0
votes

I'm trying to set up a Cloud VPN in a GCP network with 5 VMs, one of which is in an instance group behind a TCP Load Balancer that proxies the instance group's ports to the internet. The VPN tunnel itself is working well, because it's established and I can ping these VMs from my on-premise network.

But after I configured the VPN tunnel, I cannot access the external Load Balancer IP anymore!

I've checked the firewall rules and they're all okay. If I delete the VPN tunnels and routes, I can access the IP normally. Is this behaviour expected? Can I really not access a Load Balancer IP if I have a Cloud VPN in the same network?

BTW, none of the VMs have an external IP, just internal ones. One of them, as I said before, is behind the LB to get internet access.

I expect to connect to the VMs in the instance group behind the TCP Load Balancer from my on-premise network with a Cloud VPN established in this network. I can only access the internal IPs, not the LB's external one.

1
You say "I cannot access the external Load Balancer IP anymore". Where are you testing this from (external to the GCP VPC or inside the VPC)? Look at your route tables from where you are testing. Do you have a route to the public Internet? – John Hanley

1 Answer

0
votes

Let me summarize.

Important points are:

- TCP Load Balancer (LB): regional Network LB
- VPN tunnel from on-prem to GCP
- 5 VM instances, 1 instance in an instance group to use the LB; all VMs have only internal IPs
- Lost access via the frontend IP of the Load Balancer after the VPN tunnel was configured
- Firewall rules seem to be OK
- If you delete the VPN tunnel and "routes", you recover access via the frontend IP

Responding to your direct question:
- Is this behaviour expected?

Answer:
- No, that behaviour is not expected. You can use a TCP Load Balancer to access your VM instances and a VPN tunnel to access the same VM instances from another (on-prem) network at the same time.


Regarding the TCP LB (external, regional, non-proxied), you need to consider the options and choose the best one for your needs [1]. I would like to know what kind of service you are using (at the backend) and what port you need, since the TCP Load Balancer performs a passthrough, so the request reaches the backend intact from the frontend (external IP) to the backend (VM instance), preserving the same port for access to your services. However, it is not clear whether you are using a TCP LB or a TCP Proxy LB. How are you testing the frontend IP? (ping, nmap, etc.)

What firewall rules are you checking and configuring? Both the LB and Cloud VPN need specific firewall rules [2] [3].
It catches my attention that you need to delete routes. Can you explain more about these routes [4]? Were they generated by GCP or by yourself, and what is their purpose?

Where are your Load Balancer and VPN created (zone/region)? Both resources you are using are regional [5] [6].

In the links you will find information that will be helpful for finding a possible point of failure.


[1] https://cloud.google.com/load-balancing/docs/choosing-load-balancer#deciding_on_a_load_balancer
[2] https://cloud.google.com/load-balancing/docs/network/setting-up-network#create_a_firewall_rule_to_allow_external_traffic_to_these_vm_instances
[3] https://cloud.google.com/vpn/docs/how-to/configuring-firewall-rules
[4] https://cloud.google.com/vpc/docs/routes
[5] https://cloud.google.com/load-balancing/docs/network/
[6] https://cloud.google.com/vpn/docs/concepts/overview#ha-vpn
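The answer's question about the "routes" is the one worth checking first. A passthrough network LB hands the client's packet to the backend VM unchanged, so the VM's reply to the client's public address follows the VPC route table, and GCP picks the route with the most specific destination range, then the lowest priority number among equals (the system default route 0.0.0.0/0 via default-internet-gateway has priority 1000). The following is an added example, not code from the question, the answer, or Google: a small Python model of that selection run over two constructed route tables (all route names, ranges and the 203.0.113.10 client address are assumptions for the example) that shows how a catch-all route with the VPN tunnel as next hop silently captures the LB's return traffic.

```python
"""Model of GCP VPC route selection (added example; the route tables,
names and addresses below are constructed for illustration).

Selection rule modelled: most specific destination range wins; among
equally specific ranges the lowest priority number wins.
"""
import ipaddress


def _rank(route):
    # Longer prefix first, then lower priority number.
    return (-ipaddress.ip_network(route["dest"]).prefixlen, route["priority"])


def _matching(routes, dst_ip):
    dst = ipaddress.ip_address(dst_ip)
    return sorted(
        (r for r in routes if dst in ipaddress.ip_network(r["dest"])),
        key=_rank,
    )


def select_route(routes, dst_ip):
    """Return the route GCP would choose for dst_ip, or None if nothing matches."""
    ranked = _matching(routes, dst_ip)
    return ranked[0] if ranked else None


def reply_next_hop(routes, client_ip):
    """Next hop a backend VM would use when it answers client_ip directly,
    which is what happens behind a passthrough network LB."""
    route = select_route(routes, client_ip)
    return route["next_hop"] if route else None


def diverting_routes(routes, probe_ip="203.0.113.10"):
    """Names of routes that outrank the internet gateway for a public client
    address (probe_ip is a constructed client on the internet).  Any name
    returned here explains a passthrough LB that looks dead from outside
    while the backends are healthy and reachable on their internal IPs."""
    names = []
    for route in _matching(routes, probe_ip):
        if route["next_hop"] == "default-internet-gateway":
            break
        names.append(route["name"])
    return names


# Constructed route tables (assumed names and ranges).
SUBNET_ROUTE = {"name": "subnet-10-0-0-0", "dest": "10.0.0.0/24",
                "next_hop": "subnet", "priority": 0}
DEFAULT_ROUTE = {"name": "default-route", "dest": "0.0.0.0/0",
                 "next_hop": "default-internet-gateway", "priority": 1000}
ONPREM_ROUTE = {"name": "vpn-to-onprem", "dest": "192.168.0.0/16",
                "next_hop": "vpn-tunnel-1", "priority": 1000}
# A catch-all route through the tunnel.  It is equally specific to the
# default route and has a lower priority number, so it wins for every
# destination that no more specific route covers, including internet clients.
CATCHALL_VPN_ROUTE = {"name": "vpn-catch-all", "dest": "0.0.0.0/0",
                      "next_hop": "vpn-tunnel-1", "priority": 100}

BROKEN_TABLE = [SUBNET_ROUTE, DEFAULT_ROUTE, ONPREM_ROUTE, CATCHALL_VPN_ROUTE]
FIXED_TABLE = [SUBNET_ROUTE, DEFAULT_ROUTE, ONPREM_ROUTE]


if __name__ == "__main__":
    for label, table in (("broken", BROKEN_TABLE), ("fixed", FIXED_TABLE)):
        print(label, "reply to internet client ->", reply_next_hop(table, "203.0.113.10"))
        print(label, "reply to on-prem client  ->", reply_next_hop(table, "192.168.5.7"))
        print(label, "diverting routes:", diverting_routes(table))
```

To run the same check against a real project, replace the constructed tables with the output of `gcloud compute routes list --format=json` (the destRange, priority and nextHop fields carry the same information). The same longest-prefix logic applies on the on-prem router: if its table or the tunnel's traffic selectors cover the LB's public IP, a test from on-prem never leaves through the internet at all, which is what the comment under the question is asking about.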