Most GCP estates span multiple projects, so cross-project networking is a routine requirement. VPC Network Peering is the standard mechanism for direct, private communication between resources in separate VPC networks without sending traffic over the public internet. It is stable, low-latency and suited to most intra-organization workloads.
📑 Table of Contents
- 💻 GCP VPC Peering — What is Peering?
- 🔑 Benefits of VPC Peering
- 📦 Setting Up VPC Peering — Step by Step
- 📝 Updating Network Configuration
- 🔍 Verifying the Connection
- 🔧 Troubleshooting Common Issues
- 📊 Best Practices for VPC Peering
- 🟩 Final Thoughts
- ❓ Frequently Asked Questions
- What is VPC peering?
- How do I set up VPC peering?
- What are the benefits of VPC peering?
💻 GCP VPC Peering — What is Peering?
GCP VPC Network Peering connects two VPC networks so that resources in either can reach each other over internal IP addresses. VPC networks and the peering itself are global: subnet routes from every region are exchanged automatically between the two networks. Every primary and secondary range in one network must be disjoint from every range in the other, otherwise the peering never becomes ACTIVE. Firewall rules are not exchanged; each network keeps enforcing its own.
Peering is non-transitive. If VPC A is peered with VPC B, and VPC B is peered with VPC C, traffic from A cannot reach C through B. This isolation prevents unintended lateral access and enforces explicit network design.
🔑 Benefits of VPC Peering
The primary benefit is private, low-latency communication across project boundaries, which suits microservices, databases and shared infrastructure. Traffic stays on Google's backbone and is never exposed to the public internet. Google encrypts data in transit when it leaves physical boundaries it controls, but peering adds no encryption of its own, so application-layer TLS or mTLS remains the control for sensitive data. Latency and throughput match those of traffic inside a single VPC; there is no peering gateway to become a bottleneck.
$ gcloud compute networks peerings list
# Lists all VPC peering connections in your project
NAME NETWORK PEER_NETWORK PEER_PROJECT STATE
my-peering-connection my-network my-peer-network my-project ACTIVE
📦 Setting Up VPC Peering — Step by Step
To peer two VPC networks, every primary and secondary subnet range in one must be disjoint from every range in the other. Each network's administrator creates a peering configuration pointing at the other network; there is no separate accept step. This requires roles/compute.networkAdmin (or a custom role holding compute.networks.addPeering, compute.networks.updatePeering and compute.networks.removePeering) in each project.
First, create the peering configuration from one side. Name the peer by project ID and network name. In this example my-project owns my-network and peer-project owns my-peer-network.
$ gcloud compute networks peerings create my-peering-connection \
  --project my-project \
  --network my-network \
  --peer-project peer-project \
  --peer-network my-peer-network
# Creates this side's peering configuration. Subnet routes are exchanged by default;
# static and dynamic custom routes only with --export-custom-routes / --import-custom-routes.
Then run the corresponding command in the peer project, pointing back at my-project and my-network. Until both configurations exist and match, the state shows as INACTIVE; GCP has no pending-acceptance step, the second side's matching configuration is the acceptance. A Shared VPC changes nothing here: the peering is created on the host project's network. Once both sides are in place the state becomes ACTIVE and subnet routes are exchanged.
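The pre-flight check below is an added example, not code from the page or from Google's tooling. It reads the subnet listings of both networks in the JSON shape produced by `gcloud compute networks subnets list --format=json` (constructed inline here, with assumed project, network and subnet names), reports any overlap including GKE secondary ranges, and prints the two matching `gcloud` commands that each side must run:

```python
"""Pre-flight for a GCP VPC peering: overlap check plus the two matching gcloud commands.
Added example; project, network and subnet names below are assumptions, not values from the page."""
import ipaddress
import json

# Constructed sample in the shape of `gcloud compute networks subnets list --format=json`
# (only the fields this script reads). One GKE secondary range is deliberately in conflict.
LOCAL_SUBNETS_JSON = json.dumps([
    {"name": "prod-app", "region": "europe-west1", "ipCidrRange": "10.10.0.0/20",
     "secondaryIpRanges": [{"rangeName": "pods", "ipCidrRange": "10.100.0.0/16"}]},
    {"name": "prod-db", "region": "europe-west1", "ipCidrRange": "10.10.16.0/20"},
])
PEER_SUBNETS_JSON = json.dumps([
    {"name": "shared-tools", "region": "europe-west1", "ipCidrRange": "10.20.0.0/20"},
    {"name": "shared-gke", "region": "europe-west1", "ipCidrRange": "10.20.16.0/20",
     "secondaryIpRanges": [{"rangeName": "pods", "ipCidrRange": "10.100.0.0/17"}]},
])


def ranges(subnets_json):
    """Return (label, ip_network) for every primary and secondary range in a subnet listing.
    Secondary ranges count for peering: they are exchanged as subnet routes too."""
    out = []
    for sub in json.loads(subnets_json):
        out.append((sub["name"], ipaddress.ip_network(sub["ipCidrRange"])))
        for sec in sub.get("secondaryIpRanges", []):
            label = f'{sub["name"]}/{sec["rangeName"]}'
            out.append((label, ipaddress.ip_network(sec["ipCidrRange"])))
    return out


def find_overlaps(local_json, peer_json):
    """List (local_label, peer_label) pairs whose ranges overlap.
    Any overlap leaves the peering INACTIVE, so this must be empty before you create it."""
    return [(a, b)
            for a, net_a in ranges(local_json)
            for b, net_b in ranges(peer_json)
            if net_a.overlaps(net_b)]


def peering_commands(local_project, local_net, peer_project, peer_net,
                     name="my-peering-connection"):
    """Both network admins must create a peering config pointing at the other side;
    return the two gcloud commands (first for the local project, second for the peer)."""
    def cmd(project, net, other_project, other_net):
        return (f"gcloud compute networks peerings create {name} "
                f"--project={project} --network={net} "
                f"--peer-project={other_project} --peer-network={other_net}")
    return [cmd(local_project, local_net, peer_project, peer_net),
            cmd(peer_project, peer_net, local_project, local_net)]


if __name__ == "__main__":
    clashes = find_overlaps(LOCAL_SUBNETS_JSON, PEER_SUBNETS_JSON)
    for local_label, peer_label in clashes:
        print(f"OVERLAP: {local_label} <-> {peer_label}")
    if clashes:
        raise SystemExit("renumber the overlapping ranges before creating the peering")
    for command in peering_commands("my-project", "my-network",
                                    "peer-project", "my-peer-network"):
        print(command)
```

With the constructed input the script stops on the pod-range clash (10.100.0.0/16 against 10.100.0.0/17), which is exactly the kind of overlap that is easy to miss when only primary ranges are compared. Feed it real listings by piping the two `gcloud ... --format=json` outputs into the constants.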
📝 Updating Network Configuration
Once the peering is ACTIVE, routes exist but traffic is still subject to each network's own firewall rules, which are never shared across a peering. The implied deny-ingress rule blocks all inbound connections from the peer until you add allow rules, so rules are needed in both VPCs for bidirectional traffic (egress is allowed by default).
Scope rules tightly: restrict --source-ranges to the peer's actual subnet CIDRs rather than a whole private block, and use --target-tags or --target-service-accounts to limit which VMs accept the traffic. Source tags and source service accounts only match VMs in the same VPC, so they cannot identify peer instances. The example below allows HTTP only to instances tagged web-tier.
$ gcloud compute firewall-rules create my-firewall-rule \
  --network my-network \
  --direction INGRESS \
  --allow tcp:80 \
  --source-ranges 10.128.0.0/9 \
  --target-tags web-tier
# Allows TCP/80 from the given source range only to VMs tagged web-tier.
# Replace 10.128.0.0/9 with the peer network's actual subnet ranges; it is shown here
# only because it is the auto-mode range, and it admits far more than one peer.
Creating firewall... Done.
NAME NETWORK DIRECTION PRIORITY ALLOW DENY DISABLED
my-firewall-rule my-network INGRESS 1000 tcp:80 False
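A least-privilege review of the rules that admit peer traffic is worth automating. The audit below is an added example, not the page's or Google's code: it takes a firewall listing in the JSON shape of `gcloud compute firewall-rules list --format=json` (constructed inline, with assumed rule names, tags and CIDRs) and flags active ingress allow rules whose source is wider than the peer's real subnets, that lack target scoping, or that allow every protocol:

```python
"""Audit ingress firewall rules that admit traffic from a peered VPC.
Added example; rule names, tags and CIDRs are constructed, not taken from a real project."""
import ipaddress
import json

# The peer's real subnet ranges: the only sources a rule for peered traffic should admit (assumed).
PEER_SUBNETS = [ipaddress.ip_network(r) for r in ("10.20.0.0/20", "10.20.16.0/20")]

# Constructed listing in the shape of `gcloud compute firewall-rules list --format=json` (fields trimmed).
FIREWALL_RULES_JSON = json.dumps([
    {"name": "allow-web-from-peer", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["10.20.0.0/20"], "targetTags": ["web-tier"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]},
    {"name": "my-firewall-rule", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["10.128.0.0/9"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]},
    {"name": "allow-everything", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "all"}]},
    {"name": "old-rule", "direction": "INGRESS", "disabled": True,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]},
    {"name": "deny-ssh", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"], "denied": [{"IPProtocol": "tcp", "ports": ["22"]}]},
])


def audit_ingress_rules(rules_json, intended_sources):
    """Return {rule_name: [issue, ...]} for active INGRESS allow rules that are wider than needed.
    Checks: a source range not contained in any intended source, no target scoping
    (the rule then applies to every VM in the VPC), and all-protocol allows."""
    findings = {}
    for rule in json.loads(rules_json):
        if rule.get("direction") != "INGRESS" or rule.get("disabled") or "allowed" not in rule:
            continue  # deny rules and disabled rules cannot widen exposure
        issues = []
        for src in rule.get("sourceRanges", []):
            src_net = ipaddress.ip_network(src)
            contained = any(src_net.subnet_of(ok)
                            for ok in intended_sources if ok.version == src_net.version)
            if not contained:
                issues.append(f"source {src} is not within any intended peer subnet")
        if not (rule.get("targetTags") or rule.get("targetServiceAccounts")):
            issues.append("no targetTags/targetServiceAccounts: applies to every VM in the network")
        if any(entry.get("IPProtocol") == "all" for entry in rule["allowed"]):
            issues.append("allows all protocols")
        if issues:
            findings[rule["name"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_ingress_rules(FIREWALL_RULES_JSON, PEER_SUBNETS).items():
        print(name)
        for issue in issues:
            print(f"  - {issue}")
```

On the constructed listing only allow-web-from-peer passes; the page's own my-firewall-rule is flagged twice (whole 10.128.0.0/9 as source, no target scoping), which is what tightening it to the peer CIDR and a target tag fixes.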
🔍 Verifying the Connection
Test connectivity from a VM in one network to the internal IP of a VM in the other with ping, or with nc -zv HOST PORT for a specific TCP port. ping needs an ingress rule on the target that allows icmp from the peer range; a failing ping alongside a working nc usually just means ICMP is not allowed.
$ ping -c 1 10.132.0.5
# Tests connectivity to an instance in the peer VPC
PING 10.132.0.5 (10.132.0.5) 56(84) bytes of data.
64 bytes from 10.132.0.5: icmp_seq=1 ttl=64 time=0.921 ms
--- 10.132.0.5 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.921/0.921/0.921/0.000 ms
🔧 Troubleshooting Common Issues
Most issues stem from overlapping ranges, missing firewall rules, or a peering configuration created on only one side. Check the peering state first.
$ gcloud compute networks peerings describe my-peering-connection --network my-network
# Displays detailed information about the peering connection
name: my-peering-connection
network: https://www.googleapis.com/compute/v1/projects/my-project/global/networks/my-network
peerNetwork: https://www.googleapis.com/compute/v1/projects/peer-project/global/networks/my-peer-network
state: ACTIVE
stateDetails: ''
If the state is INACTIVE, confirm that the peer side has created its matching configuration (same pair of networks, each pointing at the other) and that no ranges overlap. Use gcloud compute networks subnets list --network NETWORK --format="yaml(name,region,ipCidrRange,secondaryIpRanges)" in each project to audit primary and secondary ranges.
For connectivity problems, verify that the target service is listening and that the firewall allows the port. Firewall Rules Logging (enabled per rule with --enable-logging) records ALLOWED and DENIED decisions; the implied deny rules are never logged, so add an explicit lowest-priority deny-all ingress rule with logging enabled if you want to see what is being dropped. VPC Flow Logs show sampled flows but not firewall decisions. Network Intelligence Center Connectivity Tests can also trace the path between two VMs and report which rule or route blocks it.
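The triage script below is an added example, not the page's or Google's code. It works over Firewall Rules Logging entries in the jsonPayload shape Cloud Logging exports (constructed inline with only the fields used, and assuming an explicit logged deny-all rule exists), counts DENIED flows that originate in the peer range by protocol and destination port, and prints a candidate scoped allow rule for each for an operator to review; the CIDRs, tag and network name are assumptions:

```python
"""Triage DENIED flows from a peered VPC in Firewall Rules Logging output.
Added example; log entries are constructed in the jsonPayload shape Cloud Logging exports
(only the fields used here), and the CIDRs, tag and network name are assumptions."""
import ipaddress
import json
from collections import Counter

PEER_RANGE = ipaddress.ip_network("10.20.0.0/16")   # assumed peer VPC address space
PROTOCOL_NAMES = {6: "tcp", 17: "udp", 1: "icmp"}   # IANA protocol numbers as logged


def entry(disposition, src, dst, port, proto=6):
    """Build one constructed firewall log jsonPayload line."""
    rule = ("network:my-network/firewall:deny-all-ingress-logged" if disposition == "DENIED"
            else "network:my-network/firewall:allow-web-from-peer")
    return json.dumps({
        "disposition": disposition,
        "connection": {"src_ip": src, "src_port": 51000, "dest_ip": dst,
                       "dest_port": port, "protocol": proto},
        "rule_details": {"reference": rule},
    })


FIREWALL_LOG_LINES = [
    entry("DENIED", "10.20.3.7", "10.10.0.12", 5432),
    entry("DENIED", "10.20.3.8", "10.10.0.12", 5432),
    entry("DENIED", "10.20.4.2", "10.10.0.13", 5432),
    entry("DENIED", "10.20.3.7", "10.10.0.12", 22),
    entry("ALLOWED", "10.20.3.7", "10.10.0.20", 80),
    entry("DENIED", "192.0.2.9", "10.10.0.20", 80),          # not from the peer: ignored here
    entry("DENIED", "10.20.3.7", "10.10.0.12", 0, proto=1),  # ICMP blocked: explains a failing ping
]


def denied_from_peer(lines, peer_range):
    """Count DENIED entries whose source lies inside peer_range, keyed by (protocol, dest_port)."""
    counts = Counter()
    for line in lines:
        event = json.loads(line)
        if event.get("disposition") != "DENIED":
            continue
        conn = event["connection"]
        if ipaddress.ip_address(conn["src_ip"]) not in peer_range:
            continue
        counts[(conn["protocol"], conn["dest_port"])] += 1
    return counts


def suggested_rule(proto, port, source_cidr, target_tag, network="my-network"):
    """gcloud command that would admit exactly this flow, scoped to a target tag.
    A candidate for human review: never apply allow rules blindly from deny logs."""
    name = PROTOCOL_NAMES.get(proto, str(proto))
    allow = name if proto == 1 else f"{name}:{port}"
    return (f"gcloud compute firewall-rules create allow-{allow.replace(':', '-')}-from-peer "
            f"--network={network} --direction=INGRESS --allow={allow} "
            f"--source-ranges={source_cidr} --target-tags={target_tag} --enable-logging")


if __name__ == "__main__":
    for (proto, port), n in denied_from_peer(FIREWALL_LOG_LINES, PEER_RANGE).most_common():
        print(f"{n} denied {PROTOCOL_NAMES.get(proto, proto)}/{port} from {PEER_RANGE}")
        print("   candidate:", suggested_rule(proto, port, str(PEER_RANGE), "db-tier"))
```

The grouping separates a missing rule (three denied Postgres connections from several peer hosts) from noise (one denied SSH attempt, one scanner outside the peer range), and the ICMP entry shows why a ping test fails while the service itself may be reachable. In practice pull the lines with gcloud logging read filtered on jsonPayload.disposition="DENIED".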
📊 Best Practices for VPC Peering
Plan CIDR allocation centrally before peering, because ranges can never overlap and renumbering later is painful. Allocate disjoint blocks per network, for example 10.10.0.0/16 for one VPC and 10.20.0.0/16 for another, and reserve separate space for GKE pod and service secondary ranges, which take part in peering like any other subnet route. Avoid the 10.128.0.0/9 auto-mode block: two auto-mode networks always overlap and cannot be peered.
Prefer hierarchical firewall policies attached at the organization or folder level when managing many projects; they are evaluated before VPC-level rules, give consistent enforcement, and reduce configuration drift. (These are distinct from Organization Policy constraints.)
Monitor peering state. Admin Activity audit logs record compute.networks.addPeering, updatePeering and removePeering, so a log-based alert on those methods flags any change; a scheduled check that gcloud compute networks peerings list still reports ACTIVE catches the case where the peer side deletes its configuration or its project. Outages are rare, but a peering silently drops to INACTIVE if either side removes it.
🟩 Final Thoughts
GCP VPC peering is a reliable, performant way to connect resources across projects while keeping traffic private and secure. It requires precise configuration — especially around CIDR ranges and firewall rules — but operates with minimal overhead once established.
For environments requiring transitive routing, use Network Connectivity Center with VPC spokes, or a hub-and-spoke design built on HA VPN or a network virtual appliance; Cloud Interconnect VLAN attachments connect on-premises networks, not VPCs to each other. For direct, point-to-point connectivity, VPC peering remains the right choice.
❓ Frequently Asked Questions
What is VPC peering?
VPC peering connects two GCP VPC networks, enabling private communication using internal IPs. Traffic traverses Google's backbone, never touches the public internet, and is billed at the same rate as traffic within a single VPC; there is no peering-specific charge.
How do I set up VPC peering?
Create a peering configuration in each project, each pointing at the other network, then add firewall rules. Use gcloud compute networks peerings create and ensure no primary or secondary ranges overlap. The state must show ACTIVE on both ends.
What are the benefits of VPC peering?
It provides low-latency, private and cost-effective communication between VPC networks in different projects, including projects in different organizations. Latency and throughput are the same as for traffic within one VPC; the only bandwidth limit is the per-VM egress cap of the instances involved, not the peering.