A company runs a GKE cluster in a private cluster mode (no public endpoint) in a custom VPC. The cluster nodes are in a subnet that uses a secondary IP range for pods. The company needs the pods to access an on-premises service over a Cloud VPN connection that terminates in a different region. The on-premises service IP range is 10.100.0.0/16. The VPC has a route for 10.100.0.0/16 pointing to the VPN gateway. However, pods cannot reach the on-premises service. The GKE cluster is configured with a Cloud NAT for outbound internet access. The pod IP range is 10.200.0.0/16. Which step is required to allow pod traffic to reach the on-premises network?
Correct: this ensures traffic from pods to on-premises is routed via VPN.
Why this answer
The VPC has a route for the on-premises range (10.100.0.0/16) pointing to the VPN gateway, but the GKE cluster's pod IP range (10.200.0.0/16) is not part of the VPC's primary or secondary subnet ranges. By default, GKE pods use IP addresses from a secondary IP range that is not automatically advertised over Cloud VPN. Adding a static route in the VPC for 10.200.0.0/16 with next hop set to the VPN gateway ensures that traffic from pods to the on-premises network is forwarded through the VPN tunnel, allowing the on-premises routers to learn the pod subnet and route return traffic back.
How to eliminate wrong answers
Option A is wrong because Cloud NAT is used for outbound internet access and translates pod IPs to node IPs for internet-bound traffic, not for on-premises traffic over VPN; using NAT for VPN traffic would break return routing and is unnecessary. Option C is wrong because disabling IP masquerade would cause pod traffic to use pod IPs directly, but the core issue is the lack of a route for the pod IP range to the VPN gateway, not the masquerade behavior. Option D is wrong because firewall rules control which traffic is allowed, but the problem is that traffic is not being routed to the VPN gateway at all; a firewall rule alone cannot fix a missing route.