If you have ever wondered why your VMs can’t communicate to each other even though everything is connected, you’re not alone. It took me a few tries to understand how VPC peering actually works in Google Cloud Platform.

This guide walks through a real-world scenario: three VPCs that need selective connectivity. We’ll use a PostgreSQL database to prove what works and what doesn’t when dealing with non-transitive routing — something that matters when you’re connecting multiple VPCs together.

What We’re Building

We’re setting up three Virtual Private Cloud networks:

Platform VPC: Running an application server that needs database access
Data VPC: Hosting a PostgreSQL database (because sensitive data deserves its own network)
Security VPC: A separate monitoring/auditing environment

We’ll peer Platform ↔ Data and Data ↔ Security, but Platform will NOT be able to reach Security even though they’re both connected to Data. That’s non-transitive routing.

Architecture Overview

Here’s what the network topology looks like:

Key components:

VPC Peering connections: Layer 3 network connectivity using internal IP addresses. No gateways, VPN devices, or separate network appliances required.
Cloud NAT: Provides outbound internet access for VMs without external IPs. Essential for apt-get package installation during startup.
IAP (Identity-Aware Proxy): SSH access without exposing port 22 to the internet. Traffic tunnels through Google’s infrastructure.
Firewall rules: Allow ICMP (ping), SSH via IAP (tcp/22 from 35.235.240.0/20), PostgreSQL (tcp/5432), and HTTP (tcp/80) between peered networks.

Why This Matters

In production environments, you can’t just throw everything into one giant VPC. Different teams own different resources. Compliance requirements demand network isolation. But services still need to communicate.

VPC peering gives you that selective connectivity. It’s faster than VPN tunnels (no encryption overhead), cheaper than Shared VPC for multi-tenant scenarios, and more secure than assigning public IPs to all resources.

What is VPC Peering?

VPC Network Peering connects two Virtual Private Cloud networks so that resources in each network can communicate using private IP addresses. Traffic stays within Google’s network and doesn’t traverse the public internet.

How it works:

Google automatically adds each VPC’s subnet routes to the peer network’s routing table
No gateways, VPN tunnels, or extra network devices required
Works across different GCP projects and organizations
No bandwidth bottlenecks or single points of failure

The critical concept: Non-transitive routing

This is what we’ll prove in this demo. From Google Cloud documentation:

VPC Network Peering is not transitive. If VPC network N1 is peered with N2, and N2 is peered with N3, there is no connectivity between N1 and N3 unless you explicitly create a peering connection between them.

In practical terms:

If Platform peers with Data, and Data peers with Security → Platform CANNOT reach Security
Each peering is an isolated connection
You must create direct peering between every VPC pair that needs connectivity

This design is intentional for security and network isolation. You’ll see this behavior firsthand in Step 8.

Prerequisites

You’ll need:

A GCP project with billing enabled
gcloud CLI installed and authenticated
Terraform >= 1.0

Step 1: Clone and Prepare

Clone the repository:

git clone https://github.com/misskecupbung/gcp-vpc-peering.git
cd ~/gcp-vpc-peering/

Step 2: Enable APIs

Set your project ID and enable required APIs:

export PROJECT_ID="your-project-id"
gcloud config set project $PROJECT_ID

gcloud services enable compute.googleapis.com
gcloud services enable iap.googleapis.com

These APIs are required for:

compute.googleapis.com: VPCs, subnets, VMs, firewall rules, Cloud NAT
iap.googleapis.com: Identity-Aware Proxy for SSH access without external IPs

Step 3: Configure Terraform Variables

Navigate to the Terraform directory and set up your configuration:

cd ~/gcp-vpc-peering/terraform

cp terraform.tfvars.example terraform.tfvars

# Update the project ID in `terraform.tfvars`
sed -i "s/your-project-id/$PROJECT_ID/" terraform.tfvars

# Verify the configuration:
cat terraform.tfvars

You should see your actual project ID in the file.

Step 4: Deploy the Infrastructure

Initialize Terraform:

terraform init

Run the command below to see what resources will be created:

terraform plan

And then apply:

terraform apply

Type yes when prompted. This creates:

3 VPCs with subnets in us-central1
VPC peering connections (Platform ↔ Data, Data ↔ Security)
Cloud NAT gateways (VMs need internet for package downloads)
3 Compute Engine VMs without external IPs
Firewall rules allowing ICMP, SSH via IAP, and PostgreSQL (port 5432)

The apply takes about 2–3 minutes. After that, wait another 2–3 minutes for the startup scripts to install packages and configure PostgreSQL.

Note: VPC peering might show INACTIVE immediately after creation. Wait 30–60 seconds and run terraform refresh — peering connections need a moment to establish.

Check the outputs:

terraform output

You’ll see the internal IPs and peering status (should be ACTIVE).

Verify Peering Status

Before testing connectivity, confirm that all VPC peering connections are active:

gcloud compute networks peerings list --network=vpc-platform
gcloud compute networks peerings list --network=vpc-data
gcloud compute networks peerings list --network=vpc-security

You should see output like:

All peering connections should show STATE: ACTIVE

You can also check peering status in the Google Cloud Console:

Go to VPC network → VPC network peering in the Cloud Console and you’ll see all peering connections listed

Each peering appears twice (once from each VPC’s perspective):

peering-platform-data(vpc-platform → vpc-data)
peering-data-platform (vpc-data → vpc-platform)
peering-data-security (vpc-data → vpc-security)
peering-security-data (vpc-security → vpc-data)

Step 5: Verify Basic Connectivity

Let’s check if app-vm in Platform VPC can reach data-vm in Data VPC (they’re peered):

cd ~/gcp-vpc-peering/terraform

DATA_VM_IP=$(terraform output -raw data_vm_ip)

# Ping
gcloud compute ssh app-vm --zone=us-central1-a --tunnel-through-iap \
    --command="ping -c 3 $DATA_VM_IP"

You should see successful ping responses:

Now try with curl:

cd ~/gcp-vpc-peering/terraform

DATA_VM_IP=$(terraform output -raw data_vm_ip)

# HTTP (nginx)
gcloud compute ssh app-vm --zone=us-central1-a --tunnel-through-iap \
    --command="curl -s http://$DATA_VM_IP"

You’ll see Hello from data-vm. The VPC peering works.

View Peering Routes in Console

To see how VPC peering creates routes automatically:

Go to VPC network → Routes
Filter by Network→ Select vpc-data (for example)
You’ll see routes like:

Destination: 10.1.0.0/24 (vpc-data subnet) → Next hop: Peering to vpc-platform
Destination: 10.3.0.0/24 (vpc-platform subnet) → Next hop: Peering to vpc-security

These routes are automatically created by GCP when you establish peering. You can’t edit or delete them manually — they exist as long as the peering exists.

Step 6: Test the PostgreSQL Database

Here’s where it gets interesting. Our data-vm is running PostgreSQL with a sample database. Let’s first check if PostgreSQL is accepting connections:

cd ~/gcp-vpc-peering/terraform

DATA_VM_IP=$(terraform output -raw data_vm_ip)

# Check if PostgreSQL port is reachable
gcloud compute ssh app-vm --zone=us-central1-a --tunnel-through-iap \
    --command="pg_isready -h $DATA_VM_IP -U appuser"

Expected output: 10.2.0.2:5432 — accepting connections

This confirms:

Network path exists between VPCs (peering works)
PostgreSQL is listening on port 5432
Firewall allows TCP:5432 traffic

Now query the sample data:

gcloud compute ssh app-vm --zone=us-central1-a --tunnel-through-iap \
    --command="PGPASSWORD=changeme123 psql -h $DATA_VM_IP -U appuser -d appdb -c 'SELECT * FROM orders;'"

You should see order data:

This proves that:

Network connectivity works across VPC peering
PostgreSQL is configured correctly for remote access
The firewall rule allows TCP/5432 between peered VPCs

View Firewall Rules in Console

To see which firewall rules allow this cross-VPC database access:

Go to VPC network → Firewall
Filter by Network → Select vpc-data
You’ll see these rules:

data-allow-from-platform : Allows traffic from 10.1.0.0/24 (vpc-platform)
data-allow-from-security : Allows traffic from 10.3.0.0/24 (vpc-security)
data-allow-iap: Allows SSH from IAP range (35.235.240.0/20)

4. Click on data-allow-from-platform to see details:

Network: vpc-data
Targets: Apply to all instances in the network
Source IP ranges: 10.1.0.0/24
Protocols and ports: tcp:80, tcp:443, tcp:5432, icmp
Action: Allow
Priority: 1000

This rule allows app-vm (10.1.0.10) in vpc-platform to reach PostgreSQL on data-vm (10.2.0.2:5432).

Similarly, each VPC has specific rules:

vpc-platform: platform-allow-from-data (allows 10.2.0.0/24 → tcp:80,443, icmp), platform-allow-iap
vpc-security: security-allow-from-data (allows 10.2.0.0/24 → tcp:80, icmp), security-allow-iap

Notice how the rules are explicit about which source network can access which ports. This is important for security.

Step 7: Test data-vm → security-vm Connectivity

Let’s verify that data-vm can reach security-vm (they ARE peered):

cd ~/gcp-vpc-peering/terraform

SECURITY_VM_IP=$(terraform output -raw security_vm_ip)

gcloud compute ssh data-vm --zone=us-central1-a --tunnel-through-iap \
    --command="ping -c 3 $SECURITY_VM_IP"

Now try HTTP:

cd ~/gcp-vpc-peering/terraform

SECURITY_VM_IP=$(terraform output -raw security_vm_ip)

gcloud compute ssh data-vm --zone=us-central1-a --tunnel-through-iap \
    --command="curl -s http://$SECURITY_VM_IP"

Expected: Hellow from security-vm

This works because data ↔ security are directly peered.

Step 8: Prove Non-Transitive Routing

Now the key test. Platform is peered with data, data is peered with security. Can platform reach security?

cd ~/gcp-vpc-peering/terraform

SECURITY_VM_IP=$(terraform output -raw security_vm_ip)

# This will FAIL — timeout expected
gcloud compute ssh app-vm --zone=us-central1-a --tunnel-through-iap \
    --command="ping -c 3 -W 3 $SECURITY_VM_IP"

Expected: 100% packet loss. app-vm cannot reach security-vm even though both are peered with vpc-data.

This is non-transitive routing— the most important thing to understand about VPC Peering. Each peering is an independent connection. Traffic does not hop through an intermediate VPC.

platform ↔ data: ✅ peered, direct route exists
data ↔ security: ✅ peered, direct route exists
platform → security: ❌ no peering, no route

If you need platform to reach security, you’d have to create a third peering directly between them.

Verify Non-Transitive Behavior in Console

You can see this in the Cloud Console by checking routes:

1. Go to VPC network → Routes

2. Use the Network filter → Select vpc-platform

3. Filter by Route type → Peering subnet route

You’ll see:

Route to 10.2.0.0/24 (vpc-data) → Next hop: Peering ✅
NO route to 10.3.0.0/24 (vpc-security)

This proves that routes are NOT transitive. vpc-platform only gets routes for directly peered networks.

Step 9: Verify Private Routing

Let’s use traceroute to see the network path:

From app-vm to data-vm (should work):

cd ~/gcp-vpc-peering/terraform

DATA_VM_IP=$(terraform output -raw data_vm_ip)

gcloud compute ssh app-vm --zone=us-central1-a --tunnel-through-iap \
    --command="sudo traceroute -I $DATA_VM_IP"

You should see a single hop — traffic goes directly between VPCs via the peering connection, not through any gateway or public internet.

Cleanup

When you’re done testing, destroy all resources:

cd ~/gcp-vpc-peering/terraform
terraform destroy

Type yes to confirm. This removes all VPCs, VMs, peering connections, and firewall rules.

Resources

<hr><p>Understanding VPC Peering and Non-Transitive Routing in GCP was originally published in Google Cloud - Community on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>