Reputation: 73
Hello Stackoverflow Community,
Has anyone ever tried finding a way of routing traffic through a peered VPC (where the VPN tunnel is sitting) on Google Cloud down to the on-premises network?
Peered VPC1 -> Peered VPC2 (with VPN Gateway) -> On premises network
We need project resources in VPC1 to talk to on-premises, but we wouldn't like to create a separate VPN tunnel for each of the VPCs. I know that AWS doesn't support cross-edge routing; I was wondering if there's a way to implement that with GCP? Do you know if it's possible to set up a custom route? But in that case it seems to me the gateway will need to exist within a project and somehow will need to point to another VPC...
Please let me know if someone has had a chance to work with something similar before,
Ruben
Upvotes: 1
Views: 375
Reputation: 2421
From what I know, it's not possible: each VPC is a closed environment, and you can open it to another VPC or network only by creating a route with a VPC peering or a tunnel. As a peering is managed from the two projects, it's difficult to make really tight security in some cases.
Imagine the case where you need a company managing some product, let's say an ELK suite, on one of your projects, but you have something like 10 other projects plus one for managing them, containing a bastion, some monitoring tools, and a VPC peering to all the other projects.
To allow you to use their managed tools, they do so by creating a project external to yours; for the purpose of using the ELK in your project, you create a VPC peering.
If what you want to do were possible and the company were dishonest, you would have a massive security breach: from the ELK project, they would be able to create routes to the manager project and then to the others...
Upvotes: 1
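As an added example (not from the question or the answer above): a small Python audit helper for the hub-and-spoke topology the question describes. It assumes the `exportCustomRoutes` / `importCustomRoutes` flags that Google Cloud VPC Network Peering exposes on each peering (the hub's Cloud VPN routes reach a directly peered VPC only when the hub exports and the spoke imports), and it runs over constructed peering data modelled on the `peerings` field of a Compute Engine Network resource. It shows which spokes learn the on-prem routes and that a VPC two peerings away never does, because routes imported over one peering are not re-exported over another.

```python
# Added audit helper (not from the thread). Constructed data modelled on the
# `peerings` field returned by `gcloud compute networks describe NET --format=json`.

def peer(network, export, imp):
    # One peering entry as the API reports it (fields trimmed to what we need).
    return {"network": network, "state": "ACTIVE",
            "exportCustomRoutes": export, "importCustomRoutes": imp}

# Constructed sample: vpc2-hub holds the VPN gateway; vpc1 and vpc3 peer with it,
# vpc4 peers only with vpc1 (two hops from the hub).
NETWORKS = {
    "vpc2-hub": [peer("vpc1", True, False), peer("vpc3", False, False)],
    "vpc1": [peer("vpc2-hub", False, True), peer("vpc4", True, False)],
    "vpc3": [peer("vpc2-hub", True, True)],
    "vpc4": [peer("vpc1", False, True)],
}

def _peering(networks, src, dst):
    """Return src's ACTIVE peering to dst, or None."""
    for p in networks.get(src, []):
        if p["network"] == dst and p["state"] == "ACTIVE":
            return p
    return None

def spokes_learning_hub_routes(networks, hub):
    """Directly peered VPCs that receive the hub's custom (Cloud Router/VPN) routes.

    A custom route crosses a peering only when the hub side sets
    exportCustomRoutes AND the spoke side sets importCustomRoutes.
    """
    learners = []
    for p in networks.get(hub, []):
        back = _peering(networks, p["network"], hub)
        if p["state"] == "ACTIVE" and p["exportCustomRoutes"] \
                and back is not None and back["importCustomRoutes"]:
            learners.append(p["network"])
    return sorted(learners)

def second_hop_vpcs(networks, hub):
    """VPCs reachable from the hub only through a spoke's own peering.

    Peering is not transitive: routes a spoke imported from the hub are never
    re-exported to its other peers, so these VPCs do not learn on-prem routes
    whatever their flags say (vpc4 in the sample).
    """
    first = set(spokes_learning_hub_routes(networks, hub))
    second = set()
    for spoke in first:
        for p in networks.get(spoke, []):
            if p["network"] != hub and p["network"] not in first:
                second.add(p["network"])
    return sorted(second)
```

Feed it the `peerings` lists of every network in the projects you review to see exactly which VPCs can reach on-prem through the hub and which ones the single-hop rule keeps out.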