Double the MTU on your on-premises VPN gateway from 1460 bytes to 2920 bytes

Create two VPN tunnels on the same Cloud VPN gateway that point to the same
destination VPN gateway IP address.

Add a second on-premises VPN gateway with a different public IP address. Create a
second tunnel on the existing Cloud VPN gateway that forwards the same IP range, but
points at the new on-premises gateway IP.

Add a second Cloud VPN gateway in a different region than the existing VPN gateway.
Create a new tunnel on the second Cloud VPN gateway that forwards the same IP range,
but points to the existing on-premises VPN gateway IP address.

Grant the compute.instanceAdmin to your user account.

Grant the iam.serviceAccountUser to your user account

Grant the read-only privilege to the service account for the Cloud Storage bucket

Grant the cloud-platform privilege to the service account for the Cloud Storage bucket

Configure a custom route 0.0.0.0/0 with a priority of 500 whose next hop is the default
internet gateway. Configure another custom route 199.36.153.4/30 with priority of 1000
whose next hop is the VPN tunnel back to the on-premises data center.

Configure a custom route 0.0.0.0/0 with a priority of 1000 whose next hop is the internet
gateway. Configure another custom route 199.36.153.4/30 with a priority of 500 whose next
hop is the VPN tunnel back to the on-premises data center.

Announce a 0.0.0.0/0 route from your on-premises router with a MED of 1000. Configure
a custom route 199.36.153.4/30 with a priority of 1000 whose next hop is the default
internet gateway.

Announce a 0.0.0.0/0 route from your on-premises router with a MED of 500. Configure
another custom route 199.36.153.4/30 with a priority of 1000 whose next hop is the VPN
tunnel back to the onpremises
data center.

Create two firewall rules: one to block all traffic with priority 0, and another to allow port
22 with priority 1000.

Create two firewall rules: one to block all traffic with priority 65536, and another to allow
port 3389 with priority 1000.

Create a single firewall rule to allow port 22 with priority 1000.

Create a single firewall rule to allow port 3389 with priority 1000.

Firewall rule direction: ingress
Action: allow
Target: VM B service account
Source ranges: VM A service account
Priority: 1000

Firewall rule direction: ingress
Action: allow
Target: specific VM B tag
Source ranges: VM A tag and VM A source IP address
Priority: 1000

Firewall rule direction: ingress
Action: allow
Target: VM A service account
Source ranges: VM B service account and VM B source IP address
Priority: 100

Firewall rule direction: ingress
Action: allow
Target: specific VM A tag
Source ranges: VM B tag and VM B source IP address
Priority: 100

Apply an additional IAM role to the Google API’s service account to allow custom mode
networks.

Update the VPC firewall to allow the Cloud Deployment Manager to access the custom
mode networks.

Explicitly reference the custom mode networks in the Cloud Armor whitelist.

Explicitly reference the custom mode networks in the Deployment Manager templates

Update the TTL for the zone

Set the zone to the TRANSFER state.

Disable DNSSEC at your domain registar

Transfer ownership of the domain to a new registar

Use the Network Intelligence Center Connectivity Tests to test the connectivity between
the VPC and the on-premises network.

Use Network Intelligence Center Network Topology to check the traffic flow, and replay
the traffic from the time period when the connectivity issue occurred

Configure VPC Flow Logs. Review the logs by filtering on the source and destination.

Configure a Compute Engine instance on the same VPC as the service running on
Google Cloud to run a traceroute targeted at the on-premises service.