We’re experiencing intermittent packet loss between two VPC networks connected via VPC peering after updating our firewall rules last week. The issue affects our production microservices communication.
Our setup uses VPC peering between vpc-prod-us-central and vpc-services-us-central. We recently added new firewall rules to restrict traffic, and now we see 5-15% packet loss during peak hours. VPC Flow Logs show some packets being dropped, but the firewall rules appear correctly configured with proper priority values.
Current firewall rule priorities:
allow-internal-services: priority 1000
allow-peered-traffic: priority 1100
deny-all-ingress: priority 2000
The packet loss is inconsistent - sometimes connections work fine for hours, then suddenly degrade. We’ve verified the peering connection status shows active on both sides. Has anyone dealt with firewall rule precedence issues in VPC peering scenarios?
This is a classic firewall precedence issue. Remember that in GCP, lower priority numbers take precedence. Your allow-peered-traffic at 1100 is being evaluated AFTER the allow-internal-services at 1000. If the internal services rule has a narrow IP range that doesn’t include your peered VPC CIDR, traffic will continue down the chain. Make sure your peered traffic rule has a lower priority number than any restrictive rules and explicitly includes the entire CIDR range of both peered VPCs.
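A quick way to eyeball that is to list the rules on the prod network in evaluation order along with their source ranges and targets. Rough sketch; the network name is from your post and the --filter/--format expressions are just one way to slice it:
# Show rules in priority (evaluation) order with ranges and service-account targets
gcloud compute firewall-rules list \
    --filter="network:vpc-prod-us-central" \
    --format="table(name,priority,direction,sourceRanges.list(),targetServiceAccounts.list())" \
    --sort-by=priority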
We had similar issues last month. Beyond firewall rules, check your subnet routes. VPC peering automatically creates routes, but if you have custom static routes they might interfere. Run ‘gcloud compute routes list’ on both projects and look for conflicts. Also enable detailed VPC Flow Logs sampling at 100% temporarily to capture all dropped packets - the default 10% sampling might miss the pattern.
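For the route check, something like this (project ID is a placeholder) separates the peering-generated routes from custom static ones so you can spot conflicts:
# Routes created by VPC peering have a nextHopPeering value; static routes will not
gcloud compute routes list \
    --project=<prod-project-id> \
    --filter="network:vpc-prod-us-central" \
    --format="table(name,destRange,priority,nextHopPeering,nextHopGateway)"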
I see what happened here. You’re mixing target-based rules with IP-based peering, which creates gaps in coverage. Here’s the comprehensive solution:
VPC Peering Configuration Fix:
First, understand that VPC peering works at the network level, not the instance level. Your firewall rules must accommodate this:
- Firewall Rule Precedence - Restructure your rules with proper priority ordering:
# Priority 900 - explicit allow for peered VPC CIDR ranges
# (network name is from your post; replace the CIDRs with your actual ranges)
gcloud compute firewall-rules create allow-vpc-peering \
    --network=vpc-prod-us-central \
    --direction=INGRESS \
    --priority=900 \
    --source-ranges=10.128.0.0/20,10.138.0.0/20 \
    --allow=tcp,udp,icmp
- VPC Flow Logs Analysis - Enable detailed logging to identify exact drop points:
# prod-subnet is a placeholder; region assumed from the VPC names
gcloud compute networks subnets update prod-subnet \
    --region=us-central1 \
    --enable-flow-logs \
    --logging-aggregation-interval=interval-5-sec \
    --logging-flow-sampling=1.0
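One caveat: the disposition field comes from Firewall Rules Logging rather than VPC Flow Logs, and it has to be enabled per rule. A sketch like this (rule name from your post; the log filter assumes the standard firewall log field layout) helps pin down which rule is doing the denying:
# Turn on logging for the deny rule so denied packets are recorded
gcloud compute firewall-rules update deny-all-ingress --enable-logging

# Pull recent DENIED entries for inspection
gcloud logging read \
    'logName:"compute.googleapis.com%2Ffirewall" AND jsonPayload.disposition="DENIED"' \
    --limit=20 --format=json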
Key insights from your situation:
Root Cause: Your allow-peered-traffic rule at priority 1100 uses service account targeting, so it only applies to instances running as that service account. Traffic from the peered VPC to any instance without that service account never matches the rule and falls through to your deny-all at 2000.
The Fix Strategy:
- Remove service account targets from peering-related rules
- Use source IP ranges matching your peered VPC CIDRs instead
- Set priority below 1000 (I recommend 900) to ensure evaluation before other rules
- Create symmetric rules in BOTH VPCs - ingress in one must match egress in the other
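For the symmetric-rule point, here is a rough sketch of the matching rules in vpc-services-us-central. I'm assuming 10.128.0.0/20 is the prod VPC's range and 10.138.0.0/20 the services VPC's; swap them if it's the other way around:
# Ingress allow in the services VPC for traffic arriving from the prod VPC
gcloud compute firewall-rules create peer-allow-from-prod \
    --network=vpc-services-us-central \
    --direction=INGRESS \
    --priority=900 \
    --source-ranges=10.128.0.0/20 \
    --allow=tcp,udp,icmp

# Egress allow in the services VPC so traffic toward the prod VPC isn't caught by a lower-priority deny
gcloud compute firewall-rules create peer-allow-to-prod \
    --network=vpc-services-us-central \
    --direction=EGRESS \
    --priority=900 \
    --destination-ranges=10.128.0.0/20 \
    --allow=tcp,udp,icmp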
Verification Steps:
- After updating rules, test with ping and traceroute from instances in both VPCs
- Monitor VPC Flow Logs for disposition=ALLOWED on previously dropped flows
- Check packet loss with ping -c 100 <peered-instance-ip> and verify 0% loss
- Confirm rule order with gcloud compute firewall-rules list --sort-by=priority
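If you want the platform to do the analysis for you, a Network Intelligence Center connectivity test traces the path across the peering and reports the exact firewall rule that drops a packet. Rough sketch with placeholder instance URIs; double-check the flag names against the gcloud reference:
gcloud network-management connectivity-tests create peering-check \
    --source-instance=projects/<prod-project-id>/zones/us-central1-a/instances/<prod-instance> \
    --destination-instance=projects/<services-project-id>/zones/us-central1-a/instances/<services-instance> \
    --protocol=TCP \
    --destination-port=443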
Additional Recommendations:
- Document your peering firewall rules separately from instance-level rules
- Use consistent naming: prefix peering rules with ‘peer-’ for clarity
- Set up alerting on VPC Flow Log drops with disposition=DENIED for peered traffic
- Consider using Firewall Insights to identify overly permissive or shadowed rules
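For the alerting recommendation above, a log-based metric is one way to start; the metric name and filter are illustrative, and the disposition field assumes Firewall Rules Logging is enabled on the relevant rules:
# Count DENIED firewall log entries; attach a Cloud Monitoring alert policy to this metric
gcloud logging metrics create peer_traffic_denied \
    --description="Denied packets on peering-related firewall rules" \
    --log-filter='logName:"compute.googleapis.com%2Ffirewall" AND jsonPayload.disposition="DENIED"'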
The intermittent nature you described (working fine, then degrading) fits this picture: GCP firewall rules are stateful, so already-established connections and their return traffic kept working, while new connection attempts that didn't match an allow rule were denied. Under peak load more new connections are opened, so the denials surface as packet loss. This is typical when firewall rules don't properly account for all traffic paths between peered networks.
Thanks for the suggestion. I checked both VPCs and found that vpc-services-us-central has an egress deny rule at priority 1050 that I wasn’t aware of. This could be blocking return traffic. The VPC Flow Logs are showing dropped packets with disposition DENIED in the egress direction from the services VPC. I’m going to adjust the rule priorities to ensure peered traffic is allowed before any deny rules take effect. Will update once I test this.
Good catch on the sampling rate. I increased Flow Logs to 100% and now I can see the exact pattern. Packets are being dropped specifically when they match the deny-all-ingress rule at priority 2000, which means they’re not matching our allow rules properly. The issue is that our allow-peered-traffic rule uses a service account target, but some of our instances don’t have that service account attached.