Google Cloud routing with VPCs peered in a partially connected mesh topology

google-cloud-platform vpc-peering

we are dividing our Google Cloud infrastructure into multiple projects, each with it's own VPC. We have one central VPC, let's call it vpcA, to which we connect via pritunl VPN and site-to-site tunnel from the outside.

We've also connected vpcA to multiple different other projects B with vpcB and C with vpcC using VPC peering. This works great in that everything can see the contents of vpcA, and vpcA can see the contents of vpcB and vpcC. Everything has unique 10.0.0.0 IPs. Each vpc has it's own unique CIDR range (eg. 10.96.0.0/16 for vpcA, 10.97.0.0/16 for vpcB, etc). All subnets are located in the same region.

Our problem now is that vpcB can not see anything in vpcC. The VPC peering only routes between the local vpc networks, and not the peered networks of that vpc (eg. from vpcB to vpcA only the 10.96.0.0/16 range is routed). There seems to be no way to modify this to route all other traffic as well.

While we can directly interconnect vpcB and vpcC using a separate peering, that quickly becomes complex as the number of vpcs increases. Also, and this is really the breaker right now, when we connect our on-premise infrastructure with vpcA using a Google Cloud VPN Gateway/Tunnel, it also only sees vpcA's content. Creating a direct VPN Tunnel to every single of our VPCs would create a lot of overhead, and a lot of additional cost (with 10 VPCs that would be $360/month without any traffic, just to peer).

Now, the question is, are we missing anything? Is there some way to create a partially connected mesh topology with VPCs on Google Cloud?

Thanks, Volker


According to the GCP documentation, it is not possible for vpcB and vpcC to communicate:

Only directly peered networks can communicate. Transitive peering is not supported. In other words, if VPC network N1 is peered with N2 and N3, but N2 and N3 are not also directly connected, VPC network N2 cannot communicate with VPC network N3 over the peering.

Also, VPN connections are not exported to peered VPCs:

The following types of endpoints/resources are NOT propagated to directly peered networks: Static routes, VPNs

Related

arch linux on zfs root cannot configure grub on bios
Can I tail the log on a Cisco Router?
Change permissions for named volumes in Docker
Alias to SQLEXPRESS
rsync - report only uploaded files [closed]
Apache Tomcat chokes after 300 connections
No tun device in lxc guest for openvpn
How to fix "unable to qualify my own domain name (myhost) -- using short name"?
How to find the service principal assigned to a newly created AKS cluster?
Using Linux IPTables, How to block torrents or any P2P protocols?
Returning "200 OK" in Apache on HTTP OPTIONS requests
S3fs performance improvements or alternative?