# Network Component
The Network component creates the VPC foundation for all other infrastructure, including subnets, firewall rules, Cloud Router, and NAT gateway.
## Architecture
### Resources Created
| Resource | Name | Purpose |
|---|---|---|
| VPC Network | serko-northsky-vpc | Main network |
| GKE Subnet | serko-northsky-gke-subnet | GKE nodes and pods |
| Private Subnet | serko-northsky-private-subnet | Databases and caches |
| Private IP Range | serko-northsky-private-ip-range | Private service access |
| VPC Peering | serko-northsky-private-vpc-connection | Connect to managed services |
| Cloud Router | serko-northsky-router | Regional routing |
| Cloud NAT | serko-northsky-nat | Outbound internet for private nodes |
| Static IP | serko-northsky-{env}-k8s-ip | GKE Ingress load balancer IP |
| SSL Certificate | serko-northsky-{env}-ssl-cert-v2 | Google-managed SSL certificate |
### Firewall Rules
| Rule | Direction | Ports | Purpose |
|---|---|---|---|
| allow-internal | Ingress | All | Internal VPC communication |
| allow-iap-ssh | Ingress | 22 | SSH via IAP |
| allow-health-checks | Ingress | All | GCP health check ranges |
| allow-gke-master | Ingress | 443, 10250 | GKE control plane access |
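A pre-deploy lint over the four rules in the table, as an added example that is not part of the project's code. Source ranges are not listed on this page, so the ones below are assumptions: the IAP TCP-forwarding range and the health-check ranges are Google's published ranges, `allow-internal` uses the VPC's own CIDRs from `Pulumi.dev.yaml`, and the GKE master range is a labelled placeholder. The lint flags the drift a reviewer most wants to catch: SSH reachable from outside IAP, and all-ports rules open to the internet.

```typescript
// Added example, not the project's own code. Rule names and ports come from
// the Firewall Rules table above; source ranges are assumptions (see lead-in).

interface FirewallRule {
  name: string;
  direction: 'INGRESS' | 'EGRESS';
  sourceRanges: string[];
  ports: string[]; // port numbers as strings, or ['all']
}

const ANYWHERE = '0.0.0.0/0';
const IAP_TCP_FORWARDING_RANGE = '35.235.240.0/20';              // Google-published IAP range
const HEALTH_CHECK_RANGES = ['35.191.0.0/16', '130.211.0.0/22'];  // Google-published health-check ranges
const VPC_INTERNAL_RANGES = ['10.0.1.0/24', '10.0.2.0/24', '10.1.0.0/16']; // subnets + pods from Pulumi.dev.yaml

// Returns one finding per violated policy; an empty array means the rules look as intended.
function lintFirewallRules(rules: FirewallRule[]): string[] {
  const findings: string[] = [];
  for (const r of rules) {
    if (r.direction !== 'INGRESS') continue;
    const openToInternet = r.sourceRanges.includes(ANYWHERE);
    const allPorts = r.ports.includes('all');

    // Policy 1: no rule may expose every port to the whole internet.
    if (openToInternet && allPorts) {
      findings.push(`${r.name}: all ports reachable from ${ANYWHERE}`);
    }
    // Policy 2: SSH (22) is only ever reachable through IAP TCP forwarding.
    if (r.ports.includes('22') && r.sourceRanges.some(s => s !== IAP_TCP_FORWARDING_RANGE)) {
      findings.push(`${r.name}: port 22 allowed from a range other than ${IAP_TCP_FORWARDING_RANGE}`);
    }
    // Policy 3: the health-check rule must only trust Google's health-check ranges.
    if (r.name === 'allow-health-checks' && r.sourceRanges.some(s => !HEALTH_CHECK_RANGES.includes(s))) {
      findings.push(`${r.name}: source ${r.sourceRanges.join(',')} is not a Google health-check range`);
    }
  }
  return findings;
}

// The intended rule set, mirroring the table above (source ranges assumed).
const expectedRules: FirewallRule[] = [
  { name: 'allow-internal', direction: 'INGRESS', sourceRanges: VPC_INTERNAL_RANGES, ports: ['all'] },
  { name: 'allow-iap-ssh', direction: 'INGRESS', sourceRanges: [IAP_TCP_FORWARDING_RANGE], ports: ['22'] },
  { name: 'allow-health-checks', direction: 'INGRESS', sourceRanges: [...HEALTH_CHECK_RANGES], ports: ['all'] },
  { name: 'allow-gke-master', direction: 'INGRESS', sourceRanges: ['MASTER_CIDR_PLACEHOLDER'], ports: ['443', '10250'] },
];

// Constructed drift: someone widened the SSH rule to the whole internet.
const driftedRules: FirewallRule[] = expectedRules.map(r =>
  r.name === 'allow-iap-ssh' ? { ...r, sourceRanges: [ANYWHERE] } : r,
);

console.log('expected rules:', lintFirewallRules(expectedRules));
console.log('drifted rules:', lintFirewallRules(driftedRules));
```

Run it against the rule objects exported by the Pulumi program (or the output of `gcloud compute firewall-rules list --format=json`, mapped into `FirewallRule`) as a CI step, so a widened source range fails the pipeline before it reaches the VPC.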
## Configuration
```yaml
# Pulumi.dev.yaml
config:
  serko-northsky:gkeSubnetCidr: "10.0.1.0/24"
  serko-northsky:privateSubnetCidr: "10.0.2.0/24"
  serko-northsky:podCidr: "10.1.0.0/16"
  serko-northsky:serviceCidr: "10.2.0.0/16"
```
### IP Address Planning
| CIDR Block | Purpose | Usable IPs |
|---|---|---|
| 10.0.1.0/24 | GKE nodes | 254 |
| 10.0.2.0/24 | Private services | 254 |
| 10.1.0.0/16 | Kubernetes pods | 65,534 |
| 10.2.0.0/16 | Kubernetes services | 65,534 |
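A check for the plan in the table, added here as an example and not part of the project's code: it parses each CIDR from `Pulumi.dev.yaml`, reports any pair of ranges that overlap (the node, pod, service and private ranges must all be disjoint or subnet creation fails or traffic becomes unroutable), and computes the usable-host counts the table shows. The `brokenPlan` is a constructed mistake to show the detection.

```typescript
// Added example, not the project's own code: validate the CIDR plan before `pulumi up`.

interface CidrRange {
  readonly cidr: string;
  readonly prefix: number;
  readonly start: number; // first address, as an unsigned 32-bit integer
  readonly end: number;   // last address, as an unsigned 32-bit integer
}

function ipToInt(ip: string): number {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`invalid IPv4 address: ${ip}`);
  }
  // `>>> 0` converts the signed 32-bit result of the bit operations back to unsigned.
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

function parseCidr(cidr: string): CidrRange {
  const parts = cidr.split('/');
  if (parts.length !== 2) throw new Error(`expected address/prefix, got ${cidr}`);
  const prefix = Number(parts[1]);
  if (!Number.isInteger(prefix) || prefix < 0 || prefix > 32) {
    throw new Error(`invalid prefix length in ${cidr}`);
  }
  const hostBits = 32 - prefix;
  const mask = hostBits === 32 ? 0 : (0xffffffff << hostBits) >>> 0;
  const start = (ipToInt(parts[0]) & mask) >>> 0; // normalise to the network address
  const end = start + 2 ** hostBits - 1;
  return { cidr, prefix, start, end };
}

// Usable hosts as the table above counts them (network and broadcast excluded).
function usableHosts(range: CidrRange): number {
  return range.prefix >= 31 ? 0 : 2 ** (32 - range.prefix) - 2;
}

function overlaps(a: CidrRange, b: CidrRange): boolean {
  return a.start <= b.end && b.start <= a.end;
}

// One message per overlapping pair; an empty array means the plan is clean.
function findOverlaps(plan: Record<string, string>): string[] {
  const entries = Object.entries(plan).map(([name, cidr]) => ({ name, range: parseCidr(cidr) }));
  const problems: string[] = [];
  for (let i = 0; i < entries.length; i++) {
    for (let j = i + 1; j < entries.length; j++) {
      const a = entries[i];
      const b = entries[j];
      if (overlaps(a.range, b.range)) {
        problems.push(`${a.name} (${a.range.cidr}) overlaps ${b.name} (${b.range.cidr})`);
      }
    }
  }
  return problems;
}

// The four ranges from Pulumi.dev.yaml on this page.
const devPlan: Record<string, string> = {
  gkeSubnetCidr: '10.0.1.0/24',
  privateSubnetCidr: '10.0.2.0/24',
  podCidr: '10.1.0.0/16',
  serviceCidr: '10.2.0.0/16',
};

// Constructed mistake: the pod range carved out of the same /16 as both subnets.
const brokenPlan: Record<string, string> = { ...devPlan, podCidr: '10.0.0.0/16' };

console.log('dev plan overlaps:', findOverlaps(devPlan));
console.log('broken plan overlaps:', findOverlaps(brokenPlan));
for (const [name, cidr] of Object.entries(devPlan)) {
  console.log(`${name} ${cidr}: ${usableHosts(parseCidr(cidr))} usable hosts`);
}
```

Note that Google Cloud reserves the first two and last two addresses of each subnet's primary range, so the nodes actually schedulable in a /24 are slightly fewer than the conventional 254; budget node counts against that, not the table figure.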
## Outputs
```typescript
interface NetworkOutputs {
  vpcId: string;
  vpcName: string;
  gkeSubnetId: string;
  gkeSubnetName: string;
  privateSubnetId: string;
  privateSubnetName: string;
  k8sIngressIpAddress: string;
  sslCertificateName: string;
}
```
## Usage in Other Components
The network is passed to dependent components:
```typescript
const network = new Network('network', {
  projectId,
  region,
  gkeSubnetCidr: '10.0.1.0/24',
  privateSubnetCidr: '10.0.2.0/24',
  podCidr: '10.1.0.0/16',
  serviceCidr: '10.2.0.0/16',
});

// GKE uses the network
const gke = new GkeCluster('gke', {
  network: network.vpc,
  subnet: network.gkeSubnet,
  // ...
});

// Cloud SQL uses the private VPC connection
const mainDb = new MainDB('main-db', {
  vpcSelfLink: network.vpc.selfLink,
  privateVpcConnection: network.privateVpcConnection,
  // ...
}, { dependsOn: [network] });
```
## Private Service Access
The network configures Private Service Access for managed services like Cloud SQL:
- IP Range Allocation: Reserves a /16 range for Google services
- VPC Peering: Creates peering to `servicenetworking.googleapis.com`
- Private Connectivity: Databases accessible only within the VPC
## Static IP for Ingress
A global static IP address is reserved for the GKE Ingress load balancer:
```typescript
this.k8sIngressIp = new gcp.compute.GlobalAddress(
  `${name}-k8s-ingress-ip`,
  {
    name: `serko-northsky-${config.environment}-k8s-ip`,
    project: config.projectId,
    addressType: "EXTERNAL",
    description: "Static IP for Kubernetes Ingress load balancer",
  }
);
```
## DNS Configuration
Point your DNS records to the static IP:
| Domain | Record Type | Value |
|---|---|---|
| app.{env}.serko-northsky.com | A | Static IP from Pulumi output |
| langfuse.{env}.serko-northsky.com | A | Static IP from Pulumi output |
| tools.{env}.serko-northsky.com | A | Static IP from Pulumi output |
| docs.{env}.serko-northsky.com | A | Static IP from Pulumi output |

Get the static IP:
```bash
pulumi stack output k8sIngressIpAddress
```
## SSL/TLS Certificate
A Google-managed SSL certificate is provisioned for HTTPS:
```typescript
this.sslCertificate = new gcp.compute.ManagedSslCertificate(
  `${name}-ssl-cert`,
  {
    name: `serko-northsky-${config.environment}-ssl-cert-v2`,
    project: config.projectId,
    managed: {
      domains: [
        `app.${config.environment}.serko-northsky.com`,
        `langfuse.${config.environment}.serko-northsky.com`,
        `tools.${config.environment}.serko-northsky.com`,
        `docs.${config.environment}.serko-northsky.com`,
      ],
    },
  }
);
```
### Certificate Provisioning
The certificate goes through these stages:
- PROVISIONING: Initial state, waiting for DNS validation
- ACTIVE: Certificate is valid and serving traffic

Check certificate status:
```bash
gcloud compute ssl-certificates list --project=PROJECT_ID
gcloud compute ssl-certificates describe serko-northsky-{env}-ssl-cert-v2 --project=PROJECT_ID
```

:::note
DNS records must be configured and propagated before the certificate becomes ACTIVE. This can take up to 24 hours.
:::
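Because a single domain without a propagated A record keeps the whole four-domain certificate in PROVISIONING, it helps to see per-domain status rather than only the top-level one. The following is an added example, not the project's code: it reads the JSON that `gcloud compute ssl-certificates describe ... --format=json` prints and lists the domains that are still blocking ACTIVE. It assumes the Compute API's managed-certificate fields `managed.status` and `managed.domainStatus`; the sample documents are constructed, with `dev` as the environment.

```typescript
// Added example, not the project's own code: summarise `gcloud compute
// ssl-certificates describe <name> --format=json` output per domain.

interface ManagedSslDescribe {
  name: string;
  type?: string;
  managed?: {
    status?: string;                       // e.g. PROVISIONING, ACTIVE
    domains?: string[];
    domainStatus?: Record<string, string>; // per-domain status, same vocabulary
  };
}

interface CertReport {
  name: string;
  status: string;
  pendingDomains: string[]; // domains whose status is anything other than ACTIVE
  ready: boolean;           // true only when the certificate and every domain are ACTIVE
}

function reportCertificate(describeJson: string): CertReport {
  const cert = JSON.parse(describeJson) as ManagedSslDescribe;
  if (!cert.managed) {
    throw new Error(`${cert.name} is not a Google-managed certificate`);
  }
  const status = cert.managed.status ?? 'UNKNOWN';
  const domainStatus = cert.managed.domainStatus ?? {};
  // Prefer the declared domain list so a domain missing from domainStatus is still reported.
  const domains = cert.managed.domains ?? Object.keys(domainStatus);
  const pendingDomains = domains.filter(d => domainStatus[d] !== 'ACTIVE');
  return { name: cert.name, status, pendingDomains, ready: status === 'ACTIVE' && pendingDomains.length === 0 };
}

const domains = ['app', 'langfuse', 'tools', 'docs'].map(h => `${h}.dev.serko-northsky.com`);

// Constructed sample: the docs record has not propagated, so that one domain
// (and therefore the whole certificate) is still PROVISIONING.
const provisioningSample = JSON.stringify({
  name: 'serko-northsky-dev-ssl-cert-v2',
  type: 'MANAGED',
  managed: {
    status: 'PROVISIONING',
    domains,
    domainStatus: {
      [domains[0]]: 'ACTIVE',
      [domains[1]]: 'ACTIVE',
      [domains[2]]: 'ACTIVE',
      [domains[3]]: 'PROVISIONING',
    },
  },
});

// Constructed sample: everything validated.
const activeSample = JSON.stringify({
  name: 'serko-northsky-dev-ssl-cert-v2',
  type: 'MANAGED',
  managed: {
    status: 'ACTIVE',
    domains,
    domainStatus: Object.fromEntries(domains.map(d => [d, 'ACTIVE'])),
  },
});

console.log(reportCertificate(provisioningSample));
console.log(reportCertificate(activeSample));
```

Pipe the real describe output into `reportCertificate` and fix the A record for each name in `pendingDomains`; re-run after propagation rather than waiting out the full 24 hours blind.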