My use case is on-prem VMware migration to GCVE. As a prerequisite I have set up a Classic VPN tunnel between GCP and on-premises. Cloud VPN status is showing an error with “failed with first handshake”. I want to configure VPC Flow Logs to troubleshoot this connectivity issue, more so because of its new metadata addition, which introduces components like VPN gateways (both GCP and on-premises), from what I watched in this video. Once I have configured VPC Flow Logs I would like to use the VPC Flow Analyzer to see the traffic path taken by a test from a GCVE VM to an on-premises VM, to understand where exactly the packet is getting dropped.
My question is to understand VPC Flow Logs configuration. I see that VPC Flow Logs can be configured at the VPC, subnet and Cloud VPN levels. Do I need to configure flow logs at all these levels just because a typical packet would touch all these services, or is it enough if I enable flow logs for Cloud VPN only? I would also like to understand the Flow Logs analyzer query to fetch the traffic path.
You’re correct that VPC Flow Logs can be configured at the VPC, subnet, and Cloud VPN levels, and you don’t need to configure all of them for troubleshooting. In your scenario, it would be best to start by configuring VPC Flow Logs at the subnet level. Enabling them on the subnet of your GCVE and the test VM in GCP will provide a more detailed view of the traffic flow.
VPC Flow Logs primarily capture network interface traffic, even though the Cloud VPN gateway is part of the traffic path. Information about the VPN gateway, such as its ID and other relevant details, is added to the flow logs originating from the subnet when traffic passes through the VPN. You do not configure flow logs directly on the VPN gateway. Instead, this VPN gateway information is automatically included in the existing flow logs from your subnets.
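An added example (not code from the thread or from Google) of the kind of path check the answer describes: it reads subnet-level VPC Flow Log entries exported from Cloud Logging, keeps only the flows between the GCVE test VM and the on-premises host, and reports which hops (VM or VPN gateway) each side logged, flagging the case where only the outbound direction ever appears. Field names follow the VPC Flow Logs record format as I understand it (`connection.*`, `reporter`, `src_instance`/`dest_instance`, `src_gateway`/`dest_gateway`); the log lines, IPs and names are constructed for the example.

```python
# Added example: summarise VPC Flow Log records between two hosts and
# flag a missing return direction. Field names assumed from the VPC Flow
# Logs record format; sample entries below are constructed, not real.
import json
from collections import defaultdict

# Constructed sample export (one JSON entry per line): an outbound flow
# toward on-prem that carries VPN gateway metadata but has no reply, and
# an intra-VPC flow that is logged in both directions.
SAMPLE_LOG = """
{"jsonPayload":{"connection":{"src_ip":"10.10.0.5","dest_ip":"192.168.50.20","src_port":40000,"dest_port":22,"protocol":6},"reporter":"SRC","src_instance":{"vm_name":"gcve-test-vm"},"dest_gateway":{"type":"VPN","name":"onprem-vpn-gw"},"packets_sent":5}}
{"jsonPayload":{"connection":{"src_ip":"10.10.0.5","dest_ip":"10.10.0.7","src_port":40001,"dest_port":443,"protocol":6},"reporter":"SRC","src_instance":{"vm_name":"gcve-test-vm"},"dest_instance":{"vm_name":"other-vm"},"packets_sent":3}}
{"jsonPayload":{"connection":{"src_ip":"10.10.0.7","dest_ip":"10.10.0.5","src_port":443,"dest_port":40001,"protocol":6},"reporter":"SRC","src_instance":{"vm_name":"other-vm"},"dest_instance":{"vm_name":"gcve-test-vm"},"packets_sent":3}}
"""

def parse_flows(text):
    """Yield the jsonPayload of each newline-delimited Logging export entry."""
    for line in text.strip().splitlines():
        yield json.loads(line)["jsonPayload"]

def endpoint(p, side):
    """Describe what the record says sits at the src/dest: VM, gateway or external."""
    inst, gw = p.get(f"{side}_instance"), p.get(f"{side}_gateway")
    if inst:
        return f"vm:{inst['vm_name']}"
    if gw:
        return f"{gw['type'].lower()}-gw:{gw['name']}"
    return "external"

def path_report(text, ip_a, ip_b):
    """Collect flows between ip_a and ip_b per direction and judge the path."""
    seen = defaultdict(list)  # (src_ip, dest_ip) -> hop descriptions
    for p in parse_flows(text):
        c = p["connection"]
        if {c["src_ip"], c["dest_ip"]} != {ip_a, ip_b}:
            continue
        seen[(c["src_ip"], c["dest_ip"])].append(
            f"{endpoint(p, 'src')} -> {endpoint(p, 'dest')} "
            f"(reporter={p['reporter']}, pkts={p['packets_sent']})")
    fwd, rev = seen.get((ip_a, ip_b), []), seen.get((ip_b, ip_a), [])
    if fwd and not rev:
        verdict = "no return flow logged: loss is past GCP egress or on the return path"
    elif fwd and rev:
        verdict = "bidirectional flow logged"
    else:
        verdict = "no matching flow logged at all"
    return {"forward": fwd, "reverse": rev, "verdict": verdict}

if __name__ == "__main__":
    print(json.dumps(path_report(SAMPLE_LOG, "10.10.0.5", "192.168.50.20"), indent=2))
```

While the tunnel is still in the "failed with first handshake" state there is no tunnel traffic for flow logs to record; the IKE negotiation itself appears in Cloud VPN's own logs, not in VPC Flow Logs.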