Google Cloud: Configuring VPC Network Peering


VPC network peering connects VPC networks privately, within and across organizations, so that workloads communicate over internal RFC 1918 addresses rather than over the public internet. One common use is building SaaS (Software as a Service) ecosystems in Google Cloud, where a service in one VPC network is consumed privately from another.

VPC network peering gives you several advantages over using external IP addresses or VPNs to connect networks, including:

  • Network Latency: Public IP networking results in higher latency than private networking.
  • Network Security: Service owners do not need to have their services exposed to the public internet and deal with its associated risks.
  • Network Cost: Google Cloud charges egress bandwidth pricing for networks using external IPs to communicate, even if the traffic is within the same zone. If, however, the networks are peered, they can use internal IPs to communicate and save on those egress costs. Regular network pricing still applies to all traffic.

In this lab, we learn how to perform the following tasks:

  • Explore connectivity between non-peered VPC networks
  • Configure VPC network peering
  • Verify private communication between peered VPC networks
  • Delete VPC network peering

Task 1. Explore connectivity between non-peered VPC networks

Each Google Cloud project starts with the default network. In addition, mynetwork, privatenet, and managementnet have been created for you, along with firewall rules that allow ICMP, SSH and RDP traffic, and four VM instances.

Verify VPC network peering requirements

Peered VPC networks cannot have overlapping subnet IP ranges (primary or secondary). Therefore, verify that the CIDR blocks of the subnets of mynetwork and privatenet do not overlap.

  1. In the Cloud Console, on the Navigation menu > click VPC network > VPC networks.
  2. Examine the IP addresses ranges for the subnets of mynetwork.

The subnets of mynetwork fit within the 10.128.0.0/9 CIDR block. As new Google Cloud regions become available, new subnets in those regions are automatically added to this auto mode network using an IP range from that block.

3. Examine the IP address ranges for the subnets of privatenet.

The subnets of privatenet fit within the 172.16.0.0/24 and 172.20.0.0/24 CIDR blocks. They do not overlap with the 10.128.0.0/9 CIDR block of mynetwork.

You can configure VPC network peering between mynetwork and privatenet because their subnets’ CIDR blocks are non-overlapping.
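The console check above can be scripted. The following is an added example, not part of the lab: the overlap arithmetic is pure shell, and only the subnet_ranges function calls gcloud (it assumes gcloud is authenticated against the lab project; the script name check_overlap.sh and the CHECK variable are conventions of this example).

```shell
#!/usr/bin/env bash
# Added example (not part of the lab): check that two VPC networks have no
# overlapping subnet ranges before peering them. Only subnet_ranges calls
# gcloud; the overlap arithmetic below is pure shell.
set -eu

# ip_to_int A.B.C.D -> the address as an integer
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_range A.B.C.D/LEN -> "first last" (integers) of the block
cidr_range() {
  local ip len base mask first
  ip=${1%/*}
  len=${1#*/}
  base=$(ip_to_int "$ip")
  if [ "$len" -eq 0 ]; then
    mask=0
  else
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
  fi
  first=$(( base & mask ))
  echo "$first $(( first | (~mask & 4294967295) ))"
}

# cidrs_overlap A B: exit 0 if the two blocks share any address, 1 otherwise
cidrs_overlap() {
  set -- $(cidr_range "$1") $(cidr_range "$2")
  [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# check_disjoint "CIDR ..." "CIDR ...": print every overlapping pair between
# the two lists; exit 1 if any overlap exists, 0 if the lists are disjoint
check_disjoint() {
  local rc=0 a b
  for a in $1; do
    for b in $2; do
      if cidrs_overlap "$a" "$b"; then
        echo "OVERLAP: $a and $b"
        rc=1
      fi
    done
  done
  return "$rc"
}

# subnet_ranges NETWORK: space-separated primary ranges of every subnet in
# NETWORK (runs gcloud). Secondary ranges must be checked the same way,
# because peering rejects overlaps there too.
subnet_ranges() {
  gcloud compute networks subnets list --network="$1" \
    --format='value(ipCidrRange)' | tr '\n' ' '
}

# Set CHECK=1 to run against the lab project:
#   CHECK=1 ./check_overlap.sh   (assumption: saved under that name)
if [ "${CHECK:-0}" = "1" ]; then
  check_disjoint "$(subnet_ranges mynetwork)" "$(subnet_ranges privatenet)"
fi
```

With the lab's ranges, check_disjoint "10.128.0.0/9" "172.16.0.0/24 172.20.0.0/24" prints nothing and exits 0; a privatenet subnet such as 10.130.0.0/20 would be reported as overlapping with mynetwork's 10.128.0.0/9 block and the peering would be refused.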

Explore the connectivity between “mynetwork” and “privatenet”

Before configuring VPC network peering, explore the current connectivity between mynetwork and privatenet.

  1. On the Navigation menu > click VPC network > VPC network peering. Notice that there is no peering connection.

You will return to this page to configure the VPC network peering connections.

2. On the Navigation menu, click VPC network > Routes. Notice that none of the routes have a peering connection as the Next hop.

You will return to this page after configuring the VPC network peering connection.

3. On the Navigation menu, click VPC network > Firewall. Notice the allow SSH and ICMP firewall rules for mynetwork and privatenet.

These firewall rules have been created for you.

4. On the Navigation menu, click Compute Engine > VM instances. Notice the mynet-eu-vm, mynet-us-vm, privatenet-us-vm, and managementnet-us-vm instances.

These VM instances have been created for us by Qwiklabs.

5. Note the internal and external IP addresses for privatenet-us-vm.

6. For mynet-us-vm, click SSH to launch a terminal and connect.

7. To test connectivity to privatenet-us-vm’s external IP, run the following command, replacing privatenet-us-vm’s external IP:

ping -c 3 <Enter privatenet-us-vm’s external IP here>

This should work!

8. To test connectivity to privatenet-us-vm’s internal IP, run the following command, replacing privatenet-us-vm’s internal IP:

ping -c 3 <Enter privatenet-us-vm’s internal IP here>

This should not work, as indicated by a 100% packet loss!

9. On the VM instances page, click Columns and then select Network.

The mynet-us-vm and privatenet-us-vm instances are in the same zone (us-central1-a) but in different VPC networks (mynetwork and privatenet). Because VPC network peering has not been configured between those networks, private communication fails between the instances of those networks.

10. Close the SSH terminal to mynet-us-vm.

Task 2. Configure VPC network peering

VPC network peering can be configured for different VPC networks within and across organizations. Configure the following peering connections in this project:

  • peering-1–2: Peer mynetwork with privatenet
  • peering-2–1: Peer privatenet with mynetwork

Each side of a peering association is set up independently. Peering is active only when the configuration from both sides matches.

Create peering 1–2

Peer mynetwork with privatenet.

  1. In the Cloud Console, on the Navigation menu > click VPC network > VPC network peering.
  2. Click Create connection.

3. Read through the requirements.

You won’t need the project ID because you are connecting to a VPC network within the same project.

4. Click Continue.

5. Specify the following, and leave the remaining settings as their defaults: Name peering-1–2, Your VPC network mynetwork, and Peered VPC network privatenet (in the same project).

6. Click Create.

Note: At this point, the peering status remains INACTIVE because the other side has not been configured yet; the networks are not yet peered.

Create peering 2–1

Peer privatenet with mynetwork.

  1. In the Cloud Console, return to the VPC network peering page.
  2. Click Create connection.
  3. Click Continue.
  4. Specify the following, and leave the remaining settings as their defaults: Name peering-2–1, Your VPC network privatenet, and Peered VPC network mynetwork (in the same project).

5. Click Create.
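The same two-sided configuration can be done from the command line. The following is an added example, not part of the lab: it assumes gcloud is authenticated against the lab project and uses the lab's names (mynetwork, privatenet, peering-1-2, peering-2-1); the DRY_RUN and APPLY variables are conventions of this script, not gcloud flags.

```shell
#!/usr/bin/env bash
# Added example (not part of the lab): configure both sides of the peering
# with gcloud instead of the console. Assumes gcloud is authenticated against
# the lab project and uses the lab's network and peering names.
set -eu

# run CMD...: execute CMD, or only print it when DRY_RUN=1
# (DRY_RUN is a convention of this script, not a gcloud flag)
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# create_peering NAME NETWORK PEER_NETWORK: one side of the association.
# Subnet routes are exchanged automatically; custom (static/dynamic) routes
# are not unless --export-custom-routes / --import-custom-routes are added.
# For a peer in another project, add --peer-project=PROJECT_ID.
create_peering() {
  run gcloud compute networks peerings create "$1" \
    --network="$2" --peer-network="$3"
}

# peer_networks NET_A NET_B: both sides. After the first call the peering
# shows INACTIVE; it becomes ACTIVE only once the second side matches.
peer_networks() {
  create_peering peering-1-2 "$1" "$2"
  create_peering peering-2-1 "$2" "$1"
}

# list_peerings NETWORK: name, peer network and STATE of each peering on NETWORK
list_peerings() {
  run gcloud compute networks peerings list --network="$1"
}

# Set APPLY=1 to run it; DRY_RUN=1 APPLY=1 only prints the commands.
if [ "${APPLY:-0}" = "1" ]; then
  peer_networks mynetwork privatenet
  list_peerings mynetwork
  list_peerings privatenet
fi
```

Running list_peerings between the two create_peering calls is the command-line equivalent of the INACTIVE status noted above; after the second call both networks report the peering as ACTIVE.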

Task 3. Verify private communication between peered VPC networks

Verify private RFC 1918 connectivity across mynetwork and privatenet.

Verify routes between networks

Verify that routes have been established between mynetwork and privatenet.

  • In the Cloud Console, on the Navigation menu > VPC network > Routes. Notice that there is a route for each subnet in mynetwork with peering-1–2 as the Next hop. Similarly, notice that there is a route for each subnet in privatenet with peering-2–1 as the Next hop.

These routes were automatically created with the VPC peering connection.

Note: Only subnet routes are exchanged automatically. Static or dynamic custom routes that you configure in a network are not propagated to its peer by default, so a destination that mynetwork reaches through a custom route is not reachable from privatenet unless custom route export and import are enabled on both sides of the peering.

Ping from mynetwork to privatenet

Try to ping the internal IP of privatenet-us-vm from mynet-us-vm.

  1. On the Navigation menu, click Compute Engine > VM instances.
  2. Note the internal IP address for privatenet-us-vm.
  3. For mynet-us-vm, click SSH to launch a terminal and connect.
  4. To test connectivity to privatenet-us-vm’s internal IP, run the following command, replacing privatenet-us-vm’s internal IP:

ping -c 3 <Enter privatenet-us-vm’s internal IP here>

This should work because of the route that was established by the peering connection.

5. Close the SSH terminal to mynet-us-vm

Ping from privatenet to mynetwork

Similarly, try to ping the internal IP of mynet-us-vm from privatenet-us-vm.

  1. Note the internal IP address for mynet-us-vm.
  2. For privatenet-us-vm, click SSH to launch a terminal and connect.
  3. To test connectivity to mynet-us-vm’s internal IP, run the following command, replacing mynet-us-vm’s internal IP:

ping -c 3 <Enter mynet-us-vm’s internal IP here>

This should also work because of the route that was established by the peering connection.

4. To test Compute Engine DNS across peered networks, run the following command:

ping -c 3 mynet-us-vm

The name lookup should fail. Compute Engine internal DNS names created in a network are not resolvable from peered networks; use the VM's internal IP address to reach instances in a peered network. If you need name resolution across the peering, use Cloud DNS (a private zone authorized for both networks, or a DNS peering zone).

5. Close the SSH terminal to privatenet-us-vm

Task 4. Delete the VPC Peering Connection

Delete the VPC Peering connection and verify the deletion.

Delete the peering connection

Delete the peering-1–2 connection.

  1. On the Navigation menu, click VPC network > VPC network peering.
  2. Select the peering-1–2 connection.
  3. Click Delete.
  4. Click Delete to confirm the deletion. When the connection is deleted, notice the INACTIVE status for peering-2–1: the remaining side of the association stays configured but no longer has a matching peer.

Verify the peering deletion

Verify that routes no longer exist for the peering connection and that there is no private RFC 1918 connectivity across mynetwork and privatenet.

  1. On the Navigation menu, click VPC network > Routes. Notice that the VPC Peering routes have disappeared.

2. On the Navigation menu, click Compute Engine > VM instances.

3. Note the internal IP address for privatenet-us-vm.

4. For mynet-us-vm, click SSH to launch a terminal and connect.

5. To test connectivity to privatenet-us-vm’s internal IP, run the following command, replacing privatenet-us-vm’s internal IP:

ping -c 3 <Enter privatenet-us-vm’s internal IP here>

This should fail again with 100% packet loss: with the peering deleted, mynetwork no longer has a route to privatenet’s subnets.

6. Close the SSH terminal to mynet-us-vm.
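The route check from Task 3 and the deletion in Task 4 can also be done with gcloud. The following is an added example, not part of the lab: it assumes gcloud is authenticated against the lab project and uses the lab's names; the DRY_RUN and APPLY variables are conventions of this script, not gcloud flags.

```shell
#!/usr/bin/env bash
# Added example (not part of the lab): list the routes a peering creates,
# delete one side of the peering, and confirm the routes are gone. Assumes
# gcloud is authenticated against the lab project and uses the lab's names.
set -eu

# run CMD...: execute CMD, or only print it when DRY_RUN=1
# (DRY_RUN is a convention of this script, not a gcloud flag)
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# peering_routes NAME: routes whose next hop is the peering NAME. Expect one
# per peer subnet while the peering is ACTIVE, and no rows after deletion.
peering_routes() {
  run gcloud compute routes list --filter="nextHopPeering=$1" \
    --format='table(name,destRange,network.basename(),nextHopPeering)'
}

# delete_peering NAME NETWORK: remove one side. The other side is left in
# place and reports INACTIVE until it is deleted or the first side is recreated.
delete_peering() {
  run gcloud compute networks peerings delete "$1" --network="$2" --quiet
}

# Set APPLY=1 to run it; DRY_RUN=1 APPLY=1 only prints the commands.
if [ "${APPLY:-0}" = "1" ]; then
  peering_routes peering-1-2            # before: one route per privatenet subnet
  delete_peering peering-1-2 mynetwork
  run gcloud compute networks peerings list --network=privatenet   # peering-2-1 is now INACTIVE
  peering_routes peering-1-2            # after: no rows
fi
```

An empty result from peering_routes after the deletion is the same evidence the console gives on the Routes page, and is the reason the ping in step 5 fails.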

This concludes our lab on VPC peering.

Happy learning!

