
I have a private GKE cluster running in a single subnet and region. The nodes in the cluster utilize the subnet's CIDR of 10.60.0.0/16. The cluster has two secondary CIDR ranges for its pods and services (172.24.0.0/19 and 172.24.32.0/20 respectively).

On-prem I have a Meraki router with an established IKEv1 VPN tunnel to the single subnet. The router does not support IKEv2 and I currently cannot configure BGP (however I think this may be a possibility and am reaching out to our rep). I believe the Meraki expects to handle this situation by specifying multiple traffic selectors, however GCP does not support this for static routing as it goes against the standard. I am able to connect to the nodes using their internal IPs in the subnet, but I cannot connect to any of the pods or services running in the secondary CIDRs from on-prem.

I am very inexperienced with this area so I apologize for any inconsistencies, but here is what I've tried so far and what I'm thinking may work:

  1. I've tried a second VPN connection specifically for the GKE service CIDR. I can get the tunnel connected but still cannot connect to the services. I created this using a terraform module[1] that I also used for my other VPN. Not sure if there may be some firewall rules I need to add?

  2. If I can get my router to support BGP then that may work from what I can see in Google's guides[2]. Can you even use BGP over IKEv1?

  3. Using a single VPN, create an internal load balancer running in the subnet. However, this would have some drawbacks and would increase complexity, I think.

  4. If I cannot get my router to support BGP, and this is the only way to make this work, I could spin up a separate VPN server on-prem if I had to. I would prefer not to do this though.

References:

  1. https://registry.terraform.io/modules/terraform-google-modules/vpn/google/0.3.0

  2. https://cloud.google.com/vpc/docs/alias-ip#example_configuring_containers_with_alias_ip_ranges

Ryan Smith

1 Answer


Which VPN tunnel option are you using? Have you tried route based VPN?

Multiple traffic selectors are supported in GCP only for IKEv2. As you are using IKEv1, I suggest you configure a route-based VPN. Keep in mind that there may be a missing firewall rule allowing communication from your on-prem network to GCP; you can add firewall rules in GCP to allow ingress traffic from your on-prem network to reach the primary and secondary CIDR ranges of GKE.

If you create a policy-based or route-based VPN and you want to edit any traffic selector after you've created it, you need to delete the VPN tunnel and then re-create it; please check the next link about considerations for traffic selectors.

Regarding your question about BGP in a VPN tunnel with IKEv1: GCP supports BGP with IKEv1, but IKEv2 is preferred.

If you are still having issues reaching the pods, I suggest you check the BGP option in your VPN tunnel. As you mentioned, Alias IP addresses (primary and secondary CIDR ranges) can be announced by Cloud Router to an on-premises network connected via VPN. If Cloud Router is configured with Cloud VPN, it will automatically advertise the secondary subnet ranges 172.24.0.0/19 and 172.24.32.0/20 to your on-premises VPN device.

  • Thank you Daniel. I believe my firewall rules were correct, but I will give them another look. If that doesn't work I'm going to try out BGP, but unfortunately I need to wait for my Meraki representative to enable it on my router. – Ryan Smith Mar 29 '19 at 12:46
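As an added illustration of the answer's first suggestion (not the Terraform module from the question, nor the answer author's code): a route-based Classic VPN tunnel with IKEv1 and wide traffic selectors, the static route that sends replies back through it, and one ingress firewall rule targeting the GKE nodes so that the node subnet and the pod/service secondary ranges (which live as alias IPs on those nodes) are reachable from on-prem. It assumes an existing gateway `google_compute_vpn_gateway.gw` with its ESP/UDP 500/UDP 4500 forwarding rules and a network `google_compute_network.vpc`; the region, the node tag `gke-nodes`, the on-prem LAN 192.0.2.0/24, the peer IP 203.0.113.10 and the service ports are placeholders.

```hcl
# Added example; gateway, forwarding rules and network are assumed to exist.
# Placeholders: region, "gke-nodes" tag, 192.0.2.0/24 (on-prem LAN),
# 203.0.113.10 (Meraki public IP), var.psk (pre-shared key kept out of the file).

# Route-based tunnel: both selectors are 0.0.0.0/0, so the IKEv1 peer is offered
# one wide selector rather than one selector per GKE CIDR.
resource "google_compute_vpn_tunnel" "to_meraki" {
  name               = "to-meraki"
  region             = "us-central1"
  target_vpn_gateway = google_compute_vpn_gateway.gw.id
  peer_ip            = "203.0.113.10"
  shared_secret      = var.psk
  ike_version        = 1

  local_traffic_selector  = ["0.0.0.0/0"]
  remote_traffic_selector = ["0.0.0.0/0"]

  depends_on = [
    google_compute_forwarding_rule.esp,
    google_compute_forwarding_rule.udp500,
    google_compute_forwarding_rule.udp4500,
  ]
}

# With wide selectors GCP needs an explicit route so that replies from nodes
# (and therefore from pods hosted on them) to the on-prem LAN use the tunnel.
resource "google_compute_route" "to_onprem" {
  name                = "to-onprem-lan"
  network             = google_compute_network.vpc.name
  dest_range          = "192.0.2.0/24"
  priority            = 1000
  next_hop_vpn_tunnel = google_compute_vpn_tunnel.to_meraki.id
}

# Ingress rules are enforced per node VM and also cover the node's alias IP ranges,
# so one rule on the nodes admits on-prem traffic to 10.60.0.0/16 as well as to
# 172.24.0.0/19 and 172.24.32.0/20; GKE's default rules do not trust the on-prem LAN.
resource "google_compute_firewall" "allow_onprem_to_gke" {
  name          = "allow-onprem-to-gke"
  network       = google_compute_network.vpc.name
  direction     = "INGRESS"
  source_ranges = ["192.0.2.0/24"]
  target_tags   = ["gke-nodes"]

  allow {
    protocol = "tcp"
    ports    = ["443", "8443"]   # placeholder: only the service ports you expose
  }
}
```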