This page describes how to create and manage Google Distributed Cloud Edge VPN connection resources in a Distributed Cloud Edge zone.
For more information about Distributed Cloud Edge VPN connections, see How Distributed Cloud Edge works.
Keep the following in mind:
You must configure your network to allow the traffic required by Distributed Cloud Edge VPN connections.
When you create a Distributed Cloud Edge VPN connection, Distributed Cloud Edge creates the required Cloud VPN gateway and Cloud Router resources. The name of the Cloud VPN gateway is prefixed with
anthos-mcc
. The name of the Cloud Router is prefixed withgdce
. You must not modify these resources; otherwise, the Distributed Cloud Edge VPN connection might stop functioning. If you accidentally modify these resources, you must delete and re-create the affected Distributed Cloud Edge VPN connection.Distributed Cloud Edge creates a single Cloud Router per Google Cloud project per region when you create your first Distributed Cloud Edge VPN connection in that Google Cloud project and region. All VPN connections subsequently created in that Google Cloud project and region reuse that same Cloud Router resource.
A Cloud Router resource can only be deleted when there are no secondary network interfaces attached to it. Distributed Cloud Edge automatically deletes a Cloud Router when you delete the last remaining VPN connection attached to it.
Distributed Cloud Edge VPN connections support IPv4 addresses only.
You can create only one VPN connection per Distributed Cloud Edge cluster.
If your local network uses multiple network address translation (NAT) gateways, you must configure them so that your Distributed Cloud Edge installation uses a single IP address for outbound traffic to your Virtual Private Cloud (VPC) network.
By default, Distributed Cloud Edge configures a single VPN client on a single node to connect to Google Cloud by using two VPN tunnels, also known as HA VPN on the Google Cloud end. You can further increase the availability of the VPN connection by using the
--high-availability
flag. This flag instructs Distributed Cloud Edge to configure two VPN clients on two separate nodes for a total of four VPN tunnels.You must delete and re-create a VPN connection if you want to change its configuration.
You can manage VPN connections by using the Google Cloud CLI or the Distributed Cloud Edge Container API.
Create a VPN connection
To create a Distributed Cloud Edge VPN connection, complete the steps in this section.
To complete this task, you must have the
Edge Container Admin role
(roles/edgecontainer.admin
) in your Google Cloud project.
gcloud
Use the gcloud edge-cloud container vpn-connections create
command:
gcloud edge-cloud container vpn-connections create VPN_CONNECTION_NAME \ --project=PROJECT_ID \ --location=REGION \ --cluster=CLUSTER_NAME \ --vpc-network=VPC_NETWORK_NAME \ --nat-gateway-ip=NAT_GATEWAY_IP \ --router=ROUTER_NAME \ --high-availability
Replace the following:
VPN_CONNECTION_NAME
: a descriptive name that uniquely identifies this VPN connection.PROJECT_ID
: the ID of the target Google Cloud project.REGION
: the Google Cloud region in which the target Distributed Cloud Edge zone is created.CLUSTER_NAME
: the name of the target Distributed Cloud Edge cluster.VPC_NETWORK_NAME
: the name of the target VPC network to which this VPN connection points. This network must be in the same Google Cloud project as your Distributed Cloud Edge installation.NAT_GATEWAY_IP
: the NAT gateway IP address for the target cluster. Omit this flag if you are not using NAT.ROUTER_NAME
(optional): specifies an existing Cloud Router resource to use for this VPN connection. Otherwise, Distributed Cloud Edge creates a Cloud Router automatically if one does not yet exist in the target Google Cloud project and region.--high-availability
(optional): configures this VPN connection for high availability on the cluster side by setting up two separate VPN clients that run on two separate nodes. To disable high availability, omit this flag.
API
Make a POST
request to the projects.locations.vpnConnections.create
method:
POST /v1/PROJECT_ID/locations/REGION/vpnConnections?vpnConnectionId=VPN_CONNECTION_ID&requestId=REQUEST_ID { "name": string, "labels": { }, "natGatewayIp": NAT_GATEWAY, "cluster": CLUSTER_PATH, "vpc": VPC_NETWORK_ID "enableHighAvailability": HA_ENABLE, "router": ROUTER_NAME, }
Replace the following:
PROJECT_ID
: the ID of the target Google Cloud project.REGION
: the Google Cloud region in which the target Distributed Cloud Edge zone is created.VPN_CONNECTION_ID
: a unique programmatic ID that identifies this node pool resource.REQUEST_ID
: a unique programmatic ID that identifies this request.VPN_CONNECTION_NAME
: a descriptive name that uniquely identifies this VPN connection.NAT_GATEWAY
: the IP address of your NAT gateway.CLUSTER_PATH
: the full canonical path to the target cluster.VPC_NETWORK_ID
: the ID of the target VPC network.HA_ENABLE
: indicates whether to configure this VPN connection for high availability on the cluster side. If set toTRUE
, configures two separate VPN clients that run on two separate nodes.ROUTER_NAME
(optional): specifies an existing Cloud Router resource to use for this VPN connection. Otherwise, Distributed Cloud Edge creates a Cloud Router automatically if one does not yet exist in the target Google Cloud project and region.
List VPN connections
To list the VPN connections provisioned for a Distributed Cloud Edge cluster, complete the steps in this section.
To complete this task, you must have the
Edge Container Viewer role
(roles/edgecontainer.viewer
) in your Google Cloud project.
gcloud
Use the gcloud edge-cloud container vpn-connections list
command:
gcloud edge-cloud container vpn-connections list \ --project=PROJECT_ID \ --location=REGION
Replace the following:
PROJECT_ID
: the ID of the target Google Cloud project.REGION
: the Google Cloud region in which the target Distributed Cloud Edge zone is created.
API
Make a GET
request to the projects.locations.vpnConnections.list
method:
GET /v1/PROJECT_ID/locations/REGION/vpnConnections?filter=FILTER&pageSize=PAGE_SIZE&orderBy=SORT_BY&pageToken=PAGE_TOKEN
Replace the following:
PROJECT_ID
: the ID of the target Google Cloud project.REGION
: the Google Cloud region in which the target Distributed Cloud Edge zone is created.FILTER
: an expression that constrains the returned results to specific values.PAGE_SIZE
: the number of results to return per page.SORT_BY
: a comma-delimited list of field names by which the returned results are sorted. The default sort order is ascending; for descending sort order, prefix the desired field with~
.PAGE_TOKEN
: a token received in the response to the last list request in thenextPageToken
field in the response. Send this token to receive a page of results.
Get information about a VPN connection
To get information about a Distributed Cloud Edge VPN connection, complete the steps in this section.
To complete this task, you must have the
Edge Container Viewer role
(roles/edgecontainer.viewer
) in your Google Cloud project.
gcloud
Use the gcloud edge-cloud container vpn-connections describe
command:
gcloud edge-cloud container vpn-connections describe VPN_CONNECTION_NAME \ --project=PROJECT_ID \ --location=REGION
Replace the following:
VPN_CONNECTION_NAME
: the name of the target VPN connection.PROJECT_ID
: the ID of the target Google Cloud project.REGION
: the Google Cloud region in which the target Distributed Cloud Edge zone is created.
API
Make a GET
request to the projects.locations.vpnConnections.get
method:
GET /v1/PROJECT_ID/locations/REGION/vpnConnections/VPN_CONNECTION_NAME
Replace the following:
PROJECT_ID
: the ID of the target Google Cloud project.REGION
: the Google Cloud region in which the target Distributed Cloud Edge zone is created.VPN_CONNECTION_NAME
: the name of the target VPN connection.
Delete a VPN connection
To delete a Distributed Cloud Edge VPN connection, complete the steps in this section.
If you are deleting the last remaining VPN connection associated with a
Cloud Router resource that Distributed Cloud Edge
previously created in the Google Cloud project,
deleting the VPN connection automatically deletes the associated
Cloud Router resource. However, only Cloud Router resources
that are automatically created by Distributed Cloud Edge are
automatically deleted in this situation. Distributed Cloud Edge
does not delete existing Cloud Router resources that are specified
by using the --router
flag.
To complete this task, you must have the
Edge Container Admin role
(roles/edgecontainer.admin
) in your Google Cloud project.
gcloud
Use the gcloud edge-cloud container vpn-connections delete
command:
gcloud edge-cloud container vpn-connections delete VPN_CONNECTION_NAME \ --location=REGION \ --project=PROJECT_ID
Replace the following:
VPN_CONNECTION_NAME
: a descriptive name that uniquely identifies this VPN connection.REGION
: the Google Cloud region in which the target Distributed Cloud Edge zone is created.PROJECT_ID
: the ID of the target Google Cloud project.
API
Make a DELETE
request to the projects.locations.vpnConnections.delete
method:
DELETE /v1/PROJECT_ID/locations/REGION/vpnConnections/VPN_CONNECTION_NAME?requestId=REQUEST_ID
Replace the following:
PROJECT_ID
: the ID of the target Google Cloud project.REGION
: the Google Cloud region in which the target Distributed Cloud Edge zone is created.VPN_CONNECTION_NAME
: the name of the target VPN connection.REQUEST_ID
: a unique programmatic ID that identifies this request.
Manage cross-project VPN connections
Distributed Cloud Edge also allows you to create VPN connections to VPC networks in a Google Cloud project that's different from the Google Cloud project that contains your Distributed Cloud Edge cluster.
Prerequisites
You must satisfy the prerequisites in this section before you can create cross-project VPN connections.
Caller account permissions
The caller user account in the target VPC project must have the
following permissions. These permissions are encapsulated in the
Project IAM Admin role
(roles/resourcemanager.projectIamAdmin
):
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.setIamPolicy
For information about how to set IAM roles and permissions, see Manage access to projects, folders, and organizations.
Distributed Cloud Edge service account permissions
To allow Distributed Cloud Edge to create the
Cloud Router and Cloud VPN resources in the target
VPC project that enables the cross-project VPN connection, you
must grant the
Compute Network Admin role
(roles/compute.networkAdmin
) to the Distributed Cloud Edge
service account in your Distributed Cloud Edge cluster.
To grant the Compute Network Admin role, do the following.
gcloud
Use the gcloud projects add-iam-policy-binding
command:
gcloud projects add-iam-policy-binding VPC_PROJECT_ID \ --member="serviceAccount:service-PROJECT_NUM@gcp-sa-edgecontainer.iam.gserviceaccount.com" \ --role="roles/compute.networkAdmin" \ --project=VPC_PROJECT_ID
Replace the following:
VPC_PROJECT_ID
: the ID of the target VPC project.PROJECT_NUM
: the number of the target Distributed Cloud Edge Google Cloud project.
Create a cross-project VPN connection
To create a VPN connection to a VPC network in a different Google Cloud project, complete the steps in this section.
gcloud
Use the gcloud edge-cloud container vpn-connections create
command:
gcloud edge-cloud container vpn-connections create VPN_CONNECTION_NAME \ --project=PROJECT_ID \ --location=REGION \ --cluster=CLUSTER_NAME \ --vpc-project=VPC_PROJECT_ID \ --vpc-network=VPC_NETWORK_NAME \ --nat-gateway-ip=NAT_GATEWAY_IP \ --high-availability
Replace the following:
VPN_CONNECTION_NAME
: a descriptive name that uniquely identifies this VPN connection.PROJECT_ID
: the ID of the target Distributed Cloud Edge cluster Google Cloud project.REGION
: the Google Cloud region in which the target Distributed Cloud Edge zone is created.CLUSTER_NAME
: the name of the target Distributed Cloud Edge cluster.VPC_PROJECT_ID
: the ID of the target Google Cloud project containing the target VPC network.VPC_NETWORK_NAME
: the name of the target VPC network to which this VPN connection points.NAT_GATEWAY_IP
: the NAT gateway IP address for the target cluster. Omit this flag if you are not using NAT.--high-availability
(optional): configures this VPN connection for high availability on the cluster side by setting up two separate VPN clients that run on two separate nodes. To disable high availability, omit this flag.
API
Make a POST
request to the projects.locations.vpnConnections.create
method:
POST /v1/PROJECT_ID/locations/REGION/vpnConnections?vpnConnectionId=VPN_CONNECTION_ID&requestId=REQUEST_ID { "name": string, "labels": { }, "natGatewayIp": NAT_GATEWAY, "cluster": CLUSTER_PATH, "vpc": VPC_NETWORK_ID, "vpcProject": VPC_PROJECT_ID, "vpcServiceAccount": var>VPC_PROJECT_SERVICE_ACCOUNT, "enableHighAvailability": HA_ENABLE, }
Replace the following:
PROJECT_ID
: the ID of the target Google Cloud project.REGION
: the Google Cloud region in which the target Distributed Cloud Edge zone is created.VPN_CONNECTION_ID
: a unique programmatic ID that identifies this node pool resource.REQUEST_ID
: a unique programmatic ID that identifies this request.VPN_CONNECTION_NAME
: a descriptive name that uniquely identifies this VPN connection.NAT_GATEWAY
: the IP address of your NAT gateway.CLUSTER_PATH
: the full canonical path to the target cluster.VPC_NETWORK_ID
: the ID of the target VPC network.VPC_PROJECT_ID
: the ID of the target Google Cloud project that contains the target VPC network.HA_ENABLE
: indicates whether to configure this VPN connection for high availability on the cluster side. If set toTRUE
, configures two separate VPN clients that run on two separate nodes.
Cloud Audit Logs for cross-project VPN connections
When you create a cross-project VPN connection, Cloud Audit Logs logs are written as follows:
- The audit logs for your Distributed Cloud Edge cluster record the long-running operation, authentication, and authorization information for the cross-project VPN connection. This information includes the caller of the create operation and the permissions the caller has been granted or denied.
- The audit logs for the target VPC project record information
about the Google Cloud resources that enable the cross-project VPN
connection, such as the Cloud Router and Cloud VPN
resources. The caller that accesses these resources is the
Distributed Cloud Edge service account to which you have
granted the
Edge Container Service Agent role
(
roles/edgecontainer.serviceAgent
).
Limitations of VPN connections
If you modify the node pool of the cluster in which you created a particular VPN connection, you must delete and recreate that VPN connection. Otherwise, unexpected behavior might occur, including:
- Intermittent loss of VPN connectivity
- Inability to create VPN connections in the other clusters in the Distributed Cloud Edge zone
Limitations of cross-project VPN connections
Additionally, cross-project VPN connections have the following limitations:
- The cross-project VPN connection resource exists only on your Distributed Cloud Edge cluster.
- If you alter the permissions on the Distributed Cloud Edge service account in the target VPC project, you are not able to delete the cross-project VPN connection from your Distributed Cloud Edge cluster.
What's next
- Deploy workloads on Google Distributed Cloud Edge
- Manage zones
- Create and manage clusters
- Create and manage node pools
- Manage virtual machines
- Manage GPU workloads