How to setup VPN from on-premises to Google Cloud VPC

We want to be able to connect to my on-premises database from our Google Cloud Kubernetes cluster.

We are currently attempting to do so by using "Create a VPN connection" from within the Google console.

Screenshot: Google Compute Engine VPN

In the field IP address, I am forced to create (or pick from existing) "External IP Addresses".

I am able to link a single VM instance to this External IP Address. But I want my VPN connection/tunnel to be between my on-premises network and EVERYTHING within my Google Cloud network.

This IP should not just work as an External IP Address for a single instance. I need to make it a gateway to the network as a whole. What am I missing?

Thanks in advance.

Another way to frame the question: How do I find the IP address of the gateway to my Google Cloud network (VPC), and how do I supply that IP to the VPN connection creation?

Nixxon asked Oct 14 '25 14:10

2 Answers

The answer was simpler than I thought.

My question was:

How do I find the IP address of the gateway to my Google Cloud network (VPC), and how do I supply that IP to the VPN connection creation?

The answer is simply to fill out the "Create a VPN connection" page. It automatically sets up whatever IP you get/choose in the "IP Address" field as the gateway. I did NOT need to configure this IP address to work as a gateway. Simply getting it assigned in this step is enough. Google does the rest behind the scenes.

Nixxon answered Oct 17 '25 17:10


The Cloud VPN connects your on-premises network to the VPC, which means every instance, cluster or other product that uses Google Compute Engine (GCE).

As mentioned in a previous answer from avinoam-meir, the VPN has at least two components, Gateway and Tunnel, but I will add a third one: type of routing.

a) Gateway: This is where you add an existing static IP address or reserve a new one (from the Google pool of external IP addresses).

b) Tunnel: Where the encapsulated and encrypted traffic flows to reach the local IP ranges.

c) Type of routing: Cloud VPN has three possibilities:

  • Tunnel using dynamic routing
  • Route-based VPN
  • Policy-based VPN

Depending on the type you choose, routing happens in a different way, but in general terms it will propagate your subnetwork(s) to your on-premises network and receive the routes from it.

Important: Remember to open the firewall on your GCP VPC to receive traffic from your on-premises IP ranges, as the default, implied rule for ingress will block it.

  • The implied allow egress rule: An egress rule whose action is allow, destination is 0.0.0.0/0, and priority is the lowest possible (65535) lets any instance send traffic to any destination.
  • The implied deny ingress rule: An ingress rule whose action is deny, source is 0.0.0.0/0, and priority is the lowest possible (65535) protects all instances by blocking incoming traffic to them.
Daniel answered Oct 17 '25 17:10
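The three components above (gateway, tunnel, routing) plus the ingress firewall rule, written out as a classic Cloud VPN in Terraform. This is an added example, not code from either answer or from Google; the region/network, the on-premises peer address 203.0.113.10 and the on-premises range 10.10.0.0/16 are assumed placeholders, and HA VPN uses different resources.

```hcl
# Assumed, not from the page: provider region/network "default", on-prem 203.0.113.10 (public IP) and 10.10.0.0/16.
variable "on_prem_cidr"  { default = "10.10.0.0/16" }
variable "shared_secret" { sensitive = true } # IKE pre-shared key, given at apply time
# a) Gateway: the reserved IP is the VPN endpoint only because forwarding rules steer ESP and IKE (UDP 500/4500) to it.
resource "google_compute_address" "vpn_ip" {
  name = "vpn-gateway-ip"
}
resource "google_compute_vpn_gateway" "gw" {
  name    = "on-prem-gw"
  network = "default"
}
resource "google_compute_forwarding_rule" "ipsec" {
  for_each = {
    esp   = { protocol = "ESP", port = null }
    ike   = { protocol = "UDP", port = "500" }
    nat_t = { protocol = "UDP", port = "4500" }
  }
  name        = "vpn-${each.key}"
  ip_protocol = each.value.protocol
  port_range  = each.value.port
  ip_address  = google_compute_address.vpn_ip.address
  target      = google_compute_vpn_gateway.gw.id
}
# b) Tunnel, route-based: selectors are 0.0.0.0/0 and the route below decides what enters.
resource "google_compute_vpn_tunnel" "tun" {
  name                    = "on-prem-tunnel"
  peer_ip                 = "203.0.113.10"
  shared_secret           = var.shared_secret
  target_vpn_gateway      = google_compute_vpn_gateway.gw.id
  local_traffic_selector  = ["0.0.0.0/0"]
  remote_traffic_selector = ["0.0.0.0/0"]
  depends_on              = [google_compute_forwarding_rule.ipsec]
}
# c) Routing: every instance in the VPC reaches the on-prem range through the tunnel.
resource "google_compute_route" "to_on_prem" {
  name                = "to-on-prem"
  network             = "default"
  dest_range          = var.on_prem_cidr
  next_hop_vpn_tunnel = google_compute_vpn_tunnel.tun.id
}
# The implied deny-ingress rule drops on-prem-initiated traffic; open only what is needed.
resource "google_compute_firewall" "from_on_prem" {
  name          = "allow-from-on-prem"
  network       = "default"
  source_ranges = [var.on_prem_cidr]
  allow {
    protocol = "tcp"
    ports    = ["3306"]
  }
}
```

Traffic from the GKE cluster to the on-premises database leaves under the implied allow-egress rule; the firewall rule is only needed for connections that the on-premises side initiates.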


