This page describes concepts related to Google Cloud VPN. Creating a VPN describes the steps to create a virtual private network (VPN).
Google Cloud VPN securely connects your existing network to your Google Cloud Platform (GCP) network through an IPsec VPN connection. Traffic traveling between the two networks is encrypted by one VPN gateway, then decrypted by the other VPN gateway. This protects your data as it travels over the Internet.
- Cloud VPN provides an SLA of 99.9% service availability.
- Cloud VPN supports site-to-site VPN. You can have multiple tunnels to a single VPN gateway.
- Cloud VPN supports static routes for managing traffic between your instances and your existing infrastructure.
- Cloud VPN supports both IKEv1 and IKEv2 using a shared secret (IKE pre-shared key).
- Cloud VPN uses ESP in Tunnel mode with authentication. Cloud VPN does not support AH or ESP in Transport mode.
When to use Cloud VPN
You can use Cloud VPN to connect two different GCP networks or regions.
Cloud VPN only supports IPsec gateway-to-gateway scenarios. You must have a dedicated physical or virtual IPsec VPN gateway on the client side. Cloud VPN does not currently support client-to-gateway (road warrior) scenarios. In other words, it doesn't work with client software on a laptop, only with full IPsec VPN gateway software. Cloud VPN does not support VPN technologies other than IPsec.
The following terms are used in this document:
- Cloud VPN gateway
- The virtual VPN gateway running in GCP. This virtual device is managed by Google, but used only by you.
- Peer VPN gateway
- The other side of the connection. Frequently, this is a physical device on your premises. However, it can be a second Cloud VPN gateway or a virtual gateway running in another
Instructions are written from the point of view of your GCP network, so the "remote peer" is the gateway connecting to Cloud VPN.
- Project ID
- The GCP-generated Project ID, not the project name supplied by you.
This diagram shows a simple VPN connection between your Cloud VPN gateway and your peer VPN gateway.
The following are required to use VPN.
- You must have a peer VPN gateway for the other side of the tunnel.
- The peer VPN gateway must have a static external IP address. You'll need to know the IP address when you configure Cloud VPN. If the peer VPN gateway is behind a firewall, you must configure the firewall to pass ESP and IKE traffic.
- The CIDR range of the network on the GCP side of the VPN must not conflict with the CIDR ranges of the networks on the peer side of the VPN.
- You must supply a shared secret for the VPN. This can either be provided by your existing peer VPN gateway or you can make one up.
- Cloud VPN supports both IKEv2 (recommended) and IKEv1. Determine what your peer VPN gateway supports.
- See Creating a VPN for instructions on setting up your VPN.
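The requirements above (a public static peer address, a peer firewall that passes ESP and IKE, non-overlapping CIDR ranges, a shared secret, IKEv1 or IKEv2) can be checked before the tunnel is created. The pre-flight script below is an added example, not code from the Cloud VPN documentation; the configuration values, the 16-character secret floor and the peer-firewall allow-list format are constructed assumptions.

```python
# Added example (not from the Cloud VPN docs): pre-flight check of the
# documented requirements before running "Creating a VPN".
import ipaddress

# Constructed sample configuration; every value is a placeholder.
CONFIG = {
    "gcp_ranges": ["10.240.0.0/16"],                    # GCP-side subnet(s)
    "peer_ranges": ["192.168.0.0/24", "10.240.1.0/24"],  # second one overlaps on purpose
    "peer_ip": "203.0.113.10",                          # peer gateway external IP (documentation range)
    "ike_version": 2,
    "shared_secret": "short",
    # Constructed allow list on the peer firewall as (protocol, port) pairs.
    "peer_firewall_allows": [("udp", 500), ("esp", None)],
}

# Traffic the peer firewall must pass: ESP (IP protocol 50) and IKE on
# UDP/500, plus UDP/4500 for IKE/ESP over NAT traversal (NAT-T).
REQUIRED_ALLOWS = [("esp", None), ("udp", 500), ("udp", 4500)]

# RFC 1918 ranges: a peer address inside these cannot be the external IP.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def overlapping_ranges(gcp_ranges, peer_ranges):
    """Return (gcp, peer) CIDR pairs that overlap; the docs require none."""
    gcp = [ipaddress.ip_network(r) for r in gcp_ranges]
    peer = [ipaddress.ip_network(r) for r in peer_ranges]
    return [(str(g), str(p)) for g in gcp for p in peer if g.overlaps(p)]

def preflight(cfg):
    """Collect every requirement violation; an empty list means ready to create."""
    problems = []
    for g, p in overlapping_ranges(cfg["gcp_ranges"], cfg["peer_ranges"]):
        problems.append(f"CIDR conflict: GCP {g} overlaps peer {p}")
    peer_ip = ipaddress.ip_address(cfg["peer_ip"])
    if any(peer_ip in n for n in RFC1918):
        problems.append(f"peer IP {peer_ip} is a private address, not a static external IP")
    if cfg["ike_version"] not in (1, 2):
        problems.append(f"unsupported IKE version {cfg['ike_version']}")
    if len(cfg["shared_secret"]) < 16:  # length floor is an assumption, not a GCP rule
        problems.append("shared secret shorter than 16 characters")
    for proto, port in REQUIRED_ALLOWS:
        if (proto, port) not in cfg["peer_firewall_allows"]:
            problems.append(f"peer firewall does not pass {proto}" + (f"/{port}" if port is not None else ""))
    return problems

if __name__ == "__main__":
    for line in preflight(CONFIG) or ["ready to create the tunnel"]:
        print(line)
```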