding project quota limits.

  1. In the Google Cloud console, go to the Manage resources page.

    Go to Manage resources

  2. In the project list, select the project that you want to delete, and then click Delete.
  3. In the dialog, type the project ID, and then click Shut down to delete the project.

Delete individual resources

  1. Delete the bastion host that you deployed in this tutorial:

    gcloud compute instances delete INSTANCE_NAME \
        --zone=COMPUTE_ZONE
  2. Delete the cluster:

    gcloud container clusters delete CLUSTER_NAME \
        --location=CONTROL_PLANE_LOCATION
  3. Delete the subnet:

    gcloud compute networks subnets delete SUBNET_NAME \
        --region=CONTROL_PLANE_LOCATION

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-18 UTC.