(internal) Packet capture in a google cloud VPC network?

I have a VPC network set up in google cloud with a few instances running. One of these instances serves as a VPN machine, allowing me to interact with the instances from the internet.

I want to capture traffic:

1. From the internet to the VPC network. For this I simply use tcpdump on the vpn machine.
2. Internally, i.e. packets between the instances. And that I don't know how to do. I cannot rely on my instances (using tcpdump directly in them isn't an option in my case). Instead, because in VPCs there is no "real" network layer 2 as it is virtualized, I was hoping that it would be possible to somehow tap into the cloud router and capture all packets from there, but it doesn't seem to be possible. Or is it?

Does anybody have an idea on what I could do here? Would be much appreciated. Thanks!

Assuming you are using a Debian image from Google you can install and use tcpdump to capture traffic.

$ sudo apt update
$ sudo apt install -y tcpdump
$ sudo tcpdump -i eth0

You can enable VPC Flow Logs. This Logs each VM's TCP and UDP flows, inbound and outbound.These flows can be between a VM and another VM in the same VPC. You also need to consider limiting the number of logs generated to reduce your stackdriver costs.