A company runs a GKE cluster in a private cluster mode (no public endpoint) in a custom VPC. The cluster nodes are in a subnet that uses a secondary IP range for pods. The company needs the pods to access an on-premises service over a Cloud VPN connection that terminates in a different region. The on-premises service IP range is 10.100.0.0/16. The VPC has a route for 10.100.0.0/16 pointing to the VPN gateway. However, pods cannot reach the on-premises service. The GKE cluster is configured with a Cloud NAT for outbound internet access. The pod IP range is 10.200.0.0/16. Which step is required to allow pod traffic to reach the on-premises network?
Correct: this ensures traffic from pods to on-premises is routed via VPN.
Why this answer
The VPC has a route for the on-premises range (10.100.0.0/16) pointing to the VPN gateway, but the GKE cluster's pod IP range (10.200.0.0/16) is not part of the VPC's primary or secondary subnet ranges. By default, GKE pods use IP addresses from a secondary IP range that is not automatically advertised over Cloud VPN. Adding a static route in the VPC for 10.200.0.0/16 with next hop set to the VPN gateway ensures that traffic from pods to the on-premises network is forwarded through the VPN tunnel, allowing the on-premises routers to learn the pod subnet and route return traffic back.
Exam trap
Google Cloud often tests the misconception that firewall rules or NAT configuration are the primary solution for connectivity issues, when in fact the missing route for the pod IP range to the VPN gateway is the root cause.
How to eliminate wrong answers
Option A is wrong because Cloud NAT is used for outbound internet access and translates pod IPs to node IPs for internet-bound traffic, not for on-premises traffic over VPN; using NAT for VPN traffic would break return routing and is unnecessary. Option C is wrong because disabling IP masquerade would cause pod traffic to use pod IPs directly, but the core issue is the lack of a route for the pod IP range to the VPN gateway, not the masquerade behavior. Option D is wrong because firewall rules control which traffic is allowed, but the problem is that traffic is not being routed to the VPN gateway at all; a firewall rule alone cannot fix a missing route.