Setup NAT for API cluster (#1272)

jakubno · web-flow · commit 1578cca62eb9 · 2025-10-09T07:04:35.000-07:00
diff --git a/iac/provider-gcp/Makefile b/iac/provider-gcp/Makefile
@@ -20,6 +20,8 @@ tf_vars := 	TF_VAR_environment=$(TERRAFORM_ENVIRONMENT) \
 	$(call tfvar, CLIENT_CLUSTER_CACHE_DISK_SIZE_GB) \
 	$(call tfvar, API_MACHINE_TYPE) \
 	$(call tfvar, API_CLUSTER_SIZE) \
+	$(call tfvar, API_USE_NAT) \
+	$(call tfvar, API_NAT_IPS) \
 	$(call tfvar, BUILD_MACHINE_TYPE) \
 	$(call tfvar, BUILD_CLUSTER_SIZE) \
 	$(call tfvar, BUILD_CLUSTER_ROOT_DISK_SIZE_GB) \
diff --git a/iac/provider-gcp/main.tf b/iac/provider-gcp/main.tf
@@ -105,6 +105,9 @@ module "cluster" {
   loki_node_pool         = var.loki_node_pool
   orchestrator_node_pool = var.orchestrator_node_pool
 
+  api_use_nat = var.api_use_nat
+  api_nat_ips = var.api_nat_ips
+
   logs_health_proxy_port = var.logs_health_proxy_port
   logs_proxy_port        = var.logs_proxy_port
 
diff --git a/iac/provider-gcp/nomad-cluster/main.tf b/iac/provider-gcp/nomad-cluster/main.tf
@@ -91,6 +91,10 @@ module "network" {
   cloudflare_api_token_secret_name = var.cloudflare_api_token_secret_name
 
   gcp_project_id = var.gcp_project_id
+  gcp_region     = var.gcp_region
+
+  api_use_nat = var.api_use_nat
+  api_nat_ips = var.api_nat_ips
 
   api_port                  = var.api_port
   docker_reverse_proxy_port = var.docker_reverse_proxy_port
diff --git a/iac/provider-gcp/nomad-cluster/network/main.tf b/iac/provider-gcp/nomad-cluster/network/main.tf
@@ -792,3 +792,37 @@ resource "google_compute_security_policy" "disable-bots-log-collector" {
     }
   }
 }
+
+# Cloud Router for NAT
+resource "google_compute_router" "nat_router" {
+  count   = var.api_use_nat ? 1 : 0
+  name    = "${var.prefix}nat-router"
+  network = var.network_name
+  region  = var.gcp_region
+}
+
+# Static IP addresses for NAT (only created if explicit IPs not provided)
+resource "google_compute_address" "nat_ips" {
+  count  = var.api_use_nat && length(var.api_nat_ips) == 0 ? 2 : 0
+  name   = "${var.prefix}nat-ip-${count.index + 1}"
+  region = var.gcp_region
+}
+
+# Cloud NAT for API nodes
+resource "google_compute_router_nat" "api_nat" {
+  count                              = var.api_use_nat ? 1 : 0
+  name                               = "${var.prefix}api-nat"
+  router                             = google_compute_router.nat_router[0].name
+  nat_ip_allocate_option             = "MANUAL_ONLY"
+  nat_ips                            = length(var.api_nat_ips) > 0 ? var.api_nat_ips : google_compute_address.nat_ips[*].self_link
+  source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES"
+
+  log_config {
+    enable = true
+    filter = "ERRORS_ONLY"
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
diff --git a/iac/provider-gcp/nomad-cluster/network/variables.tf b/iac/provider-gcp/nomad-cluster/network/variables.tf
@@ -27,6 +27,17 @@ variable "gcp_project_id" {
   type = string
 }
 
+variable "gcp_region" {
+  type = string
+}
+
+variable "api_use_nat" {
+  type = bool
+}
+
+variable "api_nat_ips" {
+  type = list(string)
+}
 
 variable "cloudflare_api_token_secret_name" {
   type = string
diff --git a/iac/provider-gcp/nomad-cluster/nodepool-api.tf b/iac/provider-gcp/nomad-cluster/nodepool-api.tf
@@ -146,7 +146,7 @@ resource "google_compute_instance_template" "api" {
     network = var.network_name
 
     dynamic "access_config" {
-      for_each = ["public_ip"]
+      for_each = var.api_use_nat ? [] : ["public_ip"]
       content {}
     }
   }
diff --git a/iac/provider-gcp/nomad-cluster/variables.tf b/iac/provider-gcp/nomad-cluster/variables.tf
@@ -325,3 +325,13 @@ variable "orchestrator_base_hugepages_percentage" {
   description = "The percentage of memory to use for preallocated hugepages."
   type        = number
 }
+
+variable "api_use_nat" {
+  description = "Whether API nodes should use NAT with dedicated external IPs."
+  type        = bool
+}
+
+variable "api_nat_ips" {
+  type        = list(string)
+  description = "List of names for static IP addresses to use for NAT. If empty and api_use_nat is true, IPs will be created automatically."
+}
diff --git a/iac/provider-gcp/variables.tf b/iac/provider-gcp/variables.tf
@@ -47,6 +47,18 @@ variable "api_node_pool" {
   default = "api"
 }
 
+variable "api_use_nat" {
+  type        = bool
+  description = "Whether API nodes should use NAT with dedicated external IPs."
+  default     = false
+}
+
+variable "api_nat_ips" {
+  type        = list(string)
+  description = "List of names for static IP addresses to use for NAT. If empty and api_use_nat is true, IPs will be created automatically."
+  default     = []
+}
+
 variable "api_resources_cpu_count" {
   type    = number
   default = 2

Original file line number	Diff line number	Diff line change
`@@ -146,7 +146,7 @@ resource "google_compute_instance_template" "api" {`
`146`	`146`	`network = var.network_name`
`147`	`147`
`148`	`148`	`dynamic "access_config" {`
`149`		`- for_each = ["public_ip"]`
	`149`	`+ for_each = var.api_use_nat ? [] : ["public_ip"]`
`150`	`150`	`content {}`
`151`	`151`	`}`
`152`	`152`	`}`