Subnet to Subnet Routes and Routing Tables in GCP
(Also read: Routing across a peered VPC in GCP)
Routes belong to a project (more precisely, to a VPC network that belongs to a project)
The first thing to understand is that routes are neither per-subnet nor per-region: every route is part of a VPC network, and the network is part of a project. A subnet is not a network; it is a regional IP range inside one, and the routing table is the network's.
Hence, you can create routes whose next hops sit in two completely different regions (e.g. a VPN tunnel in region 1 and another in region 2) and see them side by side in the single routing table of that network, under the same project.
Default Network Routes (these exist by default)
Subnet to Subnet Routes - These are system-generated, one per subnet (and one per secondary range), every time you add a new subnet. You cannot edit them, and the only way to remove one is to delete its subnet. Because a subnet route always wins for traffic to its own range, no custom route can redirect subnet-to-subnet traffic within the VPC. This does not mean that a VM in one of these subnets cannot have a different NEXT HOP for other destinations (see below).
Route to the internet - destination 0.0.0.0/0, next hop default-internet-gateway, priority 1000. This is also created automatically with every VPC network, but unlike the subnet routes it is an ordinary static route: you can delete it, or shadow it with a custom 0.0.0.0/0 route that has a lower priority number (higher precedence), and deleting it is the usual way to cut direct internet egress from a VPC. VMs use it only if they also have an external IP or Cloud NAT.
Custom Subnet to Subnet Routes are not available in GCP, so you cannot insert a Traffic Filtering Appliance between subnets
In GCP, VPC networks are global. Subnets are regional, but any VM can reach any subnet of its VPC in any region over private IP addresses without any VPN setup. There is also only ONE routing table per VPC network, and it is global (AWS has a MAIN route table per VPC but also additional route tables that can be associated at subnet level).
This means there is no need to create routes between regions: your VPC has subnets in each region and thus automatically spans all of them.
Since routing from subnet to subnet is automatic, this is also why you cannot place a Palo Alto (or any other inline appliance) between two subnets of the same VPC: there is no way to control those routes. Whether this is a strength or a weakness can be debated. Google's argument is that you never leave the Google backbone even if one of your subnets lives in North America and another in Asia. In practice, segmentation inside a single VPC is done with VPC firewall rules rather than routing, and if traffic must pass through an inspection appliance, the two sides belong in separate VPC networks, with the appliance as a multi-NIC VM and a custom route on each side pointing at it as next hop.
In AWS, VPCs are regional, so traffic between regions needs inter-region VPC peering or a VPN tunnel.
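To make the selection rules concrete, here is a small simulator of one VPC network's routing table, added here as an example; it is not code from the original post or from Google. It models the documented order (longest prefix match first; among equal prefixes, system-generated subnet routes ahead of custom routes whatever their priority; among custom routes the lowest priority value wins) and GCP's refusal to accept a custom static route whose destination matches or is more specific than a subnet route, which is the rule that keeps an appliance from being inserted between two subnets. The network name vpc-a, the ranges, and the appliance next hop instance:ngfw-1 are constructed for the illustration.

```python
"""Simulate route selection in one GCP VPC network's routing table.

Added example, not code from the original post or from Google. Models the
documented order: longest prefix match; among equal prefixes, system-generated
subnet routes beat custom routes whatever their priority; among custom routes
the lowest priority value wins. Names and ranges are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    dest: ipaddress.IPv4Network
    next_hop: str
    priority: int
    kind: str  # "subnet" (system-generated) or "static" (custom)


class VpcRoutingTable:
    def __init__(self, network: str):
        self.network = network
        self.routes: list[Route] = []

    def add_subnet(self, cidr: str) -> Route:
        # Creating a subnet auto-creates its subnet route; next hop is the VPC network itself
        route = Route(ipaddress.ip_network(cidr), self.network, 0, "subnet")
        self.routes.append(route)
        return route

    def add_static_route(self, cidr: str, next_hop: str, priority: int = 1000) -> Route:
        dest = ipaddress.ip_network(cidr)
        # GCP rejects a custom route whose destination matches or lies inside a subnet route;
        # this is exactly what blocks an appliance from being inserted between two subnets
        for r in self.routes:
            if r.kind == "subnet" and dest.subnet_of(r.dest):
                raise ValueError(f"{cidr} matches subnet route {r.dest}: cannot override subnet-to-subnet traffic")
        route = Route(dest, next_hop, priority, "static")
        self.routes.append(route)
        return route

    def select(self, dst_ip: str) -> Route | None:
        ip = ipaddress.ip_address(dst_ip)
        candidates = [r for r in self.routes if ip in r.dest]
        if not candidates:
            return None
        # key: longest prefix, then subnet before static, then lowest priority value
        return min(candidates, key=lambda r: (-r.dest.prefixlen, r.kind != "subnet", r.priority))


def demo() -> dict[str, str]:
    vpc = VpcRoutingTable("vpc-a")
    vpc.add_subnet("10.10.1.0/24")  # web tier, us-central1
    vpc.add_subnet("10.10.2.0/24")  # db tier, asia-east1: same VPC, other region
    vpc.add_static_route("0.0.0.0/0", "default-internet-gateway", 1000)  # the auto-created default route
    vpc.add_static_route("0.0.0.0/0", "instance:ngfw-1", 100)  # egress NGFW: better priority than the default
    vpc.add_static_route("10.20.0.0/16", "instance:ngfw-1", 100)  # a peer VPC's range, also via the appliance
    return {
        "web->db": vpc.select("10.10.2.15").next_hop,      # subnet route wins on prefix length
        "web->internet": vpc.select("8.8.8.8").next_hop,   # custom /0 beats the default /0 on priority
        "web->vpc-b": vpc.select("10.20.5.5").next_hop,    # steered through the appliance
    }


def try_to_override_subnet_route() -> str:
    vpc = VpcRoutingTable("vpc-a")
    vpc.add_subnet("10.10.2.0/24")
    try:
        vpc.add_static_route("10.10.2.0/25", "instance:ngfw-1", 1)  # more specific and top priority: still refused
    except ValueError as exc:
        return str(exc)
    return "accepted"


if __name__ == "__main__":
    for flow, hop in demo().items():
        print(f"{flow:15} -> {hop}")
    print(try_to_override_subnet_route())
```

The three flows in demo() show what the post is getting at: the appliance captures internet egress and traffic to another VPC's range, because those are custom routes you control, but the web-to-db flow inside vpc-a goes straight via the subnet route and there is no priority value that changes that.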
Custom Routes (Static Routes)
If traffic from your VM needs to reach a VM in another VPC (in the same or another region), you can accomplish this with custom static routes over a VPN between the two networks:
1. A VPN gateway in VPC A and another in VPC B, with a tunnel between them.
2. Two custom (static) routes, one in each VPC, whose destination is the other VPC's subnet range and whose next hop is the VPN tunnel. A route on one side only is not enough: return traffic needs the matching route in the other network, and the receiving VPC's firewall rules must allow the remote range, since routing decides where packets go but not whether they are admitted.
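The two-sided setup above, scripted as an added example (not the post's own code): the function emits, for each side, the gcloud commands for a Classic VPN gateway, its three forwarding rules, a route-based tunnel, the custom static route toward the other VPC's range, and a matching ingress firewall rule. The network names, regions, ranges and the two gateway IPs are assumptions; the IPs must be reserved beforehand with `gcloud compute addresses create`, because each side's tunnel names the other side's IP as --peer-address. By default the script only prints the commands; passing --apply runs them through subprocess.

```python
"""Emit the gcloud commands that connect two VPC networks over Classic VPN with
one custom static route per side. Added example, not from the original post.
Assumptions: vpc-a in us-central1 (10.10.0.0/16), vpc-b in asia-east1
(10.20.0.0/16), and external IPs already reserved under the names given below.
"""
from __future__ import annotations

import secrets
import shlex
import subprocess
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Side:
    name: str        # short label used in resource names
    network: str     # VPC network that owns the gateway, route and firewall rule
    region: str      # region of the Classic VPN gateway (the route itself is global)
    cidr: str        # subnet range that lives behind this side
    ip_name: str     # name of the pre-reserved external address
    gateway_ip: str  # its IP, which the peer needs as --peer-address


def side_commands(local: Side, remote: Side, shared_secret: str) -> list[str]:
    gw = f"vpn-gw-{local.name}"
    tunnel = f"tunnel-{local.name}-to-{remote.name}"
    fr = f"gcloud compute forwarding-rules create {gw}-{{}} --region {local.region} --address {local.ip_name} --target-vpn-gateway {gw}"
    return [
        f"gcloud compute target-vpn-gateways create {gw} --network {local.network} --region {local.region}",
        # Classic VPN needs ESP plus IKE (UDP/500) and NAT-T (UDP/4500) delivered to the gateway
        fr.format("esp") + " --ip-protocol ESP",
        fr.format("udp500") + " --ip-protocol UDP --ports 500",
        fr.format("udp4500") + " --ip-protocol UDP --ports 4500",
        # Route-based tunnel: 0.0.0.0/0 traffic selectors, reachability is decided by routes, not the tunnel
        f"gcloud compute vpn-tunnels create {tunnel} --region {local.region} --target-vpn-gateway {gw} "
        f"--peer-address {remote.gateway_ip} --ike-version 2 --shared-secret {shlex.quote(shared_secret)} "
        f"--local-traffic-selector 0.0.0.0/0 --remote-traffic-selector 0.0.0.0/0",
        # The custom static route: remote range -> next hop tunnel, in this VPC's (global) routing table
        f"gcloud compute routes create route-{local.name}-to-{remote.name} --network {local.network} "
        f"--destination-range {remote.cidr} --next-hop-vpn-tunnel {tunnel} "
        f"--next-hop-vpn-tunnel-region {local.region} --priority 1000",
        # Routing is not reachability: VPC firewalls deny ingress by default, so admit the remote range narrowly
        f"gcloud compute firewall-rules create allow-from-{remote.name} --network {local.network} "
        f"--direction INGRESS --source-ranges {remote.cidr} --allow icmp,tcp:22,tcp:443",
    ]


def both_sides(a: Side, b: Side, shared_secret: str) -> list[str]:
    """Commands for side A followed by side B; both tunnels must use the same secret."""
    return side_commands(a, b, shared_secret) + side_commands(b, a, shared_secret)


if __name__ == "__main__":
    # Constructed values; replace with your own networks and the IPs gcloud reserved for you
    vpc_a = Side("a", "vpc-a", "us-central1", "10.10.0.0/16", "vpn-ip-a", "203.0.113.10")
    vpc_b = Side("b", "vpc-b", "asia-east1", "10.20.0.0/16", "vpn-ip-b", "198.51.100.20")
    secret = secrets.token_urlsafe(32)  # generated per run, never hard-coded in the script
    for cmd in both_sides(vpc_a, vpc_b, secret):
        print(cmd)
        if "--apply" in sys.argv:
            subprocess.run(shlex.split(cmd), check=True)
```

The shared secret is generated at run time rather than stored in the script, and the firewall rule admits only the ports the remote side actually needs; widen --allow deliberately rather than with `all`. If you later move to HA VPN with Cloud Router, the two `routes create` lines disappear, since BGP then advertises each side's ranges as dynamic routes.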
Routing Tables - GCP vs AWS
- GCP: one global routing table per VPC network. AWS: a MAIN route table per VPC, plus additional route tables that can be associated at subnet level.
- GCP: no routes are needed between regions; the VPC has subnets in each region and thus automatically spans all regions. AWS: a VPC is regional, so cross-region traffic needs inter-region peering or a tunnel.
- GCP: routing from subnet to subnet is automatic and cannot be overridden, which is why you cannot place a Palo Alto between subnets of one VPC. AWS: a subnet's route table can point a destination at an appliance's network interface, so an inline firewall between subnets is possible.
Why does a second network interface require a separate VPC (subnet in a separate VPC) to attach to?
The reason has to do partly with the way routes are inherited by network interfaces. Each NIC gets the routes of the VPC network it is attached to. If a second NIC sat in the same VPC, it would inherit exactly the same routes as the first, so there would be no advantage to it; the point of a second NIC is to provide a second, separate routing domain. That is why GCP requires each NIC of a multi-NIC VM to attach to a different VPC network, with non-overlapping subnet ranges. Two practical caveats: the guest OS receives a default route only via the primary interface (nic0), so traffic that should leave through a secondary NIC needs policy routing configured inside the guest; and a VM used as a next hop must be created with --can-ip-forward, otherwise the VPC drops packets that are not addressed to the VM itself.
Need an experienced AWS/GCP/Azure Professional to help out with your Public Cloud Strategy? Set up a time with Anuj Varma.