
I need to add a route in GCP's VPC Network and when I do, I get an error (shown below) that appears to state there is an overlap/conflict with the 10.130.0.0/16 range. I unfortunately do not see this 10.130.0.0/16 in any route, in any region and I have no idea why this error is occurring.

Creating route "test" failed. Error: Invalid value for field 'resource.destRange': '10.130.90.82/32'. 10.130.90.82/32 hides the reserved address space for network (10.130.0.0/16).

I have tried adding this simple route in several GCP projects but they all fail and seem to imply there might be some hidden reserved address space. Could this be? What am I missing? This occurs with any route destination value that is in the 10.130.0.0/16 space, e.g. 10.130.90.82/32 or 10.130.90.0/24.

For clarification, here is an example route that fails: [screenshot of the failing route]

Additional clarification, here is the 'default' VPC network: [screenshot of the default VPC network's subnets]

Brent
  • What is the CIDR for your VPC? – John Hanley Jun 02 '22 at 01:00
  • Another item. The CIDR 10.0.0.0/8 is private (RFC 1918). You must do special things to route RFC 1918 traffic such as peering, tunneling, etc. Edit your question with details on what you are trying to configure. – John Hanley Jun 02 '22 at 04:30
  • I am simply trying to add the route at this time and it is failing. In the long run, I will have a route that sends this local route to a vpn peer. My VPC CIDR range is 10.142.0.0/20 and I have checked all other ranges to make sure none overlap. Unfortunately the 10.130.0.0/16 network isn't in use (to my knowledge) in any region/project/route. – Brent Jun 02 '22 at 12:23
  • That is a subnet CIDR. What is the VPC CIDR? What do you mean you will have a route to a VPN peer? Routing requires a target. That target must exist. Your question lacks details on how you are adding a route or how the network is designed. – John Hanley Jun 02 '22 at 16:39
  • I apologize I tried to keep the question as simple as possible to reduce confusion. It does not matter to GCP what the target/'next hop' is (I used 'default internet gateway', 'instance' and 'vpn tunnel') and they all fail with the same error. – Brent Jun 02 '22 at 17:51
  • They failed because they are not valid targets. You cannot send RFC 1918 traffic to the Internet Gateway. Only routes that the VPN tunnel is configured for can be set as a target. An example of an acceptable next hop would be a compute engine instance provided that you do not have overlapping CIDRs. Again, what is the VPC CIDR? That is the most important detail that you have not answered. – John Hanley Jun 02 '22 at 19:08
  • I just updated the question showing a screenshot of the VPC network. This is the 'default' VPC network that includes all regions. On a side note, I created a very simple VPC network (192.168.1.0/24) and then added my route from above and it works. Something in the default VPC network is overlapping but I do not see where. – Brent Jun 02 '22 at 23:43
  • Each one of those entries is a **subnetwork** of a VPC. This might help you understand: https://cloud.google.com/vpc/docs/vpc#vpc_networks_and_subnets – John Hanley Jun 02 '22 at 23:54
  • That is good info and I probably want to consider migrating to custom mode VPC but how do I find the CIDR range you are asking for? – Brent Jun 03 '22 at 00:39

2 Answers


Google Cloud does not allow you to create a new subnet or peering subnet route whose destination exactly matches or is broader than (would contain) an existing custom static route. For example, if your VPC network has a custom static route for the 10.70.1.128/25 destination, Google Cloud prohibits the creation of any subnet or peering subnet route with a primary or secondary subnet IP address range of 10.70.1.128/25, 10.70.1.0/24, or any other range that contains all the IP addresses in 10.70.1.128/25.

Kindly check the Configuring private services access docs. Included in the docs are the considerations, creating an IP allocation, deleting an allocated IP address range, etc.

JaysonM
  • That is good information but somewhat conflicts with my findings. The custom static route that I am adding is not broader than any existing range and in fact the range that the error is complaining about (10.130.0.0/16) is not in use. – Brent Jun 02 '22 at 12:47
  • BTW; this should be very reproducible if you simply create a compute instance in any region (I happen to be using us-east1) so that it creates a default network. Then simply add a VPC Network Route using any destination in the 10.130.0.0/16 range. This should fail with the same error. – Brent Jun 02 '22 at 12:51

There is in fact a hidden reserved address space in the default VPC network. I hesitate to call it hidden, as JaysonM mentioned it in his answer, but it does not appear anywhere in the GCP console (to my knowledge).

The default VPC network is using 'auto' subnet creation mode. With this setting enabled the VPC network has a range of 10.128.0.0/9 (10.128.0.0 - 10.255.255.255) that cannot be overlapped. Simply setting 'auto' subnet creation of the VPC network to 'custom' will resolve this issue. Do also note this is a one-way change for your VPC network.

Cheers!

Brent
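The two rules described in this thread (an auto-mode network's reserved 10.128.0.0/9 block rejecting any custom static route that overlaps it, and a new subnet range being rejected when it equals or contains an existing custom static route's destination) can be pre-checked locally before running `gcloud compute routes create` or adding a subnet. The following is an added example written for this page, not code from the original posts or from Google; the `Vpc` model, the `check_static_route` and `check_subnet` functions, and the assumption that the auto-mode rule is a plain overlap test against 10.128.0.0/9 (consistent with the /32 in the question failing) are all assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Auto-mode VPC networks draw their automatically created regional subnets from
# 10.128.0.0/9; this is the "reserved address space" named in the console error.
AUTO_MODE_RESERVED = ipaddress.ip_network("10.128.0.0/9")


@dataclass
class Vpc:
    """Minimal model of a VPC network (hypothetical, for this pre-check only)."""
    name: str
    auto_mode: bool
    subnets: List[str] = field(default_factory=list)        # existing subnet CIDRs
    static_routes: List[str] = field(default_factory=list)  # existing custom static route destinations


def _net(cidr: str) -> ipaddress.IPv4Network:
    # strict=False so host-style input such as 10.130.90.82/32 is accepted
    return ipaddress.ip_network(cidr, strict=False)


def check_static_route(vpc: Vpc, dest_range: str) -> Optional[str]:
    """Return None if a custom static route to dest_range may be created,
    otherwise a message mirroring the console error. Assumed rule: in an
    auto-mode network any destination overlapping 10.128.0.0/9 is rejected."""
    dest = _net(dest_range)
    if vpc.auto_mode and dest.overlaps(AUTO_MODE_RESERVED):
        return (f"{dest} hides the reserved address space for network "
                f"({AUTO_MODE_RESERVED}); switch {vpc.name} to custom subnet mode first.")
    return None


def check_subnet(vpc: Vpc, subnet_range: str) -> Optional[str]:
    """Return None if a subnet with subnet_range may be added, otherwise why not.
    Implements the rule from the first answer: a subnet may not exactly match
    or contain an existing custom static route destination; it also rejects
    overlap with an existing subnet."""
    new = _net(subnet_range)
    for route in vpc.static_routes:
        r = _net(route)
        if r.subnet_of(new):  # equal to, or contained in, the proposed subnet
            return f"subnet {new} would contain custom static route {r}"
    for existing in vpc.subnets:
        if new.overlaps(_net(existing)):
            return f"subnet {new} overlaps existing subnet {existing}"
    return None


if __name__ == "__main__":
    # Constructed sample: the asker's auto-mode 'default' network with its us-east1 subnet.
    default_vpc = Vpc("default", auto_mode=True, subnets=["10.142.0.0/20"])
    print(check_static_route(default_vpc, "10.130.90.82/32"))  # rejected
    custom_vpc = Vpc("default", auto_mode=False, subnets=["10.142.0.0/20"])
    print(check_static_route(custom_vpc, "10.130.90.82/32"))   # None: allowed after the switch
```

The one-way change the second answer refers to is `gcloud compute networks update NETWORK --switch-to-custom-subnet-mode`; running the pre-check above first tells you whether that switch (rather than a genuinely overlapping subnet) is what stands between you and the route.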