This page lists firewall requirements and VPC endpoint requirements for GKE on AWS.
Firewall requirements
To use GKE on AWS, you must allow outbound access from your cluster to the following domains:
- .gcr.io
- cloudresourcemanager.googleapis.com
- container.googleapis.com
- gkeconnect.googleapis.com
- gkehub.googleapis.com
- oauth2.googleapis.com
- securetoken.googleapis.com
- storage.googleapis.com
- sts.googleapis.com
- www.googleapis.com
- servicecontrol.googleapis.com
- logging.googleapis.com
- monitoring.googleapis.com
- opsconfigmonitoring.googleapis.com
- GCP_LOCATION-gkemulticloud.googleapis.com
Replace GCP_LOCATION with the Google Cloud region in which your GKE on AWS cluster resides. Specify us-west1 or another supported region.
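The following added example (not part of this page or of GKE on AWS itself) turns the list above into a checkable egress allowlist: it substitutes the region into the templated entry and matches hostnames label by label, so a lookalike such as storage.googleapis.com.attacker.example is rejected. It assumes the common proxy-allowlist convention that a leading dot (.gcr.io) covers the apex and every subdomain; the `check_egress` helper and the region format check are this example's own.

```python
import re

# Egress allowlist for GKE on AWS, copied from the domain list on this page.
# A leading dot is taken to mean "this domain and every subdomain"
# (assumed proxy-allowlist convention; the page does not define it).
REQUIRED_DOMAINS = [
    ".gcr.io",
    "cloudresourcemanager.googleapis.com",
    "container.googleapis.com",
    "gkeconnect.googleapis.com",
    "gkehub.googleapis.com",
    "oauth2.googleapis.com",
    "securetoken.googleapis.com",
    "storage.googleapis.com",
    "sts.googleapis.com",
    "www.googleapis.com",
    "servicecontrol.googleapis.com",
    "logging.googleapis.com",
    "monitoring.googleapis.com",
    "opsconfigmonitoring.googleapis.com",
    "GCP_LOCATION-gkemulticloud.googleapis.com",
]


def allowlist_for_region(region: str) -> list[str]:
    """Substitute the cluster's Google Cloud region (e.g. us-west1) into the
    templated entry. The format check is a local sanity check, not a list of
    supported regions."""
    if not re.fullmatch(r"[a-z]+-[a-z]+[0-9]", region):
        raise ValueError(f"unexpected region format: {region!r}")
    return [d.replace("GCP_LOCATION", region) for d in REQUIRED_DOMAINS]


def host_allowed(host: str, allowlist: list[str]) -> bool:
    """Exact entries must match the whole hostname; dotted entries match the
    apex or any subdomain. No substring matching, so
    'storage.googleapis.com.attacker.example' and 'evilgcr.io' are rejected."""
    host = host.rstrip(".").lower()
    for entry in allowlist:
        if entry.startswith("."):
            apex = entry[1:]
            if host == apex or host.endswith("." + apex):
                return True
        elif host == entry:
            return True
    return False


def check_egress(hosts: list[str], region: str) -> list[str]:
    """Return the hostnames that a firewall built from this list would block."""
    allowlist = allowlist_for_region(region)
    return [h for h in hosts if not host_allowed(h, allowlist)]
```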
VPC Endpoints
VPC endpoints let resources in private subnets access AWS services without public internet access.
The following table lists the AWS services that GKE on AWS requires VPC endpoints for, along with the type of endpoint and the Security Groups that require access to the endpoint.
| Service | Endpoint type | Security groups |
|---|---|---|
| Auto Scaling | Interface | Control plane, node pools |
| EC2 | Interface | Control plane, node pools |
| EFS | Interface | Control plane |
| Load Balancing | Interface | Control plane, node pools |
| Key Management Service | Interface | Control plane, node pools |
| S3 | Gateway | Control plane, node pools |
| Secrets Manager | Interface | Control plane, node pools |
| Security Token Service (STS) | Interface | Control plane, node pools |
You can create endpoints from the AWS VPC Console. The options you set when creating VPC endpoints depend on your VPC configuration.
What's next
- Use a proxy for your GKE clusters.