This page describes concepts related to Google Cloud VPN. Creating a VPN describes the steps to create a virtual private network (VPN).
Google Cloud VPN securely connects your on-premises network to your Google Cloud Platform (GCP) Virtual Private Cloud (VPC) network through an IPsec VPN connection. Traffic traveling between the two networks is encrypted by one VPN gateway, then decrypted by the other VPN gateway. This protects your data as it travels over the Internet.
- Cloud VPN provides an SLA of 99.9% service availability.
- Cloud VPN supports site-to-site VPN. You can have multiple tunnels to a single VPN gateway.
- Cloud VPN supports both static routes and dynamic routes (via Cloud Router) for managing traffic between your instances and your existing infrastructure.
- Cloud VPN supports both IKEv1 and IKEv2 using a shared secret (IKE pre-shared key).
- Cloud VPN uses ESP in Tunnel mode with authentication. Cloud VPN does not support AH or ESP in Transport mode.
When to use Cloud VPN
You can use Cloud VPN to connect two different VPC networks or regions.
Cloud VPN only supports IPsec gateway-to-gateway scenarios. You must have a dedicated physical or virtual IPsec VPN gateway on the client side. Cloud VPN does not currently support client-to-gateway (road warrior) scenarios. In other words, it doesn't work with client software on a laptop, only with full IPsec VPN gateway software. Cloud VPN does not support VPN technologies other than IPsec.
The following terms are used in this document:
- Cloud VPN gateway
- The virtual VPN gateway running in GCP. This virtual device is managed by Google, but used only by you.
- Peer VPN gateway
- The other side of the connection. Frequently, this is a physical device on your premises. However, it can be a second Cloud VPN gateway or a virtual gateway running in another
Instructions are written from the point of view of your VPC network, so the "remote peer" is the gateway connecting to Cloud VPN.
- Project ID
- The GCP-generated Project ID, not the project name supplied by you.
VPN traffic selector
When creating a VPN tunnel, you must tell the tunnel which destination IP address ranges it can allow, and you must create routes to forward packets destined for that IP range to the tunnel.
A traffic selector is an agreement between IKE peers to permit traffic through a tunnel only if it matches the specified addresses. With subnets, you must specify which Google Cloud Platform CIDR ranges are valid for a VPN tunnel. These ranges are specified in the Local IP ranges field in the Cloud Platform Console and the --local_traffic_selector field in the gcloud command-line tool. They are configured when the tunnel is created and cannot be changed afterwards, because they are exchanged during the IKE handshake on connect. The maximum number of CIDR ranges in the traffic selector is 128.
In some VPN configurations, gateways allow traffic to pass through that was not specified in the traffic selector during the IKE handshake. For consistent and predictable VPN behavior, make sure the routes destined for the tunnel match the prefixes specified during tunnel creation.
Traffic selector and auto mode VPC networks
If the network of the VPN gateway is an auto mode VPC network, the CIDR range of the subnet in the same region as the VPN gateway is automatically announced to the peer VPN. If you only want that subnet to use the tunnel, you do not have to manually specify the traffic selector. You do have to specify a route as shown in the steps below.
If you have an auto mode VPC network and want subnets other than the one containing the gateway to use the tunnel, you must specify those ranges in the traffic selector and create routes for them. Once you use this field, nothing is added implicitly: you must also list the subnet local to the gateway.
If you are using an auto mode VPC network and do not specify the traffic selector, you get the default behavior: only the subnet local to the Cloud VPN gateway is used to create the tunnel.
Traffic selector and custom mode VPC networks
If the network of the VPN gateway is a custom mode VPC network, no IP prefix is announced to the peer VPN by default. You must use the traffic selector to specify the IP prefixes for the subnets that will be routed through the tunnel. You must also specify routes for traffic to reach the tunnel.
This diagram shows a simple VPN connection between your Cloud VPN gateway and your peer VPN gateway.
The following are required to use VPN.
- You must have a peer VPN gateway for the other side of the tunnel.
- The peer VPN gateway must have a static external IP address. You'll need to know the IP address when you configure Cloud VPN. If the peer VPN gateway is behind a firewall, you must configure the firewall to pass ESP and IKE traffic.
- The CIDR range of the VPC network must not conflict with the CIDR ranges of the networks on the peer side of the VPN.
- You must supply a shared secret for the VPN. This can either be provided by your existing peer VPN gateway or generated by you.
- Cloud VPN supports both IKEv2 (recommended) and IKEv1. Determine what your peer VPN gateway supports.
- See Creating a VPN for instructions on setting up your VPN.
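A pre-flight check for the traffic selector rules above and for the CIDR-overlap requirement, written here as an added example (not Google's or the gcloud tool's code): it resolves what an auto mode or custom mode network will announce as its local selector, then verifies that routes pointing at the tunnel are covered by the remote selector, that the 128-range limit holds, and that local and peer ranges do not overlap. Function names and the sample CIDRs are assumptions constructed for this example.

```python
import ipaddress

MAX_SELECTOR_RANGES = 128  # limit stated on this page

def effective_local_selector(network_mode, gateway_subnet, configured=()):
    """Resolve what a tunnel announces as its local traffic selector.

    network_mode   -- "auto" or "custom" (the VPC network's subnet mode)
    gateway_subnet -- CIDR of the subnet in the gateway's region
    configured     -- CIDRs given explicitly as the local traffic selector
    Returns (selector_cidrs, findings).
    """
    if configured:
        # An explicit selector wins in both modes, and the gateway's own
        # subnet is included only if you list it yourself.
        sel = list(configured)
        nets = [ipaddress.ip_network(c) for c in sel]
        if ipaddress.ip_network(gateway_subnet) in nets:
            return sel, []
        return sel, [f"gateway subnet {gateway_subnet} is not in the explicit selector"]
    if network_mode == "auto":
        return [gateway_subnet], []  # default: only the gateway's regional subnet
    return [], ["custom mode network with no traffic selector announces no prefixes"]

def check_tunnel_plan(local_selector, remote_selector, tunnel_routes, peer_ranges):
    """Pre-flight consistency checks; returns a list of findings (empty is good)."""
    findings = []
    local = [ipaddress.ip_network(c) for c in local_selector]
    remote = [ipaddress.ip_network(c) for c in remote_selector]
    peers = [ipaddress.ip_network(c) for c in peer_ranges]
    if len(local) > MAX_SELECTOR_RANGES:
        findings.append(f"{len(local)} local ranges exceeds the limit of {MAX_SELECTOR_RANGES}")
    # A route whose next hop is the tunnel must lie within what IKE negotiated
    # for the remote side; otherwise routing and the IKE agreement disagree.
    for r in (ipaddress.ip_network(c) for c in tunnel_routes):
        if not any(r.version == s.version and r.subnet_of(s) for s in remote):
            findings.append(f"route {r} is not covered by the remote traffic selector")
    # The VPC ranges must not overlap the ranges on the peer side.
    for l in local:
        for p in peers:
            if l.version == p.version and l.overlaps(p):
                findings.append(f"local range {l} overlaps peer range {p}")
    return findings

if __name__ == "__main__":  # constructed sample values, not from any real deployment
    sel, notes = effective_local_selector("auto", "10.128.0.0/20")
    print(sel, notes, check_tunnel_plan(sel, ["192.168.10.0/24"], ["192.168.10.0/24"], ["192.168.10.0/24"]))
```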