on-premise to GCloud compute engine VPN using on-premise range IP


Gabriel Aberasturi

Mar 4, 2020, 8:40:22 AM
to Google App Engine
Hello,

  I have a compute engine with a service on it. This compute engine has an internal IP (10.208.0.X) and an external IP, and I can reach the service through the external IP.

  Now I want to create a VPN from on-premise to GCloud, but I want calls to the service from on-premise to use an IP from the on-premise range (172.30.XX) and be routed to the compute engine.

  I have configured the VPN between on-premise and GCloud using the following link:

  https://cloud.google.com/vpn/docs/how-to/creating-static-vpns

  - Created a VPC net and subnet using range 172.30.X.X
  - Created a Classic VPN IKEv2 with policy-based routing using the VPC net and subnet.
  - Attached a network tag to the compute engine and created a firewall rule allowing incoming traffic from on-premise.

  The VPN gateway and tunnel are up and running, but I'm not able to reach the compute engine, neither using the on-premise range (172.30.x.x) nor the internal IP (10.208.0.X).

  Any help would be appreciated.
 
Regards

Ahmad Elias Hamanudin

Mar 4, 2020, 4:54:01 PM
to Google App Engine
Have you tried pinging your on-prem from the GCE VM instance? This could confirm if connectivity is correct.

Additionally, you can use Stackdriver Logging and look at your tunnel to see if traffic is passing through. If you see sending packets but not receiving, it could be a firewall issue with your on-prem. Have you configured an egress firewall rule for your on-prem?

Have you also verified you have the correct routes set up? 

I would suggest posting your question to Stack Overflow or ServerFault seeing that the nature of it is more technical. Google Groups is mainly reserved for general questions or inquiries. For technical assistance, you   [1][2]

[1] https://stackoverflow.com/
[2] https://serverfault.com/

Gabriel Aberasturi

Mar 5, 2020, 10:21:00 AM
to Google App Engine
Hi Ahmad,

  I have asked on Stack Overflow too.

  I'm going to check your suggestions.

  Thank you very much for your response.

Regards,

Gabriel Aberasturi

Apr 2, 2020, 8:16:54 AM
to Google App Engine
Hi,

  Finally we have solved it this way.

    - Created a VPC net and subnet using range 172.30.X.X: OUR-NET
    - Created a Compute Engine (CE) instance using OUR-NET as primary interface eth0/nic0 and NO external IP address.
    - Created a Classic VPN IKEv2 with policy-based routing using the VPC net and subnet. https://cloud.google.com/vpn/docs/how-to/creating-static-vpns. At this point we are able to connect from our on-premise hosts to the CE.
    - Because our CE is in OUR-NET and we don't have an external IP address, we needed to enable Identity-Aware Proxy (IAP) for access through "gcloud compute ssh".

Regards,
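The layout Gabriel describes in the final post (custom VPC on the on-premise range, a VM with nic0 on it and no external IP, a Classic policy-based IKEv2 tunnel, tag-scoped firewall rules, IAP for SSH), together with the tunnel-status, route and logging checks Ahmad suggested earlier in the thread, written out as gcloud commands. This is an added example, not code from the thread, from Google's documentation or from either poster. All names (our-net, ce-vm, vpn-gw, tunnel-onprem), the region and zone, the split of 172.30.x.x into a GCP-side /24 and an on-premise /24, the peer address, and the service port 443 are assumed placeholders; the only non-placeholder value is 35.235.240.0/20, Google's documented source range for IAP TCP forwarding. By default (DRY_RUN=1) the script only prints the plan, masking the pre-shared key; set DRY_RUN=0 and SHARED_SECRET in the environment to execute it.

```shell
#!/bin/sh
# Added example, not code from the thread or from Google: builds the layout from the
# final post (custom VPC, VM with no external IP, Classic policy-based IKEv2 VPN,
# tag-scoped firewall rules, IAP for SSH) and runs the checks suggested earlier.
# Every name, range, region and the peer IP below is an assumed placeholder.
# DRY_RUN=1 (default) prints the plan instead of calling gcloud.
set -eu

PROJECT="${PROJECT:-example-project}"   # placeholder project id
REGION="${REGION:-europe-west1}"        # placeholder region
ZONE="${ZONE:-europe-west1-b}"          # placeholder zone
NET="our-net"                           # the thread's OUR-NET
SUBNET="our-subnet"
GCP_RANGE="172.30.0.0/24"               # assumed: the part of 172.30.x.x given to the VPC
ONPREM_RANGE="172.30.1.0/24"            # assumed: the part that stays on-premise
PEER_IP="${PEER_IP:-203.0.113.10}"      # placeholder public IP of the on-prem VPN device
IAP_RANGE="35.235.240.0/20"             # Google's documented IAP TCP-forwarding source range
SHARED_SECRET="${SHARED_SECRET:-}"      # IKE pre-shared key, read from the environment only
DRY_RUN="${DRY_RUN:-1}"

# Print one command (masking the PSK) in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    for a in "$@"; do
      case "$a" in
        --shared-secret=*) printf '%s ' '--shared-secret=***' ;;
        *) printf '%s ' "$a" ;;
      esac
    done
    printf '\n'
  else
    "$@"
  fi
}

network() {
  run gcloud compute networks create "$NET" --project="$PROJECT" --subnet-mode=custom
  run gcloud compute networks subnets create "$SUBNET" --project="$PROJECT" \
    --network="$NET" --region="$REGION" --range="$GCP_RANGE"
}

# nic0 on OUR-NET and no external address: reachable only through the tunnel or IAP.
vm() {
  run gcloud compute instances create ce-vm --project="$PROJECT" --zone="$ZONE" \
    --network="$NET" --subnet="$SUBNET" --no-address --tags=vpn-service
}

# Classic VPN, policy based: the traffic selectors decide what the IPsec SA carries,
# and a static route sends the on-prem range into the tunnel.
vpn() {
  [ "$DRY_RUN" = "1" ] || [ -n "$SHARED_SECRET" ] || { echo "set SHARED_SECRET" >&2; return 1; }
  run gcloud compute addresses create vpn-gw-ip --project="$PROJECT" --region="$REGION"
  run gcloud compute target-vpn-gateways create vpn-gw --project="$PROJECT" \
    --network="$NET" --region="$REGION"
  for rule in "vpn-esp --ip-protocol=ESP" "vpn-udp500 --ip-protocol=UDP --ports=500" \
              "vpn-udp4500 --ip-protocol=UDP --ports=4500"; do
    # $rule is split on purpose into the rule name plus its protocol flags
    run gcloud compute forwarding-rules create $rule --project="$PROJECT" --region="$REGION" \
      --address=vpn-gw-ip --target-vpn-gateway=vpn-gw
  done
  run gcloud compute vpn-tunnels create tunnel-onprem --project="$PROJECT" --region="$REGION" \
    --target-vpn-gateway=vpn-gw --peer-address="$PEER_IP" --ike-version=2 \
    --shared-secret="$SHARED_SECRET" \
    --local-traffic-selector="$GCP_RANGE" --remote-traffic-selector="$ONPREM_RANGE"
  run gcloud compute routes create route-to-onprem --project="$PROJECT" --network="$NET" \
    --destination-range="$ONPREM_RANGE" --next-hop-vpn-tunnel=tunnel-onprem \
    --next-hop-vpn-tunnel-region="$REGION"
}

# Ingress is scoped by source range and target tag; nothing is opened to 0.0.0.0/0.
firewall() {
  run gcloud compute firewall-rules create allow-onprem-service --project="$PROJECT" \
    --network="$NET" --direction=INGRESS --source-ranges="$ONPREM_RANGE" \
    --target-tags=vpn-service --allow=tcp:443,icmp   # 443 is an assumed service port
  run gcloud compute firewall-rules create allow-iap-ssh --project="$PROJECT" \
    --network="$NET" --direction=INGRESS --source-ranges="$IAP_RANGE" \
    --target-tags=vpn-service --allow=tcp:22
}

# SSH to the address-less VM goes through IAP instead of a public IP.
ssh_via_iap() {
  run gcloud compute ssh ce-vm --project="$PROJECT" --zone="$ZONE" --tunnel-through-iap
}

# Ahmad's checks: tunnel status, the routes on the VPC, and the VPN gateway logs.
checks() {
  run gcloud compute vpn-tunnels describe tunnel-onprem --project="$PROJECT" \
    --region="$REGION" --format='value(status,detailedStatus)'
  run gcloud compute routes list --project="$PROJECT" --filter="network:$NET"
  run gcloud logging read 'resource.type="vpn_gateway"' --project="$PROJECT" --limit=20
}

main() { network; vm; vpn; firewall; checks; }
main
```

Two points the plan makes visible that the bullet list leaves implicit: the VM is created with --no-address, so the service is only reachable from the on-premise range over the tunnel (which is why SSH then has to go through IAP from the 35.235.240.0/20 range rather than from the internet), and the tunnel, forwarding rules and route are tied to the same traffic selectors, which is where the check "tunnel up but no packets received" usually points when a selector or the static route does not match the ranges used on-premise.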
