# Firewall rules and VPC endpoints

This page lists firewall requirements and VPC endpoint requirements for
GKE on AWS.

Firewall requirements
---------------------

To use GKE on AWS, you must allow your cluster access to the
following domains.

    .gcr.io
    cloudresourcemanager.googleapis.com
    container.googleapis.com
    gkeconnect.googleapis.com
    gkehub.googleapis.com
    oauth2.googleapis.com
    securetoken.googleapis.com
    storage.googleapis.com
    sts.googleapis.com
    www.googleapis.com
    servicecontrol.googleapis.com
    logging.googleapis.com
    monitoring.googleapis.com
    opsconfigmonitoring.googleapis.com
    GCP_LOCATION-gkemulticloud.googleapis.com

Replace `GCP_LOCATION` with the Google Cloud region in which your
GKE Enterprise cluster resides. Specify `us-west1` or another
[supported region](/kubernetes-engine/multi-cloud/docs/aws/reference/supported-regions).

VPC Endpoints
-------------

VPC endpoints let resources in private subnets access AWS services without
public internet access.

The following table lists the AWS services that GKE on AWS
requires VPC endpoints for, along with the type of endpoint and the
[Security Groups](/kubernetes-engine/multi-cloud/docs/aws/reference/security-groups) that require access
to the endpoint.

**Important:** You must enable [Private DNS](https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html#vpce-private-dns) (also called **Enable DNS name** on the AWS console) on interface endpoints.

You can create endpoints from the AWS
[VPC Console](https://console.aws.amazon.com/vpc/home). The
options you set when creating VPC endpoints depend on your VPC configuration.

What's next
-----------

- [Use a proxy](/kubernetes-engine/multi-cloud/docs/aws/how-to/use-a-proxy) for your GKE clusters.

Last updated 2025-08-28 UTC.
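The two requirements above (the egress domain allow-list and Private DNS on interface endpoints) are both things a platform team will want to verify rather than assume. The following script is an added example, not code from this page or from Google Cloud or AWS: it encodes the domain list exactly as given above, treats a leading dot as "this domain and any subdomain", substitutes `GCP_LOCATION`, checks hosts seen in egress proxy logs against that list, and parses the JSON that `aws ec2 describe-vpc-endpoints` returns to flag interface endpoints whose `PrivateDnsEnabled` field is false. The proxy log format, the VPC endpoint IDs and the `service-a`/`service-b` service names are constructed sample data and do not reflect the services in the page's table.

```python
"""Offline checks for the GKE on AWS firewall and VPC endpoint requirements.

Added example; uses constructed sample input so it runs without AWS access.
"""
import json

# Egress allow-list copied from the page. A leading dot is read here as
# "the domain itself and any host under it"; GCP_LOCATION is a placeholder.
REQUIRED_DOMAINS = [
    ".gcr.io",
    "cloudresourcemanager.googleapis.com",
    "container.googleapis.com",
    "gkeconnect.googleapis.com",
    "gkehub.googleapis.com",
    "oauth2.googleapis.com",
    "securetoken.googleapis.com",
    "storage.googleapis.com",
    "sts.googleapis.com",
    "www.googleapis.com",
    "servicecontrol.googleapis.com",
    "logging.googleapis.com",
    "monitoring.googleapis.com",
    "opsconfigmonitoring.googleapis.com",
    "GCP_LOCATION-gkemulticloud.googleapis.com",
]


def allowed_domains(gcp_location):
    """Return the allow-list with GCP_LOCATION replaced by the cluster's region."""
    return [d.replace("GCP_LOCATION", gcp_location) for d in REQUIRED_DOMAINS]


def host_allowed(host, allowlist):
    """True if host is covered by an allow-list entry (case-insensitive)."""
    host = host.lower().rstrip(".")
    for entry in allowlist:
        if entry.startswith("."):
            # ".gcr.io" covers "gcr.io" and "us.gcr.io" but not "evil-gcr.io".
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def blocked_hosts(proxy_log_lines, allowlist):
    """Hosts in egress proxy log lines that the allow-list would not permit.

    Constructed log format: "<timestamp> CONNECT <host>".
    """
    blocked = set()
    for line in proxy_log_lines:
        host = line.split()[-1]
        if not host_allowed(host, allowlist):
            blocked.add(host)
    return sorted(blocked)


def endpoints_missing_private_dns(describe_output):
    """Service names of Interface endpoints with Private DNS disabled.

    describe_output is the JSON text produced by
    `aws ec2 describe-vpc-endpoints`; Gateway endpoints have no Private DNS
    setting and are skipped.
    """
    data = json.loads(describe_output)
    return sorted(
        ep["ServiceName"]
        for ep in data["VpcEndpoints"]
        if ep["VpcEndpointType"] == "Interface" and not ep.get("PrivateDnsEnabled", False)
    )


# Constructed sample inputs (not real logs or real account data).
SAMPLE_PROXY_LOG = [
    "2025-08-28T10:00:01Z CONNECT us.gcr.io",
    "2025-08-28T10:00:02Z CONNECT gkeconnect.googleapis.com",
    "2025-08-28T10:00:03Z CONNECT us-west1-gkemulticloud.googleapis.com",
    "2025-08-28T10:00:04Z CONNECT registry.example.invalid",
]

SAMPLE_DESCRIBE_VPC_ENDPOINTS = json.dumps({"VpcEndpoints": [
    {"VpcEndpointId": "vpce-0000example1", "VpcEndpointType": "Interface",
     "ServiceName": "com.amazonaws.us-west-2.service-a", "PrivateDnsEnabled": True},
    {"VpcEndpointId": "vpce-0000example2", "VpcEndpointType": "Interface",
     "ServiceName": "com.amazonaws.us-west-2.service-b", "PrivateDnsEnabled": False},
    {"VpcEndpointId": "vpce-0000example3", "VpcEndpointType": "Gateway",
     "ServiceName": "com.amazonaws.us-west-2.s3"},
]})

if __name__ == "__main__":
    # A cluster in us-west1: only the unrelated registry host is blocked.
    print(blocked_hosts(SAMPLE_PROXY_LOG, allowed_domains("us-west1")))
    # The same logs checked against a europe-west1 allow-list also flag the
    # regional gkemulticloud endpoint, which is the usual misconfiguration.
    print(blocked_hosts(SAMPLE_PROXY_LOG, allowed_domains("europe-west1")))
    print(endpoints_missing_private_dns(SAMPLE_DESCRIBE_VPC_ENDPOINTS))
```

Feed `blocked_hosts` the hostnames your egress proxy or firewall actually logs, and `endpoints_missing_private_dns` the saved output of `aws ec2 describe-vpc-endpoints`; any interface endpoint it lists will resolve to the public service address from inside the VPC until Private DNS is enabled.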