Cloud VPN Overview

This page describes concepts related to Google Cloud VPN. Creating a VPN describes the steps to create a virtual private network (VPN).

Introduction

Google Cloud VPN securely connects your on-premises network to your Google Cloud Platform (GCP) Virtual Private Cloud (VPC) network through an IPsec VPN connection. Traffic traveling between the two networks is encrypted by one VPN gateway, then decrypted by the other VPN gateway. This protects your data as it travels over the Internet.

When to use Cloud VPN

You can use Cloud VPN to connect two different VPC networks or regions.

Cloud VPN only supports IPsec gateway-to-gateway scenarios. You must have a dedicated physical or virtual IPsec VPN gateway on the client side. Cloud VPN does not currently support client-to-gateway (road warrior) scenarios. In other words, it doesn't work with client software on a laptop, only with full IPsec VPN gateway software. Cloud VPN does not support VPN technologies other than IPsec.

Terminology

The following terms are used in this document:

Cloud VPN gateway
The virtual VPN gateway running in GCP. This virtual device is managed by Google, but used only by you.
Peer VPN gateway
The other side of the connection. Frequently, this is a physical device on your premises. However, it can be a second Cloud VPN gateway or a virtual gateway running in another provider's network.
Instructions are written from the point of view of your VPC network, so the "remote peer" is the gateway connecting to Cloud VPN.
Project ID
The GCP-generated Project ID, not the project name supplied by you.

VPN traffic selector

When creating a VPN tunnel, you must tell the tunnel which destination IP address ranges it can allow, and you must create routes to forward packets destined for that IP range to the tunnel.

Traffic selector is an agreement between IKE peers to permit traffic through a tunnel if the traffic matches the specified addresses. With subnets, you must specify which Google Cloud Platform CIDR ranges are valid for a VPN tunnel. These ranges are specified in the Local IP ranges field in the Cloud Platform Console and the --local_traffic_selector field in the gcloud command-line tool. These ranges are configured when the tunnel is created and may not be changed afterwards because they are used during the IKE handshake on connect.

The maximum number of CIDR ranges specified in the traffic selector is 128.

In some VPN configurations, gateways allow traffic to pass through that was not specified in the traffic selector during the IKE handshake. For consistent and predictable VPN behavior, make sure the routes destined for the tunnel match the prefixes specified during tunnel creation.

Traffic selector and auto mode VPC networks

If the network of the VPN gateway is an auto mode VPC network, the CIDR range of the subnet in the same region as the VPN gateway is automatically announced to the peer VPN. If you only want that subnet to use the tunnel, you do not have to manually specify the traffic selector. You do have to specify a route as shown in the steps below.

If you have an auto mode VPC network and wish subnets other than the subnet containing the gateway to use the tunnel, you must specify these ranges and create routes for them. If you use this field, you must even specify the subnet local to the gateway.

If you are using an auto mode VPC network and you don't specify the traffic selector, you get the default behavior, which is that the subnet local to the Cloud VPN gateway is used to create the tunnel.

Traffic selector and custom mode VPC networks

If the network of the VPN gateway is a custom mode VPC network, no IP prefix is announced to the peer VPN by default. You must use the traffic selector to specify the IP prefixes for the subnets that will be routed through the tunnel. You must also specify routes for traffic to reach the tunnel.

VPN diagram

This diagram shows a simple VPN connection between your Cloud VPN gateway and your peer VPN gateway.

Diagram

Requirements

The following are required to use VPN.

  • You must have a peer VPN gateway for the other side of the tunnel.
  • The peer VPN gateway must have a static external IP address. You'll need to know the IP address when you configure Cloud VPN. If the peer VPN gateway is behind a firewall, you must configure the firewall to pass ESP and IKE traffic.
  • The CIDR range of the VPC network must not conflict with the CIDR ranges of the networks on the peer side of the VPN.
  • You must supply a shared secret for the VPN. This can either be provided by your existing peer VPN gateway or you can make one up.
  • Cloud VPN supports both IKEv2 (recommended) and IKEv1. Determine what your peer VPN gateway supports.

What's next

Monitor your resources on the go

Get the Google Cloud Console app to help you manage your projects.

Send feedback about...

Compute Engine Documentation