
I'd like to use Cloud VPN to connect my GCP world with multiple different on-premises networks. For this purpose I use classic Cloud VPN tunnels, which work fine. Obviously, all these VPN Gateways (on the cloud side) use their own VPC. Now I want to make these VPCs available to a single Compute Instance such that the Instance is able to use the VPN tunnels.

In this context, I stumbled across Network Peering and Shared VPCs. Network Peering does not work for us due to the 25-peer limit, so I wanted to go for Shared VPCs. The problem with this approach is that one service project can only be attached to a single host project. Hence the Compute Instance could not be a service project to multiple host projects (the VPN Tunnel Projects). I thought about creating a "Backbone VPC" which lives within the host project, and assigning the Backbone VPC to the VPN Gateways, each living in a different service project. This however does not work, as VPCs of different projects cannot be assigned to the Gateway.

I am using Terraform to create the cloud infrastructure.

Any ideas how to handle this situation?

Teosch
  • With the Shared VPC approach, is there a reason you would not just create all of your VPN tunnels in the host project? – Gari Singh Feb 23 '23 at 11:10
  • Thanks for your comment @GariSingh. I need to isolate the VPN tunnels from each other. Would that still be possible with all of them in a single project? With this approach, I would make the VPN Project the host project, and the compute instance would be the service project, correct? How would I assign different subnetworks to the VPN tunnels? – Teosch Feb 23 '23 at 11:19

1 Answer


One possible solution for your scenario is to use a hub-and-spoke network topology with a dedicated VPC acting as the hub. Set the VPN gateways in each service project to connect to the hub VPC, and then create custom routes in the hub VPC to route traffic to the appropriate spoke VPC based on the destination IP address.

You need to use a Shared VPC with the hub VPC, which should be dedicated to that project; only then can the Compute Instance be attached to the hub VPC and access it. You can also use Terraform automation scripts to create and configure the hub-and-spoke topology.

Steps:

  • You need to create a dedicated project for the hub VPC.
  • Create a shared VPC and attach it to the hub VPC.
  • You need to create a custom subnet in the hub VPC and create VPN gateways in each service project and connect them to the hub VPC.
  • Configure custom routes in the hub VPC and route the traffic to the appropriate spoke VPC based on the destination IP address and attach Compute Instance to the hub VPC.

In this way you can connect multiple on-premises networks to GCP using a cloud VPN.

Check the official documentation of Hub-and-spoke network and Cloud VPN overview for further reference. There could be subscription limits as well; please have a look at them based on your needs.
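As an added example (not the answerer's or the asker's code), the following Terraform lays out the hub VPC, the Shared VPC host/service attachment, one classic VPN tunnel per on-premises site, one static route per on-premises prefix, and a service-project instance that sits on the hub subnet. It departs from the answer's step list in one respect: the gateways, forwarding rules and tunnels are created in the hub (host) project rather than in the service projects, because a classic VPN gateway's network must belong to the gateway's own project. Every variable name (`host_project_id`, `service_project_id`, `region`, `sites`, `vpn_secrets`), the `10.10.0.0/24` subnet range and the resource names are placeholders chosen for this example.

```hcl
variable "host_project_id" { type = string }    # placeholder: Shared VPC host project that owns the hub VPC
variable "service_project_id" { type = string } # placeholder: project that owns the Compute Instance
variable "region" { type = string }
# One entry per on-premises site, e.g. { "site-a" = { peer_ip = "203.0.113.10", remote_ranges = ["192.168.10.0/24"] } }
variable "sites" {
  type = map(object({ peer_ip = string, remote_ranges = list(string) }))
}
# Pre-shared keys keyed by site name; passed in out of band and marked sensitive so plans never print them.
variable "vpn_secrets" {
  type      = map(string)
  sensitive = true
}
resource "google_compute_network" "hub" {
  project                 = var.host_project_id
  name                    = "hub-vpc"
  auto_create_subnetworks = false
}
resource "google_compute_subnetwork" "hub" {
  project       = var.host_project_id
  region        = var.region
  name          = "hub-subnet"
  network       = google_compute_network.hub.id
  ip_cidr_range = "10.10.0.0/24" # constructed range
}
resource "google_compute_shared_vpc_host_project" "host" {
  project = var.host_project_id
}
resource "google_compute_shared_vpc_service_project" "compute" {
  host_project    = google_compute_shared_vpc_host_project.host.project
  service_project = var.service_project_id
}
# Classic VPN gateways sit in the hub project: a gateway's network must belong to the gateway's own project.
resource "google_compute_address" "vpn" {
  for_each = var.sites
  project  = var.host_project_id
  region   = var.region
  name     = "vpn-ip-${each.key}"
}
resource "google_compute_vpn_gateway" "hub" {
  for_each = var.sites
  project  = var.host_project_id
  region   = var.region
  name     = "vpn-gw-${each.key}"
  network  = google_compute_network.hub.id
}
locals {
  # Classic VPN needs ESP, UDP/500 and UDP/4500 forwarded to each gateway's address.
  vpn_rules = { for p in setproduct(keys(var.sites), ["esp", "500", "4500"]) :
    "${p[0]}-${p[1]}" => { site = p[0], kind = p[1] } }
  # One (site, prefix) pair per static route; the sanitized key doubles as a valid resource name.
  site_routes = { for p in flatten([
    for site, cfg in var.sites : [for r in cfg.remote_ranges : { site = site, range = r }]
  ]) : "${p.site}-${replace(replace(p.range, ".", "-"), "/", "-")}" => p }
}
resource "google_compute_forwarding_rule" "vpn" {
  for_each    = local.vpn_rules
  project     = var.host_project_id
  region      = var.region
  name        = "fr-${each.key}"
  ip_protocol = each.value.kind == "esp" ? "ESP" : "UDP"
  port_range  = each.value.kind == "esp" ? null : each.value.kind
  ip_address  = google_compute_address.vpn[each.value.site].address
  target      = google_compute_vpn_gateway.hub[each.value.site].id
}
resource "google_compute_vpn_tunnel" "site" {
  for_each                = var.sites
  project                 = var.host_project_id
  region                  = var.region
  name                    = "tunnel-${each.key}"
  peer_ip                 = each.value.peer_ip
  shared_secret           = var.vpn_secrets[each.key]
  target_vpn_gateway      = google_compute_vpn_gateway.hub[each.key].id
  local_traffic_selector  = [google_compute_subnetwork.hub.ip_cidr_range]
  remote_traffic_selector = each.value.remote_ranges
  depends_on              = [google_compute_forwarding_rule.vpn]
}
# Static route per on-premises prefix: traffic for a site is forwarded only into that site's tunnel.
resource "google_compute_route" "to_site" {
  for_each            = local.site_routes
  project             = var.host_project_id
  name                = "to-${each.key}"
  network             = google_compute_network.hub.name
  dest_range          = each.value.range
  next_hop_vpn_tunnel = google_compute_vpn_tunnel.site[each.value.site].id
}
# Service-project instance on the host project's subnet: it reaches every site through the hub routes.
resource "google_compute_instance" "client" {
  project      = var.service_project_id
  zone         = "${var.region}-b"
  name         = "hub-client"
  machine_type = "e2-small"
  boot_disk {
    initialize_params { image = "debian-cloud/debian-12" }
  }
  network_interface {
    subnetwork         = google_compute_subnetwork.hub.self_link
    subnetwork_project = var.host_project_id
  }
  depends_on = [google_compute_shared_vpc_service_project.compute]
}
```

Two things this layout leaves to you. A custom-mode VPC has no firewall rules, so inbound traffic from the on-premises prefixes is dropped until you add an ingress rule; writing one rule per site with `source_ranges` limited to that site's `remote_ranges` keeps the sites from reaching each other through the hub, which addresses the isolation concern raised in the comments. And the principal that creates the instance in the service project needs the Compute Network User role on the hub subnet (or the host project) before `subnetwork_project` will be accepted.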