# Network Component

The Network component creates the VPC foundation for all other infrastructure, including subnets, firewall rules, Cloud Router, and NAT gateway.

## Architecture

### Resources Created

| Resource | Name | Purpose |
|---|---|---|
| VPC Network | serko-northsky-vpc | Main network |
| GKE Subnet | serko-northsky-gke-subnet | GKE nodes and pods |
| Private Subnet | serko-northsky-private-subnet | Databases and caches |
| Private IP Range | serko-northsky-private-ip-range | Private service access |
| VPC Peering | serko-northsky-private-vpc-connection | Connect to managed services |
| Cloud Router | serko-northsky-router | Regional routing |
| Cloud NAT | serko-northsky-nat | Outbound internet for private nodes |

### Firewall Rules

| Rule | Direction | Ports | Purpose |
|---|---|---|---|
| allow-internal | Ingress | All | Internal VPC communication |
| allow-iap-ssh | Ingress | 22 | SSH via IAP |
| allow-health-checks | Ingress | All | GCP health check ranges |
| allow-gke-master | Ingress | 443, 10250 | GKE control plane access |
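
The table lists the rules but not their source ranges, which is where ingress rules usually go wrong. The following lint is an added example, not code from the component: it models the four rules as data and checks that every ingress rule has explicit sources, that nothing on SSH, kubelet or all-ports is open to `0.0.0.0/0`, and that SSH is reachable only from the IAP TCP-forwarding range. The source ranges in `rules` are assumptions for this example (the IAP and health-check ranges are Google-published values; the control-plane CIDR is a placeholder).

```typescript
// Added example (not part of the component): lint ingress firewall rules
// for missing sources and internet exposure of sensitive ports.
interface FirewallRule {
  name: string;
  direction: 'INGRESS' | 'EGRESS';
  ports: string[];          // 'all' or TCP port numbers as strings
  sourceRanges: string[];
}

// Google-published prober/proxy ranges (known values, not from the page).
const IAP_TCP_FORWARDING_RANGE = '35.235.240.0/20';
const HEALTH_CHECK_RANGES = ['35.191.0.0/16', '130.211.0.0/22'];

// Source ranges are assumptions for this example; the page lists the rules
// without them. Internal traffic is scoped to the component's own CIDRs.
const rules: FirewallRule[] = [
  { name: 'allow-internal', direction: 'INGRESS', ports: ['all'],
    sourceRanges: ['10.0.1.0/24', '10.0.2.0/24', '10.1.0.0/16', '10.2.0.0/16'] },
  { name: 'allow-iap-ssh', direction: 'INGRESS', ports: ['22'],
    sourceRanges: [IAP_TCP_FORWARDING_RANGE] },
  { name: 'allow-health-checks', direction: 'INGRESS', ports: ['all'],
    sourceRanges: HEALTH_CHECK_RANGES },
  { name: 'allow-gke-master', direction: 'INGRESS', ports: ['443', '10250'],
    sourceRanges: ['172.16.0.0/28'] },  // placeholder control-plane CIDR
];

// Returns one finding per problem; an empty array means the rule set passes.
function lintFirewallRules(input: FirewallRule[]): string[] {
  const findings: string[] = [];
  for (const r of input) {
    if (r.direction !== 'INGRESS') continue;
    if (r.sourceRanges.length === 0) {
      // With no sources and no source tags, GCP treats the rule as 0.0.0.0/0.
      findings.push(`${r.name}: no sourceRanges (GCP defaults to 0.0.0.0/0)`);
    }
    const openToInternet = r.sourceRanges.includes('0.0.0.0/0');
    const sensitive =
      r.ports.includes('all') || r.ports.includes('22') || r.ports.includes('10250');
    if (openToInternet && sensitive) {
      findings.push(`${r.name}: ports ${r.ports.join(',')} exposed to 0.0.0.0/0`);
    }
    if (r.ports.includes('22') && r.sourceRanges.some(s => s !== IAP_TCP_FORWARDING_RANGE)) {
      findings.push(`${r.name}: SSH should only be reachable from IAP (${IAP_TCP_FORWARDING_RANGE})`);
    }
  }
  return findings;
}

console.log(lintFirewallRules(rules));  // [] for the rule set above
```

The same function can be run over rules exported from a live project (for example the output of `gcloud compute firewall-rules list --format=json`, mapped onto `FirewallRule`) so that a rule edited by hand outside Pulumi is caught the same way.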

## Configuration

```yaml
# Pulumi.dev.yaml
config:
  serko-northsky:gkeSubnetCidr: "10.0.1.0/24"
  serko-northsky:privateSubnetCidr: "10.0.2.0/24"
  serko-northsky:podCidr: "10.1.0.0/16"
  serko-northsky:serviceCidr: "10.2.0.0/16"
```

## IP Address Planning

| CIDR Block | Purpose | Usable IPs |
|---|---|---|
| 10.0.1.0/24 | GKE nodes | 254 |
| 10.0.2.0/24 | Private services | 254 |
| 10.1.0.0/16 | Kubernetes pods | 65,534 |
| 10.2.0.0/16 | Kubernetes services | 65,534 |
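
Overlapping ranges are the planning mistake that `pulumi up` does not always catch up front (the pod and service ranges are secondary ranges on the GKE subnet, and the Private Service Access range must not collide with any of them). The following check is an added example, not part of the component: it parses the CIDRs from the configuration above, computes the usable-IP figures in the table, and reports any pair of ranges that overlap. The `/20` Private Service Access range is included with a placeholder value of `10.3.0.0/20`, since the page gives only its size.

```typescript
// Added example (not part of the component): CIDR sanity checks for the
// ranges in the IP Address Planning table. Pure TypeScript, no Pulumi needed.
interface Cidr { base: number; prefix: number; }

function parseCidr(text: string): Cidr {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\/(\d{1,2})$/.exec(text);
  if (!m) throw new Error(`invalid CIDR: ${text}`);
  const octets = m.slice(1, 5).map(Number);
  const prefix = Number(m[5]);
  if (octets.some(o => o > 255) || prefix > 32) throw new Error(`invalid CIDR: ${text}`);
  const addr = ((octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]) >>> 0;
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  const base = (addr & mask) >>> 0;
  // A range with host bits set is almost always a typo; refuse it early.
  if (base !== addr) throw new Error(`${text} has host bits set`);
  return { base, prefix };
}

// Two ranges overlap when they agree on the shorter of the two prefixes.
function overlaps(a: Cidr, b: Cidr): boolean {
  const p = Math.min(a.prefix, b.prefix);
  const mask = p === 0 ? 0 : (0xffffffff << (32 - p)) >>> 0;
  return ((a.base & mask) >>> 0) === ((b.base & mask) >>> 0);
}

// Matches the table's convention: block size minus network and broadcast.
function usableIps(c: Cidr): number {
  return 2 ** (32 - c.prefix) - 2;
}

// Ranges from Pulumi.dev.yaml plus the /20 reserved for Private Service
// Access (placeholder value; the page states only the size).
const plannedRanges: Record<string, string> = {
  gkeSubnetCidr: '10.0.1.0/24',
  privateSubnetCidr: '10.0.2.0/24',
  podCidr: '10.1.0.0/16',
  serviceCidr: '10.2.0.0/16',
  privateServiceRange: '10.3.0.0/20',
};

// Returns a description of every overlapping pair; empty means the plan is clean.
function findOverlaps(ranges: Record<string, string>): string[] {
  const names = Object.keys(ranges);
  const parsed = names.map(n => parseCidr(ranges[n]));
  const problems: string[] = [];
  for (let i = 0; i < names.length; i++) {
    for (let j = i + 1; j < names.length; j++) {
      if (overlaps(parsed[i], parsed[j])) {
        problems.push(`${names[i]} (${ranges[names[i]]}) overlaps ${names[j]} (${ranges[names[j]]})`);
      }
    }
  }
  return problems;
}

for (const [name, cidr] of Object.entries(plannedRanges)) {
  console.log(`${name.padEnd(20)} ${cidr.padEnd(16)} usable=${usableIps(parseCidr(cidr))}`);
}
console.log(findOverlaps(plannedRanges));  // [] for the plan above
```

Feeding the values from `pulumi config` into `findOverlaps` in CI, before `pulumi up`, turns a silent routing problem into a failed build.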

## Outputs

```typescript
interface NetworkOutputs {
  vpcId: string;
  vpcName: string;
  gkeSubnetId: string;
  gkeSubnetName: string;
  privateSubnetId: string;
  privateSubnetName: string;
}
```

## Usage in Other Components

The network is passed to dependent components:

```typescript
const network = new Network('network', {
  projectId,
  region,
  gkeSubnetCidr: '10.0.1.0/24',
  privateSubnetCidr: '10.0.2.0/24',
  podCidr: '10.1.0.0/16',
  serviceCidr: '10.2.0.0/16',
});

// GKE uses the network
const gke = new GkeCluster('gke', {
  network: network.vpc,
  subnet: network.gkeSubnet,
  // ...
});

// AlloyDB uses the private VPC connection
const alloydb = new AlloyDb('alloydb', {
  network: network.vpc,
  // ...
}, { dependsOn: [network.privateVpcConnection] });
```

## Private Service Access

The network configures Private Service Access for managed services like AlloyDB:

- IP Range Allocation: Reserves a /20 range for Google services
- VPC Peering: Creates peering to servicenetworking.googleapis.com
- Private Connectivity: Databases are accessible only within the VPC