GKE on-premises to control plane connectivity insights
This page describes the Network Analyzer insights for Google Kubernetes Engine (GKE)
on-premises to control plane connectivity. For information about all the
insight types, see Insight groups and types.
View insights in the Recommender API
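To view these insights in the Google Cloud CLI or the Recommender API, use
the following insight type:
google.networkanalyzer.container.connectivityInsight
You need the following permissions:
recommender.networkAnalyzerGkeConnectivityInsights.list
recommender.networkAnalyzerGkeConnectivityInsights.get
For more information about using the Recommender API for
Network Analyzer insights, see Use the Recommender CLI and API.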
GKE on-premises to control plane connectivity missing return route
This analyzer verifies connectivity between your on-premises network
and the GKE control plane.
If this analyzer infers that there is a route in your on-premises network that
delivers traffic to the control plane, the analyzer also verifies that the
return route exists in the control plane's VPC network. This
insight is generated when a Cloud Router advertises the control plane's
CIDR range to the on-premises network, but the custom route to the on-premises
network is not exported to the GKE cluster's
VPC Network Peering. When this happens, the analyzer infers that your
on-premises network has a route to the control plane's VPC
network. However, the GKE control plane does not have a return
route to your on-premises network. If this is your intended network
configuration, you can dismiss this insight.
This insight includes the following information:
GKE cluster: Name of the GKE cluster.
Network: Name of the network where the GKE cluster is configured.
VPC Network Peering: The name of the VPC peering configuration that connects
your GKE cluster to the control plane.
Associated Cloud Routers: The list of Cloud Routers that are advertising
the control plane's address range.
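The condition described above can be reproduced offline against exported configuration. This is an added example, not Google's analyzer or code from this page: the sample data is constructed, the field names are assumed to match the GKE cluster, Compute Engine network and Cloud Router API resources, and only router-level custom advertisements are considered.

```python
import ipaddress

# Constructed sample data, shaped like the JSON that the GKE and Compute Engine
# APIs return for a cluster, its VPC network and its Cloud Routers.
CLUSTER = {
    "name": "example-cluster",
    "network": "example-vpc",
    "privateClusterConfig": {
        "masterIpv4CidrBlock": "172.16.0.0/28",
        "peeringName": "gke-example-peer",
    },
}
NETWORK = {
    "name": "example-vpc",
    "peerings": [{"name": "gke-example-peer", "exportCustomRoutes": False}],
}
ROUTERS = [
    {"name": "router-a", "bgp": {"advertiseMode": "CUSTOM",
                                 "advertisedIpRanges": [{"range": "172.16.0.0/28"}]}},
    {"name": "router-b", "bgp": {"advertiseMode": "DEFAULT"}},
]


def routers_advertising(cidr, routers):
    """Names of Cloud Routers whose custom advertisements cover cidr."""
    # Simplification: per-BGP-peer advertisements are not inspected.
    target = ipaddress.ip_network(cidr)
    names = []
    for router in routers:
        ranges = router.get("bgp", {}).get("advertisedIpRanges", [])
        if any(target.subnet_of(ipaddress.ip_network(r["range"])) for r in ranges):
            names.append(router["name"])
    return names


def missing_return_route(cluster, network, routers):
    """Return the insight's four fields if the condition holds, else None."""
    cfg = cluster["privateClusterConfig"]
    advertisers = routers_advertising(cfg["masterIpv4CidrBlock"], routers)
    peering = next((p for p in network.get("peerings", [])
                    if p["name"] == cfg["peeringName"]), None)
    if not advertisers or peering is None or peering.get("exportCustomRoutes"):
        return None
    return {
        "gke_cluster": cluster["name"],
        "network": network["name"],
        "vpc_network_peering": peering["name"],
        "associated_cloud_routers": advertisers,
    }
```

A result of None means either no Cloud Router advertises the control plane's range or the peering already exports custom routes.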
Related topics
For more information, see Connecting to the control plane's private endpoint
from on-premises networks.
Recommendations
Configure your VPC network to export its custom routes in the peering
relationship to the control plane's VPC network.
Last updated 2025-09-04 UTC.