By default the itopia VPN module will create the site-to-site tunnel to allow connections between your on site network and the network in the Google cloud. 

However, what the process does not do is open up any firewall rules between your on-prem network and the Google cloud network. This is done by default to allow you to dictate what traffic is allowed into the Google cloud network through the VPN. You will be able to ping devices across the tunnel because of a default firewall rule created by Google allowing ICMP requests but nothing else.

In order to allow traffic from your on-site network you will need to log into the Google console and go into the Firewall rules under VPC network:

Once in the Firewall rules page, click on Create Firewall Rule at the top of the page:

When creating the firewall rule, create a name for it, make sure the direction of traffic is Ingress, select Allow in the Action to Match section, type in your source IP range(s) and either allow all ports or select the ports you want to allow. Below is a screenshot showing most of those options filled in or selected:

Once you hit create, Google will create the firewall rule and traffic will be allowed from IP's on the source network you filled in and only on the ports you selected.

Additional resources:

https://cloud.google.com/vpn/docs/how-to/logging?hl=vi

https://cloud.google.com/vpn/docs/resources/troubleshooting

Did this answer your question?