
VPC peering in GCP - Deep Dive

Overview - VPC peering
What is it?
VPC peering is a way to connect two separate private networks in the cloud so they can talk to each other directly. It allows resources in one network to communicate with resources in another without using the public internet. This connection is private, secure, and fast. It helps different parts of a cloud setup work together smoothly.
Why it matters
Without VPC peering, networks would have to send data over the public internet or complicated VPNs, which can be slower, less secure, and more expensive. VPC peering solves this by creating a private link that feels like the networks are part of the same system. This makes cloud applications more reliable and easier to manage.
Where it fits
Before learning VPC peering, you should understand what a VPC (Virtual Private Cloud) is and how cloud networks work. After mastering VPC peering, you can explore more advanced networking topics like VPNs, shared VPCs, and hybrid cloud connectivity.
Mental Model
Core Idea
VPC peering is like building a private, direct bridge between two separate cloud neighborhoods so their houses can share resources safely and quickly.
Think of it like...
Imagine two separate office buildings that want to share documents quickly. Instead of mailing letters through the public post office, they build a private hallway connecting the two buildings. This hallway lets employees walk directly between offices without leaving the buildings, making communication faster and safer.
┌─────────────┐      ┌─────────────┐
│  VPC Network│──────│  VPC Network│
│     A       │      │     B       │
└─────────────┘      └─────────────┘
       ▲                    ▲
       │                    │
   Resources            Resources
       │                    │
       └─────Private Link───┘
Build-Up - 7 Steps
1
Foundation: Understanding VPC Basics
Concept: Learn what a Virtual Private Cloud (VPC) is and why it is used.
A VPC is a private network in the cloud where you can place your cloud resources like virtual machines and databases. It acts like your own secure neighborhood inside the cloud, isolated from others. You control who can enter and what traffic flows inside.
Result
You understand that a VPC is a private space for cloud resources, separated from other networks.
Knowing what a VPC is helps you see why connecting two VPCs needs a special method like peering.
2
Foundation: Why Networks Need to Connect
Concept: Understand why separate VPCs might need to communicate.
Sometimes, different teams or projects have their own VPCs for security or organization. But these teams may need to share data or services. Without a connection, they can't talk directly. This need creates the problem VPC peering solves.
Result
You realize that isolated networks need a way to connect securely to share resources.
Understanding the need for connection sets the stage for why VPC peering is important.
3
Intermediate: How VPC Peering Works
Before reading on: do you think VPC peering routes traffic through the public internet or stays private? Commit to your answer.
Concept: Learn that VPC peering creates a private, direct link between two VPCs without using the public internet.
VPC peering links two VPC networks so their resources reach each other by internal IP address, as if they were on one network. The traffic stays on Google's network and never crosses the public internet. Each VPC keeps its own IP address ranges; the subnet routes of each network are exchanged with the peer automatically, so each side knows to send traffic for the other's ranges through the peering. "Private" here describes the path, not encryption: peering adds no encryption of its own, so sensitive application traffic should still use TLS, exactly as it would inside a single VPC.
Result
Traffic between peered VPCs is private, fast, and secure without extra gateways.
Knowing that peering keeps traffic private inside the cloud network helps you trust and design secure systems.
4
Intermediate: Setting Up VPC Peering in GCP
Before reading on: do you think VPC peering requires both sides to accept the connection? Commit to your answer.
Concept: Understand the steps and permissions needed to create a VPC peering connection in Google Cloud Platform.
In GCP each side configures its own half of the peering: an administrator of VPC A creates a peering configuration that names VPC B (and B's project), and an administrator of VPC B creates the matching configuration that names VPC A. Until both halves exist the peering stays INACTIVE; once they match it becomes ACTIVE and subnet routes are exchanged automatically. Google Cloud refuses to activate the peering if any subnet range in one network overlaps a subnet range in the other (the check also covers ranges each side has already learned from its other peers). Custom routes are exchanged only if you enable export on one side and import on the other. No VPN gateway or extra hardware is needed; the permission needed on each network is compute.networks.addPeering.
Result
You can connect two VPCs securely and quickly by following simple steps in the GCP console or CLI.
Knowing that both sides must be configured, and that the peering is INACTIVE until they are, prevents the most common setup error: one half created, nothing reachable, and firewall rules blamed for a routing problem.
5
Intermediate: Limitations of VPC Peering
Before reading on: do you think VPC peering supports transitive routing (A to B to C)? Commit to your answer.
Concept: Learn about what VPC peering can and cannot do, including routing limits and IP range restrictions.
VPC peering is not transitive: if VPC A peers with B and B peers with C, A cannot reach C through B, because routes a network learns from one peer are never re-advertised to another peer. Subnet ranges of peered networks must not overlap. Each peering joins exactly two networks; a network can hold many peerings, but each is a separate, independently configured link that cannot be shared or extended to a third network.
Result
You understand the boundaries of VPC peering and when it might not fit your needs.
Knowing these limits helps you design network architectures that avoid unreachable resources or conflicts.
6
Advanced: Security and Traffic Control in Peering
Before reading on: do you think firewall rules apply across peered VPCs automatically? Commit to your answer.
Concept: Understand how security policies like firewalls work with VPC peering connections.
VPC peering does not bypass firewall rules. Each VPC enforces its own rules, and a packet arriving from a peered network is evaluated like any other ingress traffic; in particular the implied deny-ingress rule still drops it unless an ingress rule whose source range covers the peer's subnets allows it (egress is implicitly allowed unless you have restricted it). Peering grants reachability at the routing layer and nothing more. Scope the allow rules to the peer's subnet ranges, the ports actually needed and a target tag or target service account; an ingress rule with source 0.0.0.0/0 "works" across the peering too, but it also admits everything else.
Result
You can secure peered networks independently and control exactly what traffic flows.
Knowing that peering does not override security policies prevents accidental exposure of resources.
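A worked example that covers steps 4 and 6 together, added here as illustration and not taken from the page or from Google's own documentation: a bash script that checks the two networks' subnet ranges for overlap before doing anything, prints (or, with DRY_RUN=0, runs) both halves of the peering, and then generates the ingress firewall rule that admits only the peer's subnets, only to tagged instances, only on the needed ports. The network names, project IDs, ranges, tag and ports are placeholders; the gcloud commands and flags used (--network, --peer-network, --peer-project, --source-ranges, --target-tags, --rules, --enable-logging) are real.

```shell
#!/usr/bin/env bash
# Added example (not from the page or Google docs): pre-check subnet overlap,
# create both halves of a GCP VPC Network Peering, and open only what the
# peer needs. Network/project names, ranges, ports and tags are placeholders.
# DRY_RUN=1 (default) prints the gcloud commands instead of running them.
set -euo pipefail

# ip2int 10.1.2.3 -> 167838211 (32-bit integer form of a dotted quad)
ip2int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_overlap A/len B/len -> success if the two blocks share any address.
# Two blocks overlap exactly when they agree on the shorter of the two prefixes.
cidr_overlap() {
  local a_ip=${1%/*} a_len=${1#*/} b_ip=${2%/*} b_len=${2#*/}
  local len=$(( a_len < b_len ? a_len : b_len ))
  local mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$a_ip") & mask )) -eq $(( $(ip2int "$b_ip") & mask )) ]
}

# any_overlap "ranges of net A" "ranges of net B" -> success if any pair overlaps.
# Google Cloud runs the same check when the peering would become ACTIVE and
# refuses to activate it; running it first gives a clear error before touching IAM.
any_overlap() {
  local a b
  for a in $1; do
    for b in $2; do
      if cidr_overlap "$a" "$b"; then
        echo "overlap: $a <-> $b" >&2
        return 0
      fi
    done
  done
  return 1
}

# run_or_print CMD...: print the command under DRY_RUN=1, execute it under DRY_RUN=0
run_or_print() {
  if [ "${DRY_RUN:-1}" = 0 ]; then "$@"; else echo "$*"; fi
}

# peer_networks LOCAL_NET LOCAL_PROJECT PEER_NET PEER_PROJECT "LOCAL_RANGES" "PEER_RANGES"
# Each half is created by an admin of that network (compute.networks.addPeering);
# the peering stays INACTIVE until both halves exist and name each other.
peer_networks() {
  local lnet=$1 lproj=$2 pnet=$3 pproj=$4 lranges=$5 pranges=$6
  if any_overlap "$lranges" "$pranges"; then
    echo "refusing to peer $lnet and $pnet: overlapping subnet ranges" >&2
    return 1
  fi
  run_or_print gcloud compute networks peerings create "${lnet}-to-${pnet}" \
    --project="$lproj" --network="$lnet" \
    --peer-project="$pproj" --peer-network="$pnet"
  run_or_print gcloud compute networks peerings create "${pnet}-to-${lnet}" \
    --project="$pproj" --network="$pnet" \
    --peer-project="$lproj" --peer-network="$lnet"
}

# allow_from_peer NET PROJECT "PEER_RANGES" TARGET_TAG PROTO_PORTS
# The implied deny-ingress rule still applies across a peering, so admit only the
# peer's subnet ranges, only to instances carrying the tag, only on the listed ports.
# The anti-pattern is --source-ranges=0.0.0.0/0, which exposes the same port to everything.
allow_from_peer() {
  local net=$1 proj=$2 pranges=$3 tag=$4 ports=$5
  run_or_print gcloud compute firewall-rules create "allow-${tag}-from-peer" \
    --project="$proj" --network="$net" --direction=INGRESS --action=ALLOW \
    --rules="$ports" --source-ranges="${pranges// /,}" \
    --target-tags="$tag" --enable-logging
}

# Example invocation with placeholder names (prints the commands under DRY_RUN=1):
peer_networks vpc-a proj-a vpc-b proj-b "10.0.0.0/16" "10.1.0.0/16 10.2.0.0/24"
allow_from_peer vpc-b proj-b "10.0.0.0/16" api-server tcp:443
```

After both halves exist, `gcloud compute networks peerings list --network=vpc-a` should report the peering as ACTIVE; if it shows INACTIVE, the other half is missing or mismatched, and that is the thing to fix before looking at firewall rules. The firewall rule is created in the destination network (vpc-b here) because that is where ingress is evaluated; the reverse direction needs its own rule in vpc-a.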
7
Expert: Advanced Use Cases and Internal Mechanics
Before reading on: do you think VPC peering can be used across different projects and organizations? Commit to your answer.
Concept: Explore how VPC peering works across projects, organizations, and the internal routing mechanisms in GCP.
VPC peering can connect VPCs in different projects and even different organizations if permissions allow. Internally, Google’s network updates routing tables to direct traffic through private links. Peering is a software-defined connection without physical hardware. It avoids bottlenecks by using Google's global backbone. However, it does not support transitive routing or overlapping IPs, so complex topologies require multiple peering connections or other solutions like Shared VPC or VPN.
Result
You can design complex, multi-project cloud networks with private, high-performance connections.
Understanding the internal routing and cross-project capabilities unlocks powerful, scalable network designs.
Under the Hood
VPC peering works by updating the routing tables in each VPC to include routes that point to the peer's IP address range via a private, software-defined link. This link uses Google's internal network infrastructure, so traffic never leaves Google's secure environment. The peering connection is managed by control plane APIs that ensure both sides agree and maintain the connection. No physical cables or VPN tunnels are created; instead, routing entries and network virtualization handle the traffic flow.
Why designed this way?
Google designed VPC peering to provide a simple, scalable way to connect isolated networks without the complexity and overhead of VPNs or physical connections. By using software-defined routing inside its global network, Google avoids the latency and exposure of sending traffic across the public internet. Alternatives like VPNs add tunnel and encryption overhead and a gateway to manage. Each peering joins exactly two networks and never re-advertises routes learned from a peer; this keeps the routing model simple and avoids the loops and ambiguity that transitive routing would introduce.
┌─────────────┐      ┌─────────────┐
│  VPC A      │      │  VPC B      │
│ Routing    │◄─────►│ Routing    │
│ Tables     │      │ Tables     │
└─────────────┘      └─────────────┘
       ▲                    ▲
       │                    │
   Resources            Resources
       │                    │
       └─────Software-defined─────┘
             Private Link
          (Google's internal net)
Myth Busters - 4 Common Misconceptions
Quick: Does VPC peering allow traffic to flow through a third VPC automatically? Commit to yes or no.
Common Belief: VPC peering supports transitive routing, so if A peers with B and B peers with C, A can reach C through B.
Reality: VPC peering does NOT support transitive routing. Each peering joins exactly two networks, and routes learned from one peer are not passed on to another, so A cannot reach C through B.
Why it matters: Assuming transitive routing leads to unreachable services and network failures in multi-VPC architectures.
Quick: Does VPC peering automatically bypass firewall rules? Commit to yes or no.
Common Belief: Once VPCs are peered, all traffic between them is allowed regardless of firewall settings.
Reality: Firewall rules still apply, including the implied deny-ingress rule. Peering does not override security policies; you must explicitly allow traffic from the peer's subnet ranges.
Why it matters: Ignoring firewall rules leads to blocked connections, or to unintended exposure if the rules you add are broader than the peering needs.
Quick: Can two VPCs with overlapping IP ranges be peered? Commit to yes or no.
Common Belief: VPC peering works even if the two VPCs have overlapping IP address ranges.
Reality: VPC peering requires non-overlapping subnet ranges; Google Cloud checks for overlap and will not activate a peering that has one.
Why it matters: Overlapping ranges make routing ambiguous (the same address would exist on both sides), so communication between the VPCs would be impossible even if the peering were allowed.
Quick: Can VPC peering connect VPCs across different projects and organizations? Commit to yes or no.
Common Belief: VPC peering only works within the same project or organization.
Reality: VPC peering can connect VPCs across different projects and even different organizations; each side's network administrator only needs permission to add a peering on their own network.
Why it matters: Knowing this enables flexible network designs spanning multiple teams or companies.
Expert Zone
1
VPC peering connections do not support transitive routing, so complex multi-VPC topologies require multiple peering connections or alternative solutions like Shared VPC or VPN.
2
Firewall rules are enforced independently in each VPC; peering does not grant implicit trust or access, requiring careful security planning.
3
Peering connections are software-defined routes programmed by Google's control plane, not a gateway or tunnel you operate: there is nothing to size, patch or fail over, so a peering adds no meaningful latency over a single-network path and has no capacity bottleneck of its own.
When NOT to use
Avoid VPC peering when you need transitive routing or overlapping IP ranges. Instead, use Shared VPC for centralized network management or VPN/Interconnect for cross-cloud or hybrid connections.
Production Patterns
In production, teams use VPC peering to connect microservices across projects securely, isolate environments (dev, test, prod) while allowing controlled communication, and link partner networks. Peering is often combined with firewall rules and IAM policies for fine-grained access control.
Connections
VPN (Virtual Private Network)
Alternative solution for connecting networks, often used when VPC peering limits apply.
Understanding VPC peering helps clarify when VPNs are needed for encrypted, cross-cloud, or transitive connections.
Shared VPC
Builds on VPC networking by allowing multiple projects to share a common VPC.
Knowing VPC peering limitations highlights why Shared VPC is useful for centralized network control.
Human Social Networks
Both involve direct connections between separate groups to share resources securely.
Seeing VPC peering like social network friendships helps understand the need for mutual agreement and trust before sharing.
Common Pitfalls
#1Trying to peer VPCs with overlapping IP ranges.
Wrong approach: gcloud compute networks peerings create peer-connection --network=vpc-a --peer-network=vpc-b (both VPCs use 10.0.0.0/16)
Correct approach: Use distinct ranges, e.g. 10.0.0.0/16 for vpc-a and 10.1.0.0/16 for vpc-b, then create the peering from both sides.
Root cause: Not knowing that overlapping subnet ranges make routing ambiguous, so Google Cloud refuses to activate the peering.
#2Assuming peering automatically allows all traffic between VPCs.
Wrong approach: No firewall rules configured after peering; expecting free communication.
Correct approach: Configure ingress firewall rules in each VPC that allow the required ports from the peer's subnet ranges (and egress rules if you have restricted egress).
Root cause: Belief that peering bypasses security controls, when it only adds routes.
#3Expecting transitive routing through peered VPCs.
Wrong approach:Peering VPC A to B and B to C, then trying to reach C from A without direct peering.
Correct approach:Create direct peering between A and C or use Shared VPC/VPN for transitive needs.
Root cause:Not knowing peering connections are one-to-one and non-transitive.
Key Takeaways
VPC peering creates a private, direct connection between two separate cloud networks, allowing secure and fast communication.
Peering traffic stays inside the cloud provider's network and does not use the public internet, enhancing security and performance.
Each VPC keeps its own IP range, which must not overlap with the peer's range to avoid routing conflicts.
Firewall rules remain in effect after peering; you must explicitly allow traffic between peered networks.
VPC peering connections are one-to-one and do not support transitive routing, so complex network designs require multiple peerings or other solutions.

Practice

1.

What is the main purpose of VPC peering in Google Cloud?

easy
A. To create a firewall rule between two networks
B. To connect two private networks securely without using the internet
C. To provide public internet access to virtual machines
D. To enable automatic backups of virtual machines

Solution

  1. Step 1: Understand VPC peering concept

    VPC peering connects two private networks directly, avoiding the public internet.
  2. Step 2: Compare options with concept

    Only To connect two private networks securely without using the internet describes secure private network connection without internet.
  3. Final Answer:

    To connect two private networks securely without using the internet -> Option B
  4. Quick Check:

    VPC peering = secure private network connection [OK]
Hint: VPC peering = private network connection, no internet needed [OK]
Common Mistakes:
  • Confusing VPC peering with firewall rules
  • Thinking VPC peering provides internet access
  • Assuming VPC peering is for backups
2.

Which of the following is the correct command to create a VPC peering connection from net-a to net-b in Google Cloud CLI?

gcloud compute networks peerings create PEERING_NAME --network=NETWORK --peer-network=PEER_NETWORK
easy
A. gcloud compute networks peerings create peer-ab --network=net-a --peer-network=net-b
B. gcloud compute networks peerings create net-a --network=peer-ab --peer-network=net-b
C. gcloud compute networks peerings create net-b --network=net-a --peer-network=net-b
D. gcloud compute networks peerings create peer-ab --peer-network=net-a --network=net-b

Solution

  1. Step 1: Identify correct command syntax

    The command requires a peering name, the local network, and the peer network.
  2. Step 2: Match parameters to networks

    gcloud compute networks peerings create peer-ab --network=net-a --peer-network=net-b correctly uses a peering name and assigns net-a as local network and net-b as peer network.
  3. Final Answer:

    gcloud compute networks peerings create peer-ab --network=net-a --peer-network=net-b -> Option A
  4. Quick Check:

    Correct CLI syntax = gcloud compute networks peerings create peer-ab --network=net-a --peer-network=net-b [OK]
Hint: Peering name first, then --network local, --peer-network remote [OK]
Common Mistakes:
  • Swapping --network and --peer-network values
  • Using network names as peering name
  • Omitting required flags
3.

Given two VPC networks net-a and net-b peered together, which of the following statements about routing is true?

1. Each network must create routes to the other's IP ranges.
2. Routes are automatically shared by default.
3. Peering allows communication only if firewall rules permit.
4. Peering replaces the need for VPN connections.
medium
A. Only statement 2 and 3 are true
B. Only statement 1 and 3 are true
C. Only statement 1 and 2 are true
D. Only statement 3 and 4 are true

Solution

  1. Step 1: Analyze routing and firewall requirements

    VPC peering automatically shares subnet routes by default. Firewall rules still control traffic.
  2. Step 2: Evaluate statements

    Statement 1 is false (no manual route creation needed). Statements 2 and 3 are true. Statement 4 is not accurate (peering and VPN serve different purposes).
  3. Final Answer:

    Only statement 2 and 3 are true -> Option A
  4. Quick Check:

    Routes auto + firewall needed [OK]
Hint: Routes automatically shared; firewall rules still apply [OK]
Common Mistakes:
  • Thinking routes must be manually created
  • Ignoring firewall rules in peering
  • Thinking peering always replaces VPN
4.

You created a VPC peering between net-a and net-b, but instances in net-a cannot reach instances in net-b. What is the most likely cause?

medium
A. The peering connection was created only on net-a side
B. The peering connection was created with the wrong peering name
C. The VPC networks have overlapping IP ranges
D. Firewall rules in net-b block incoming traffic from net-a

Solution

  1. Step 1: Check common connectivity issues in VPC peering

    Firewall rules must allow traffic between peered networks; blocking rules prevent communication.
  2. Step 2: Evaluate other options

    A peering configured on only one side is created but stays INACTIVE, which gcloud compute networks peerings list shows directly; the peering name is local to each side and does not need to match, so a "wrong" name is not a fault; overlapping subnet ranges prevent the peering from becoming ACTIVE in the first place. With an ACTIVE peering and no connectivity, firewall rules are the most likely cause.
  3. Final Answer:

    Firewall rules in net-b block incoming traffic from net-a -> Option D
  4. Quick Check:

    Firewall blocking = connectivity failure [OK]
Hint: Check firewall rules first when peering connectivity fails [OK]
Common Mistakes:
  • Ignoring firewall rules as cause
  • Assuming peering auto-fixes IP conflicts
  • Thinking peering is one-sided
5.

You have two VPC networks, net-a with CIDR 10.0.0.0/16 and net-b with CIDR 10.0.0.0/16. You want to peer them to share resources privately. What is the best approach?

hard
A. Create VPC peering directly between net-a and net-b despite overlapping CIDRs
B. Use VPN instead of VPC peering to connect the networks
C. Change one network's CIDR to a non-overlapping range before peering
D. Use shared VPC instead of peering for overlapping CIDRs

Solution

  1. Step 1: Understand CIDR overlap restrictions in VPC peering

    VPC peering requires non-overlapping IP ranges to route traffic correctly.
  2. Step 2: Choose solution for overlapping CIDRs

    Changing one network's CIDR to a non-overlapping range allows peering. VPN or shared VPC are alternatives but not direct peering solutions.
  3. Final Answer:

    Change one network's CIDR to a non-overlapping range before peering -> Option C
  4. Quick Check:

    Non-overlapping CIDRs required for peering [OK]
Hint: Peering needs unique IP ranges; change CIDR if overlapping [OK]
Common Mistakes:
  • Trying to peer overlapping CIDRs directly
  • Confusing VPN with peering
  • Ignoring shared VPC as different concept