Google Cloud routing with VPCs peered in a partially connected mesh topology

We are dividing our Google Cloud infrastructure into multiple projects, each with its own VPC. We have one central VPC, let's call it vpcA, to which we connect via pritunl VPN and site-to-site tunnel from the outside.

We've also connected vpcA to multiple different other projects B with vpcB and C with vpcC using VPC peering. This works great in that everything can see the contents of vpcA, and vpcA can see the contents of vpcB and vpcC. Everything has unique 10.0.0.0 IPs. Each vpc has its own unique CIDR range (e.g. 10.96.0.0/16 for vpcA, 10.97.0.0/16 for vpcB, etc.). All subnets are located in the same region.

Our problem now is that vpcB cannot see anything in vpcC. The VPC peering only routes between the local vpc networks, and not the peered networks of that vpc (e.g. from vpcB to vpcA only the 10.96.0.0/16 range is routed). There seems to be no way to modify this to route all other traffic as well.

While we can directly interconnect vpcB and vpcC using a separate peering, that quickly becomes complex as the number of vpcs increases. Also, and this is really the breaker right now, when we connect our on-premises infrastructure with vpcA using a Google Cloud VPN Gateway/Tunnel, it also only sees vpcA's content. Creating a direct VPN Tunnel to every single one of our VPCs would create a lot of overhead, and a lot of additional cost (with 10 VPCs that would be $360/month without any traffic, just to peer).

Now, the question is, are we missing anything? Is there some way to create a partially connected mesh topology with VPCs on Google Cloud?

Thanks, Volker


According to the GCP documentation, it is not possible for vpcB and vpcC to communicate:

Only directly peered networks can communicate. Transitive peering is not supported. In other words, if VPC network N1 is peered with N2 and N3, but N2 and N3 are not also directly connected, VPC network N2 cannot communicate with VPC network N3 over the peering.

Also, VPN connections are not exported to peered VPCs:

The following types of endpoints/resources are NOT propagated to directly peered networks: Static routes, VPNs
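As an added illustration (not part of the question or the answer above), here is a small Python model of the route propagation rule the answer quotes: a VPC's routing table holds its own subnets plus the subnets of directly peered VPCs, while VPN and static routes stay local. vpcC's range and the on-premises range are assumed values; the other CIDRs and the hub-and-spoke layout come from the question.

```python
from ipaddress import ip_address, ip_network
from itertools import combinations

# Constructed topology mirroring the question: hub vpcA peered with spokes vpcB and vpcC.
# vpcC's range and the on-premises range are assumptions; the others come from the question.
VPCS = {
    "vpcA": ["10.96.0.0/16"],
    "vpcB": ["10.97.0.0/16"],
    "vpcC": ["10.98.0.0/16"],  # assumed
}
PEERINGS = [("vpcA", "vpcB"), ("vpcA", "vpcC")]
# Routes learned via the VPN tunnel or static config; GCP does not export these over peering.
LOCAL_ONLY_ROUTES = {"vpcA": ["192.168.0.0/16"]}  # assumed on-premises range behind the tunnel


def peers_of(vpc):
    """Directly peered VPCs only; peering is not transitive."""
    return [b if a == vpc else a for a, b in PEERINGS if vpc in (a, b)]


def effective_routes(vpc):
    """Map of destination CIDR -> next hop, as the VPC's routing table would show it."""
    routes = {net: "local" for net in VPCS[vpc]}
    for net in LOCAL_ONLY_ROUTES.get(vpc, []):
        routes[net] = "vpn-tunnel"
    for peer in peers_of(vpc):
        # Only the peer's own subnet routes are exchanged, never the peer's peers or its VPN routes.
        for net in VPCS[peer]:
            routes[net] = f"peering:{peer}"
    return routes


def next_hop(src_vpc, dst_ip):
    """Longest-prefix match over the effective routes; None means no route, so traffic is dropped."""
    addr = ip_address(dst_ip)
    matches = [(ip_network(n).prefixlen, hop) for n, hop in effective_routes(src_vpc).items()
               if addr in ip_network(n)]
    return max(matches)[1] if matches else None


def unreachable_pairs():
    """VPC pairs that cannot talk because they share no direct peering."""
    return [(a, b) for a, b in combinations(sorted(VPCS), 2) if b not in peers_of(a)]


if __name__ == "__main__":
    for vpc in VPCS:
        print(vpc, effective_routes(vpc))
    print("no connectivity:", unreachable_pairs())
    print("full mesh for 10 VPCs needs", len(list(combinations(range(10), 2))), "peerings")
```

The `unreachable_pairs()` list is exactly the set of extra peerings a full mesh would need, which is what grows quadratically as the VPC count rises.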