How to establish a VPN connection from your Cloud Functions to your On-premise network on GCP

1. Overview of the solution

  • We will create a few components/services so that our Cloud Functions can talk to a VPN connection that already exists in GCP.
  • First, we will create a VPC network with no subnets in the project where our Cloud Functions live. It will link our project/Cloud Functions to the existing VPN (in the Shared VPC).
  • Then we will create a Serverless VPC Access Connector so that our Cloud Functions can reach services over the VPN.
  • We also need to create a VPC peering between our newly created VPC and the Shared VPC where the VPN was created. Note that a peering has to be created on each side, that is, in the Shared VPC network and in the VPC in our project (where the Cloud Functions are).
  • Next, we will configure our Cloud Function to use the Serverless VPC Access Connector. After that, it will be able to reach any IP in our on-premise network.
  • Lastly, we will check the status of every service and create a simple Cloud Function to test the connection to our internal (on-premise) network.

Important:

The IPs used in this article may differ from yours, depending on your on-premise network configuration. If you do not know this information or are not familiar with network configuration, I suggest you ask someone with that expertise to help you with some of the steps.

I am suggesting it because I ran into this issue. 😅

In the end, we will have an environment configuration like the following image.

1. Create a VPN connection to your on-premise network

This tutorial assumes you already have a VPN established between GCP and your on-premise network, and a Shared VPC that enables communication with your internal network.

2. Create a VPC network in the project where your cloud functions are

  1. Access your project on GCP
  2. Click on VPC network in the main menu, then on Create VPC network
  3. Give a name to your new VPC, e.g my-vpc-vpn-conn
  4. In Subnet creation mode, delete the subnet by clicking the trash icon (see the following image)
This VPC will have no subnets
  5. Leave all other fields with their default values
  6. Click Create

3. Create a Serverless VPC Access Connector

In order to create a Serverless VPC Access Connector, you need to enable the Serverless VPC Access API. To do this, follow the steps below.

  1. In the main menu, click on APIs & Services > Library
  2. In the search box, type Serverless VPC Access API and then click on the item shown in the results.
  3. Check if the API is enabled. If not, turn it on.

Now that the API is enabled, let's create our connector.

  1. In the VPC network page, click on Serverless VPC access
  2. Click on Create connector
  3. Give a name to your connector, e.g connector2somevpc
  4. In Network, select the VPC you created in step 2 (e.g my-vpc-vpn-conn)
  5. In IP range, enter the subnet you want to assign to this connector. It is important to mention that it needs to be in the same network you are going to connect with. This was a difficult step for me and I could only do it after asking the network team for help (they always know how to help with this kind of information).
  6. Leave the other fields with their default values
  7. Click Create

4. Create a peering from your VPC network (e.g my-vpc-vpn-conn) to the Shared VPC

  1. In the VPC network page, click on VPC network peering
  2. Click on Create connection
  3. Click Continue
  4. Give a name to your peering, e.g peering2somevpc
  5. In Your VPC network, select your VPC (e.g my-vpc-vpn-conn)
  6. In Peered VPC network, select In another project
  7. Fill in Project ID with the ID of the project where your Shared VPC is hosted
  8. In VPC network name, enter the name of your Shared VPC
  9. Click on Exchange custom routes to see more options and enable both Import custom routes and Export custom routes
  10. Click Create

After you follow these steps, your peering will be in the Inactive state. To activate it, you first need to create the matching peering in your Shared VPC. After that, the connection should be ready to use.

5. Create a peering from the Shared VPC to your VPC network (e.g my-vpc-vpn-conn)

Follow the same steps as in section 4, but with the two networks swapped, to create a peering from the Shared VPC to your VPC network. These steps have to be done in the project where your Shared VPC is hosted.

6. Grant the right roles to the service account used by your Cloud Functions

  1. Go to the IAM page and look for the Google Cloud Functions Service Agent; it should have an account name such as somename@gcf-admin-robot.iam.gserviceaccount.com
  2. Click on the edit button (pencil) on the same row as that account
  3. Add the roles Compute Network User, Project Viewer and Cloud Functions Admin
  4. Click Save

7. Check if everything is OK

Now that all the setup is done, let's look at the status of some services and create a simple function to check connectivity.

  1. Go to VPC networks > VPC network peering and check that the status of your peering is Active
  2. Go to VPC networks > Serverless VPC access and check that the status of your connector is Active

If both are OK, let's now create a Cloud Function to check whether it can communicate with your on-premise servers/services.

  1. In the main menu, click on Cloud Functions
  2. Click Create function and give a name to your function, e.g test-vpn
  3. In the index.js text box, you will see some predefined code. Replace it with the following code
const http = require('http');

// HTTP-triggered function: fetches a page from an internal (on-premise)
// server through the VPC connector and returns the body to the caller.
exports.test = (req, res) => {
  http.get('http://<IP of your internal server>', (resp) => {
    let data = '';
    resp.on('data', (chunk) => {
      data += chunk;
    });
    resp.on('end', () => {
      console.log(data);
      res.status(200).send(data);
    });
  }).on('error', (err) => {
    // Without a response here the function would hang until its timeout.
    console.log('Error: ' + err.message);
    res.status(500).send('Error: ' + err.message);
  });
};

In the Function to execute field, write "test" (the name of the function exported in the code above).

  1. Click on Environment variables, networking, timeouts and more to show more configuration options
  2. In VPC connector, choose the connector you created in the previous steps
  3. Leave all other parameters with their default values
  4. Click Create

Wait a little bit while your function is created and deployed.

  1. When your function is ready, click on its name
  2. On the page that opens, you will see a lot of information about your function. Click on the Testing tab
  3. Click on the Test the function button

The first time you trigger your function, it may be a little slow. Wait a moment and check the results. At this point, you should receive a response from your server/service.

If the response takes too long to come back, there is probably a misconfiguration somewhere; go back over the steps in this tutorial and check each one.
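The console steps of sections 2 to 7 as gcloud commands, added here as an example and not part of the original article: it creates the subnet-less VPC, the connector, both peerings with custom route exchange, grants the three roles, checks that the peering is ACTIVE and the connector READY, and deploys the test function through the connector. The VPC, connector, peering and function names are the article's; PROJECT, SHARED_PROJECT, SHARED_VPC, REGION, CONNECTOR_RANGE and RUNTIME are placeholders you must replace.

```shell
# Added example (not from the article): sections 2 to 7 as gcloud commands.
# PROJECT, SHARED_PROJECT, SHARED_VPC, REGION, CONNECTOR_RANGE and RUNTIME are
# placeholders; GCLOUD can be pointed at a stub for testing without a GCP account.
set -eu
GCLOUD="${GCLOUD:-gcloud}"
PROJECT="${PROJECT:-my-functions-project}"           # placeholder
SHARED_PROJECT="${SHARED_PROJECT:-shared-vpc-host}"  # placeholder
SHARED_VPC="${SHARED_VPC:-shared-vpc}"               # placeholder
REGION="${REGION:-us-central1}"; RUNTIME="${RUNTIME:-nodejs18}"   # assumed; the article names neither
CONNECTOR_RANGE="${CONNECTOR_RANGE:-10.8.0.0/28}"    # placeholder: ask your network team
VPC=my-vpc-vpn-conn; CONNECTOR=connector2somevpc; PEERING=peering2somevpc
# Section 2: a custom-mode network is created with no subnets at all.
create_vpc() {
  "$GCLOUD" compute networks create "$VPC" --project="$PROJECT" --subnet-mode=custom
}
# Section 3: enable the API, then create the connector inside that network.
create_connector() {
  "$GCLOUD" services enable vpcaccess.googleapis.com --project="$PROJECT"
  "$GCLOUD" compute networks vpc-access connectors create "$CONNECTOR" --project="$PROJECT" \
    --region="$REGION" --network="$VPC" --range="$CONNECTOR_RANGE"
}
# Sections 4 and 5: one peering per side; custom routes are exchanged so the VPN routes reach us.
create_peering() {  # $1 project  $2 local network  $3 peer project  $4 peer network
  "$GCLOUD" compute networks peerings create "$PEERING" --project="$1" --network="$2" \
    --peer-project="$3" --peer-network="$4" --import-custom-routes --export-custom-routes
}
# Section 6: the three roles the article grants to the Cloud Functions service agent.
grant_roles() {  # $1 = service agent e-mail (somename@gcf-admin-robot.iam.gserviceaccount.com)
  for role in roles/compute.networkUser roles/viewer roles/cloudfunctions.admin; do
    "$GCLOUD" projects add-iam-policy-binding "$PROJECT" --member="serviceAccount:$1" --role="$role"
  done
}
# Section 7: the peering must be ACTIVE and the connector READY before deploying.
peering_active() {
  "$GCLOUD" compute networks describe "$VPC" --project="$PROJECT" --format=json \
    | grep -q '"state": "ACTIVE"'
}
connector_ready() {
  "$GCLOUD" compute networks vpc-access connectors describe "$CONNECTOR" --project="$PROJECT" \
    --region="$REGION" --format="value(state)" | grep -qx READY
}
ready_to_deploy() { peering_active && connector_ready; }
deploy_function() {  # routes the function's egress through the connector; entry point "test" is from the article
  "$GCLOUD" functions deploy test-vpn --project="$PROJECT" --region="$REGION" --runtime="$RUNTIME" \
    --source=. --entry-point=test --trigger-http --vpc-connector="$CONNECTOR"
}
if [ "${APPLY:-0}" = 1 ]; then  # set APPLY=1 to run every step in order
  create_vpc; create_connector; create_peering "$PROJECT" "$VPC" "$SHARED_PROJECT" "$SHARED_VPC"
  create_peering "$SHARED_PROJECT" "$SHARED_VPC" "$PROJECT" "$VPC"; ready_to_deploy && deploy_function
fi
```

Without APPLY=1 the script only defines functions, so it can be sourced and the steps run one at a time while you check each status in the console; grant_roles needs the service agent e-mail as its argument.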

Written by Guilherme De Jesus Rafael

I am a passionate developer and I really enjoy creating new stuff. Nowadays my main role is Cloud Software and Mobile Engineer at BR Distribuidora.
