Hello,
I have a requirement to set up on-prem to GCP connectivity using Cloud VPN. On the GCP side there are GCE VMs and a GKE cluster. My question is: can a single VPN tunnel be shared between GCE and GKE workloads, or is there any extra configuration for GKE clusters, like Cloud NAT, IP whitelisting, etc.?
Hi @dheerajpanyam,
A single VPN tunnel, when utilizing Cloud VPN, should suffice for connecting your on-premises network with both GCE and GKE workloads. However, if you opt for a High Availability (HA) VPN, you'll need at least two tunnels to ensure redundancy and meet the requirements for the 99.99% availability SLA [1].
In terms of GKE configurations, it's important to verify proper routing and firewall settings. Ensure that there are no overlapping subnets between your on-premises network and the GKE subnets, as this can cause routing conflicts. Additionally, you may need to configure IP whitelisting to secure access to your GKE resources.
If you're using private clusters in GKE, also consider setting up Private Google Access to allow your clusters to reach Google services without assigning public IP addresses to the nodes.
You should also check this documentation for the best practices regarding hybrid topologies.
I hope this helps. Thank you.
Thanks @lawrencenelson . I am confused about overlapping subnets. Does it matter since Cloud VPN uses public internet? I thought it matters only with Cloud Interconnect options.
Hi @dheerajpanyam, I'll quote mebius99's answer from ServerFault here [1].
You can't use Cloud VPN with overlapping subnets. The Cloud VPN documentation claims that you actually may connect client's infrastructure but routing will not work as you need.
Since another NIC can't be added to the existing VM instance, VLAN compliant with the IEEE 802.1q standard could be a solution. VLAN Attachments are supported for Dedicated Interconnect and Partner Interconnect.
If you prefer to stick with Cloud VPN, using static NAT for the whole subnet could be considered to shift it to another address range.
[1] https://serverfault.com/questions/989268/overlapping-subnetworks-with-google-cloud-ipsec-vpn
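The two points raised in this thread, that Cloud VPN cannot route correctly across overlapping ranges, and that static NAT of the whole on-prem subnet is the fallback if the ranges cannot be changed, are easy to check before any tunnel is built. The script below is an added example, not code from the thread or from Google; it does a pre-flight overlap check of a constructed address plan (the CIDRs are assumptions for illustration) covering the GCE subnet and all the ranges a GKE cluster consumes: the node subnet, the pod and service secondary ranges, and the control-plane range of a private cluster. For a conflicting on-prem range it proposes a same-sized block out of an assumed NAT pool (100.64.0.0/10 is used here because it is shared address space that rarely collides with either side) that overlaps nothing on either side.

```python
"""Pre-flight address-plan check before building Cloud VPN to a VPC with GCE and GKE.

Added example; the address plan below is constructed for illustration.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

Net = ipaddress.IPv4Network

# Constructed example address plan (assumption, not from the thread).
# A GKE cluster consumes more than its node subnet: pods and services come from
# secondary ranges, and a private cluster adds a control-plane range.
ONPREM_RANGES = {
    "onprem-dc1": "10.10.0.0/16",
    "onprem-office": "192.168.1.0/24",
}
GCP_RANGES = {
    "gce-subnet": "10.32.0.0/20",
    "gke-nodes": "10.10.16.0/22",      # sits inside onprem-dc1: a conflict
    "gke-pods": "10.64.0.0/14",
    "gke-services": "10.96.0.0/20",
    "gke-control-plane": "172.16.0.0/28",
}


def parse_ranges(ranges: Dict[str, str]) -> Dict[str, Net]:
    """strict=True rejects CIDRs with host bits set, a typo that can hide an overlap."""
    return {name: ipaddress.ip_network(cidr, strict=True) for name, cidr in ranges.items()}


def find_overlaps(onprem: Dict[str, Net], gcp: Dict[str, Net]) -> List[Tuple[str, str]]:
    """Every (on-prem, GCP) pair whose ranges overlap; routing over the tunnel
    cannot tell the two sides apart for such addresses."""
    return sorted(
        (a, b)
        for a, a_net in onprem.items()
        for b, b_net in gcp.items()
        if a_net.overlaps(b_net)
    )


def suggest_nat_range(conflicting: Net, taken: Iterable[Net], pool: Net) -> Optional[Net]:
    """Pick a block the same size as `conflicting` out of `pool` that overlaps
    nothing in `taken`. This is the 'static NAT for the whole subnet' option:
    on-prem keeps its real addresses and presents the returned block to GCP."""
    if conflicting.prefixlen < pool.prefixlen:
        return None  # the pool is smaller than the block we would need
    taken = list(taken)
    for candidate in pool.subnets(new_prefix=conflicting.prefixlen):
        if not any(candidate.overlaps(t) for t in taken):
            return candidate
    return None


def preflight(
    onprem_cidrs: Dict[str, str],
    gcp_cidrs: Dict[str, str],
    nat_pool: str = "100.64.0.0/10",  # assumed pool for the NAT'd presentation range
) -> Dict[str, object]:
    """Report overlaps and, for each conflicting on-prem range, a free NAT block
    (None when the pool cannot provide one)."""
    onprem, gcp = parse_ranges(onprem_cidrs), parse_ranges(gcp_cidrs)
    overlaps = find_overlaps(onprem, gcp)
    # The NAT block must not collide with anything on either side, the real
    # on-prem range included, so every known range counts as taken.
    taken = list(onprem.values()) + list(gcp.values())
    suggestions: Dict[str, Optional[str]] = {}
    for onprem_name, _ in overlaps:
        if onprem_name in suggestions:
            continue
        block = suggest_nat_range(onprem[onprem_name], taken, ipaddress.ip_network(nat_pool))
        suggestions[onprem_name] = str(block) if block else None
    return {"ok": not overlaps, "overlaps": overlaps, "nat_suggestions": suggestions}


if __name__ == "__main__":
    report = preflight(ONPREM_RANGES, GCP_RANGES)
    if report["ok"]:
        print("no overlaps: safe to bring up the tunnel")
    for onprem_name, gcp_name in report["overlaps"]:
        print(f"CONFLICT: {onprem_name} overlaps {gcp_name}; "
              f"NAT candidate: {report['nat_suggestions'][onprem_name]}")
```

Run it against the real ranges from `gcloud compute networks subnets describe` (primary range plus `secondaryIpRanges`) and the private cluster's `privateClusterConfig.masterIpv4CidrBlock`; any pair it reports must be renumbered or NATed before the tunnel is worth building, because a single overlap breaks routing for GCE and GKE alike.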