Forwarding rule's subnetwork must have purpose=PRIVATE

[arlando]

Hello!

When I try to use the ingress-gce to create an internal cloud native HTTP load balancer I get an error the load balancer cannot be created because the purpose of the subnetwork's purpose is not PRIVATE.

I've followed the steps as per the docs https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balance-ingress#console but I can't tell what I'm missing.

First, I created a subnetwork an INTERNAL HTTPS LOAD BALANCER in terraform v1.0.3 and the latest google provider:

resource "google_compute_subnetwork" "ilb_network" {
  provider   = google-beta
  name          = "test-network"
  ip_cidr_range = "10.39.0.0/23"
  region        = "us-east4"
  purpose       = "INTERNAL_HTTPS_LOAD_BALANCER"
  role          = "ACTIVE"
  network       = "fuzz-vpc"
}

Next, I created a firewall rule to allow traffic from the proxy only subnetwork to my GKE cluster. Finally, I created a static IP within the subnet.

$ kubectl describe ing
Name:             cool-website
Labels:           <none>
Namespace:        default
Address:
Ingress Class:    <none>
Default backend:  cool-website:80 (<IP>:3000)
Rules:
  Host        Path  Backends
  ----        ----  --------
  *           *     cool-website:80 (*:3000)
Annotations:  kubernetes.io/ingress.class: gce-internal
              kubernetes.io/ingress.regional-static-ip-name: staticip
Events:
  Type     Reason  Age                   From                     Message
  ----     ------  ----                  ----                     -------
  Normal   Sync    7m16s (x9 over 67m)   loadbalancer-controller  Scheduled for sync
  Warning  Sync    6m59s (x13 over 65m)  loadbalancer-controller  Error syncing to GCP: error running load balancer syncing routine: loadbalancer 7pc1f-default-cool-website-a1lva1 does not exist: googleapi: Error 400: Invalid value for field 'resource.subnetwork': 'https://www.googleapis.com/compute/v1/projects/<REDACTED>/regions/us-east4/subnetworks/test-network'. Forwarding rule's subnetwork must have purpose=PRIVATE., invalid

Any reason why this is happening? Note the 7pc1x9ef-default-cool-website-a185lva1 is never created AFAIK. There is no way for me to create a subnetwork with a PRIVATE purpose unless I am misunderstanding something. I've doubled checked and my GKE cluster seems to be created correctly with the right configuration variables. Any advise would be appreciated.

[spencerhance]

Hi @arlando !

I think the issue here is that your static IP is in the wrong subnet. Can you try creating it in any other subnet besides the proxy-only one?

The IP address must be from a subnet in the same region as the GKE cluster. You can use any available private subnet within the region (with the exception of the [proxy-only subnet](https://cloud.google.com/load-balancing/docs/l7-internal/setting-up-l7-internal#configure-a-network)). Different Ingress resources can also have addresses from different subnets.

https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balance-ingress#static_ip_addressing

[arlando]

Thank you @spencerhance! That worked!