I have 2 services, let's call them Service 1 and Service 2.
Service 1 is a Kubernetes cluster, while Service 2 has been deployed on a single VM. Both services have separate Global Load Balancers set up.
Now, I would like to set up IAP for the service deployed on the Kubernetes cluster (Service 1), but there are hooks from Service 2 that are not able to connect to Service 1 behind IAP.
The idea is to set up Internal Load Balancers for each service and add a DNS entry with this internal IP address, to allow those hooks to work.
However, I am wondering whether there are any other possible ways to do it.
TL;DR: Service 1 should be behind IAP, however Service 2 can't talk to Service 1 behind IAP, so there is a need for a workaround to omit IAP for this one connection only.
CodePudding user response:
There is no way to implement this the way you described it. When a service is fronted with IAP, all calls (from outside and inside the VPC) have to be authenticated with IAP.
The solution is to deploy a set of internal load balancers in front of Service 1 and use those from Service 2 (via Cloud DNS to resolve the LB IP, for example).
This solution is better anyway: having Service 2 call Service 1 via IAP (i.e. via the external load balancer) means you will pay for egress traffic, because you are technically sending traffic to the internet even though both apps are on Google Cloud! With an internal load balancer you only pay for zonal traffic, or nothing if both services are in the same zone. You also get lower latency!
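A worked example of the two-front-door setup the answer describes, added here and not taken from the original answer: the external path keeps IAP via a GKE BackendConfig, while a second Service of type LoadBalancer with the GKE internal annotation gives in-VPC callers (Service 2's hooks) a route that never leaves Google's network. The app name, namespace, Cloud DNS private zone, hostname and IP are hypothetical placeholders.

```shell
#!/bin/sh
# Added example (not from the original answer). Service 1 gets an IAP-protected
# external path plus an internal load balancer for Service 2's hooks; the
# internal LB IP is published in a Cloud DNS *private* zone. Names are placeholders.
APP_NAME="${APP_NAME:-service1}"
NAMESPACE="${NAMESPACE:-default}"
DNS_ZONE="${DNS_ZONE:-internal-zone}"
DNS_NAME="${DNS_NAME:-service1.internal.example.}"
# Emit both manifests. The external-facing Service must reference the
# BackendConfig via the cloud.google.com/backend-config annotation (not shown).
render_manifests() {
  cat <<EOF
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: ${APP_NAME}-iap
  namespace: ${NAMESPACE}
spec:
  iap:
    enabled: true
    oauthclientCredentials:
      secretName: ${APP_NAME}-iap-oauth   # holds the OAuth client_id/client_secret
---
apiVersion: v1
kind: Service
metadata:
  name: ${APP_NAME}-internal
  namespace: ${NAMESPACE}
  annotations:
    networking.gke.io/load-balancer-type: "Internal"   # VPC-only, no IAP in front
spec:
  type: LoadBalancer
  selector:
    app: ${APP_NAME}
  ports:
  - port: 443
    targetPort: 8443
EOF
}
# Build the Cloud DNS command that maps the hook hostname to the internal LB IP.
dns_record_cmd() {
  printf 'gcloud dns record-sets create %s --zone=%s --type=A --ttl=300 --rrdatas=%s\n' \
    "$DNS_NAME" "$DNS_ZONE" "$1"
}
# Only touch the cluster/project when explicitly asked: ./setup.sh apply
if [ "${1:-}" = "apply" ]; then
  render_manifests | kubectl apply -f -
  LB_IP=$(kubectl -n "$NAMESPACE" get svc "${APP_NAME}-internal" -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
  eval "$(dns_record_cmd "$LB_IP")"
fi
```

Service 2 then calls `https://service1.internal.example` (resolved only inside the VPC), while every request from the internet still passes through IAP on the external load balancer.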