Set up a GCP VPC peering connection

Uses: Kong Gateway

Deployment Platform:

Prerequisites

Dedicated Cloud Gateway

This is a Konnect tutorial that requires Dedicated Cloud Gateways access.

If you don’t have a Konnect account, you can get started quickly with our onboarding wizard.

The following Konnect items are required to complete this tutorial:
- Personal access token (PAT): Create a new personal access token by opening the Konnect PAT page and selecting Generate Token.
- Dedicated Cloud Gateway Control Plane Dedicated Cloud Gateway: You can use an existing Dedicated Cloud Gateway or create a new one to use for this tutorial.
- Network ID: The default Dedicated Cloud Gateway network ID can be found in Gateway Manager > Network

Set these values as environment variables:

 export KONNECT_TOKEN='YOUR KONNECT TOKEN'
 export KONNECT_NETWORK_ID='KONNECT NETWORK ID'

GCP credentials and VPC

Set up a GCP account with the Compute Network Admin role (roles/compute.networkAdmin) or the following custom permissions:

compute.networks.addPeering
compute.networks.updatePeering
compute.networks.removePeering
compute.networks.listPeeringRoutes

Initiate the VPC peering connection

Export the following values as environment variables, setting your own custom values:

export GCP_VPC_PEERING_NAME='gcp vpc peering'
export GCP_PROJECT_ID='my-gcp-vpc-project'
export GCP_VPC_NAME='my-gcp-vpc-name'

Where:

VPC Peering Name: A unique name to identify this VPC peering connection.
Project ID: ID of your GCP project that contains the VPC you want to peer with Kong.
VPC Name: Name of your VPC network in GCP for the peering connection.

Next, send the following request to the Cloud Gateways API:

 curl -X POST "https://global.api.konghq.com/v2/cloud-gateways/networks/$KONNECT_NETWORK_ID/transit-gateways" \
     -H "Authorization: Bearer $KONNECT_TOKEN"\
     -H "Accept: application/json"\
     -H "Content-Type: application/json" \
     --json '{
       "name": "'$GCP_VPC_PEERING_NAME'",
       "transit_gateway_attachment_config": {
         "kind": "gcp-vpc-peering-attachment",
         "peer_project_id": "'$GCP_PROJECT_ID'",
         "peer_vpc_name": "'$GCP_VPC_NAME'"
       }
     }'

Create a VPC peering resource in GCP

In Konnect, you need to retrieve two pieces of data: the provider account ID and the VPC ID.

First, make a GET request to the Konnect Cloud Gateways API using the /provider-accounts endpoint:

 curl -X GET "https://global.api.konghq.com/v2/cloud-gateways/provider-accounts" \
     -H "Authorization: Bearer $KONNECT_TOKEN"\
     -H "Accept: application/json"\
     -H "Content-Type: application/json"

Save the provider_account_id from the output:

export PROVIDER_ACCOUNT_ID='your-provider-account-id'

Next, make a GET request to the /networks endpoint:

 curl -X GET "https://global.api.konghq.com/v2/cloud-gateways/networks" \
     -H "Authorization: Bearer $KONNECT_TOKEN"\
     -H "Accept: application/json"\
     -H "Content-Type: application/json"

Save the provider_metadata.vpc_id from the output:

export PROVIDER_VPC_ID='your-provider-vpc-id'

In the GCP console, run the following command:

gcloud compute networks peerings create $GCP_VPC_PEERING_NAME \
  --network=$GCP_VPC_NAME \
  --peer-project=$PROVIDER_ACCOUNT_ID \
  --peer-network=$PROVIDER_VPC_ID \
  --stack-type=IPV4_ONLY \
  --import-custom-routes \
  --export-custom-routes \
  --import-subnet-routes-with-public-ip \
  --export-subnet-routes-with-public-ip \
  --project=$GCP_PROJECT_ID

Konnect generates a command with all of the required values populated. Copy the generated command and run it in the GCP console.

The command will look something like this:

gcloud compute networks peerings create $GCP_VPC_PEERING_NAME \
  --network=$GCP_VPC_NAME \
  --peer-project=$PROVIDER_ACCOUNT_ID \
  --peer-network=$PROVIDER_VPC_ID \
  --stack-type=IPV4_ONLY \
  --import-custom-routes \
  --export-custom-routes \
  --import-subnet-routes-with-public-ip \
  --export-subnet-routes-with-public-ip \
  --project=$GCP_PROJECT_ID

Make sure that your VPC ranges don’t conflict with the Cloud Gateway Network VPC range.

The peering connection status will initially show as Initializing and should change to Ready once peering is successfully established on both GCP and Kong.

Validation

To validate that everything was configured correctly, issue a GET request to the /transit-gateways endpoint to retrieve VPC peering information:

 curl -X GET "https://global.api.konghq.com/v2/cloud-gateways/networks/$KONNECT_NETWORK_ID/transit-gateways" \
     -H "Authorization: Bearer $KONNECT_TOKEN"