Networking across Google Cloud projects

Question

Is it possible to route/forward all tcp traffic for a specific port originating from one instances group to that tcp port for a specific instance in a 2nd project? In a single project this is not difficult, but without static IP's (auto-scaling instance group with hundreds of instances) it is not clear how to route across proejcts.

Answer 1

Use Shared VPC. It allows you to share a VPC network across projects in the same organization.

Answer 2

I found these answers in need of further details or perhaps outdated? First, for those who don't know, a VPC is a Virtual Private Cloud network. Yes, you need a VPC, but not necessarily a shared one that requires an organization configuration. An easy solution is to use VPC Network Peering.

When you create a compute engine instance, you are assigned to a VPC, the "default" VPC. If you have instances in more than 1 project and you want to communicate between them, then you need to create another VPC that doesn't share the same subnet as the default VPC, but only if the two projects have the same default subnet.

One VPC might have 10.142.0.0/20 for its network and another might have 10.143.0.0/20 for its network. This would be fine, but if they both have 10.142.0.0/20, that won't work and you'd need to create a new VPC.

Now, you go to VPC network menu option in the console and add a new VPC, if needed. If you do that, then you need to set up firewall and routing similar to that of the default VPC. If you don't, then traffic on the same VPC, between compute engines, will not be possible.

Now, go to the VPC network peering option and create an entry in one project that points to the VPC of the other project. It will tell you that it is waiting to connect. Now go to the other project and create a network peering entry that has the opposite configuration. For example, in project A, with VPC AA and project B with VPC BB, you create an entry in project A that uses AA and points to BB. In project B, you create an entry that uses BB and points to AA. After some validation, the connection, if valid, will connect. Once connected, it creates all of the routes necessary to get between the two project VPCs.

Now, if your firewall settings are correct, you should be able to send and receive traffic between projects.