From 2da08af756e9e33ee2932df32e59a955f5eca80d Mon Sep 17 00:00:00 2001
From: Daniel Goldstein
Date: Thu, 11 May 2023 12:09:16 -0400
Subject: [PATCH] [batch] Allow private job network traffic to internal IPs (#13036)

---
 batch/batch/cloud/gcp/driver/create_instance.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/batch/batch/cloud/gcp/driver/create_instance.py b/batch/batch/cloud/gcp/driver/create_instance.py
index 55e567e5788..2843f8c6286 100644
--- a/batch/batch/cloud/gcp/driver/create_instance.py
+++ b/batch/batch/cloud/gcp/driver/create_instance.py
@@ -268,10 +268,14 @@ def scheduling() -> dict:
 iptables --append FORWARD --destination $INTERNAL_GATEWAY_IP --jump ACCEPT
 # And this worker
 iptables --append FORWARD --destination $IP_ADDRESS --jump ACCEPT
-# Forbid outgoing requests to cluster-internal IP addresses
+# Allow traffic going to the internet
 INTERNET_INTERFACE=$(ip link list | grep ens | awk -F": " '{{ print $2 }}')
 iptables --append FORWARD --out-interface $INTERNET_INTERFACE ! --destination 10.128.0.0/16 --jump ACCEPT
 
+# [private]
+# Allow all traffic from the private job network
+iptables --append FORWARD --source 172.20.0.0/16 --jump ACCEPT
+
 {make_global_config_str}
 
 # retry once
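Review bot: The new `--source 172.20.0.0/16` ACCEPT rule matches on source address alone, so any forwarded packet carrying a 172.20.0.0/16 source is accepted whatever its ingress interface or destination, which deliberately lifts the `! --destination 10.128.0.0/16` exclusion the rule above still applies to everything else. If 172.20.0.0/16 is only ever assigned on the private job network's own interface, pinning the rule to it, e.g. `iptables --append FORWARD --in-interface <PRIVATE_NET_INTERFACE> --source 172.20.0.0/16 --jump ACCEPT` (the interface name is not shown in this hunk), keeps the source range from being claimed by traffic arriving from another network, and a comment such as `# private jobs may reach cluster-internal IPs (10.128.0.0/16) that the rule above denies` records that the widening is intended. Whether `# [private]` is a plain comment or a marker some other code keys on is not visible here; if it is a marker, its contract belongs in a comment beside it. The enclosing f-string and function start and end outside the hunk.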