0

Is it possible, and does it make sense, to route traffic for multiple GCP projects through a single project back to my head office over VPN? Before I get too far down the rabbit hole the idea was to peer a given project's VPC network with the "VPN project" VPC network, and handle all routing there.

Project A/B/C VPC (10.10.[1|2|3].0/24) peered to
    -> VPN Project VPC (10.10.0.0/24) with VPN cxn to
        -> Head office (10.0.0.0/8)

I've seen somewhat related search results that mention using shared VPCs might make this easier, but even in that scenario I would have separate prod and non-prod VPCs so I think the question still stands.

drumboots
  • 111
  • 5
  • Sounds like you'd end up with a single VPN tunnel becoming a single point of failure for a lot of things. – kasperd Oct 16 '18 at 16:09
  • I believe the GCP VPN service provides redundant tunnels, though relying on a single project for VPN access does make the project a SPOF. That said, I'm not yet at the point of considering more complicated solutions! I'm trying to avoid every project (that needs VPN) having its own VPN connection, but I have no idea if that is the best way to go. – drumboots Oct 16 '18 at 17:44
  • You can configure redundant VPN tunnels to GCP. But your question sounds like you were planning on having only a single. If you are indeed planning on redundancy across more than one tunnel, then that's one less reason for concern. – kasperd Oct 16 '18 at 18:42
  • Thanks. Definitely redundant tunnels, at least for our production envs. – drumboots Oct 16 '18 at 19:16
  • Currently peered networks on GCP do not have access to VPN. See https://cloud.google.com/vpc/docs/using-vpc-peering#vpns_not_reachable_across_peered_networks – Avinoam Meir Oct 18 '18 at 00:04

2 Answers

0

After much digging it appears there is no way to do this at present. As mentioned, VPC peering does not work. As well, App Engine environments cannot use Shared VPC at this time, though apparently that feature is coming, which should allow shared VPNs. In the meantime, it looks like every individual project must have its own VPN.

drumboots
  • 111
  • 5
-1

Avinoam Meir has directly denied the possibility of using VPC peering with VPN. However, I do strongly suggest you post your question on Google Groups, as it is a discussion forum where questions like these can be discussed openly and answered in different ways, giving you different options to implement the VPN.

xavierc
  • 153
  • 5