
Private Cluster Control Plane — Private Endpoint, Cloud NAT, Node → Control-Plane Access

Private Cluster Architecture

Public Internet: no access

GKE Private Cluster:
├─ Control Plane: Private endpoint (no public IP)
├─ Nodes: Private (no public IPs)
└─ All communication: Via VPC / Private Service Connect

Private Endpoint

Standard Cluster:
  Control Plane: 35.238.123.45 (public IP)
  Access: Any internet connection

Private Cluster:
  Control Plane: 10.0.0.5 (private IP)
  Access: Via VPC only

Node to Control Plane Access

Without Cloud NAT (Private Nodes)

Problem: Private nodes need to reach the private control plane
Solution: VPC routing handles this automatically (no NAT needed)

Node (10.0.2.10) → Control Plane (10.0.0.5)
Via: VPC internal routing

Admin Access to Private Cluster

Admin laptop (public internet)
  Cannot directly reach the private control plane

Solution: Use kubectl port-forward via a bastion
  OR: Use Identity-Aware Proxy (IAP)
  OR: Jump host inside the VPC

Cloud NAT for Egress

Private nodes need outbound access (e.g., to pull images from a registry):

Node (private IP) needs to reach an external service

Cloud NAT translates:
  - Source: private IP → public NAT IP
  - Routing: Via the NAT gateway to the internet
  - Response: Translated back → node
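The three translation steps above, as an added example that is not part of the original page and is not Google's Cloud NAT code: a small Python model with one public NAT IP, sequential port allocation and a flow table. All addresses (10.0.2.10, 203.0.113.7, 198.51.100.20) are constructed. The point it adds to the page is the reverse direction: only a reply to an existing flow is mapped back to a node, so an unsolicited inbound packet to the NAT IP goes nowhere, which is why Cloud NAT gives private nodes egress without exposing them.

```python
import ipaddress


class CloudNatModel:
    """Toy model of the source NAT that Cloud NAT performs for private nodes.

    Added example, not Google's implementation: one public NAT IP, sequential
    port allocation, and a flow table keyed on the full tuple, which is enough
    to show both directions of the translation."""

    def __init__(self, nat_public_ip, first_port=1024):
        self.nat_ip = str(ipaddress.ip_address(nat_public_ip))
        self.next_port = first_port
        self.egress = {}    # (node_ip, node_port, dst_ip, dst_port) -> nat_port
        self.ingress = {}   # nat_port -> (node_ip, node_port, dst_ip, dst_port)

    def translate_egress(self, node_ip, node_port, dst_ip, dst_port):
        """Node -> internet: rewrite the private source to (nat_ip, nat_port)."""
        if not ipaddress.ip_address(node_ip).is_private:
            raise ValueError(f"{node_ip} is not a private node address")
        flow = (node_ip, node_port, dst_ip, dst_port)
        if flow not in self.egress:          # new connection: allocate a NAT port
            self.egress[flow] = self.next_port
            self.ingress[self.next_port] = flow
            self.next_port += 1
        return self.nat_ip, self.egress[flow]

    def translate_ingress(self, src_ip, src_port, nat_port):
        """Internet -> node: only a reply that matches an existing flow is
        mapped back; anything else (unsolicited inbound) is dropped (None)."""
        flow = self.ingress.get(nat_port)
        if flow is None or (flow[2], flow[3]) != (src_ip, src_port):
            return None
        return flow[0], flow[1]


def demo():
    """Walk one outbound connection (e.g. an image pull) through the NAT.
    Constructed addresses: node 10.0.2.10, NAT IP 203.0.113.7, registry 198.51.100.20."""
    nat = CloudNatModel("203.0.113.7")
    out = nat.translate_egress("10.0.2.10", 40000, "198.51.100.20", 443)
    back = nat.translate_ingress("198.51.100.20", 443, out[1])   # the reply
    stray = nat.translate_ingress("192.0.2.99", 22, out[1])      # unsolicited: dropped
    return out, back, stray


if __name__ == "__main__":
    print(demo())
```

Run it directly to see the (public IP, port) the node is seen as, the reply mapped back to the node, and `None` for the stray packet.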

Security Benefits

Private Control Plane:
├─ Not exposed to internet
├─ Reduced DDoS surface
├─ Firewall rules restrict access
└─ Compliance (data residency)
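To check whether a cluster actually has the posture described in the Private Endpoint, Node to Control Plane Access and Security Benefits sections, an offline audit over a cluster description is useful. This is an added example, not from the original page and not a Google tool. The two sample clusters are constructed; their field names (privateClusterConfig, masterAuthorizedNetworksConfig and their children) are the ones the GKE clusters API uses in `gcloud container clusters describe --format=json` output, but every value is made up, and the node subnet is supplied separately because it comes from the VPC, not the cluster description.

```python
import ipaddress

# Constructed sample shaped like `gcloud container clusters describe --format=json`.
# Field names follow the GKE clusters API; all values are made up for this example.
WEAK_CLUSTER = {
    "name": "mostly-private",
    "privateClusterConfig": {
        "enablePrivateNodes": True,
        "enablePrivateEndpoint": False,          # public endpoint still on
        "masterIpv4CidrBlock": "10.0.0.0/28",
        "privateEndpoint": "10.0.0.2",
        "publicEndpoint": "203.0.113.10",
    },
    "masterAuthorizedNetworksConfig": {
        "enabled": True,
        "cidrBlocks": [{"cidrBlock": "0.0.0.0/0", "displayName": "anywhere"}],
    },
}

HARDENED_CLUSTER = {
    "name": "private-only",
    "privateClusterConfig": {
        "enablePrivateNodes": True,
        "enablePrivateEndpoint": True,           # no public endpoint at all
        "masterIpv4CidrBlock": "10.0.0.0/28",
        "privateEndpoint": "10.0.0.2",
    },
    "masterAuthorizedNetworksConfig": {
        "enabled": True,
        "cidrBlocks": [{"cidrBlock": "10.0.3.5/32", "displayName": "bastion"}],
    },
}

# Constructed: the VPC subnet the node pool lives in (not part of the describe output).
NODE_SUBNET = "10.0.2.0/24"

RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(net):
    return any(net.subnet_of(r) for r in RFC1918)


def audit_private_cluster(cluster, node_subnet=NODE_SUBNET):
    """Return a list of findings; an empty list means the cluster matches the
    private-cluster posture described on the page."""
    findings = []
    node_net = ipaddress.ip_network(node_subnet)
    pcc = cluster.get("privateClusterConfig", {})

    if not pcc.get("enablePrivateNodes"):
        findings.append("nodes get public IPs (enablePrivateNodes is false)")
    if not pcc.get("enablePrivateEndpoint"):
        findings.append("control plane public endpoint is enabled: "
                        f"{pcc.get('publicEndpoint', 'unknown')}")

    master = pcc.get("masterIpv4CidrBlock")
    if master is None:
        findings.append("no masterIpv4CidrBlock: control plane is not private")
    else:
        master_net = ipaddress.ip_network(master)
        if master_net.prefixlen != 28:
            findings.append(f"master range {master} must be a /28")
        if not is_rfc1918(master_net):
            findings.append(f"master range {master} is not RFC 1918")
        if master_net.overlaps(node_net):
            findings.append(f"master range {master} overlaps node subnet {node_net}")

    man = cluster.get("masterAuthorizedNetworksConfig", {})
    if not man.get("enabled"):
        findings.append("master authorized networks disabled: any reachable IP may connect")
    for block in man.get("cidrBlocks", []):
        net = ipaddress.ip_network(block["cidrBlock"])
        label = block.get("displayName", "")
        if net.prefixlen == 0:
            findings.append(f"authorized network '{label}' allows any source ({net})")
        elif not is_rfc1918(net):
            findings.append(f"authorized network '{label}' is a public range ({net}), not inside the VPC")
    return findings


def node_control_plane_path(node_ip, cluster):
    """Describe how a node reaches the control plane (the page's
    'Node (10.0.2.10) -> Control Plane (10.0.0.5) via VPC internal routing')."""
    pcc = cluster.get("privateClusterConfig", {})
    node = ipaddress.ip_address(node_ip)
    if node.is_private and pcc.get("privateEndpoint"):
        return f"{node} -> {pcc['privateEndpoint']} via VPC internal routing"
    if pcc.get("publicEndpoint"):
        return f"{node} -> {pcc['publicEndpoint']} via the public endpoint"
    return "unreachable"


if __name__ == "__main__":
    for cluster in (WEAK_CLUSTER, HARDENED_CLUSTER):
        print(cluster["name"], audit_private_cluster(cluster) or "OK")
    print(node_control_plane_path("10.0.2.10", HARDENED_CLUSTER))
```

The weak sample produces two findings (public endpoint still enabled, authorized networks open to any source); the hardened one produces none. Feeding a real describe output into `audit_private_cluster` only needs the JSON parsed into a dict and the node pool's subnet CIDR looked up from the VPC.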

Summary

  • Private endpoint: Control plane not accessible from internet
  • VPC routing: Node-to-control-plane automatic
  • Admin access: Requires bastion, IAP, or port-forward
  • NAT outbound: Cloud NAT for external access
  • Security: Reduced attack surface, compliance benefit