This page describes concepts related to Google Cloud VPN. Creating a VPN describes the steps to create a virtual private network (VPN).


Google Cloud VPN securely connects your existing network to your Google Cloud Platform (GCP) network through an IPsec VPN connection. Traffic traveling between the two networks is encrypted by one VPN gateway, then decrypted by the other VPN gateway. This protects your data as it travels over the Internet.

When to use Cloud VPN

You can use Cloud VPN to connect two different GCP networks or regions.

Cloud VPN only supports IPsec gateway-to-gateway scenarios. You must have a dedicated physical or virtual IPsec VPN gateway on the client side. Cloud VPN does not currently support client-to-gateway (road warrior) scenarios. In other words, it doesn't work with client software on a laptop, only with full IPsec VPN gateway software. Cloud VPN does not support VPN technologies other than IPsec.


The following terms are used in this document:

Cloud VPN gateway
The virtual VPN gateway running in GCP. This virtual device is managed by Google, but used only by you.
Peer VPN gateway
The other side of the connection. Frequently, this is a physical device on your premises. However, it can be a second Cloud VPN gateway or a virtual gateway running in another provider's network.
Instructions are written from the point of view of your GCP network, so the "remote peer" is the gateway connecting to Cloud VPN.
Project ID
The GCP-generated Project ID, not the project name supplied by you.

This diagram shows a simple VPN connection between your Cloud VPN gateway and your peer VPN gateway.



The following are required to use VPN.

  • You must have a peer VPN gateway for the other side of the tunnel.
  • The peer VPN gateway must have a static external IP address. You'll need to know the IP address when you configure Cloud VPN. If the peer VPN gateway is behind a firewall, you must configure the firewall to pass ESP and IKE traffic.
  • The CIDR range of the network on the GCP side of the VPN must not conflict with the CIDR ranges of the networks on the peer side of the VPN.
  • You must supply a shared secret for the VPN. This can either be provided by your existing peer VPN gateway or you can make one up.
  • Cloud VPN supports both IKEv2 (recommended) and IKEv1. Determine what your peer VPN gateway supports.
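
Several of these requirements can be checked before the tunnel is configured. The following is an added example, not part of the original page or any Google tooling: it reports overlapping CIDR ranges, flags a peer gateway address that falls in a private or otherwise non-external IPv4 range, and generates a random shared secret. The function names, the list of non-external ranges and the sample addresses are assumptions made for illustration.

```python
import ipaddress
import secrets

# Assumed list of IPv4 ranges that cannot be an external peer address
# (RFC 1918, CGNAT, link-local, loopback). Whether the address is static
# cannot be verified from here.
NON_EXTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "169.254.0.0/16", "127.0.0.0/8")]


def find_cidr_conflicts(gcp_ranges, peer_ranges):
    """Return every (gcp, peer) pair of CIDR ranges that overlap."""
    conflicts = []
    for g in gcp_ranges:
        g_net = ipaddress.ip_network(g)  # ValueError if host bits are set
        for p in peer_ranges:
            p_net = ipaddress.ip_network(p)
            if g_net.version == p_net.version and g_net.overlaps(p_net):
                conflicts.append((g, p))
    return conflicts


def peer_ip_is_external(addr):
    """True if addr is outside every range in NON_EXTERNAL."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in NON_EXTERNAL)


def generate_shared_secret(nbytes=32):
    """Random shared secret from the OS CSPRNG, URL-safe base64 encoded."""
    return secrets.token_urlsafe(nbytes)


def preflight(gcp_ranges, peer_ranges, peer_ip):
    """Return a list of problems found; an empty list means none."""
    problems = [f"CIDR conflict: {g} (GCP) overlaps {p} (peer)"
                for g, p in find_cidr_conflicts(gcp_ranges, peer_ranges)]
    if not peer_ip_is_external(peer_ip):
        problems.append(f"peer gateway {peer_ip} is not an external address")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from the page.
    gcp = ["10.128.0.0/20", "10.132.0.0/20"]
    peer = ["192.168.10.0/24", "10.128.8.0/22"]
    for line in preflight(gcp, peer, "203.0.113.10"):
        print(line)
    print("shared secret:", generate_shared_secret())
```

The same shared secret must be entered on both gateways, so store the generated value somewhere access-controlled rather than in shell history or a ticket.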
