google-cloud-platform, google-cloud-networking, google-cloud-vpn

GCP Classic VPN requires project's default network tier to be "Premium"?


I am trying to set up a site-2-site VPN between my on-prem setup and a GCP VPC using the Route-based Classic VPN option.

Now whatever inputs I try to give in this setup, I am consistently facing this error about the default network tier of the project being Standard.

STANDARD network tier (the project's default network tier) is not supported: The network tier of specified IP address is PREMIUM, that of Forwarding Rule must be the same.

From the GCP Docs, I know that Standard network tier does not support VPN gateways. Also if I try to create an IP for the VPN gateway from this Classic VPN setup wizard, the IP is provisioned from Premium network tier only.

I also thought of somehow explicitly specifying the network tier to be Premium for the VPN setup, but there does not seem to be any such option in the Google console, while this is perfectly valid when creating VM instances, i.e. I can easily select the network tier for my VM whatever the default network tier of my project is.

This behavior seems uncommon. It looks like Classic VPN setup wants my project’s default tier to be Premium, which makes little sense to me. I need some confirmation on this behavior and that I am not doing something wrong. Also is there any other way with which I can specify the network tier for the VPN gateway when setting up a Classic VPN on GCP?


EDIT:

Only static routing is supported from my on-prem side of the VPN gateway, so I cannot use HA VPN. Also, Classic VPN deprecation is only for the dynamic routing configuration, so my configuration is safe for now, I think.

It is not a hard requirement to use Standard tier for the VPN setup. Just that while attempting to configure it, I faced this conflict. I am trying to set up a VPN between my company’s side network and a GCP VPC. Currently the default network tier of the project (where the VPC resides) is Standard, and it is highly unlikely that it will be changed to Premium for this requirement. I think the better option would be to create a separate project and have Premium network tier as default there.

I wanted some confirmation that the error I am facing is indeed a problem in the console flow and that I am not missing something, like if it would be possible to specify some other parameters to make Classic VPN setup wizard succeed and use Premium network tier (or whatever its other requirements are).

In short, I am not able to set up Classic VPN on the GCP side using the wizard, and the error reported seems to indicate that the default tier of the project being Standard is the problem. Now, since I can still create VMs using the Premium network tier in this project without any problem, shouldn’t it be possible for the VPN setup also?


Solution

  • Since I was facing the consistent error while using the Classic VPN WebUI wizard, I went the CLI way and used the gcloud utility to create the VPN resources tied to the Premium network tier. I was able to create VPN resources this way, while the project’s default network tier was still set to Standard.
    Ref: ( https://cloud.google.com/network-connectivity/docs/vpn/how-to/creating-static-vpns#creating_a_gateway_and_tunnel ).

    Note: My current GCP project still has default network tier as Standard.

    1. A simple VPN gateway (nothing specific to any network tier):

       gcloud compute target-vpn-gateways create GW_NAME \
           --network=NETWORK \
           --region=REGION \
           --project=PROJECT_ID

    2. Reserved an IP with network tier as Premium.
    3. Then created the 3 forwarding rules (note the network tier is being explicitly specified as Premium here):

       gcloud compute forwarding-rules create fr-GW_NAME-esp \
           --load-balancing-scheme=EXTERNAL \
           --network-tier=PREMIUM \
           --ip-protocol=ESP \
           --address=GW_IP_NAME \
           --target-vpn-gateway=GW_NAME \
           --region=REGION \
           --project=PROJECT_ID

       gcloud compute forwarding-rules create fr-GW_NAME-udp500 \
           --load-balancing-scheme=EXTERNAL \
           --network-tier=PREMIUM \
           --ip-protocol=UDP \
           --ports=500 \
           --address=GW_IP_NAME \
           --target-vpn-gateway=GW_NAME \
           --region=REGION \
           --project=PROJECT_ID

       gcloud compute forwarding-rules create fr-GW_NAME-udp4500 \
           --load-balancing-scheme=EXTERNAL \
           --network-tier=PREMIUM \
           --ip-protocol=UDP \
           --ports=4500 \
           --address=GW_IP_NAME \
           --target-vpn-gateway=GW_NAME \
           --region=REGION \
           --project=PROJECT_ID

    4. Tunnels can be configured now with CLI as well as WebUI.

    Now coming to what looks to be the issue with WebUI wizard:

    While running gcloud commands for setting up the forwarding rules, if I specify the network tier as Standard (--network-tier=STANDARD), I get almost the same error as the one I faced with the WebUI wizard.

    ERROR: (gcloud.compute.forwarding-rules.create) Could not fetch resource:
     - The network tier of specified IP address is PREMIUM, that of Forwarding Rule must be the same.
    

    And if I do not specify the network tier in arguments, then I get exactly the same error that I faced with WebUI wizard.

    ERROR: (gcloud.compute.forwarding-rules.create) Could not fetch resource:
     - STANDARD network tier (the project's default network tier) is not supported: The network tier of specified IP address is PREMIUM, that of Forwarding Rule must be the same.
    

    This leads me to believe that there is a bug in GCP WebUI, that while creating the Classic VPN using the wizard, it does not specify the required network tier as Premium to its internal calls. And by default, project’s default network tier i.e. Standard is picked up, which eventually fails since VPN resources are not supported with Standard network tier.

    Also later, after some requests, I was able to get my hands on another GCP project where the default network tier is Premium. The Classic VPN setup wizard was successful there.

    In conclusion, I have found that it is indeed the case that GCP Classic VPN setup using WebUI wizard won’t be successful if project’s default network tier is set to Standard.
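
The sequence from the answer above as one script, given here as an added example that is not part of the original answer. It prints the commands unless APPLY=1 is set, and `tier_ok` models the rule that both error messages report: a forwarding rule without `--network-tier` takes the project's default tier, which must match the tier of the address. The default names, the `addresses create` command for the answer's second step, and the `defaultNetworkTier` lookup are assumptions added for illustration.

```shell
#!/bin/sh
# Added example, not the answerer's script. Defaults below are constructed
# stand-ins for the page's GW_NAME, GW_IP_NAME, NETWORK, REGION, PROJECT_ID.
GW_NAME="${GW_NAME:-example-gw}"
GW_IP_NAME="${GW_IP_NAME:-example-gw-ip}"
NETWORK="${NETWORK:-example-vpc}"
REGION="${REGION:-example-region}"
PROJECT_ID="${PROJECT_ID:-example-project}"

# Tier a forwarding rule ends up with: the --network-tier value if given ($1),
# otherwise the project's default network tier ($2).
effective_tier() { if [ -n "$1" ]; then echo "$1"; else echo "$2"; fi; }

# tier_ok ADDRESS_TIER FLAG PROJECT_DEFAULT
# Succeeds only when the rule's effective tier equals the address's tier.
tier_ok() { [ "$(effective_tier "$2" "$3")" = "$1" ]; }

# Print the command by default; execute it only when APPLY=1.
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

# fwd_rule SUFFIX PROTOCOL [PORT]: one forwarding rule, tier pinned to PREMIUM.
fwd_rule() {
  run gcloud compute forwarding-rules create "fr-${GW_NAME}-$1" \
    --load-balancing-scheme=EXTERNAL --network-tier=PREMIUM \
    --ip-protocol="$2" ${3:+--ports="$3"} --address="$GW_IP_NAME" \
    --target-vpn-gateway="$GW_NAME" --region="$REGION" --project="$PROJECT_ID"
}

provision() {
  run gcloud compute target-vpn-gateways create "$GW_NAME" \
    --network="$NETWORK" --region="$REGION" --project="$PROJECT_ID"
  run gcloud compute addresses create "$GW_IP_NAME" \
    --network-tier=PREMIUM --region="$REGION" --project="$PROJECT_ID"
  fwd_rule esp ESP
  fwd_rule udp500 UDP 500
  fwd_rule udp4500 UDP 4500
}

if [ "${APPLY:-0}" = 1 ]; then
  # An unset project default is treated as PREMIUM (assumption noted above).
  default=$(gcloud compute project-info describe --project="$PROJECT_ID" \
    --format='value(defaultNetworkTier)')
  tier_ok PREMIUM "" "${default:-PREMIUM}" ||
    echo "project default tier is $default: explicit --network-tier is required" >&2
fi
provision
```
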