Authorized Networks for GKE Cluster Master Access

This Course explores how to implement virtual private clouds on the Google Cloud Platform. It starts off with an overview, where you'll be introduced to the key concepts and components that make up a virtual private cloud.

After covering basic VPC concepts and components, we'll dive into peering VPCs, shared VPCs, and VPC flow logs, including a hands-on demonstration of how to configure flow logs. We’ll also look at routing and network address translation, before moving on to Google Kubernetes Engine clusters. We’ll cover VPC-native clusters and alias IPs, as well as clustering with shared VPCs.

You’ll learn how to add authorized networks for GKE cluster master access and we finish off by looking at firewall rules. We’ll cover network tags, service accounts, and the importance of priority. You’ll also learn about ingress rules, egress rules, and firewall logs.

If you have any feedback related to this Course, feel free to contact us at

Learning Objectives

  • Get a foundational understanding of virtual private clouds on GCP
  • Learn about VPC peering and sharing
  • Learn about VPC flow logs and how to configure them
  • Learn about routing in GCP and how to configure a static route
  • Understand the pros and cons of VPC-native GKE clusters
  • Learn about cluster network policies
  • Understand how to configure and manage firewall rules in GCP

Intended Audience

This Course is intended for anyone who wants to learn how to implement virtual private clouds on the Google Cloud Platform.


To get the most from this Course, you should already have experience with the public cloud and networking, as well as an understanding of GCP architecture.


Hello, and welcome to Authorized Networks for GKE Cluster Master Access. In this brief lesson, we’ll take a look at how to grant authorized networks access to cluster masters in Google Kubernetes Engine.

Authorized networks let you define specific CIDR ranges of IP addresses that are allowed to access a cluster's control plane endpoint via HTTPS. These authorized networks are supported for all clusters. Essentially, what an authorized network does is block access to the cluster for untrusted IP addresses from outside of Google Cloud. They are not used to block access from addresses that exist inside Google Cloud.

Leveraging authorized networks allows you to securely administer your GKE cluster over the internet from virtually anywhere. The TLS and authentication that GKE uses ensure the security of your connection.

I should mention that, since private clusters, by default, don’t allow access via public IPs over the internet to the control plane endpoint, when you use an authorized network in a private cluster, it makes its control plane reachable only by allowed CIDRs, by nodes and pods within the cluster’s VPC, and by Google’s internal management of the control plane.

The image on your screen shows how to add an authorized network to an existing cluster, via the console.

Join me in the next lesson, where we’ll dive into firewall rules.
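
An added example, not part of the course material: a Python check that audits a cluster's authorized-network CIDR list for invalid or overly broad entries and tests whether a source address falls inside it. The sample cluster description is constructed, and the /16 review threshold and the function names are assumptions.

```python
import ipaddress

# Constructed sample shaped like the masterAuthorizedNetworksConfig field of
# `gcloud container clusters describe --format=json`; all values are made up.
SAMPLE_CLUSTER = {
    "name": "example-cluster",
    "masterAuthorizedNetworksConfig": {
        "enabled": True,
        "cidrBlocks": [
            {"displayName": "office", "cidrBlock": "203.0.113.0/24"},
            {"displayName": "vpn", "cidrBlock": "198.51.100.17/32"},
            {"displayName": "temp-debug", "cidrBlock": "0.0.0.0/0"},
            {"displayName": "typo", "cidrBlock": "192.0.2.300/32"},
        ],
    },
}

MIN_PREFIX = 16  # assumed review threshold: flag anything broader than a /16


def parse_blocks(cluster):
    """Return (valid_networks, findings) for a cluster description dict."""
    cfg = cluster.get("masterAuthorizedNetworksConfig") or {}
    if not cfg.get("enabled"):
        return [], ["authorized networks are not enabled"]
    nets, findings = [], []
    for block in cfg.get("cidrBlocks", []):
        name, cidr = block.get("displayName", "?"), block.get("cidrBlock", "")
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            findings.append(f"{name}: invalid CIDR {cidr!r}")
            continue
        nets.append(net)
        if net.prefixlen == 0:
            findings.append(f"{name}: {net} allows every address")
        elif net.prefixlen < MIN_PREFIX:
            findings.append(f"{name}: {net} is broader than /{MIN_PREFIX}")
    return nets, findings


def matches_authorized_cidr(cluster, source_ip):
    """True if source_ip falls inside one of the configured CIDR blocks."""
    nets, _ = parse_blocks(cluster)
    addr = ipaddress.ip_address(source_ip)
    return any(addr.version == n.version and addr in n for n in nets)


if __name__ == "__main__":
    for finding in parse_blocks(SAMPLE_CLUSTER)[1]:
        print(finding)
```

The match function models only the CIDR allowlist for external addresses; as the lesson notes, authorized networks are not used to block addresses inside Google Cloud.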

About the Author

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long and interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.