How to troubleshoot network flows across peered VPC

I'm trying to accomplish this: https://cloud.google.com/vpc/docs/vpc-peering#global and it isn't working. Specifically, I'm trying to access an external server via a VPN on a peered network.

My question is what tools are available for troubleshooting this? Are there any tricks to get insight into what is going on?

I've enabled flow logs, and I can see the SRC logs in the source VPC, but they have no dest information. I can see no logs in the peered network at all.

I'm new to Google VPCs and networking generally, so I could be missing something simple. I've checked the routes and firewall rules; they look correct on both VPCs.

Solution 1:

VPC Flow Logs is a great tool to debug network connection issues. However, in your case, I would recommend going through the following troubleshooting steps:

1. In your scenario, you need to make sure that the VPN connection is working and that you are able to reach the external on-prem server from a VM in Network-b using Cloud VPN.

2. Make sure the VPC peering is working and that VMs in Network-a are able to reach VMs in Network-b.

3. Make sure you add Cloud Router custom route advertisements in your VPC network (Network-b) to announce the peered network's subnets to your on-premises network.

EDIT to address the additional comment

There are many tools and different approaches to troubleshoot networking issues between GCP and on-prem servers. You can use the following troubleshooting steps to help you in the future:

1. Run a packet capture using Wireshark or tcpdump on the GCP VM and the on-prem server to see the ingress/egress traffic.

2. Check firewall rules on GCP and the on-prem firewall to make sure you are allowing ingress/egress traffic from the VPN gateways on both sides.

3. Check the routing table of the on-prem firewall/router and see if there is a route to the VPC subnet and that the peer VPN gateway (Cloud VPN) is the next hop.

4. Check routes on GCP and see if there is a route to the VPC subnet and that the remote peer VPN gateway (on-prem router/firewall) is the next hop. This is created automatically on the GCP side once you create a VPN tunnel.
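As an added example (not part of the answer above or of any Google tooling), the following Python script groups VPC Flow Logs records by 5-tuple and turns the "SRC record but no dest information" symptom from the question into a concrete hint. The records are constructed sample data following the documented `jsonPayload` layout (`reporter`, `connection`, `src_vpc`/`dest_vpc`); the network names Network-a/Network-b are taken from the answer, the IP addresses are made up.

```python
import json
from collections import defaultdict

# Constructed VPC Flow Logs entries (jsonPayload only). dest_vpc is only
# present when the destination is a Cloud VM; on-prem hosts behind the VPN
# never get one, which is what the questioner observed.
SAMPLE_LOG_LINES = [
    # Flow 1: VM in network-a -> VM in peered network-b, logged by both VMs.
    '{"reporter":"SRC","connection":{"src_ip":"10.10.0.2","src_port":51000,'
    '"dest_ip":"10.20.0.5","dest_port":22,"protocol":6},'
    '"src_vpc":{"vpc_name":"network-a"},"dest_vpc":{"vpc_name":"network-b"},"bytes_sent":1200}',
    '{"reporter":"DEST","connection":{"src_ip":"10.10.0.2","src_port":51000,'
    '"dest_ip":"10.20.0.5","dest_port":22,"protocol":6},'
    '"src_vpc":{"vpc_name":"network-a"},"dest_vpc":{"vpc_name":"network-b"},"bytes_sent":1200}',
    # Flow 2: VM in network-a -> on-prem host via the VPN; SRC side only, no dest_vpc.
    '{"reporter":"SRC","connection":{"src_ip":"10.10.0.2","src_port":51001,'
    '"dest_ip":"192.168.1.10","dest_port":443,"protocol":6},'
    '"src_vpc":{"vpc_name":"network-a"},"bytes_sent":300}',
]

def flow_key(payload):
    """5-tuple identifying one flow (protocol is the IANA number, 6 = TCP)."""
    c = payload["connection"]
    return (c["src_ip"], c["src_port"], c["dest_ip"], c["dest_port"], c["protocol"])

def summarize_flows(lines):
    """Group records per flow: which side reported it, whether the destination
    resolved to a VPC, and total bytes reported."""
    flows = defaultdict(lambda: {"reporters": set(), "dest_vpc": None, "bytes": 0})
    for line in lines:
        p = json.loads(line)
        f = flows[flow_key(p)]
        f["reporters"].add(p["reporter"])
        f["dest_vpc"] = (p.get("dest_vpc") or {}).get("vpc_name") or f["dest_vpc"]
        f["bytes"] += p.get("bytes_sent", 0)
    return dict(flows)

def diagnose(flow):
    """Map a flow summary to the troubleshooting step it points at."""
    if flow["reporters"] == {"SRC", "DEST"}:
        return "ok: both VMs logged the flow"
    if flow["dest_vpc"] is None:
        return ("dest not a Cloud VM: traffic left the VPC (VPN/Internet); "
                "check Cloud VPN, on-prem routes and Cloud Router advertisements")
    if flow["reporters"] == {"SRC"}:
        return ("dest VM in %s never logged it: check flow logs on that subnet, "
                "firewall rules and peering routes" % flow["dest_vpc"])
    return "only the DEST side logged the flow: check flow logs on the source subnet"

if __name__ == "__main__":
    for key, flow in summarize_flows(SAMPLE_LOG_LINES).items():
        print(key, sorted(flow["reporters"]), "->", diagnose(flow))
```

Run it against real records exported from Cloud Logging (one `jsonPayload` per line) to see at a glance which flows never reached a Cloud VM and so must be traced on the VPN and on-prem side.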