Configure a private cluster in Cloud Code for VS Code

A private cluster is a Virtual Private Cloud (VPC)-native cluster that only depends on internal IP addresses. This means that nodes and pods are isolated from the internet by default. This page explains how to use Cloud Code to connect to private clusters with and without public endpoint access and permit private clusters to access resources from outside Google Cloud.

For information about private clusters, see Private clusters. For steps to configure private clusters, see Creating a private cluster.

Add a private GKE cluster to your KubeConfig

Adding a private cluster in Cloud Code has the following behavior:

  • For clusters that have the public endpoint enabled, adding the cluster sets the cluster address in the KubeConfig to the external IP.

  • For clusters that have the public endpoint turned off, adding the cluster sets the cluster address in the KubeConfig to be the internal VPC IP of the cluster.

To add an authorized network to an existing cluster, make sure you are connected to an authorized network, as this cluster has authorized networks enabled.

To learn more about connecting to VMs without external IP addresses, see Securely connecting to VM instances. To manage or delete the instances that you created, see VM instances.

To successfully connect to the private cluster, Cloud Code must be running on a machine in the cluster's network or be able to access the cluster's network, such as by using a proxy server, Cloud Interconnect, or Cloud VPN.

For steps to create GKE clusters in Cloud Code and add existing GKE clusters to Cloud Code, see create and configure a GKE cluster. Cloud Code opens the Google Cloud console to create your cluster.

After you create the cluster, configure Cloud NAT to enable outbound internet connections from your cluster if this was not set up during cluster creation. To manage or delete the networks that you created, see VPC networks.

Troubleshoot issues connecting to private clusters

If your dev environment isn't configured correctly to access a private cluster, recommendations about how to resolve the issue appear in the following contexts:

  • In the expanded Kubernetes section, clusters that Cloud Code can't connect to appear with an error icon next to the cluster name. To view possible workarounds and a longer explanation of the potential issue, click the cluster name.

  • When you try to run operations on a cluster that's inaccessible because of potential issues with the private cluster's configuration, a notification displays an error message with a longer explanation of the potential issue and potential workarounds.

Configure a proxy server for a cluster

If the control plane API isn't available publicly, such as in a GKE cluster with the public endpoint turned off, you can configure Cloud Code to proxy requests to the control plane through a proxy server on the same network or VPC as the cluster:

  1. Configure a proxy server on the same network as your cluster if you haven't already. For steps to set up a Compute Engine VM as a basic proxy server, see Remotely access a private cluster using a bastion host. For additional details, see Creating Google Kubernetes Engine private clusters with network proxies for controller access.
  2. Right-click the name of a cluster you've added to Cloud Code and then click Set up Kubectl Proxying for cluster. Follow the prompts to enter the name of your proxy server, which is stored in the cluster's proxy-url field. The Kubernetes view reloads to display the connected cluster.

Cancel Kubernetes proxying

Right-click the name of a cluster you've configured for Kubernetes proxying and then click Cancel Kubectl Proxying for cluster. Cloud Code stops proxying requests for the cluster by unsetting the proxy-url field in the KubeConfig.
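As an added example (not part of this page or of Cloud Code itself), the following Python audits the JSON that `kubectl config view -o json` produces: it tells internal VPC endpoints (the address Cloud Code stores when the public endpoint is off) from external ones, reports whether a proxy-url is set, and flags clusters a developer machine outside the VPC cannot reach. The cluster names, IPs and the RFC 1918 internal ranges are assumptions built into the constructed sample.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Assumption: internal VPC endpoints fall in the RFC 1918 ranges.
INTERNAL_RANGES = [ipaddress.ip_network(n)
                   for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in the shape of `kubectl config view -o json`
# (hypothetical project, cluster names and addresses).
SAMPLE_KUBECONFIG = json.dumps({
    "apiVersion": "v1", "kind": "Config",
    "clusters": [
        {   # public endpoint enabled: Cloud Code stored the external IP
            "name": "gke_example-project_us-central1_public-endpoint",
            "cluster": {"server": "https://203.0.113.10"}},
        {   # public endpoint off: internal VPC IP, reached through a proxy VM
            "name": "gke_example-project_us-central1_private-endpoint",
            "cluster": {"server": "https://10.128.0.2",
                        "proxy-url": "http://10.128.0.50:8888"}},
        {   # public endpoint off and no proxy-url: unreachable from outside the VPC
            "name": "gke_example-project_us-central1_no-proxy",
            "cluster": {"server": "https://172.16.0.2"}},
    ],
})


def classify_endpoint(server):
    """Return 'internal', 'external' or 'hostname' for a cluster server URL."""
    host = urlsplit(server).hostname or ""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"  # not an IP literal; the address alone cannot tell
    return "internal" if any(addr in net for net in INTERNAL_RANGES) else "external"


def audit_kubeconfig(config_json):
    """Map cluster name -> endpoint kind, proxy-url presence and reachability."""
    result = {}
    for entry in json.loads(config_json).get("clusters", []):
        cluster = entry.get("cluster", {})
        kind = classify_endpoint(cluster.get("server", ""))
        proxied = "proxy-url" in cluster
        # An internal-only endpoint needs a proxy (or VPN/Interconnect) from a dev machine
        result[entry["name"]] = {"endpoint": kind, "proxied": proxied,
                                 "reachable_from_dev_machine": kind != "internal" or proxied}
    return result


if __name__ == "__main__":
    for name, info in audit_kubeconfig(SAMPLE_KUBECONFIG).items():
        note = "" if info["reachable_from_dev_machine"] else "  <-- set up kubectl proxying"
        print(f"{name}: {info['endpoint']}, proxy-url set: {info['proxied']}{note}")
```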

Access resources outside Google Cloud from clusters

No configuration of a GKE private cluster gives nodes internet access. As a result, clusters can't reach APIs on the public internet. Clusters are automatically configured with Private Google Access, which, for example, permits clusters to pull images from Artifact Registry. APIs and image registries outside of Google Cloud are inaccessible without additional configuration to allow outbound internet connections from the nodes. To provide these connections, you can set up Cloud NAT on your VPC from Cloud Code:

  1. Run the Grant private GKE nodes outbound internet access command, either by right-clicking a cluster or from the command palette (press Ctrl/Cmd+Shift+P or click View > Command Palette).
  2. In the terminal, edit the gcloud compute routers create and gcloud beta compute routers nats create commands to specify the values for your application.
  3. To run the commands, press Enter.
  4. To manage or delete the routers that you created, see Cloud Routers.


Last updated 2025-12-15 UTC.