How to route traffic in the same VPC but different subnets to a node(VM) first?

This is my simple architecture diagram. I want the traffic between VM1 and VM2 to be inspected by Node(VM) before reaching the destination.
However, the default route will allow vm1 and vm2 to communicate directly without going through the node. Is there any setting that can satisfy this part?

And I tried to add the static route, here is my setting:
Destination IPv4 range : 10.2.0.0/24
Next hop : Node IP 10.1.0.5
Priority : 0

It will show the error message:
Creating route “subnet1-to-gateway” failed. Error: Operation type [insert] failed with message “10.2.0.0/24 hides the address space of the network (10.2.0.0/24). Cannot change the routing of packets destined for the network.”

It means these ip are overridden by the default route?

unnamed.png822×614 21.2 KB

It’s not possible to route traffic directly between two VMs. To act as a mediator, place a node VM between them, assuming that inspection functions similarly to a firewall. In this setup, you’ll need to position an internal load balancer behind the node VM, which acts as a firewall, and the node VM functions as an L4 router.

Hi, thanks for your reply.

I still new for Google Cloud, you mean create a internal load balancer and backend choose the node VM? Or create a internal load balancer and backend choose two VM(VM1 and VM2)?
Could you explain it more specifically?

Thanks a lot!

Hi @playz0826 ,

By the looks of it, I can say that you’re trying to set up a custom route, based from what you’ve mentioned and based from the diagram, this is to direct the traffic between VM1 and VM2 through a designated node (VM) prior to reaching the destination.

Also, based from the error below, indicates a problem with the routing config.

I suggest you double-check the destination IP range of your custom route (10.2.0.0/24) and make sure it does not overlap with any existing routes in your network. Also, verify if IP forwarding is enabled on the Node VM. IP forwarding is required for the Node VM to handle traffic between VM1 and VM2.

Also a helpful tip, it is very necessary to consider if firewall rules are in place to allow traffic between VM1, VM2, and the Node VM. Check if there are firewall rules blocking the traffic.

Let me know if this helps.

In addition,

You may find this community discussion helpful as it somehow related to your concern.

Hi, Thanks for reply.

I already turn on ip forwarding on node VM, but still see the traffic of between VM1 and VM2 go straight to each other.

Does any setting I missing?

Thanks.

1. VM1 === add a tag
2. VM2 === add a tag
3. Create a custom route which forces traffic with the tag to go through the NODE VM.
   YOU HAVE A PROBLEM == How or why would NODE-VM be able to talk to both subnets? Are you dual-homing a VM? You cannot dual home because that requires multiple NICs. GCP will only let you have 1 nic in 1 VPC. Two subnets but still 1 VPC means you cannot have 2 NICs.
   If you dont have 2 NICs why do you think that NODE can communicate?
   And if NODE can communicate then the VMs can too, they just need to reomve their TAG.

So, do you mean by your answer the Custom Route with TAG can override the Subnet Route?