The background
When IP forwarding is disabled for a Compute Engine VM instance (the default), Google Cloud performs strict source and destination checking on packets: a VM can only send packets whose source address matches an internal IP address of one of its interfaces in the network, and packets are only delivered to a VM if their destination address matches the IP address of one of its interfaces. This means that, by default, a VM cannot forward a packet that originated from another VM.
When a VM is used as the next hop of a route, it needs to receive packets whose destination is not its own address, and since it forwards those packets, their source is not its own internal IP either. To make that work, IP forwarding must be enabled for the VM; Google Cloud then stops enforcing source and destination checking for it. Note that this also removes the anti-spoofing protection for that VM, so the route's scope and the VPC firewall rules applied to the VM should be kept as narrow as the use case allows. This property can be set in the Google Cloud console, through the API, or with Terraform when creating a new VM instance, but for an existing VM instance it can only be changed with gcloud or through the API.
The how
To carry out the task with gcloud, first export the properties of the specific VM instance as shown below.
gcloud compute instances export INSTANCE_NAME \
--project PROJECT_ID \
--zone ZONE \
--destination=FILE_PATH
Edit the file created by the command above as required; for IP forwarding this means setting canIpForward to true. Then check how the new property values affect the existing VM by running the command below.
gcloud compute instances update-from-file INSTANCE_NAME \
--project PROJECT_ID \
--zone ZONE \
--source=FILE_PATH \
--most-disruptive-allowed-action NO_EFFECT
Running the update with NO_EFFECT helps identify misconfigured properties and indicates whether a RESTART or REFRESH action is required to apply the update: if the change cannot be applied without one of those, the command is rejected and the error states the required action. Once this is done, the property change can be carried out predictably with the finalized properties file by specifying the appropriate value for --most-disruptive-allowed-action in the command above.
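The whole procedure scripted end to end, as an added example that is not part of the original post. INSTANCE_NAME, PROJECT_ID and ZONE are placeholders supplied by the caller, the helper names are this example's own, and the export file used by the offline demo is constructed here rather than taken from a real instance; the gcloud calls are only made when the script is given the three instance arguments.

```shell
#!/bin/sh
# Added example (not from the original post): automate the export / edit /
# update-from-file flow for canIpForward on an existing Compute Engine VM.
# Placeholders: INSTANCE_NAME PROJECT_ID ZONE, passed as $1 $2 $3.
set -eu

# Set canIpForward in an exported instance file. The export is YAML with
# canIpForward as a top-level key, so an anchored substitution is enough.
# Echoes the resulting "canIpForward: <value>" line.
set_can_ip_forward() {
    file="$1"; value="$2"
    case "$value" in
        true|false) ;;
        *) echo "value must be true or false, got: $value" >&2; return 1 ;;
    esac
    if grep -q '^canIpForward:' "$file"; then
        # -i.bak works with both GNU and BSD sed; the backup is removed after.
        sed -i.bak "s/^canIpForward: .*/canIpForward: $value/" "$file" && rm -f "$file.bak"
    else
        printf 'canIpForward: %s\n' "$value" >> "$file"
    fi
    grep '^canIpForward:' "$file"
}

# Export the instance, flip the flag, then apply. With the default NO_EFFECT
# gcloud rejects any change that would need REFRESH or RESTART and names the
# action in its error; rerun with that action as $5 to actually apply it.
enable_ip_forwarding() {
    instance="$1"; project="$2"; zone="$3"
    file="${4:-$instance.yaml}"; action="${5:-NO_EFFECT}"
    gcloud compute instances export "$instance" \
        --project "$project" --zone "$zone" --destination="$file"
    set_can_ip_forward "$file" true
    gcloud compute instances update-from-file "$instance" \
        --project "$project" --zone "$zone" --source="$file" \
        --most-disruptive-allowed-action "$action"
}

if [ "$#" -ge 3 ]; then
    enable_ip_forwarding "$@"
else
    # Offline demo on a constructed export file (no gcloud needed).
    demo=$(mktemp)
    cat > "$demo" <<'EOF'
canIpForward: false
machineType: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/machineTypes/e2-medium
name: INSTANCE_NAME
zone: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE
EOF
    set_can_ip_forward "$demo" true
    rm -f "$demo"
fi
```

Run it with no arguments to see the edit applied to the constructed file, or as `./enable-ipfwd.sh INSTANCE_NAME PROJECT_ID ZONE` for the dry run against a real instance; if gcloud reports that RESTART or REFRESH is required, run it again with that action as the fifth argument.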