Hello everyone, I need help with a rather complicated situation. I'll try to explain it in the simplest way possible:
I have an on-premise environment that communicates through a cloud VPN with Google Cloud Platform (GCP). I've created another project with a Linux VM that needs to send and receive traffic from the on-premise environment, passing through a firewall located in another VPC. So, I need the flow: onprem --> vpn --> firewall --> vm, and the reverse flow as well.
Currently, I have the following routes:
Now, I'm having difficulty creating routes from the VM's VPC to the firewall's VPC because when I set the next hop as the firewall's IP address, I get an error because it is not part of the subnet of the VPC where I'm trying to create the rule.
I should mention that during the peering creation, I didn't enable the export of rules flag because it would conflict with existing rules and create problems in other currently operational environments in my infrastructure.
One last thing: once I reach the firewall, I'll handle the routing from within the firewall. What do you recommend?
Hi @lucafound,
Based on the information you have provided, you are setting up a complex network setup involving a VPN connection to GCP, a firewall VPC, and a VM in a separate VPC.
First, consider routes from the VM's VPC to the firewall's VPC:
1. Since you've connected your VM's network with the firewall's network using peering, you can set up routes in the VM's network to reach the firewall. However, you can't directly use the firewall's IP as the next stop due to subnet limitations. A practical way to handle this is by creating a custom route. Specify the next stop as the internal IP address of a Google Cloud Load Balancer within the firewall's network. This Load Balancer serves as a go-between, allowing communication.
2. Alternatively, you can use the peering connection itself. Add routes in the VM's network, directing traffic to the firewall's CIDR (IP range), using the peering connection as the next stop. This helps establish a path through the peering connection.
Exporting Routes:
1. If enabling route export while setting up peering is causing problems, carefully check your existing routing rules to avoid unintended issues when turning it on. Exporting routes is essential for smooth communication between VPCs through peering.
2. If you can't enable route export due to conflicts with existing rules, you may need to review and potentially adjust your existing routing setup to make it work with the new requirements.
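As an added illustration of the reply's first recommendation and its route-export point (example configuration, not code posted in the thread), a Terraform fragment for a custom static route in the VM's VPC whose next hop is the internal passthrough load balancer fronting the firewall in the peered VPC. Project names, network names, the on-premise range and the load balancer address are all placeholders, and it assumes, as the reply does, that the load balancer address in the peered network is accepted as a next hop.

```hcl
# Constructed example: route from the VM's VPC toward the on-premise range
# via the firewall's internal load balancer in the peered VPC.
# All project names, network names, ranges and addresses are placeholders.

# Peering on the firewall side: export the firewall VPC's custom routes
# (the reply's "Exporting Routes" point). Review existing routes in every
# peered environment before enabling this, since exported routes are
# imported wherever import_custom_routes is set.
resource "google_compute_network_peering" "fw_to_vm" {
  name                 = "fw-to-vm"
  network              = "projects/fw-project/global/networks/fw-vpc"
  peer_network         = "projects/vm-project/global/networks/vm-vpc"
  export_custom_routes = true
}

# Peering on the VM side: import the routes the firewall VPC exports,
# so the return path learned in fw-vpc is also known in vm-vpc.
resource "google_compute_network_peering" "vm_to_fw" {
  name                 = "vm-to-fw"
  network              = "projects/vm-project/global/networks/vm-vpc"
  peer_network         = "projects/fw-project/global/networks/fw-vpc"
  import_custom_routes = true
}

# Custom static route in the VM's VPC. next_hop_ilb takes the internal
# address of the firewall's internal passthrough load balancer forwarding
# rule. Using next_hop_ip = "10.20.0.10" instead would be rejected,
# because that address is not inside any subnet of vm-vpc (the error
# described in the question).
resource "google_compute_route" "vm_to_onprem_via_fw" {
  name         = "vm-to-onprem-via-fw"
  network      = "projects/vm-project/global/networks/vm-vpc"
  dest_range   = "192.168.0.0/16" # placeholder on-premise range
  next_hop_ilb = "10.20.0.10"     # placeholder ILB address in fw-vpc
  priority     = 1000
}
```

The firewall still needs its own routes back toward the VM's subnet and toward the VPN, which the question says will be handled from within the firewall.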