2

I am trying to set up a site-2-site VPN between my on-prem setup and a GCP VPC using the Route-based Classic VPN option.

Now whatever inputs I try to give in this setup, I am consistently facing this error about the default network tier of the project being Standard.

```
STANDARD network tier (the project's default network tier) is not supported: The network tier of specified IP address is PREMIUM, that of Forwarding Rule must be the same.
```

From the GCP Docs, I know that Standard network tier does not support VPN gateways. Also if I try to create an IP for the VPN gateway from this Classic VPN setup wizard, the IP is provisioned from Premium network tier only.

I also thought of somehow explicitly specifying the network tier to be Premium for the VPN setup, but there does not seem to be any such option in the Google console, while this is perfectly valid when creating VM instances, i.e. I can easily select the network tier for my VM whatever the default network tier of my project is.

This behavior seems uncommon. It looks like Classic VPN setup wants my project’s default tier to be Premium, which makes little sense to me. I need some confirmation on this behavior and that I am not doing something wrong. Also is there any other way with which I can specify the network tier for the VPN gateway when setting up a Classic VPN on GCP?


EDIT:

Only static routing is supported from my on-prem side of the VPN gateway, so I cannot use HA VPN. Also, Classic VPN deprecation is only for the dynamic routing configuration, so my configuration is safe for now, I think.

It’s not a hard requirement to use Standard tier for the VPN setup. Just that while attempting to configure it, I faced this conflict. I am trying to set up a VPN between my company’s side network and the GCP VPC. Currently the default network tier of the project (where the VPC resides) is Standard, and it is highly unlikely that it will be changed to Premium for this requirement. I think the better option would be to create a separate project and have Premium network tier as default there.

I wanted some confirmation that the error I am facing is indeed a problem in the console flow and that I am not missing something, like if it would be possible to specify some other parameters to make Classic VPN setup wizard succeed and use Premium network tier (or whatever its other requirements are).

In short, I am not able to set up Classic VPN on the GCP side using the wizard, and the error reported seems to indicate that the default tier of the project being Standard is the problem. Since I can still create VMs using Premium network tier in this project without any problem, shouldn’t it be possible for the VPN setup also?

Wytrzymały Wiktor
  • [Classic VPN](https://cloud.google.com/network-connectivity/docs/vpn/concepts/classic-topologies) will be deprecated on 31.03.2022. Why not `HA VPN`? In [Network Service Tiers overview](https://cloud.google.com/network-tiers/docs/overview), Standard tier is mainly for `Traffic between the internet and VM instances in your VPC network is routed over the internet in general` and `For services hosted entirely within a region`. If I understand, you want to connect your home machine with GCP using Classic Cloud VPN using Standard Tier? Could you elaborate on how you want to configure this connection? – PjoterS Dec 06 '21 at 08:22
  • @PjoterS, I have edited the question to address your queries – VISHAL SINGH Dec 06 '21 at 12:58
  • 1
    So in short, you want to connect your corporate network to GCP Cloud. Could you share how your company network is configured (without private/sensitive info)? Do you have some dedicated server for this VPN tunnel? Do you have a static IP? Are your VMs in one VPC or in multiple VPCs? Could you elaborate on what you mean by using the `Premium` network tier? You mean to switch Standard to Premium, create a VPN gateway and then switch again to default? When changing the tier: `New resources will use the selected tier by default (existing resources won’t change tiers)`. Did you try this? – PjoterS Dec 07 '21 at 11:02
  • @PjoterS I was able to set up the VPN resources. And I think I know what is possibly the issue. I have documented all the findings as the answer to this question. – VISHAL SINGH Dec 14 '21 at 21:37

2 Answers

0

OP wants to connect a corporate network with Google Cloud Platform site-to-site using Classic VPN with static routing (some of the features will be deprecated on March 31, 2022; for more details, check this doc. Due to that change, GCP advises using HA VPN).

In the Classic VPN topology, it's required to use a Cloud VPN Gateway (at least on the GCP side), which on Google Cloud Platform is available only in the Premium Network Tier (which is also recommended by default). Otherwise you will get an error like OP's:

```
STANDARD network tier (the project's default network tier) is not supported: The network tier of specified IP address is PREMIUM, that of Forwarding Rule must be the same.
```

However, there is a possibility to switch between Network Tiers. When changing the tier, you will get a pop-up with this information:

New resources will use the selected tier by default (existing resources won’t change tiers)

It indicates that you can switch between tiers, and resources created in a specific tier won't change when you change the Network Tier. Not sure if this would work in this setup, depending on the corporate network/environment configuration.

Solution:

As Classic VPN site-to-site requires a Cloud VPN Gateway, you need to create this resource on Premium Tier, not Standard.

It's impossible to provide a full solution, as the on-premises configuration is a corporate network with its own specific security/configuration. It also depends on the OP's permissions in the GCP project.

Additional docs

PjoterS
0

Since I was facing the consistent error while using the Classic VPN WebUI wizard, I went the CLI way and used the gcloud utility to create the VPN resources tied to Premium network tier. I was able to create VPN resources this way, while the project’s default network tier was still set to Standard.
Ref: https://cloud.google.com/network-connectivity/docs/vpn/how-to/creating-static-vpns#creating_a_gateway_and_tunnel

Note: My current GCP project still has default network tier as Standard.

  1. A simple VPN gateway (nothing specific to any network tier):

     ```
     gcloud compute target-vpn-gateways create GW_NAME \
         --network=NETWORK \
         --region=REGION \
         --project=PROJECT_ID
     ```

  2. Reserved an IP with network tier as Premium.
  3. Then created the 3 forwarding rules (note that the network tier is being explicitly specified as Premium here):

     ```
     gcloud compute forwarding-rules create fr-GW_NAME-esp \
         --load-balancing-scheme=EXTERNAL \
         --network-tier=PREMIUM \
         --ip-protocol=ESP \
         --address=GW_IP_NAME \
         --target-vpn-gateway=GW_NAME \
         --region=REGION \
         --project=PROJECT_ID

     gcloud compute forwarding-rules create fr-GW_NAME-udp500 \
         --load-balancing-scheme=EXTERNAL \
         --network-tier=PREMIUM \
         --ip-protocol=UDP \
         --ports=500 \
         --address=GW_IP_NAME \
         --target-vpn-gateway=GW_NAME \
         --region=REGION \
         --project=PROJECT_ID

     gcloud compute forwarding-rules create fr-GW_NAME-udp4500 \
         --load-balancing-scheme=EXTERNAL \
         --network-tier=PREMIUM \
         --ip-protocol=UDP \
         --ports=4500 \
         --address=GW_IP_NAME \
         --target-vpn-gateway=GW_NAME \
         --region=REGION \
         --project=PROJECT_ID
     ```

  4. Tunnels can be configured now with CLI as well as WebUI.

Now coming to what looks to be the issue with the WebUI wizard:

While running gcloud commands for setting up the forwarding rules, if I specify the network tier as Standard (`--network-tier=STANDARD`), I get almost the same error as the one I faced with the WebUI wizard.

```
ERROR: (gcloud.compute.forwarding-rules.create) Could not fetch resource:
 - The network tier of specified IP address is PREMIUM, that of Forwarding Rule must be the same.
```

And if I do not specify the network tier in arguments, then I get exactly the same error that I faced with the WebUI wizard.

```
ERROR: (gcloud.compute.forwarding-rules.create) Could not fetch resource:
 - STANDARD network tier (the project's default network tier) is not supported: The network tier of specified IP address is PREMIUM, that of Forwarding Rule must be the same.
```

This leads me to believe that there is a bug in GCP WebUI, that while creating the Classic VPN using the wizard, it does not specify the required network tier as Premium to its internal calls. And by default, project’s default network tier i.e. Standard is picked up, which eventually fails since VPN resources are not supported with Standard network tier.

Also later, after some requests, I was able to get my hands on another GCP project where the default network tier is Premium. The Classic VPN setup wizard was successful there.

In conclusion, I have found that it is indeed the case that GCP Classic VPN setup using WebUI wizard won’t be successful if project’s default network tier is set to Standard.
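
The tier rule behind both error messages, as an added example that is not part of the answer above or of any Google tooling: a forwarding rule takes the explicit `--network-tier` if given, otherwise the project default, and creation fails unless that matches the reserved address's tier. The function names and the `--live` switch are hypothetical; `GW_NAME`, `GW_IP_NAME`, `REGION` and `PROJECT_ID` are the answer's placeholders, read here as environment variables; treating an empty `defaultNetworkTier` as Premium is an assumption.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not gcloud features.

# Tier a forwarding rule is created with: the explicit --network-tier value
# if one is given, otherwise the project's default tier.
effective_tier() {   # $1 = explicit tier (may be empty), $2 = project default
  if [ -n "$1" ]; then echo "$1"; else echo "$2"; fi
}

# Succeeds only when the rule's tier equals the reserved address's tier,
# the condition both error messages above report as violated.
tier_matches() {     # $1 = explicit tier, $2 = project default, $3 = address tier
  [ "$(effective_tier "$1" "$2")" = "$3" ]
}

# Print the three Classic VPN forwarding-rule commands with the tier pinned,
# so the project default is never consulted.
vpn_fr_commands() {  # $1 = gateway, $2 = address name, $3 = region, $4 = project
  for spec in esp:ESP: udp500:UDP:500 udp4500:UDP:4500; do
    suffix=${spec%%:*}; rest=${spec#*:}
    proto=${rest%%:*};  port=${rest#*:}
    printf 'gcloud compute forwarding-rules create fr-%s-%s' "$1" "$suffix"
    printf ' --load-balancing-scheme=EXTERNAL --network-tier=PREMIUM'
    printf ' --ip-protocol=%s' "$proto"
    if [ -n "$port" ]; then printf ' --ports=%s' "$port"; fi
    printf ' --address=%s --target-vpn-gateway=%s --region=%s --project=%s\n' \
      "$2" "$1" "$3" "$4"
  done
}

# Live pre-flight: runs only as "script --live" with gcloud installed.
if [ "${1:-}" = "--live" ] && command -v gcloud >/dev/null 2>&1; then
  default=$(gcloud compute project-info describe --project="$PROJECT_ID" \
              --format='value(defaultNetworkTier)')
  default=${default:-PREMIUM}   # assumption: unset project default means Premium
  addr=$(gcloud compute addresses describe "$GW_IP_NAME" --region="$REGION" \
              --project="$PROJECT_ID" --format='value(networkTier)')
  tier_matches "" "$default" "$addr" ||
    echo "default $default != address $addr: pass --network-tier explicitly" >&2
  vpn_fr_commands "$GW_NAME" "$GW_IP_NAME" "$REGION" "$PROJECT_ID"
fi
```

Without `--live` the script only defines the functions; with it, the warning fires in exactly the Standard-default project described above, and the printed commands carry the explicit tier.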