Bird
Raised Fist0
GCPcloud~5 mins

VPC peering in GCP - Commands & Configuration

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Introduction
Sometimes you have two separate private networks in the cloud and you want them to talk to each other securely without using the public internet. VPC peering connects these networks so they can share resources easily and safely.
When you have two projects with separate networks that need to share data privately.
When you want to connect a development environment network to a production environment network without exposing them publicly.
When you want to allow virtual machines in different networks to communicate directly.
When you want to reduce latency by connecting networks in the same region.
When you want to avoid using VPNs or public IPs for internal communication between networks.
Config File - vpc-peering.yaml
vpc-peering.yaml
resources:
- name: my-vpc-peering-connection
  type: compute.v1.networkPeering
  properties:
    network: projects/my-project/global/networks/my-vpc
    peerNetwork: projects/peer-project/global/networks/peer-vpc
    name: my-vpc-to-peer-vpc
    autoCreateRoutes: true

This YAML file defines a VPC peering connection between two networks.

network: The source VPC network in your project.

peerNetwork: The VPC network in the other project you want to connect to.

name: A name for this peering connection.

autoCreateRoutes: Automatically creates routes so traffic can flow between the networks.

Commands
This command creates a VPC peering connection from your VPC 'my-vpc' to the peer VPC 'peer-vpc' in the 'peer-project'. It also sets up routes automatically so the networks can communicate.
Terminal
gcloud compute networks peerings create my-vpc-to-peer-vpc --network=my-vpc --peer-project=peer-project --peer-network=peer-vpc --auto-create-routes
Expected OutputExpected
Created peering [my-vpc-to-peer-vpc].
--network - Specifies the name of your VPC network.
--peer-project - Specifies the project ID of the peer network.
--peer-network - Specifies the name of the peer VPC network.
--auto-create-routes - Automatically creates routes for network communication.
This command lists all VPC peering connections for your VPC 'my-vpc' so you can verify the peering was created successfully.
Terminal
gcloud compute networks peerings list --network=my-vpc
Expected OutputExpected
NAME NETWORK PEER_PROJECT PEER_NETWORK STATE my-vpc-to-peer-vpc my-vpc peer-project peer-vpc ACTIVE
--network - Specifies the VPC network to list peerings for.
This command shows detailed information about the specific VPC peering connection named 'my-vpc-to-peer-vpc'.
Terminal
gcloud compute networks peerings describe my-vpc-to-peer-vpc --network=my-vpc
Expected OutputExpected
name: my-vpc-to-peer-vpc network: projects/my-project/global/networks/my-vpc peerNetwork: projects/peer-project/global/networks/peer-vpc state: ACTIVE autoCreateRoutes: true
--network - Specifies your VPC network.
Key Concept

If you remember nothing else from this pattern, remember: VPC peering connects two private networks so they can communicate directly and securely without using the public internet.

Common Mistakes
Trying to create a peering connection without specifying the correct peer project or peer network.
The command will fail because it cannot find the target network to connect to.
Always double-check the peer project ID and peer network name before running the peering create command.
Not enabling auto-create-routes flag and forgetting to manually add routes.
Without routes, the networks cannot send traffic to each other even if peering exists.
Use --auto-create-routes to automatically set up routes or manually add routes after peering.
Assuming peering is bi-directional without creating peering from both sides.
In GCP, peering must be created from both VPCs to allow two-way communication.
Create a peering connection from each VPC to the other.
Summary
Use 'gcloud compute networks peerings create' to connect two VPC networks securely.
Verify the peering connection with 'gcloud compute networks peerings list' and 'describe'.
Remember to create peering from both networks and set up routes for communication.

Practice

(1/5)
1.

What is the main purpose of VPC peering in Google Cloud?

easy
A. To create a firewall rule between two networks
B. To connect two private networks securely without using the internet
C. To provide public internet access to virtual machines
D. To enable automatic backups of virtual machines

Solution

  1. Step 1: Understand VPC peering concept

    VPC peering connects two private networks directly, avoiding the public internet.

  2. Step 2: Compare options with concept

    Only To connect two private networks securely without using the internet describes secure private network connection without internet.

  3. Final Answer:

    To connect two private networks securely without using the internet -> Option B

  4. Quick Check:

    VPC peering = secure private network connection [OK]
Hint: VPC peering = private network connection, no internet needed [OK]
Common Mistakes:
  • Confusing VPC peering with firewall rules
  • Thinking VPC peering provides internet access
  • Assuming VPC peering is for backups
2.

Which of the following is the correct command to create a VPC peering connection from net-a to net-b in Google Cloud CLI?

gcloud compute networks peerings create PEERING_NAME --network=NETWORK --peer-network=PEER_NETWORK
easy
A. gcloud compute networks peerings create peer-ab --network=net-a --peer-network=net-b
B. gcloud compute networks peerings create net-a --network=peer-ab --peer-network=net-b
C. gcloud compute networks peerings create net-b --network=net-a --peer-network=net-b
D. gcloud compute networks peerings create peer-ab --peer-network=net-a --network=net-b

Solution

  1. Step 1: Identify correct command syntax

    The command requires a peering name, the local network, and the peer network.

  2. Step 2: Match parameters to networks

    gcloud compute networks peerings create peer-ab --network=net-a --peer-network=net-b correctly uses a peering name and assigns net-a as local network and net-b as peer network.

  3. Final Answer:

    gcloud compute networks peerings create peer-ab --network=net-a --peer-network=net-b -> Option A

  4. Quick Check:

    Correct CLI syntax = gcloud compute networks peerings create peer-ab --network=net-a --peer-network=net-b [OK]
Hint: Peering name first, then --network local, --peer-network remote [OK]
Common Mistakes:
  • Swapping --network and --peer-network values
  • Using network names as peering name
  • Omitting required flags
3.

Given two VPC networks net-a and net-b peered together, which of the following statements about routing is true?

1. Each network must create routes to the other's IP ranges.
2. Routes are automatically shared by default.
3. Peering allows communication only if firewall rules permit.
4. Peering replaces the need for VPN connections.
medium
A. Only statement 2 and 3 are true
B. Only statement 1 and 3 are true
C. Only statement 1 and 2 are true
D. Only statement 3 and 4 are true

Solution

  1. Step 1: Analyze routing and firewall requirements

    VPC peering automatically shares subnet routes by default. Firewall rules still control traffic.

  2. Step 2: Evaluate statements

    Statement 1 is false (no manual route creation needed). Statements 2 and 3 are true. Statement 4 is not accurate (peering and VPN serve different purposes).

  3. Final Answer:

    Only statement 2 and 3 are true -> Option A

  4. Quick Check:

    Routes auto + firewall needed [OK]
Hint: Routes automatically shared; firewall rules still apply [OK]
Common Mistakes:
  • Thinking routes must be manually created
  • Ignoring firewall rules in peering
  • Thinking peering always replaces VPN
4.

You created a VPC peering between net-a and net-b, but instances in net-a cannot reach instances in net-b. What is the most likely cause?

medium
A. The peering connection was created only on net-a side
B. The peering connection was created with the wrong peering name
C. The VPC networks have overlapping IP ranges
D. Firewall rules in net-b block incoming traffic from net-a

Solution

  1. Step 1: Check common connectivity issues in VPC peering

    Firewall rules must allow traffic between peered networks; blocking rules prevent communication.

  2. Step 2: Evaluate other options

    Wrong peering name or one-sided peering would prevent peering creation. Overlapping IP ranges prevent peering setup itself.

  3. Final Answer:

    Firewall rules in net-b block incoming traffic from net-a -> Option D

  4. Quick Check:

    Firewall blocking = connectivity failure [OK]
Hint: Check firewall rules first when peering connectivity fails [OK]
Common Mistakes:
  • Ignoring firewall rules as cause
  • Assuming peering auto-fixes IP conflicts
  • Thinking peering is one-sided
5.

You have two VPC networks, net-a with CIDR 10.0.0.0/16 and net-b with CIDR 10.0.0.0/16. You want to peer them to share resources privately. What is the best approach?

hard
A. Create VPC peering directly between net-a and net-b despite overlapping CIDRs
B. Use VPN instead of VPC peering to connect the networks
C. Change one network's CIDR to a non-overlapping range before peering
D. Use shared VPC instead of peering for overlapping CIDRs

Solution

  1. Step 1: Understand CIDR overlap restrictions in VPC peering

    VPC peering requires non-overlapping IP ranges to route traffic correctly.

  2. Step 2: Choose solution for overlapping CIDRs

    Changing one network's CIDR to a non-overlapping range allows peering. VPN or shared VPC are alternatives but not direct peering solutions.

  3. Final Answer:

    Change one network's CIDR to a non-overlapping range before peering -> Option C

  4. Quick Check:

    Non-overlapping CIDRs required for peering [OK]
Hint: Peering needs unique IP ranges; change CIDR if overlapping [OK]
Common Mistakes:
  • Trying to peer overlapping CIDRs directly
  • Confusing VPN with peering
  • Ignoring shared VPC as different concept