VPN connectivity between on-prem network, GCP consumer VPC and GCVE private cloud network

We are setting up a tunnel between our on-prem VMware environment (with a Cisco firewall) and GCP using a Classic VPN tunnel. On the GCP side, we also have a GCVE private cloud, which is connected to the Customer VPC via VPC Peering.

Currently, a subnet in the Customer VPC is included in both the on-prem tunnel configuration and the Classic VPN tunnel configuration. This allows on-prem and the Customer VPC to communicate with each other.

The question is:

  • How can on-prem and GCVE communicate with each other, since transitive peering is not allowed?

  • Do I need to explicitly include the GCVE network IP ranges in the tunnel configurations on both the on-prem side and the GCP Classic VPN side?

Or, since GCVE is already peered with the Customer VPC, can VMs in GCVE directly communicate with on-prem over the existing VPN tunnel without needing to add the GCVE IP ranges?
Please find the basic topology as well:
The subnet ranges are hypothetical; they are there just for understanding.


Hi @Anup_Dudhe,

Yes, you must include the GCVE network IP ranges in your VPN tunnel configuration on both sides, on-prem and Classic VPN, to allow routing of traffic from on-prem to the Customer VPC to GCVE.

  • On the on-prem side, configure the peer-to-peer VPN tunnel to include both the Customer VPC and GCVE CIDR blocks as remote networks.
  • On the GCP / Classic VPN side, GCVE network IP ranges must be included in the tunnel configuration so that traffic is accepted and routed correctly.

End-to-end connectivity and routing considerations:

When you use Cloud VPN for on-premises connection to the VPC network, you must add VMware Engine networks to the Cloud VPN tunnel.

  • Based on the networking documentation above, when using Cloud VPN to connect on-prem to the Customer VPC, and VPC peering to connect to GCVE, Import/Export of custom routes must be enabled on the VPC peering connection so that routes from on-prem are properly propagated into GCVE, and vice versa.

You may also find this documentation helpful; it has a detailed explanation of transit networks with multiple peerings, with the sample diagram provided below:

Because VPC Network Peering isn’t transitive, VM instances in network-a and network-c can’t communicate with each other unless you also connect networks network-a and network-c using VPC Network Peering:

If firewalls are configured correctly, the following connectivity scenarios are possible:

  • VM instances in network-a can reach other VMs in network-b and on-premises systems.
  • VM instances in network-c can reach other VMs in network-b and on-premises systems.
  • VM instances in network-b can reach other VMs in both network-a and network-c, as well as systems in the on-premises network.

The peering connections from network-b to network-a and from network-b to network-c are configured with the --export-custom-routes flag. The peering connections from network-a to network-b and from network-c to network-b are configured with the --import-custom-routes flag.
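As an added example (not from the original thread), a small Python check of the two things the answer asks for: that the Classic VPN tunnel's traffic selectors cover the GCVE ranges as well as the Customer VPC, and that the Customer VPC's peering to GCVE has custom-route import and export enabled. The field names follow the Compute API's vpnTunnels and network peering resources; the CIDRs and the "before"/"after" configs are constructed, hypothetical values.

```python
import ipaddress

# Constructed sample data standing in for `gcloud compute vpn-tunnels describe`
# and `gcloud compute networks peerings list` output. All ranges are hypothetical.
ONPREM_RANGES = ["192.168.0.0/16"]
CUSTOMER_VPC_RANGES = ["10.10.0.0/16"]
GCVE_RANGES = ["10.20.0.0/20", "10.21.0.0/24"]  # e.g. workload + management networks

# Policy-based Classic VPN tunnel, GCP side: only the Customer VPC subnet is
# in the local selector (the situation described in the question).
TUNNEL_BEFORE = {
    "localTrafficSelector": ["10.10.0.0/16"],
    "remoteTrafficSelector": ["192.168.0.0/16"],
}
# Same tunnel with the GCVE ranges added (what the answer recommends).
TUNNEL_AFTER = {
    "localTrafficSelector": ["10.10.0.0/16", "10.20.0.0/20", "10.21.0.0/24"],
    "remoteTrafficSelector": ["192.168.0.0/16"],
}
# Customer VPC's side of the peering to the GCVE network.
PEERING_BEFORE = {"exportCustomRoutes": False, "importCustomRoutes": False}
PEERING_AFTER = {"exportCustomRoutes": True, "importCustomRoutes": True}


def uncovered(ranges, selectors):
    """Return the prefixes in `ranges` not fully contained in any selector CIDR."""
    sel = [ipaddress.ip_network(s) for s in selectors]
    return [r for r in ranges
            if not any(ipaddress.ip_network(r).subnet_of(s) for s in sel)]


def check_reachability(tunnel, peering):
    """List the gaps that would stop on-prem <-> GCVE traffic over the
    Classic VPN tunnel plus the Customer-VPC/GCVE peering."""
    problems = []
    # GCP-side selector must carry the Customer VPC *and* GCVE ranges; the
    # remote selector must carry the on-prem ranges (mirror this on the Cisco side).
    for r in uncovered(CUSTOMER_VPC_RANGES + GCVE_RANGES, tunnel["localTrafficSelector"]):
        problems.append(f"local traffic selector does not cover {r}")
    for r in uncovered(ONPREM_RANGES, tunnel["remoteTrafficSelector"]):
        problems.append(f"remote traffic selector does not cover {r}")
    # Peering is not transitive: the on-prem routes the Customer VPC learns via the
    # tunnel only reach GCVE if exported, and GCVE routes only come back if imported.
    if not peering["exportCustomRoutes"]:
        problems.append("peering does not export custom routes to GCVE")
    if not peering["importCustomRoutes"]:
        problems.append("peering does not import custom routes from GCVE")
    return problems
```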