
I'm trying to set up a Cloud VPN in a GCP network with 5 VMs, one of which is in an instance group behind a TCP Load Balancer that proxies the instance group's ports to the internet. The VPN tunnel itself is working well: it's established and I can ping these VMs from my on-premise network.

But, after I've configured the VPN tunnel, I cannot access the external Load Balancer IP anymore!

I've checked the firewall rules and they're all okay. If I delete the VPN tunnels and routes, I can access the IP normally. Is this behaviour expected? Can I really not access a Load Balancer IP if I have a Cloud VPN in the same network?

BTW, none of the VMs have an external IP, just internal ones. One of them, as I said before, is behind the LB to get internet access.

I expect to be able to connect to the VMs in the instance group behind the TCP Load Balancer from my on-premise network while having a Cloud VPN established in this network. I can only access the internal IPs, not the external LB one.

Noohone
  • You say "I cannot access the external Load Balancer IP anymore". Where are you testing this from (external to the GCP VPC or inside the VPC)? Look at the route tables from where you are testing. Do you have a route to the public Internet? – John Hanley Jul 05 '19 at 00:29

1 Answer


Let me summarize.

The important points are:

- TCP Load Balancer (LB) - regional Network LB
- VPN tunnel from on-prem to GCP
- 5 VM instances, 1 instance in an instance group to use the LB, all VMs have only internal IPs
- Lost access via the Load Balancer frontend IP after the VPN tunnel was configured
- Firewall rules seem to be OK
- If you delete the VPN tunnel and "routes" you recover access via the frontend IP

Responding to your direct question:
- Is this behaviour expected?

Answer:
- No, that behaviour is not expected. You can use a TCP Load Balancer to access your VM instances and a VPN tunnel to access the same VM instances from another (on-prem) network at the same time.


Regarding the non-proxied (external, regional) TCP LB, you need to consider the options and choose the best one for your needs [1]. I would like to know what kind of service you are using (at the backend) and what port you need, since the TCP Load Balancer performs a passthrough: the request reaches the backend intact, from the frontend (external IP) to the backend (VM instance), preserving the same port used to access your services. However, it is not clear whether you are using a TCP LB or a TCP Proxy LB. How are you testing the frontend IP (ping, nmap, etc.)?

What firewall rules are you checking and configuring? The LB and Cloud VPN need specific firewall rules [2] [3].
It catches my attention that you need to delete routes; can you explain more about these routes [4]? Were they generated by GCP or by yourself, and what is the purpose of these routes?

Where were your Load Balancer and VPN created (zone/region), considering that both resources you are using are regional [5] [6]?

In the links you will find information that will be helpful to find a possible point of failure.


[1] https://cloud.google.com/load-balancing/docs/choosing-load-balancer#deciding_on_a_load_balancer
[2] https://cloud.google.com/load-balancing/docs/network/setting-up-network#create_a_firewall_rule_to_allow_external_traffic_to_these_vm_instances
[3] https://cloud.google.com/vpn/docs/how-to/configuring-firewall-rules
[4] https://cloud.google.com/vpc/docs/routes
[5] https://cloud.google.com/load-balancing/docs/network/
[6] https://cloud.google.com/vpn/docs/concepts/overview#ha-vpn

  • Hi, I'm using telnet to port 8181 of my application, which works well without a VPN configured in the project. It's a TCP Network LB, not TCP Proxy. About the firewall, I just open TCP inbound connections to port 8181 from 0.0.0.0/0, and externally the connection works well. Even with the VPN, with 0.0.0.0/0 it should work, right? The routes I mentioned were the auto-created routes for the VPN. Both the VPN and the LB are in southamerica-east1. I'm also investigating with Google Support, and they've suggested using an Internal LB, but that way I cannot connect from the internet, I think. – Hugo Marques Jul 10 '19 at 15:04
  • Hello Hugo, I see: port 8181 using telnet, and only failing when the VPN is configured. A TCP Network Load Balancer is OK; however, it would be good to know the frontend configuration, since port 8181 is not available during the configuration of a TCP Load Balancer. I'm aware that you mentioned it is working properly; this is just to know the details. An internal Google Load Balancer is not useful if you want to have multiple kinds of access to your VM instances (from the VPN using internal IP addresses and externally using the internet). – Alejandro M Jul 11 '19 at 19:13
  • What error/output are you getting when you use telnet to port 8181? Please share the command and the output. Are you using a firewall at your on-premises network? If so, how are you managing the egress? You need to allow the connection to port 8181 from your local subnet to the GCP subnet that you receive from the VPN tunnel; have you considered this before? Please keep in mind that over the VPN you are only allowing internal private IP addresses. – Alejandro M Jul 11 '19 at 19:14
  • It would also be great to know: what type of Google VPN are you using (policy based, route based, BGP)? How are the routes changing the Internet gateway? Do you have multiple priorities? Please run the following tests before and after you configure the VPN, from your on-prem network (install nmap): `nmap -Pn -p 8181` (try with the internal "VM" and the external "GLB" IP address) and `traceroute` (if you aim at the internal GCP IP address you should see the VPN tunnel path, and if you try the external IP you should see a longer path going through the Internet). – Alejandro M Jul 11 '19 at 19:26
  • With these tests we can see whether you have a routing issue or whether the problem is due to a firewall issue. Please share the commands and the outputs. Share your results with me: output text/error or any other detail you consider helpful. – Alejandro M Jul 11 '19 at 19:34
  • Hello Alejandro, sorry for the delay. I've found the root cause of this issue. It was a misconfiguration: we were using the same external IP from the Load Balancer on the VPN Gateway. Thank you so much for the help in troubleshooting. Maybe GCP should advise against, or block, using the same IP on different resources xD – Hugo Marques Jul 17 '19 at 11:00
  • Hello Hugo, I'm glad to know that you found a solution; thank you for your reply. About the GCP information, yeah, that makes sense; sometimes the documentation needs to be improved. – Alejandro M Jul 17 '19 at 17:05
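The root cause in this thread was one regional external IP attached both to the Network LB frontend and to the VPN gateway. The script below is an added example, not code from the thread or from Google: it reads the JSON that `gcloud compute forwarding-rules list --format=json` emits (real fields: `name`, `IPAddress`, `IPProtocol`, `portRange`, `target`) and flags any IP whose forwarding rules point at more than one kind of target (a `targetPools` rule for the LB next to `targetVpnGateways` rules for a Classic VPN). The embedded sample is constructed for this example; the project, region, names and 203.0.113.x addresses are invented.

```python
"""Flag external IPs shared by forwarding rules with different target kinds.

Added example (not from the thread). Input: the JSON printed by
    gcloud compute forwarding-rules list --format=json
Usage: python check_shared_ips.py rules.json   (no argument: run on the sample)
"""
import json
import sys
from collections import defaultdict

# Constructed sample output. 203.0.113.10 is used by the LB rule
# (TCP 8181 -> target pool) AND by the three Classic VPN rules
# (ESP, UDP 500, UDP 4500 -> target VPN gateway): the misconfiguration
# from the thread. 203.0.113.20 is a clean LB-only address.
_BASE = "https://www.googleapis.com/compute/v1/projects/example-proj/regions/southamerica-east1/"
SAMPLE_FORWARDING_RULES = [
    {"name": "app-lb-fr", "IPAddress": "203.0.113.10", "IPProtocol": "TCP",
     "portRange": "8181-8181", "target": _BASE + "targetPools/app-pool"},
    {"name": "vpn-esp", "IPAddress": "203.0.113.10", "IPProtocol": "ESP",
     "target": _BASE + "targetVpnGateways/vpn-gw"},
    {"name": "vpn-udp500", "IPAddress": "203.0.113.10", "IPProtocol": "UDP",
     "portRange": "500-500", "target": _BASE + "targetVpnGateways/vpn-gw"},
    {"name": "vpn-udp4500", "IPAddress": "203.0.113.10", "IPProtocol": "UDP",
     "portRange": "4500-4500", "target": _BASE + "targetVpnGateways/vpn-gw"},
    {"name": "web-lb-fr", "IPAddress": "203.0.113.20", "IPProtocol": "TCP",
     "portRange": "443-443", "target": _BASE + "targetPools/web-pool"},
]


def target_kind(target_url):
    """Return the resource collection of a target URL, e.g. 'targetPools'
    or 'targetVpnGateways' (the path element before the resource name)."""
    parts = target_url.rstrip("/").split("/")
    return parts[-2] if len(parts) >= 2 else target_url


def find_shared_addresses(rules):
    """Group forwarding rules by IP; return {ip: {target_kind: [rule names]}}
    only for IPs whose rules point at more than one kind of target."""
    by_ip = defaultdict(lambda: defaultdict(list))
    for rule in rules:
        ip = rule.get("IPAddress")
        target = rule.get("target")
        if not ip or not target:        # e.g. internal rules with backendService
            continue
        by_ip[ip][target_kind(target)].append(rule["name"])
    return {ip: dict(kinds) for ip, kinds in by_ip.items() if len(kinds) > 1}


def report(rules):
    """One human-readable line per conflicting IP, sorted for stable output."""
    lines = []
    for ip, kinds in sorted(find_shared_addresses(rules).items()):
        detail = "; ".join(
            "%s: %s" % (kind, ", ".join(sorted(names)))
            for kind, names in sorted(kinds.items())
        )
        lines.append("%s is shared by %d target kinds (%s)" % (ip, len(kinds), detail))
    return lines


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            rules = json.load(fh)
    else:
        rules = SAMPLE_FORWARDING_RULES
    findings = report(rules)
    print("\n".join(findings) if findings else "no external IP is shared across target kinds")
    sys.exit(1 if findings else 0)
```

Run it against `gcloud compute forwarding-rules list --format=json > rules.json` for the project; a non-zero exit means an address is being reused across target kinds and should be split into two reserved addresses, one for the LB frontend and one for the VPN gateway.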