Google Cloud routing with VPCs peered in a partially connected mesh topology
We are dividing our Google Cloud infrastructure into multiple projects, each with its own VPC. We have one central VPC, let's call it vpcA, to which we connect via pritunl VPN and a site-to-site tunnel from the outside.
We've also connected vpcA to multiple other projects, B with vpcB and C with vpcC, using VPC peering. This works great in that everything can see the contents of vpcA, and vpcA can see the contents of vpcB and vpcC. Everything has unique 10.0.0.0 IPs. Each VPC has its own unique CIDR range (e.g. 10.96.0.0/16 for vpcA, 10.97.0.0/16 for vpcB, etc.). All subnets are located in the same region.
Our problem now is that vpcB cannot see anything in vpcC. The VPC peering only routes between the local VPC networks, and not the peered networks of that VPC (e.g. from vpcB to vpcA only the 10.96.0.0/16 range is routed). There seems to be no way to modify this to route all other traffic as well.
While we can directly interconnect vpcB and vpcC using a separate peering, that quickly becomes complex as the number of VPCs increases. Also, and this is really the breaker right now, when we connect our on-premise infrastructure with vpcA using a Google Cloud VPN Gateway/Tunnel, it also only sees vpcA's content. Creating a direct VPN tunnel to every single one of our VPCs would create a lot of overhead, and a lot of additional cost (with 10 VPCs that would be $360/month without any traffic, just to peer).
Now, the question is, are we missing anything? Is there some way to create a partially connected mesh topology with VPCs on Google Cloud?
Thanks, Volker
According to the GCP documentation, it is not possible for vpcB and vpcC to communicate:
"Only directly peered networks can communicate. Transitive peering is not supported. In other words, if VPC network N1 is peered with N2 and N3, but N2 and N3 are not also directly connected, VPC network N2 cannot communicate with VPC network N3 over the peering."
Also, VPN connections are not exported to peered VPCs:
"The following types of endpoints/resources are NOT propagated to directly peered networks: Static routes, VPNs"
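The two rules quoted in the answer (no transitive peering, no export of VPN/static routes) decide what each VPC can actually reach. The following added example, which is not part of the question or answer and not Google's own code, models the topology from the question and computes the effective route set per VPC under those rules; 10.98.0.0/16 for vpcC and 192.168.0.0/16 for the on-premise range are assumed values, since the question does not state them.

```python
import ipaddress

# Constructed model of the topology in the question (vpcC and on-prem ranges are assumed).
SUBNETS = {
    "vpcA": ["10.96.0.0/16"],
    "vpcB": ["10.97.0.0/16"],
    "vpcC": ["10.98.0.0/16"],   # assumed, the question only says "etc."
}
PEERINGS = [("vpcA", "vpcB"), ("vpcA", "vpcC")]   # hub-and-spoke, no B<->C peering
VPN_ROUTES = {"vpcA": ["192.168.0.0/16"]}         # Cloud VPN tunnel to on-prem, attached to vpcA only (assumed range)


def routing_table(vpc):
    """Effective routes of `vpc` as a dict {cidr: next hop label}, following the two documented rules."""
    routes = {cidr: "local" for cidr in SUBNETS[vpc]}
    # VPN (dynamic/static) routes exist only in the VPC that terminates the tunnel.
    for cidr in VPN_ROUTES.get(vpc, []):
        routes[cidr] = "vpn"
    # Peering imports only the *subnet* routes of a direct peer, never the peer's peers
    # (no transitive peering) and never the peer's VPN/static routes (not propagated).
    for a, b in PEERINGS:
        if vpc in (a, b):
            peer = b if vpc == a else a
            for cidr in SUBNETS[peer]:
                routes[cidr] = f"peering:{peer}"
    return routes


def next_hop(src_vpc, dst_ip):
    """Return the next hop label used by `src_vpc` to reach `dst_ip`, or None if unroutable."""
    ip = ipaddress.ip_address(dst_ip)
    for cidr, via in routing_table(src_vpc).items():
        if ip in ipaddress.ip_network(cidr):
            return via
    return None


def full_mesh_peerings(vpc_count):
    """Number of direct peerings needed so every VPC pair can talk without a transit hop."""
    return vpc_count * (vpc_count - 1) // 2


if __name__ == "__main__":
    for src, dst in [("vpcB", "10.96.1.1"), ("vpcB", "10.98.1.1"), ("vpcB", "192.168.1.1"), ("vpcA", "192.168.1.1")]:
        print(f"{src} -> {dst}: {next_hop(src, dst)}")
    print("peerings for a 10-VPC full mesh:", full_mesh_peerings(10))
```

On a real project the same effective route set can be read with `gcloud compute routes list --filter="network:vpcB"` and compared against this model.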