Score: 3

We want to be able to connect to my on-premise database from our google cloud kubernetes.

We are currently attempting to do so by using "Create a VPN connection" from within the google console.

[Screenshot: Google Compute Engine VPN console]

In the field IP address, I am forced to create (or pick from existing) "External IP Addresses".

I am able to link a single VM-instance to this External IP Address. But I want my VPN connection/tunnel to be between my on-premises network and EVERYTHING within my Google cloud network.

This IP should not just work as External IP Addr. for a single instance. I need to make it a gateway to the network as a whole. What am I missing?

Thanks in advance.

Another way to frame the question: How do I find the IP address of the gateway to my Google Cloud network (VPC), and how do I supply that IP to the VPN connection creation?

Nixxon

4 Answers

Score: 2

Cloud VPN connects your on-premises network to the VPC, which means every instance, cluster, or other product that uses Google Cloud Engine (GCE).

As mentioned in a previous answer from avinoam-meir, the VPN has at least two components, Gateway and Tunnel, but I will add a third one: Type of routing.

a) Gateway: This is where you add an existing static IP address or reserve a new one (from the Google pool of external IP addresses).

b) Tunnel: Where the encapsulated and encrypted traffic will flow to reach the Local IP ranges.

c) Type of routing: Cloud VPN has three possibilities:

Depending on the type you choose, the routing happens in a different way but in general terms, it will propagate your subnetwork(s) to your on-premises network and receive the routes from it.

Important: Remember to open your firewall on your GCP VPC to receive traffic from your on-premises IP ranges, as the default, implied rule for ingress will block it.

  • The implied allow egress rule: An egress rule whose action is allow, destination is 0.0.0.0/0, and priority is the lowest possible (65535) lets any instance send traffic to any destination.
  • The implied deny ingress rule: An ingress rule whose action is deny, source is 0.0.0.0/0, and priority is the lowest possible (65535) protects all instances by blocking incoming traffic to them.
Daniel
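The pieces Daniel describes (gateway address, gateway plus forwarding rules, tunnel and route, and the ingress firewall rule that overrides the implied deny) as gcloud commands for a classic policy-based Cloud VPN. This is an added example, not code from any answer on this page; the region, network name, gateway name, peer address and CIDR ranges are assumed placeholders, and the pre-shared key is read from the environment.

```shell
# Added example: classic (policy-based) Cloud VPN with gcloud. All names,
# the region and the address ranges below are assumptions, not page values.
set -eu

REGION="${REGION:-us-central1}"
NETWORK="${NETWORK:-my-vpc}"
GW_NAME="${GW_NAME:-onprem-vpn-gw}"
ONPREM_PEER_IP="${ONPREM_PEER_IP:-203.0.113.10}"   # on-prem VPN device (documentation address)
ONPREM_RANGE="${ONPREM_RANGE:-10.10.0.0/16}"       # on-prem subnet reachable through the tunnel
VPC_RANGE="${VPC_RANGE:-10.128.0.0/20}"            # VPC subnet offered to on-prem

# 1. Reserve the static external IP. This is the console's "IP address" field:
#    it becomes the gateway's address, not the address of one VM. Prints the IP.
reserve_gateway_ip() {
  gcloud compute addresses create "${GW_NAME}-ip" --region "$REGION"
  gcloud compute addresses describe "${GW_NAME}-ip" --region "$REGION" --format='value(address)'
}

# 2. Gateway object plus the three forwarding rules IPsec needs on that IP:
#    ESP, IKE (UDP 500) and NAT-T (UDP 4500).
create_gateway() {
  ip="$1"
  gcloud compute target-vpn-gateways create "$GW_NAME" --network "$NETWORK" --region "$REGION"
  gcloud compute forwarding-rules create "${GW_NAME}-esp" --region "$REGION" --ip-protocol ESP --address "$ip" --target-vpn-gateway "$GW_NAME"
  gcloud compute forwarding-rules create "${GW_NAME}-udp500" --region "$REGION" --ip-protocol UDP --ports 500 --address "$ip" --target-vpn-gateway "$GW_NAME"
  gcloud compute forwarding-rules create "${GW_NAME}-udp4500" --region "$REGION" --ip-protocol UDP --ports 4500 --address "$ip" --target-vpn-gateway "$GW_NAME"
}

# 3. Tunnel (IKEv2; pre-shared key from the environment, never hard-coded) and
#    the route that sends traffic for the on-prem range into the tunnel.
create_tunnel_and_route() {
  : "${VPN_SHARED_SECRET:?set VPN_SHARED_SECRET in the environment}"
  gcloud compute vpn-tunnels create "${GW_NAME}-tunnel" --region "$REGION" --peer-address "$ONPREM_PEER_IP" --shared-secret "$VPN_SHARED_SECRET" --ike-version 2 --local-traffic-selector "$VPC_RANGE" --remote-traffic-selector "$ONPREM_RANGE" --target-vpn-gateway "$GW_NAME"
  gcloud compute routes create "${GW_NAME}-route" --network "$NETWORK" --destination-range "$ONPREM_RANGE" --next-hop-vpn-tunnel "${GW_NAME}-tunnel" --next-hop-vpn-tunnel-region "$REGION"
}

# 4. The implied deny-ingress rule (priority 65535) drops on-prem traffic, so add
#    a higher-priority allow scoped to the on-prem range only, not 0.0.0.0/0.
allow_ingress_from_onprem() {
  gcloud compute firewall-rules create "${GW_NAME}-allow-onprem" --network "$NETWORK" --direction INGRESS --source-ranges "$ONPREM_RANGE" --allow tcp,udp,icmp --priority 1000
}

main() {
  ip="$(reserve_gateway_ip | tail -n 1)"
  create_gateway "$ip"
  create_tunnel_and_route
  allow_ingress_from_onprem
}

# Runs the full setup only when invoked as "sh script.sh apply".
if [ "${1:-}" = "apply" ]; then main; fi
```

The on-prem side still needs the matching IKEv2 policy, the same pre-shared key, and a route for `VPC_RANGE` pointing at the tunnel.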
Score: 2

The answer was simpler than I thought.

My question was:

How do I find the IP address of the gateway to my Google Cloud network (VPC), and how do I supply that IP to the VPN connection creation?

The answer is simply to fill out the "Create a VPN connection" page. It automatically sets up whatever IP you get/choose in the "IP Address" field as the gateway. I did NOT need to configure this IP address to work as a gateway. Simply getting it assigned in this step is enough. Google does the rest behind the scenes.

Nixxon
  • @Nixxon, I would like to know if you need to configure anything at your on-prem network so that it recognizes incoming Google VPN Gateway requests? – jlim Sep 26 '20 at 01:29
Score: 1

You need to distinguish between the gateway IP address and the local IP range of the VPN tunnel.

The gateway IP address is the IP of the gateway where all the packets from your on-premises network arrive, encapsulated and encrypted.

The local IP range of the VPN tunnel is the range of IPs that can be reached through the VPN tunnel. By default this is all the private IP addresses of your GCP network.

Avinoam Meir
  • I am having issues "finding" my gateway IP address. Can I just create ANY external IP address in the setup for the VPN connection, and that IP will then work as the gateway to MY internal GCP network? – Nixxon Jun 04 '18 at 08:08
  • Yes, this is the point. You create an IP address and attach it to the gateway as its external IP address. – Avinoam Meir Jun 04 '18 at 11:52
  • Correct. Google cloud handles the rest. Create a Google VPN connection with whatever IP Address that it creates for you. Simpler than I imagined. – Nixxon Jun 05 '18 at 13:09
Score: -1

Create a NAT gateway [1] with Kubernetes Engine and Compute Engine network routes to route outbound traffic from an existing GKE cluster through the NAT gateway instance.

Use that NAT gateway IP address to create a VPN connection to the remote peer gateway.

[1] https://cloud.google.com/solutions/using-a-nat-gateway-with-kubernetes-engine

Ariv
  • NAT IPs cannot be used for ingress, nor sending traffic to the cloud router so that it ends up establishing a connection with a VPN gateway. Cloud NAT is now the recommended setup for NAT gateways, which the original question does not mention or pertain to. – jbielick Jan 08 '20 at 23:37