GCP Adding Private Service Connection IP range to master authorized network throws error

AMMJ

7/23/23, 3:08 PM

I followed this this GCP guide to be able to reach a Kubernetes Cluster private endpoint with Cloud Build jobs. I have set up everything (using Terraform). The final step in the guide is adding the (cloud build) private pool network range to the authorized networks of the cluster as such:

gcloud container clusters update PRIVATE_CLUSTER_NAME \
--enable-master-authorized-networks \
--region=REGION \
--master-authorized-networks=PRIVATE_POOL_NETWORK/PRIVATE_POOL_PREFIX

I have a private pool set up with an internal IP range of 192.170.0.0/16.

NAME: cloud-build-private-pool
ADDRESS/RANGE: 192.170.0.0/16
TYPE: INTERNAL
PURPOSE: VPC_PEERING
NETWORK: cb-runner-network
REGION:
SUBNET:
STATUS: RESERVED

But when I add the CIDR to the master authorized networks I get this error:

Invalid master authorized networks: network "192.170.0.0/16" is not a reserved network, which is required for private endpoints.

I tried everything but cant think of a reason why the allocated IP range cant be added. Help would be much appreciated.

0 + 0

google

google-cloud-platform

google-kubernetes-engine

Ron Maupin

7/23/23, 3:24 PM

That IPv4 address range actually belongs to someone else. It is not in one of the IPv4 Private address ranges.

AMMJ

7/23/23, 3:27 PM

Could you clarify your answer? The linked GCP guide suggests that adding the private pool network range to the control plane authorized networks should work

Ron Maupin

7/23/23, 3:42 PM

Notice in the document you have, it uses IPv4 Private addressing. You are trying to use a public address range that is assigned to other companies. For example, HP owns the `192.170.0.0/24` network that is part of the network you are trying to use. You cannot simply grab IP networks for your own use.

AMMJ

7/23/23, 3:48 PM

192.170.0.0/16 is an internal IP range though, not a public one.

Ron Maupin

7/23/23, 3:57 PM

`192.170.0.0/16` does not belong to you, and your are not authorized to use it. Even trying to use it internally means that you will not be able to contact any of the companies authorized to use it on the public Internet. You use addresses from the three IPv4 Private address ranges for internal addressing because that is the specific reason for those address ranges.

AMMJ

7/23/23, 4:24 PM

Ah thank you! That explains everything. Problem solved.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: GCP Adding Private Service Connection IP range to master authorized network throws error

TH: GCP การเพิ่มช่วง IP ของการเชื่อมต่อบริการส่วนตัวให้กับเครือข่ายหลักที่ได้รับอนุญาตเกิดข้อผิดพลาด

RO: GCP Adăugarea intervalului IP de conexiune la serviciu privat la rețeaua autorizată principală generează o eroare

RU: GCP при добавлении диапазона IP-адресов подключения частной службы к основной авторизованной сети выдает ошибку

VI: GCP Thêm phạm vi IP của kết nối dịch vụ riêng vào mạng chính được ủy quyền ném lỗi

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.