GCP VPC Peering

Mitesh_Nandu — Fri, 13 Jan 2023 02:32:07 GMT

Hi,

We are deploying PA VM in GCP (Common Firewall Deployment Architecture). Deployment Architecture is attached.

In Trust VPC we have configured Internal Load Balance (TCP), Created VPC Peering between Trust VPC & Web VPC.

From Trust VPC Instance (VM) we are able to ping Web VPC Instance (VM) & Vice Versa.

Web VPC Default route is pointed towards Internal Load Balance.

Now the challenge is Web VPC Instances (VMs) unable to browse the internet.

Please note you are posting a public message where community members and experts can provide assistance. Sharing private information such as serial numbers or company information is not recommended.

Re: GCP VPC Peering

mmclimans — Thu, 11 Jan 2024 16:16:50 GMT

When the web instance goes to the internet, do you see the request within the VM-Series traffic logs?

If you do not see the traffic logs:

The trust VPC's firewall rules are not allowing the internet request. Verify the trust VPC has an ingress VPC rule to allow the internet traffic.
The VM-Series VR does not have the correct default route. Check the following:
1. On the VM-Series, if the interfaces are configured for DHCP:
  1. Verify the trust interface has "Automatically create default route" unchecked.
  2. Verify the untrust interface has "Automatically create default route" checked on.
    - (You can also leave "Automatically create default route" checked off on both interfaces and create a static default route in the VR that uses the untrust interface as the next hop.)

If you do see the traffic logs:

On the VM-Series, verify there is an source NAT policy to translate the internet request to the untrust interface.
In GCP, verify the untrust NIC has an external IP attached the untrust NIC or has a Cloud NAT is deployed in the untrust network.

topic Re: GCP VPC Peering in VM-Series in the Public Cloud

GCP VPC Peering

Re: GCP VPC Peering