Bird
Raised Fist0
GCPcloud~10 mins

VPC peering in GCP - Step-by-Step Execution

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Process Flow - VPC peering
Create VPC Network A
Request Peering from A to B
Accept Peering in B
Peering Connection Established
Traffic Allowed Between A and B
This flow shows how two VPC networks request and accept peering to connect privately.
Execution Sample
GCP
gcloud compute networks peerings create peer-a-to-b \
  --network=vpc-a --peer-network=vpc-b

gcloud compute networks peerings create peer-b-to-a \
  --network=vpc-b --peer-network=vpc-a
Commands to create mutual VPC peering connections between two networks.
Process Table
StepActionNetwork A StateNetwork B StatePeering Status
1Create VPC Network AExists, no peeringNot createdNo peering
2Create VPC Network BExists, no peeringExists, no peeringNo peering
3Request peering from A to BPeering request sentNo peeringPending acceptance
4Accept peering in BPeering request sentPeering acceptedActive
5Create peering from B to APeering acceptedPeering request sentPending acceptance
6Accept peering in APeering acceptedPeering acceptedActive
7Peering connection establishedConnected to BConnected to AActive
8Traffic allowed between A and BCan route to BCan route to AActive
💡 Peering is active after mutual acceptance, allowing private traffic.
Status Tracker
VariableStartAfter Step 3After Step 4After Step 5After Step 6Final
Network A Peering StateNoneRequest sentRequest sentAcceptedAcceptedActive
Network B Peering StateNoneNoneAcceptedRequest sentAcceptedActive
Peering StatusNo peeringPending acceptanceActivePending acceptanceActiveActive
Key Moments - 3 Insights
Why do we need to create peering from both VPCs instead of just one?
Because VPC peering in GCP requires mutual peering connections for bidirectional communication, as shown in steps 3-6 in the execution_table.
What happens if one side does not accept the peering request?
The peering status remains pending and no traffic is allowed, as seen after step 3 before acceptance in step 4.
Does peering automatically allow all traffic between VPCs?
No, routing and firewall rules must allow traffic; peering only establishes the private connection, as implied after step 7 and 8.
Visual Quiz - 3 Questions
Test your understanding
Look at the execution_table, what is the peering status after step 4?
APending acceptance
BNo peering
CActive
DDisconnected
💡 Hint
Check the 'Peering Status' column at step 4 in the execution_table.
At which step do both networks have accepted peering requests?
AStep 6
BStep 3
CStep 5
DStep 7
💡 Hint
Look at 'Network A Peering State' and 'Network B Peering State' columns in execution_table.
If Network B never accepts the peering request, what will be the final peering status?
AActive
BPending acceptance
CNo peering
DDisconnected
💡 Hint
Refer to the state after step 3 and before step 4 in execution_table.
Concept Snapshot
VPC Peering in GCP:
- Create two VPC networks.
- Request peering from one to the other.
- Accept peering on the other side.
- Repeat for mutual peering.
- Once active, private traffic can flow between VPCs.
- Routing and firewall rules must allow traffic.
Full Transcript
VPC peering connects two separate virtual networks privately. First, you create two VPCs. Then, one network requests peering to the other. The other network must accept this request. For full communication, both sides create and accept peering connections. After mutual acceptance, the peering is active, allowing private traffic between the networks. However, routing and firewall rules must be configured to permit this traffic. If one side does not accept, the peering remains pending and no connection is established.

Practice

(1/5)
1.

What is the main purpose of VPC peering in Google Cloud?

easy
A. To create a firewall rule between two networks
B. To connect two private networks securely without using the internet
C. To provide public internet access to virtual machines
D. To enable automatic backups of virtual machines

Solution

  1. Step 1: Understand VPC peering concept

    VPC peering connects two private networks directly, avoiding the public internet.

  2. Step 2: Compare options with concept

    Only To connect two private networks securely without using the internet describes secure private network connection without internet.

  3. Final Answer:

    To connect two private networks securely without using the internet -> Option B

  4. Quick Check:

    VPC peering = secure private network connection [OK]
Hint: VPC peering = private network connection, no internet needed [OK]
Common Mistakes:
  • Confusing VPC peering with firewall rules
  • Thinking VPC peering provides internet access
  • Assuming VPC peering is for backups
2.

Which of the following is the correct command to create a VPC peering connection from net-a to net-b in Google Cloud CLI?

gcloud compute networks peerings create PEERING_NAME --network=NETWORK --peer-network=PEER_NETWORK
easy
A. gcloud compute networks peerings create peer-ab --network=net-a --peer-network=net-b
B. gcloud compute networks peerings create net-a --network=peer-ab --peer-network=net-b
C. gcloud compute networks peerings create net-b --network=net-a --peer-network=net-b
D. gcloud compute networks peerings create peer-ab --peer-network=net-a --network=net-b

Solution

  1. Step 1: Identify correct command syntax

    The command requires a peering name, the local network, and the peer network.

  2. Step 2: Match parameters to networks

    gcloud compute networks peerings create peer-ab --network=net-a --peer-network=net-b correctly uses a peering name and assigns net-a as local network and net-b as peer network.

  3. Final Answer:

    gcloud compute networks peerings create peer-ab --network=net-a --peer-network=net-b -> Option A

  4. Quick Check:

    Correct CLI syntax = gcloud compute networks peerings create peer-ab --network=net-a --peer-network=net-b [OK]
Hint: Peering name first, then --network local, --peer-network remote [OK]
Common Mistakes:
  • Swapping --network and --peer-network values
  • Using network names as peering name
  • Omitting required flags
3.

Given two VPC networks net-a and net-b peered together, which of the following statements about routing is true?

1. Each network must create routes to the other's IP ranges.
2. Routes are automatically shared by default.
3. Peering allows communication only if firewall rules permit.
4. Peering replaces the need for VPN connections.
medium
A. Only statement 2 and 3 are true
B. Only statement 1 and 3 are true
C. Only statement 1 and 2 are true
D. Only statement 3 and 4 are true

Solution

  1. Step 1: Analyze routing and firewall requirements

    VPC peering automatically shares subnet routes by default. Firewall rules still control traffic.

  2. Step 2: Evaluate statements

    Statement 1 is false (no manual route creation needed). Statements 2 and 3 are true. Statement 4 is not accurate (peering and VPN serve different purposes).

  3. Final Answer:

    Only statement 2 and 3 are true -> Option A

  4. Quick Check:

    Routes auto + firewall needed [OK]
Hint: Routes automatically shared; firewall rules still apply [OK]
Common Mistakes:
  • Thinking routes must be manually created
  • Ignoring firewall rules in peering
  • Thinking peering always replaces VPN
4.

You created a VPC peering between net-a and net-b, but instances in net-a cannot reach instances in net-b. What is the most likely cause?

medium
A. The peering connection was created only on net-a side
B. The peering connection was created with the wrong peering name
C. The VPC networks have overlapping IP ranges
D. Firewall rules in net-b block incoming traffic from net-a

Solution

  1. Step 1: Check common connectivity issues in VPC peering

    Firewall rules must allow traffic between peered networks; blocking rules prevent communication.

  2. Step 2: Evaluate other options

    Wrong peering name or one-sided peering would prevent peering creation. Overlapping IP ranges prevent peering setup itself.

  3. Final Answer:

    Firewall rules in net-b block incoming traffic from net-a -> Option D

  4. Quick Check:

    Firewall blocking = connectivity failure [OK]
Hint: Check firewall rules first when peering connectivity fails [OK]
Common Mistakes:
  • Ignoring firewall rules as cause
  • Assuming peering auto-fixes IP conflicts
  • Thinking peering is one-sided
5.

You have two VPC networks, net-a with CIDR 10.0.0.0/16 and net-b with CIDR 10.0.0.0/16. You want to peer them to share resources privately. What is the best approach?

hard
A. Create VPC peering directly between net-a and net-b despite overlapping CIDRs
B. Use VPN instead of VPC peering to connect the networks
C. Change one network's CIDR to a non-overlapping range before peering
D. Use shared VPC instead of peering for overlapping CIDRs

Solution

  1. Step 1: Understand CIDR overlap restrictions in VPC peering

    VPC peering requires non-overlapping IP ranges to route traffic correctly.

  2. Step 2: Choose solution for overlapping CIDRs

    Changing one network's CIDR to a non-overlapping range allows peering. VPN or shared VPC are alternatives but not direct peering solutions.

  3. Final Answer:

    Change one network's CIDR to a non-overlapping range before peering -> Option C

  4. Quick Check:

    Non-overlapping CIDRs required for peering [OK]
Hint: Peering needs unique IP ranges; change CIDR if overlapping [OK]
Common Mistakes:
  • Trying to peer overlapping CIDRs directly
  • Confusing VPN with peering
  • Ignoring shared VPC as different concept