akkornel / gcs_gcp

Infrastructure as Code to run Globus Connect Server in Google Cloud

Switch Packer to a NAT? #9

Closed akkornel closed 3 years ago

akkornel commented 3 years ago

Right now the Packer temporary instances run in a VPC that allows outbound traffic, and with instances that have an ephemeral public IP address.

We need the outbound connectivity, because the temporary instance is downloading software & updating packages. It's a core need that Packer be able to connect out to the outside world.

But, the traffic is all outbound, not inbound. So we could use a NAT. Instead of using a public IP, all outbound traffic would go through the NAT, making things a little more secure: It would require the use of IAP for SSH, it would insulate us from messed-up firewall rules, and it would mean any bad code that gets onto the instance wouldn't be able to allow inbound connections.

On the other hand, there is a cost to running everything through a NAT, both a per-instance-per-minute cost and a per-GB cost. And Packer downloads a lot of data each time it runs, so that would be a notable cost.

So, should we switch Packer to use a NAT?
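As an added example (not code from this repository), this is what the switch described above would look like in Terraform and Packer HCL: a Cloud NAT for outbound traffic, an ingress rule that admits SSH only from IAP's TCP-forwarding range, and a Packer builder that omits the ephemeral public IP and tunnels SSH through IAP. The resource names, `var.project_id`/`var.region`/`var.zone`, the `packer` network tag and the image family are assumptions; `35.235.240.0/20` is Google's documented IAP TCP-forwarding source range.

```hcl
# --- terraform (hypothetical network.tf) ---
resource "google_compute_router" "packer" {
  name    = "packer-router"            # assumed name
  network = google_compute_network.packer.id
  region  = var.region
}

# Cloud NAT: every instance in the VPC can reach the internet
# without owning a public IP, so nothing on the internet can reach it.
resource "google_compute_router_nat" "packer" {
  name                               = "packer-nat"
  router                             = google_compute_router.packer.name
  region                             = var.region
  nat_ip_allocate_option             = "AUTO_ONLY"
  source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES"
}

# The only ingress path to port 22 is IAP's TCP-forwarding range,
# so a mistaken 0.0.0.0/0 rule elsewhere no longer exposes SSH.
resource "google_compute_firewall" "iap_ssh" {
  name          = "packer-allow-iap-ssh"
  network       = google_compute_network.packer.name
  direction     = "INGRESS"
  source_ranges = ["35.235.240.0/20"]
  target_tags   = ["packer"]          # assumed tag, matched below
  allow {
    protocol = "tcp"
    ports    = ["22"]
  }
}

# --- packer (hypothetical gcs.pkr.hcl) ---
source "googlecompute" "gcs" {
  project_id          = var.project_id
  zone                = var.zone
  source_image_family = "debian-11"   # assumed base image
  network             = "packer"
  subnetwork          = "packer"
  tags                = ["packer"]    # picks up the IAP-only SSH rule
  omit_external_ip    = true          # no ephemeral public IP
  use_internal_ip     = true
  use_iap             = true          # Packer opens its SSH tunnel via IAP
  ssh_username        = "packer"
}
```

The second comment's constraint still applies: with Packer running inside Cloud Build's own VPC, `use_iap` is the piece that lets it reach the private instance, and the whole arrangement only works where IAP tunnelling is available to the build environment.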

akkornel commented 3 years ago

Right now we can't do this. Packer is running in Cloud Build, which runs in its own VPC. We don't have any way to connect to the Cloud Build VPC, so the only way Packer can connect to the temporary instance is to go through the temporary instance's public IP.