
Assume I have a custom VPC with the IP range 10.148.0.0/20. This custom VPC has firewall rules to allow internal traffic so the services inside those IP ranges can communicate with each other. After the system grew I needed to connect to an on-premises network using Classic Cloud VPN; I have already created the Cloud VPN (the on-premises side was configured by someone else) and the VPN tunnel is already established (with green checkmarks).

I can also ping an on-premises IP right now (let's say 10.xxx.xxx.xxx, which is not a GCP internal/private IP but an on-premises private IP) from a Compute Engine instance created in the custom VPC network.

The problem is that all Compute Engine instances spawned in the custom VPC network can't communicate with the internet now (e.g. running sudo apt update) or even with Google Cloud Storage (using gsutil), but they can communicate using private IPs. I also can't spawn a Dataproc cluster on that custom VPC (I guess because it can't connect to GCS, since Dataproc needs GCS for staging buckets).

Since I don't really know networking and am relatively new to GCP, how can I make the instances I create inside the custom VPC able to connect to the internet?

Most likely your route table is sending all traffic down the VPN to your datacenter. This can be a good thing or not depending on your design/security goals (for example on-prem DNS, Active Directory, firewalls). Your datacenter can then route the traffic to the internet, or you can configure routes in your VPC to the internet. Edit your question with details on how your VPC, VPN, and routes are configured. If you are at the point of configuring VPNs then you need to know networking very well. Small mistakes can cause big problems. – John Hanley
As @JohnHanley says, I think there is a routing issue. Can you share your configuration? – guillaume blaquiere

1 Answer


After checking my custom VPC and Cloud VPN more in depth I realized there was a misconfiguration when I established the Cloud VPN: I had chosen route-based in the routing option and entered 0.0.0.0/0 in Remote network IP ranges. I guess this routed all traffic to the VPN, as @John Hanley said.

Solved it by using policy-based in the routing option and only adding the specific IP ranges in Remote network IP ranges. Thank you @John Hanley and @guillaume blaquiere for pointing this out.
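The route-table check behind this answer, as an added example that is not part of the original post or of any Google tool: it reads route objects in the shape `gcloud compute routes list --format=json` prints for the Compute Engine Route resource (`destRange`, `priority`, `nextHopGateway`, `nextHopVpnTunnel`, `nextHopNetwork`), reproduces GCP's route selection (longest matching prefix, then lowest priority number, with exact ties ECMP-balanced), and flags any VPN-tunnel route whose destination is wider than the on-prem prefixes the tunnel is meant to carry. The two route tables are constructed samples mirroring the "before" (0.0.0.0/0 via the tunnel, competing with the default internet-gateway route at the same priority) and "after" (only the on-prem prefix via the tunnel) states described in the answer; the network name `custom-vpc`, the tunnel name `onprem-tunnel`, the region `asia-southeast1`, the on-prem range 10.20.0.0/16 and the priority values are assumptions, not taken from the question.

```python
"""Audit a GCP VPC route table for a VPN route that swallows internet traffic.

Added example, not code from the original post. Route objects follow the
Compute Engine Route resource as printed by
`gcloud compute routes list --format=json`.
"""
import ipaddress

# Constructed sample: the table after a route-based Classic VPN tunnel was
# created with remote range 0.0.0.0/0 (the situation in the question).
# Resource paths are shortened with "..."; names, region and the 1000
# priority on the tunnel route are assumptions.
ROUTES_BROKEN = [
    {"name": "default-route-internet", "destRange": "0.0.0.0/0", "priority": 1000,
     "nextHopGateway": ".../global/gateways/default-internet-gateway"},
    {"name": "default-route-subnet", "destRange": "10.148.0.0/20", "priority": 0,
     "nextHopNetwork": ".../global/networks/custom-vpc"},
    {"name": "vpn-tunnel-route-1", "destRange": "0.0.0.0/0", "priority": 1000,
     "nextHopVpnTunnel": ".../regions/asia-southeast1/vpnTunnels/onprem-tunnel"},
]

# Constructed sample: the same table after switching to policy-based routing
# with only the on-prem prefix (10.20.0.0/16 is an assumed on-prem range).
ROUTES_FIXED = [
    ROUTES_BROKEN[0],
    ROUTES_BROKEN[1],
    {"name": "vpn-tunnel-route-1", "destRange": "10.20.0.0/16", "priority": 1000,
     "nextHopVpnTunnel": ".../regions/asia-southeast1/vpnTunnels/onprem-tunnel"},
]

ON_PREM_PREFIXES = ["10.20.0.0/16"]  # assumed: the ranges the tunnel should carry


def next_hop_for(routes, dest_ip):
    """Names of the route(s) GCP would select for dest_ip.

    Longest prefix wins; among equal prefixes the lowest priority value wins;
    anything still tied is ECMP-balanced, so more than one name may come back.
    """
    ip = ipaddress.ip_address(dest_ip)
    matching = [r for r in routes if ip in ipaddress.ip_network(r["destRange"])]
    if not matching:
        return []
    best_len = max(ipaddress.ip_network(r["destRange"]).prefixlen for r in matching)
    longest = [r for r in matching
               if ipaddress.ip_network(r["destRange"]).prefixlen == best_len]
    best_prio = min(r["priority"] for r in longest)
    return [r["name"] for r in longest if r["priority"] == best_prio]


def vpn_routes_leaking_internet(routes, allowed_prefixes):
    """Names of VPN-tunnel routes whose destination is not contained in one of
    the prefixes the tunnel is supposed to carry. A 0.0.0.0/0 entry here is
    exactly the misconfiguration the answer describes."""
    allowed = [ipaddress.ip_network(p) for p in allowed_prefixes]
    leaking = []
    for r in routes:
        if "nextHopVpnTunnel" not in r:
            continue
        dest = ipaddress.ip_network(r["destRange"])
        if not any(dest.subnet_of(a) for a in allowed):
            leaking.append(r["name"])
    return leaking


def internet_goes_through_vpn(routes, probe_ip="8.8.8.8"):
    """True if a tunnel route is among the routes selected for a public IP,
    i.e. internet-bound flows can be sent into the tunnel."""
    by_name = {r["name"]: r for r in routes}
    return any("nextHopVpnTunnel" in by_name[n] for n in next_hop_for(routes, probe_ip))


if __name__ == "__main__":
    for label, table in (("broken", ROUTES_BROKEN), ("fixed", ROUTES_FIXED)):
        print(label, "8.8.8.8 ->", next_hop_for(table, "8.8.8.8"))
        print(label, "10.20.4.7 ->", next_hop_for(table, "10.20.4.7"))
        print(label, "leaking:", vpn_routes_leaking_internet(table, ON_PREM_PREFIXES))
```

To run this against a real project, pipe `gcloud compute routes list --filter="network:custom-vpc" --format=json` into the functions. With the broken table a public address is a tie between the internet gateway and the tunnel, so internet-bound flows can land in the tunnel, where the on-prem side has no reason to forward them; with the fixed table only 10.20.0.0/16 selects the tunnel. The fix in the answer corresponds, on the command line, to giving the tunnel only the on-prem range (`--remote-traffic-selector=10.20.0.0/16` on `gcloud compute vpn-tunnels create`) and creating the static route with `--destination-range=10.20.0.0/16 --next-hop-vpn-tunnel=onprem-tunnel`. If sending 0.0.0.0/0 through the tunnel is actually intended, as John Hanley's comment allows for, the on-prem side must then forward and NAT that internet traffic itself.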