When working with Google Cloud, sometimes you need resources in different VPC networks to talk to each other securely without using public IPs. That’s where VPC Network Peering comes in.
🔹 What is VPC Network Peering?
- VPC Peering connects two VPC networks so resources in each can communicate over internal (private) IPs.
- It’s like creating a “bridge” between networks while still keeping them separate.
- Supered in cases like:
  - Same project
  - Different projects (within the same organization)
  - Even across organizations (partner/customer scenarios)
🔹 Where can we use VPC Peering?
- Compute Engine VMs → Communicate privately across VPCs
- Google Kubernetes Engine (GKE) clusters → Share services/resources
- App Engine Flexible → Access backend services in another VPC
- SaaS Providers → Publish services securely to customers via Cloud Marketplace
🔹 Benefits
- Low latency, private connectivity (no public internet hops)
- Works for both IPv4 and IPv6
- Fully managed – no VPN/proxy setup required
🔹 Key Notes
- ❌ Two auto-mode VPCs cannot peer (both carve their subnets from the same 10.128.0.0/9 block, so they always overlap).
- ✅ An auto-mode VPC can peer with a custom-mode VPC (as long as their subnet ranges don't overlap).
- The subnet CIDR ranges of both VPCs must be unique (no overlaps anywhere).
👉 Example:
- VPC A → 10.10.0.0/16
- VPC B → 10.20.0.0/16
- These can peer successfully.
But if both had 10.10.0.0/16, peering would fail.
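A pre-flight check for the overlap rule above, written here as an added example (not code from the post or from Google Cloud's tooling); the CIDR strings are constructed inputs, and an auto-mode VPC is represented by the 10.128.0.0/9 block the post names:

```python
"""Pre-flight overlap check before creating a VPC Network Peering.

Peering fails if any subnet range in one VPC overlaps any subnet range in the
other. Each VPC is modelled as a list of CIDR strings; an auto-mode VPC is
modelled by adding the shared auto-mode block, since all of its subnets are
carved from it (assumption for this example; ranges below are constructed).
"""
from ipaddress import ip_network

AUTO_MODE_BLOCK = "10.128.0.0/9"  # block every auto-mode VPC draws subnets from


def vpc_ranges(cidrs, auto_mode=False):
    """Return the networks a VPC occupies; auto-mode adds the shared /9."""
    nets = [ip_network(c, strict=True) for c in cidrs]
    if auto_mode:
        nets.append(ip_network(AUTO_MODE_BLOCK))
    return nets


def find_overlaps(vpc_a, vpc_b):
    """List every (range_in_a, range_in_b) pair that collides."""
    return [(str(a), str(b)) for a in vpc_a for b in vpc_b if a.overlaps(b)]


def can_peer(vpc_a, vpc_b):
    """True only when no subnet range of A overlaps any range of B."""
    return not find_overlaps(vpc_a, vpc_b)


if __name__ == "__main__":
    # The post's example: 10.10.0.0/16 and 10.20.0.0/16 peer fine.
    a = vpc_ranges(["10.10.0.0/16"])
    b = vpc_ranges(["10.20.0.0/16"])
    print("A<->B:", can_peer(a, b), find_overlaps(a, b))
    # Two auto-mode VPCs always collide on 10.128.0.0/9.
    auto1 = vpc_ranges([], auto_mode=True)
    auto2 = vpc_ranges([], auto_mode=True)
    print("auto<->auto:", can_peer(auto1, auto2), find_overlaps(auto1, auto2))
```

Run it against the real subnet lists exported from each project before you create the peering in both directions; any pair it reports must be renumbered first.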
🔹 Restrictions
Peering is powerful, but there are limitations:
- No subnet IP overlap allowed
- No support for legacy networks
- Compute Engine internal DNS names do not resolve across peered networks
- Tags and service accounts for firewall rules don’t propagate across VPCs
- GKE needs IP Aliases or custom routes for full support
- Cloud Load Balancing can’t have frontends in one VPC and backends in another
✅ Summary
- VPC Network Peering = Secure, private, low-latency communication between VPCs.
- Works across projects and even organizations (great for SaaS or shared services).
- Always plan non-overlapping IP ranges before setting up.
- Not all Google Cloud features work seamlessly across peered networks, so check restrictions first.