How to use European subnet with US-based VPN tunnel

First of all I would like to explain that I am taking my first steps in networking in general and in GCP in particular. That’s why I apologize if the question makes no sense.

I’m facing a challenge with routing traffic from a subnet in Europe through a VPN tunnel based in the United States.

Here are the specifics:

  • Subnet details: located in europe-west1, containing 2 instances
  • VPN tunnel: Set up in the US, with the Cloud VPN gateway in us-west
  • Issue: Cannot add the europe-west1 subnet to the tunnel due to regional differences

Current limitations:

  • Unable to modify the other side of the tunnel
  • Cannot relocate the Gateway to europe-west1 as it would result in losing the IP configured on the other side of the tunnel
  • Unable to select a different range of local IPs for the tunnel
  • Cannot move the instances from europe-west1 to another region

Attempted solutions:

  • Verified routing tables
  • Tried creating a Cloud NAT between the two subnets, but this approach doesn’t work as both subnets must be in the same region
  • Attempted VPC peering, which yielded the same result

Core question: Is there a method to route traffic from instances in one region (europe-west1) through a VPN tunnel configured in a different region (us-west)?

The only thing I can think of is to create another instance in a subnet in the US that acts as a proxy between the instances in Europe and the tunnel but it seems a very inefficient solution and I would like to know if there is an alternative that escapes me.

VPC in Google is global, which means you can reach resources in the same VPC regardless of the region. So are custom routes (Compute API based). But Cloud VPN uses dynamic routes and these can be propagated globally or regionally depending on the settings.

Your solution is to change dynamic routing mode in VPC settings from regional to global.

The issue you’re facing arises because Cloud VPN on Google Cloud Platform (GCP) operates at a regional level. Subnets are tied to specific regions, and the VPN gateway also belongs to a region. For a VPN tunnel to connect to resources in a particular region, the subnet and VPN gateway must either be in the same region or properly routed via a global dynamic routing configuration.

Here’s how to address the problem:

1. Enable Global Dynamic Routing

This will allow the VPN to route traffic from the europe-west1 subnet to the VPN gateway in us-west.

2. Add the europe-west1 Subnet to the Tunnel

Once global routing is enabled:

  1. Ensure the necessary routes are in place.
    • The VPN will automatically propagate routes to connected subnets.
    • Verify that the subnet IP range for europe-west1 is listed in the route table.
  2. Update the tunnel configuration:
    • Include the CIDR range of the europe-west1 subnet in the VPN tunnel’s remote traffic selectors.

3. Use Cloud Router for Dynamic Routing

If you haven’t already, use a Cloud Router to dynamically manage routes for your VPN. This is crucial for scaling and managing cross-region connections efficiently.

Steps:

  1. Create or assign an existing Cloud Router in the us-west region where your VPN gateway resides.
  2. Attach the Cloud Router to the VPN tunnel.
  3. Verify the subnet advertisement. The Cloud Router should automatically propagate the europe-west1 subnet to the on-premises network.

4. Test Connectivity

  • Ping or use traceroute from an instance in the europe-west1 subnet to verify the connection through the VPN.
  • Check logs in Cloud Logging to ensure packets are correctly routed and there are no dropped connections.
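Terraform for steps 1 and 3 above, as an added example that is not part of this thread or of any project mentioned in it. The VPC and subnet names, the 10.10.0.0/24 subnet range, the 192.168.0.0/16 on-premises range, the BGP ASN and us-west1 as the gateway region are assumptions; the existing HA VPN gateway and tunnel are left out because they stay as they are.

```terraform
# Added example, not from the thread. Names, ranges, ASN and region are assumptions.

# Dynamic routing mode decides whether routes learned over the tunnel reach
# every region (GLOBAL) or only the gateway's region (REGIONAL). This is the
# single setting that lets europe-west1 use a tunnel terminated in us-west1.
resource "google_compute_network" "vpc" {
  name                    = "shared-vpc"
  auto_create_subnetworks = false
  routing_mode            = "GLOBAL" # was "REGIONAL"
}

resource "google_compute_subnetwork" "eu" {
  name          = "eu-subnet"
  region        = "europe-west1"
  network       = google_compute_network.vpc.id
  ip_cidr_range = "10.10.0.0/24" # assumed range
}

# Cloud Router in the gateway's region. With GLOBAL routing mode, DEFAULT
# advertise mode announces subnets from all regions, including europe-west1,
# to the BGP peer on the other side of the tunnel.
resource "google_compute_router" "vpn_router" {
  name    = "vpn-router"
  region  = "us-west1" # assumed gateway region
  network = google_compute_network.vpc.id
  bgp {
    asn            = 64514
    advertise_mode = "DEFAULT"
  }
}

# Global routing also makes every region reachable from the peer, so scope
# what the on-premises side may talk to rather than relying on the broad
# default-allow-internal rule.
resource "google_compute_firewall" "from_onprem" {
  name          = "allow-onprem-to-eu-app"
  network       = google_compute_network.vpc.id
  direction     = "INGRESS"
  source_ranges = ["192.168.0.0/16"] # assumed on-premises range
  target_tags   = ["eu-app"]
  allow {
    protocol = "tcp"
    ports    = ["443"]
  }
}
```

After `terraform apply`, the Cloud Router status page (or `gcloud compute routers get-status vpn-router --region=us-west1`) should list the europe-west1 range under advertised routes and the on-premises ranges under learned routes.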

VPC subnets within the same VPC can communicate with each other. The VPC Firewall rule default-allow-internal allows all TCP, UDP, and ICMP traffic between resources within the same VPC.

The key is to use the internal (private) IP address.

I really don’t understand why you need VPN here

To add to this, you can create a connectivity test from the VPN to the instance to show whether you have a blockage at a route or perhaps a firewall.

Really, spending a day doing some networking fundamentals tutorials for GCP on how their VPCs work will pay off well.

This was the solution. Now I feel stupid for not realizing it sooner. Thank you for guiding me on the right path.

Thank you for your answer, the solution is in point 1 you indicate.

The VPN tunnel is not between my own VPCs but between my VPC and my OTHER organization. Within my VPC I need different regions to communicate and pass through the tunnel.

No worries, routing in cloud is a mess. I’m happy I could help.

Glad I was able to help