Creating a Tunnel with Dynamic Routes

Create a tunnel that uses dynamic routing by using Cloud Router. For more information about dynamic routing, see dynamic versus static routing in the Cloud Router overview page.

In this example, the network is a custom mode VPC network.

Figure: Cloud Router for VPNs with VPC network

Before you begin

Create the VPN tunnel and Cloud Router

Console


You can either create a Cloud Router first and then use it when creating the VPN, or create the Cloud Router as part of the VPN workflow. Both procedures are described below.

Create Cloud Router before VPN

Use this procedure if you wish to create your Cloud Router first, then create a VPN.

  1. Go to the create Cloud Router page in the Google Cloud Platform Console.
  2. Create a Cloud Router in the region where you want your VPN gateway and tunnels.
    • Name — The name of the Cloud Router. This name is displayed in the console and used by the gcloud command-line tool to reference the router. Example: my-router
    • VPC network — The network containing the instances the VPN gateway will serve. Example: my-network
    • Region — The region where you want to locate the Cloud Router and VPN gateway. Normally, this is the region that contains the instances you wish to reach. Example: asia-east1
    • Google ASN — The private ASN (64512 - 65534, 4200000000 - 4294967294) for the router you are configuring. It can be any private ASN you are not already using as a peer ASN in the same region and network. Example: 65001
  3. Your new router appears on the Cloud Router listing page. In the VPN Gateway column of your new router, click Configure.
  4. Populate the fields for the VPN gateway:
    • Name — The name of the VPN gateway. This name is displayed in the console and used by the gcloud command-line tool to reference the gateway. Example: my-vpn
    • VPC network — The VPC network containing your Cloud Router and the instances the VPN gateway will serve. Example: my-network
    • Region — The region where you want to create the VPN gateway. Must be the same region as your Cloud Router. This is the region that contains the instances you wish to reach. Example: asia-east1
    • IP Address — Select a pre-existing static external IP address. If you don't have a static external IP address, you can create one.
  5. Populate fields for at least one tunnel:
    • Peer IP address — Public IP address of the peer gateway. This is the public IP address of the peer VPN gateway, not the one you are currently configuring.
    • IKE version — IKEv2 is preferred, but IKEv1 is supported if that is all the peer gateway can manage.
    • Shared Secret — Character string used in establishing encryption for that tunnel. You must enter the same shared secret into both VPN gateways. If the VPN gateway device on the peer side of the tunnel doesn't generate one automatically, you can make one up.
    • Routing options — Select Dynamic (BGP).
    • Cloud router — Select my-router.
    • BGP session — Click the "pencil" icon, then populate the following fields. When you are done, click Save and continue.
      • Name — The name of the BGP session. Example: bgp-peer1
      • Peer ASN — You can use your public ASN or any private ASN (64512 - 65534, 4200000000 - 4294967294) that you are not already using in the peer or VPC network. Example: 65002
      • Advertised route priority — (Optional) The base value Cloud Router uses to calculate route metrics. All routes advertised for this session will use this base value. For more information, see Route metrics.
      • Google BGP IP address — The two BGP interface IP addresses must be link-local IP addresses belonging to the same /30 subnet in 169.254.0.0/16. Example: 169.254.1.1
      • Peer BGP IP address — See explanation for Google BGP IP address. Example: 169.254.1.2
  6. Click Create to create the gateway and initiate all tunnels, though tunnels will not connect until you've configured the peer router as well.
    This step automatically creates the necessary forwarding rules for the gateway and tunnels.

Create Cloud Router as part of VPN flow

Use this procedure if you don't already have a Cloud Router and want to create one as part of the VPN workflow.

  1. Go to the create VPN page in the Google Cloud Platform Console.
  2. Populate the fields for the VPN gateway:
    • Name — The name of the VPN. This name is displayed in the console and used by the gcloud command-line tool to reference the VPN. Example: my-vpn
    • VPC network — The VPC network containing the instances the VPN gateway will serve. Example: my-network
    • Region — The region where you want to create the VPN gateway. Must be the same region as your Cloud Router. This is the region that contains the instances you wish to reach. Example: asia-east1
    • IP Address — Select a pre-existing static external IP address. If you don't have a static external IP address, click New static IP address to create one.
  3. Populate fields for at least one tunnel:
    • Peer IP address — Public IP address of the peer gateway. This is the public IP address of the peer VPN gateway, not the one you are currently configuring.
    • IKE version — IKEv2 is preferred, but IKEv1 is supported if that is all the peer gateway can manage.
    • Shared Secret — Character string used in establishing encryption for that tunnel. You must enter the same shared secret into both VPN gateways. If the VPN gateway device on the peer side of the tunnel doesn't generate one automatically, you can make one up.
    • Routing options — Select Dynamic (BGP).
    • Cloud router — Select Create cloud router, then populate the following fields. When you are done, click Save and continue.
      • Name — The name of the Cloud Router. This name is displayed in the console and used by the gcloud command-line tool to reference the router. Example: my-router
      • Google ASN — The private ASN (64512 - 65534, 4200000000 - 4294967294) for the router you are configuring. It can be any private ASN you are not already using. Example: 65001
    • BGP session — Click the "pencil" icon, then populate the following fields. When you are done, click Save and continue.
      • Name — The name of the BGP session. Example: bgp-peer1
      • Peer ASN — The private ASN (64512 - 65534, 4200000000 - 4294967294) of the peer router. It can be any private ASN you are not already using. Example: 65002
      • Advertised route priority — (Optional) The base value Cloud Router uses to calculate route metrics. All routes advertised for this session will use this base value. For more information, see Route metrics.
      • Google BGP IP address — The two BGP interface IP addresses must be link-local IP addresses belonging to the same /30 subnet in 169.254.0.0/16. Example: 169.254.1.1
      • Peer BGP IP address — See explanation for Google BGP IP address. Example: 169.254.1.2
  4. Click Create to create the gateway, Cloud Router, and all tunnels, though tunnels will not connect until you've configured the peer router as well.
    This step automatically creates the necessary forwarding rules for the gateway and tunnels. Note that creating a BGP peer session using the Google Cloud Platform Console automatically creates a Cloud Router interface for that peer.

gcloud


  1. Choose or create a VPC network. In this example, you are creating a custom mode VPC network.

    gcloud compute networks create my-network \
      --mode custom
    
    NAME       MODE   IPV4_RANGE GATEWAY_IPV4
    my-network custom
    
  2. Specify the subnet prefix for your first subnet. In this example, you are assigning 10.21.0.0/16 to region asia-east1.

    gcloud compute networks subnets create subnet-1 \
        --network my-network \
        --region asia-east1 \
        --range 10.21.0.0/16
    
    NAME     REGION      NETWORK    RANGE
    subnet-1 asia-east1  my-network 10.21.0.0/16
    
  3. Create a VPN gateway in the desired region. Normally, this is the region that contains the instances you wish to reach. This step creates an unconfigured virtual VPN gateway named my-vpn in your VPC network.

    gcloud compute target-vpn-gateways create my-vpn \
        --project [PROJECT_ID] \
        --region asia-east1 \
        --network my-network
    
    Created [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/asia-east1/targetVpnGateways/my-vpn].
    NAME   NETWORK    REGION
    my-vpn my-network asia-east1
    
  4. Reserve a static IP address in the VPC network and region where you created the VPN gateway. Make a note of the created address for use in future steps. The numerical address is shown as IP-ADDRESS in future steps.

    gcloud compute addresses create vpn-static-ip \
        --project [PROJECT_ID] \
        --region asia-east1
    
    Created [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/asia-east1/addresses/address1].
    NAME          REGION       ADDRESS         STATUS
    vpn-static-ip asia-east1   IP-ADDRESS      RESERVED
    
  5. Create forwarding rules that forward ESP, UDP:500, and UDP:4500 traffic toward the Cloud VPN gateway. Use the static IP address IP-ADDRESS you reserved earlier. This step generates forwarding rules named fr-esp, fr-udp500, and fr-udp4500.

    First, create the fr-esp rule:

    gcloud compute forwarding-rules create fr-esp \
        --project [PROJECT_ID] \
        --region asia-east1 \
        --address IP-ADDRESS \
        --target-vpn-gateway my-vpn \
        --ip-protocol ESP
    
    Created [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/asia-east1/forwardingRules/fr-esp].
    NAME   REGION       IP-ADDRESS      IP_PROTOCOL TARGET
    fr-esp asia-east1   IP-ADDRESS      ESP         asia-east1/targetVpnGateways/my-vpn
    

    Create fr-udp500:

    gcloud compute forwarding-rules create fr-udp500 \
        --project [PROJECT_ID] \
        --region asia-east1 \
        --address IP-ADDRESS \
        --target-vpn-gateway my-vpn \
        --ip-protocol UDP \
        --ports 500
    
    Created [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/asia-east1/forwardingRules/fr-udp500].
    NAME      REGION       IP-ADDRESS      IP_PROTOCOL TARGET
    fr-udp500 asia-east1   IP-ADDRESS      UDP         asia-east1/targetVpnGateways/my-vpn
    

    Create fr-udp4500:

    gcloud compute forwarding-rules create fr-udp4500 \
        --project [PROJECT_ID] \
        --region asia-east1 \
        --address IP-ADDRESS \
        --target-vpn-gateway my-vpn \
        --ip-protocol UDP \
        --ports 4500
    
    Created [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/asia-east1/forwardingRules/fr-udp4500].
    NAME       REGION       IP-ADDRESS      IP_PROTOCOL TARGET
    fr-udp4500 asia-east1   IP-ADDRESS      UDP         asia-east1/targetVpnGateways/my-vpn
    
  6. Create a Cloud Router in the region where you created the VPN gateway. This example uses ASN 65001 for the Cloud Router ASN, but you can use any private ASN (64512 - 65534, 4200000000 - 4294967294) that you are not already using in the peer network.

    gcloud compute --project [PROJECT_ID] routers create my-router \
      --region asia-east1 \
      --network my-network \
      --asn 65001
    
    Created [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/asia-east1/routers/my-router].
    NAME      REGION     NETWORK
    my-router asia-east1 my-network
    
  7. Create a VPN tunnel on the Cloud VPN gateway that points to the external IP address PEER-GW-EXT-IP of the peer VPN gateway. You also need to supply the shared secret for the VPN tunnel, the name of the Cloud Router, and the IKE version. IKE version 2 is recommended, but use version 1 if the peer gateway does not support version 2.
    Once this command is executed, resources are allocated for this VPN tunnel, but it cannot yet pass traffic.

    gcloud compute --project [PROJECT_ID] vpn-tunnels create tunnel1 \
      --region asia-east1 \
      --ike-version 2 \
      --target-vpn-gateway my-vpn \
      --peer-address PEER-GW-EXT-IP \
      --shared-secret SHAREDSECRET \
      --router my-router
    
    Created [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/asia-east1/vpnTunnels/tunnel1].
    NAME       REGION     GATEWAY      PEER_ADDRESS
    tunnel1    asia-east1 my-vpn       PEER-GW-EXT-IP
    
  8. Update the Cloud Router config to add a virtual interface (--interface-name) for the BGP peer. The BGP interface IP address must be a link-local IP address in the range 169.254.0.0/16, and it must belong to the same subnet as the interface address of the peer router. A netmask length of 30 is recommended. Make sure each tunnel has a unique pair of IPs. Alternatively, you can leave --ip-address and --mask-length blank here and --peer-ip-address blank in the next step, and IP addresses will be generated for you automatically.

    gcloud compute --project [PROJECT_ID] routers add-interface my-router \
      --interface-name if-1 \
      --ip-address 169.254.1.1 \
      --mask-length 30 \
      --vpn-tunnel tunnel1 \
      --region asia-east1
    
    Updated [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/asia-east1/routers/my-router].
    
  9. Update the Cloud Router config to add the BGP peer to the interface. This example uses ASN 65002 for the peer ASN. You can use your public ASN or any private ASN (64512 - 65534, 4200000000 - 4294967294) that you are not already using in the peer network. The BGP peer interface IP address must be a link-local IP address in the range 169.254.0.0/16, and it must belong to the same subnet as the Google Cloud Platform-side interface. Make sure each tunnel has a unique pair of IPs. To specify a base priority value, use the --advertised-route-priority flag; Cloud Router uses this value to calculate route metrics for all routes it advertises for this session. For more information, see Route metrics.

    gcloud compute --project [PROJECT_ID] routers add-bgp-peer my-router \
      --peer-name bgp-peer1 \
      --interface if-1 \
      --peer-ip-address 169.254.1.2 \
      --peer-asn 65002 \
      --region asia-east1
    
    Updated [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/asia-east1/routers/my-router].
    
  10. View details of the Cloud Router and confirm your settings.

    gcloud compute --project [PROJECT_ID] routers describe my-router \
      --region asia-east1
    
    bgp:
     asn: 65001
    bgpPeers:
    - interfaceName: if-bgp-peer1
      ipAddress: 169.254.1.1
      name: bgp-peer1
      peerAsn: 65002
      peerIpAddress: 169.254.1.2
    creationTimestamp: '2015-10-19T14:31:52.639-07:00'
    id: '4047683710114914215'
    interfaces:
    - ipRange: 169.254.1.1/30
      linkedVpnTunnel: https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/asia-east1/vpnTunnels/tunnel1
      name: if-bgp-peer1
    kind: compute#router
    name: my-router
    network: https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/networks/my-network
    region: https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/asia-east1
    selfLink: https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/asia-east1/routers/my-router
    
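The checks a practitioner would want before running steps 7 through 9, as an added example that is not part of this page or of the gcloud tool: it validates the Google-side ASN against the private ranges above, confirms that the two BGP addresses form a usable /30 pair inside 169.254.0.0/16, and generates a random shared secret for the tunnel instead of a made-up one. Resource names are the page's own; [PROJECT_ID] stays a placeholder, and DRY_RUN (the default) prints the gcloud commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the Cloud Router docs: checks the values from
# steps 7-9 before passing them to gcloud, and generates a random shared
# secret rather than a made-up one. Resource names follow the page;
# [PROJECT_ID] is a placeholder. DRY_RUN=1 (the default) prints the gcloud
# commands instead of running them, so the script also runs offline.
: "${DRY_RUN:=1}"
if [ "$DRY_RUN" = 1 ]; then
  gcloud() { printf 'DRY RUN: gcloud %s\n' "$*"; }
fi

ip2int() {
  # Dotted quad -> 32-bit integer using POSIX sh arithmetic only.
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

is_private_asn() {
  # 64512-65534 or 4200000000-4294967294, the ranges the page allows.
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  { [ "$1" -ge 64512 ] && [ "$1" -le 65534 ]; } ||
  { [ "$1" -ge 4200000000 ] && [ "$1" -le 4294967294 ]; }
}

valid_bgp_pair() {
  # Both addresses in 169.254.0.0/16, in the same /30, distinct, and
  # neither the network (.0) nor the broadcast (.3) address of that /30.
  g=$(ip2int "$1") && p=$(ip2int "$2") || return 1
  [ "$g" -ne "$p" ] &&
  [ $(( g >> 16 )) -eq $(( (169 << 8) | 254 )) ] &&
  [ $(( g >> 2 )) -eq $(( p >> 2 )) ] &&
  [ $(( g & 3 )) -ne 0 ] && [ $(( g & 3 )) -ne 3 ] &&
  [ $(( p & 3 )) -ne 0 ] && [ $(( p & 3 )) -ne 3 ]
}

gen_shared_secret() {
  # 32 random alphanumerics from the kernel CSPRNG, for --shared-secret in step 7.
  head -c 64 /dev/urandom | base64 | tr -dc 'A-Za-z0-9' | cut -c1-32
}

# Usage: configure_bgp_session GOOGLE_ASN PEER_ASN GOOGLE_BGP_IP PEER_BGP_IP
configure_bgp_session() {
  is_private_asn "$1" || { echo "Google ASN $1 is not private" >&2; return 1; }
  case $2 in ''|*[!0-9]*) echo "peer ASN $2 is not numeric" >&2; return 1 ;; esac
  [ "$1" -ne "$2" ] || { echo "Google and peer ASN must differ" >&2; return 1; }
  valid_bgp_pair "$3" "$4" ||
    { echo "$3 and $4 are not a usable /30 pair in 169.254.0.0/16" >&2; return 1; }
  gcloud compute --project "[PROJECT_ID]" routers add-interface my-router \
    --interface-name if-1 --ip-address "$3" --mask-length 30 \
    --vpn-tunnel tunnel1 --region asia-east1 &&
  gcloud compute --project "[PROJECT_ID]" routers add-bgp-peer my-router \
    --peer-name bgp-peer1 --interface if-1 --peer-ip-address "$4" \
    --peer-asn "$2" --region asia-east1
}
```

Run with DRY_RUN=0 once the printed commands look right; `configure_bgp_session 65001 65002 169.254.1.1 169.254.1.2` reproduces steps 8 and 9 of the page.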

Configure Google Cloud Platform firewall rules

You must configure your Google Cloud Platform firewall rules to allow inbound traffic from the peer network subnets, and you must configure the peer network firewall to allow inbound traffic from your Compute Engine prefixes.

To configure your Google Cloud Platform firewall rules, use either the Console or the gcloud command-line tool as described below. You might want to configure a range broad enough to cover future BGP updates.

Console


  1. Go to the Firewall rules page.
  2. Click Create firewall rule.
  3. Populate the following fields:
    • Name: vpnrule1
    • VPC network: my-network
    • Source filter: IP ranges
    • Source IP ranges: The peer ranges to accept from the peer VPN gateway.
    • Allowed protocols and ports: tcp;udp;icmp
  4. Click Create.

If you have more than one peer network range, provide a comma-separated list in the Source IP ranges field (10.10.4.0/24,10.10.6.0/24).

gcloud


gcloud compute --project [PROJECT_ID] firewall-rules create vpnrule1 \
    --network my-network \
    --allow tcp,udp,icmp \
    --source-ranges PEER-SOURCE-RANGE

If you have more than one peer network range, provide a comma-separated list in the --source-ranges field (--source-ranges 10.10.4.0/24,10.10.6.0/24).

This rule allows TCP, UDP, and ICMP traffic on all ports to all instances in the VPC network, as long as the traffic comes from the peer source ranges. If you wish to restrict the valid destinations for VPN traffic, see the firewall rules documentation for information on creating more specific rules.
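A narrower form of vpnrule1, added here as an example that is not from this page or the gcloud tool: it validates each peer range before joining them into the --source-ranges value, refuses 0.0.0.0/0 and other very short prefixes, and limits the destination to instances carrying an assumed network tag (vpn-reachable) on an assumed set of ports. DRY_RUN (the default) prints the gcloud command instead of running it.

```shell
#!/bin/sh
# Added example, not from the Cloud VPN docs: builds the vpnrule1 rule from a
# list of peer ranges, rejecting any range broad enough to admit most of the
# Internet (0.0.0.0/0, anything shorter than /8), and narrows the destination
# to instances carrying an assumed network tag "vpn-reachable" on an assumed
# port list. DRY_RUN=1 (default) prints the gcloud command instead of running it.
: "${DRY_RUN:=1}"
if [ "$DRY_RUN" = 1 ]; then
  gcloud() { printf 'DRY RUN: gcloud %s\n' "$*"; }
fi

valid_peer_cidr() {
  # Accepts a.b.c.d/n with octets 0-255 and 8 <= n <= 32, nothing else.
  case $1 in */*) ;; *) return 1 ;; esac
  ip=${1%/*}; len=${1#*/}
  case $len in ''|*[!0-9]*) return 1 ;; esac
  [ "$len" -ge 8 ] && [ "$len" -le 32 ] || return 1
  oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case $o in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

join_ranges() {
  # Validate every range and emit the comma-separated form --source-ranges takes.
  out=
  for r in "$@"; do
    valid_peer_cidr "$r" || { echo "rejecting source range: $r" >&2; return 1; }
    out=${out:+$out,}$r
  done
  echo "$out"
}

# Usage: create_vpn_firewall_rule PEER_RANGE [PEER_RANGE...]
create_vpn_firewall_rule() {
  ranges=$(join_ranges "$@") || return 1
  gcloud compute --project "[PROJECT_ID]" firewall-rules create vpnrule1 \
    --network my-network \
    --allow tcp:22,tcp:443,icmp \
    --source-ranges "$ranges" \
    --target-tags vpn-reachable
}
```

Instances that should be reachable over the VPN get the vpn-reachable tag; everything else in my-network stays unreachable from the peer ranges under this rule.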

Configure on-premises firewall rules

Configure your on-premises firewall with the ranges you expect to receive from your Cloud VPN gateway. You might want to configure a range broad enough to cover future BGP updates.

You must also configure your on-premises firewall to allow incoming TCP traffic with either source or destination port 179. This is the port used for the BGP announcements.

Configure on-premises gateway for the BGP session

Look up the ASNs and IP addresses of the Cloud Router and peer connections, then use that information to configure your on-premises gateway.

Console


  1. Open the Cloud Router list.
  2. Click on the name of your Cloud Router.
  3. Make a note of the values for Google ASN, Peer ASN, Google BGP IP address, and Peer BGP IP address.

gcloud


gcloud compute --project [PROJECT_ID] routers describe my-router --region asia-east1
bgp:
 asn: 65001
bgpPeers:
- interfaceName: if-bgp-peer1
  ipAddress: 169.254.1.1
  name: bgp-peer1
  peerAsn: 65002
  peerIpAddress: 169.254.1.2
creationTimestamp: '2015-10-19T14:31:52.639-07:00'
id: '4047683710114914215'
interfaces:
- ipRange: 169.254.1.1/30
  linkedVpnTunnel: https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/asia-east1/vpnTunnels/tunnel1
  name: if-bgp-peer1
kind: compute#router
name: my-router
network: https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/networks/my-network
region: https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/asia-east1
selfLink: https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/asia-east1/routers/my-router

Make a note of the asn, ipAddress, peerAsn, and peerIpAddress.

Configure on-premises gateway for the tunnel

For VPN gateway settings, see Set up the peer VPN gateway in the VPN documentation.

Check VPN tunnel status

Console


Open the VPN list and look for a green circle with a checkmark. That means the tunnel is established. If you see an exclamation mark in a red circle, then the tunnel is still coming up or has already failed. Click the Log link to see current information on the tunnel.

gcloud


gcloud compute --project [PROJECT_ID] vpn-tunnels describe tunnel1 \
    --region asia-east1
creationTimestamp: '2015-10-19T14:33:45.449-07:00'
description: ''
detailedStatus: 'Initial handshake. More info: https://console.developers.google.com/[PROJECT_ID]/507356250768/logs?service=compute.googleapis.com&key1=targetVpnGateway&key2=4189032514050383796'
id: '2196766647665614678'
ikeVersion: 2
kind: compute#vpnTunnel
name: tunnel1
peerIp: PEER-GW-EXT-IP
region: https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/asia-east1
router: https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/asia-east1/routers/my-router
selfLink: https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/asia-east1/vpnTunnels/tunnel1
sharedSecret: SHAREDSECRET
sharedSecretHash: AH6QHyVoninNYieomeYx95HBlKl8
status: FIRST_HANDSHAKE
targetVpnGateway: https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/asia-east1/targetVpnGateways/my-vpn

A status of ESTABLISHED means the tunnel is up. For a list of intermediate and error statuses, see Check the status of your tunnel in the VPN documentation.
