
Control Plane Connectivity — DNS-Based vs IP-Based Endpoint, Authorized Networks

Endpoint Types

DNS-Based Endpoint (Traditional)

GKE Cluster: my-cluster
Region: us-central1

Endpoint: my-cluster-xxxxx.us-central1.gke.io

kubelet connects using DNS name

Advantage: IP can change, DNS resolves to latest IP

Disadvantage: DNS lookup latency, caching issues

IP-Based Endpoint (Modern)

GKE Cluster: my-cluster
Region: us-central1

Endpoint: 35.238.123.45 (direct IP)

kubelet connects using IP directly

Advantage: No DNS lookup, direct connection

Disadvantage: IP is fixed (if it changes, kubeconfig must be updated)


Authorized Networks

GKE allows you to restrict control plane access by IP:

```yaml
# authorizedNetworks security policy
# Illustrative shape; in the GKE API the equivalent entries live under
# masterAuthorizedNetworksConfig.cidrBlocks (displayName / cidrBlock).
authorizedNetworks:
- name: "office"
  cidrBlock: "203.0.113.0/24"
- name: "vpn"
  cidrBlock: "198.51.100.0/24"
```

Effect: Only the specified IP ranges can reach the control plane


Node to Control Plane

Node (kubelet) needs to reach the control plane

Via authorized network:
  ├─ If private cluster: Cloud NAT egress IP
  ├─ If standard: node external IP
  └─ Must match authorizedNetworks list
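A pre-rollout check for the two sections above, written as an added example (not from the original page or from GKE's tooling): it takes the authorizedNetworks list from the YAML, derives each node's egress IP the way the text describes (Cloud NAT IP for a private cluster, node external IP otherwise), and reports which nodes would be locked out. The node inventory and its field names are constructed for the example; a real one would be pulled from the GKE or Compute API.

```python
import ipaddress
from typing import Dict, List, Optional

# Same list as the authorizedNetworks YAML above (constructed sample).
AUTHORIZED_NETWORKS: List[Dict[str, str]] = [
    {"name": "office", "cidrBlock": "203.0.113.0/24"},
    {"name": "vpn", "cidrBlock": "198.51.100.0/24"},
]

# Constructed node inventory; field names are hypothetical, not GKE API fields.
NODES: List[Dict] = [
    {"name": "gke-std-node-1", "private_cluster": False,
     "external_ip": "198.51.100.17", "nat_egress_ip": None},
    {"name": "gke-priv-node-1", "private_cluster": True,
     "external_ip": None, "nat_egress_ip": "203.0.113.200"},
    {"name": "gke-priv-node-2", "private_cluster": True,
     "external_ip": None, "nat_egress_ip": "192.0.2.9"},
]


def node_egress_ip(node: Dict) -> Optional[str]:
    """Source IP the control plane sees: the Cloud NAT egress IP for a
    private cluster, the node's own external IP for a standard cluster."""
    return node["nat_egress_ip"] if node["private_cluster"] else node["external_ip"]


def matching_network(ip: str, networks: List[Dict[str, str]]) -> Optional[str]:
    """Name of the first authorized network whose CIDR contains ip, else None."""
    addr = ipaddress.ip_address(ip)
    for net in networks:
        if addr in ipaddress.ip_network(net["cidrBlock"], strict=False):
            return net["name"]
    return None


def audit_nodes(nodes: List[Dict], networks: List[Dict[str, str]]) -> Dict[str, Optional[str]]:
    """Map each node name to the network that admits it; None means the node
    would lose control-plane access once the policy is applied."""
    result: Dict[str, Optional[str]] = {}
    for node in nodes:
        ip = node_egress_ip(node)
        result[node["name"]] = matching_network(ip, networks) if ip else None
    return result


if __name__ == "__main__":
    for name, net in audit_nodes(NODES, AUTHORIZED_NETWORKS).items():
        print(f"{name}: {'allowed via ' + net if net else 'NOT authorized'}")
```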

Summary

  • DNS-based: Dynamic, lookup latency
  • IP-based: Direct, fixed IP
  • Authorized networks: Firewall-level restriction
  • Node connectivity: Must be authorized