Note: Since writing this post, I joined Google. We have released a feature called IP Aliases that addresses the problem described in this article, and much more. Activating IP Aliases requires creating a new cluster. If you can’t do that, then you can now change the configuration of the ip-masquerade-agent as described here. This gives the same end-result as the solution described in this article, but is much cleaner.