Manage VPN Connections


This page describes how to manage VPN Connection resources in a Google Distributed Cloud Edge Zone.

You must configure your network to allow the traffic required by Distributed Cloud Edge VPN Connections as described in Firewall configuration.

When you create a Distributed Cloud Edge VPN Connection, Distributed Cloud Edge creates the required Cloud VPN Gateway and Cloud Router resources. The names of those resources are prefixed with anthos-mcc. You must not modify those resources, otherwise the Distributed Cloud Edge VPN Connection might stop functioning. If you have accidentally modified those resources, you must delete and recreate the affected Distributed Cloud Edge VPN Connection.

For more information on Distributed Cloud Edge VPN Connections, see How Distributed Cloud Edge works.

Create a VPN Connection

To create a Distributed Cloud Edge VPN Connection, complete the steps in this section.

Keep the following in mind:

  • Distributed Cloud Edge VPN Connections support IPv4 only.
  • You can only create one VPN Connection per Distributed Cloud Edge cluster.
  • If your local network uses multiple Network Address Translation (NAT) gateways, you must configure them so that your Distributed Cloud Edge installation uses a single IP address for outbound traffic to your VPC.
  • By default, Distributed Cloud Edge configures a single VPN client on a single Node to connect to Google Cloud using two VPN tunnels, also known as high-availability VPN on the Google Cloud end. You can further increase the availability of the VPN connection using the --high-availability flag. This flag instructs Distributed Cloud Edge to configure two VPN clients on two separate Nodes for a total of four VPN tunnels.
  • You must delete and re-create a VPN Connection if you want to change its configuration.
  • You can only manage VPN Connections using the gcloud CLI tool or the Distributed Cloud Edge API.

To complete this task, you must have the GDCE Admin role on your Cloud project. For more information, see Permissions and roles.

gcloud

gcloud edge-cloud container vpn-connections create VPN_CONNECTION_NAME \
    --project=PROJECT_ID \
    --location=REGION \
    --cluster=CLUSTER_NAME \
    --vpc-network=VPC_NETWORK_NAME \
    --nat-gateway-ip=NAT_GATEWAY_IP \
    --high-availability

Replace the following:

  • VPN_CONNECTION_NAME is a descriptive name that uniquely identifies this VPN Connection.
  • PROJECT_ID is the ID of the target Google Cloud project.
  • REGION is the Google Cloud region in which the target Distributed Cloud Edge Zone has been created.
  • CLUSTER_NAME is the name of the target Distributed Cloud Edge cluster.
  • VPC_NETWORK_NAME is the name of the target VPC network to which this VPN Connection will point. This network must be in the same Cloud project as your Distributed Cloud Edge installation.
  • NAT_GATEWAY_IP is the NAT gateway IP address for the target cluster. Omit if you are not using NAT.
  • --high-availability (optional) configures this VPN Connection for high availability on the cluster side by setting up two separate VPN clients running on two separate Nodes. Omit this flag to disable high availability.

API

Create the VPN Connection by making a POST request to the projects.locations.vpnConnections.create method as follows:

POST /v1/PROJECT_ID/locations/REGION/vpnConnections?vpnConnectionId=VPN_CONNECTION_ID&requestId=REQUEST_ID
{
  "name": VPN_CONNECTION_NAME,
  "labels": {},
  "natGatewayIp": NAT_GATEWAY,
  "cluster": CLUSTER_PATH,
  "vpc": VPC_NETWORK_ID,
  "enableHighAvailability": HA_ENABLE
}

Replace the following:

  • PROJECT_ID is the ID of the target Google Cloud project.
  • REGION is the Google Cloud region in which the target Distributed Cloud Edge Zone has been created.
  • VPN_CONNECTION_ID is a unique programmatic ID that identifies this VPN Connection resource.
  • REQUEST_ID is a unique programmatic ID that identifies this request.
  • VPN_CONNECTION_NAME is a descriptive name that uniquely identifies this VPN Connection.
  • NAT_GATEWAY is the IP address of your NAT gateway.
  • CLUSTER_PATH is the full canonical path to the target cluster.
  • VPC_NETWORK_ID is the ID of the target VPC network.
  • HA_ENABLE indicates whether to configure this VPN Connection for high availability on the cluster side. If set to TRUE, configures two separate VPN clients running on two separate Nodes.

List VPN Connections

To list the VPN Connections provisioned for a Distributed Cloud Edge cluster, complete the steps in this section.

To complete this task, you must have the GDCE Viewer role on your Cloud project. For more information, see Permissions and roles.

gcloud

gcloud edge-cloud container vpn-connections list \
    --project=PROJECT_ID \
    --location=REGION

Replace the following:

  • PROJECT_ID is the ID of the target Google Cloud project.
  • REGION is the Google Cloud region in which the target Distributed Cloud Edge Zone has been created.

API

List the VPN Connections by making a GET request to the projects.locations.vpnConnections.list method as follows:

GET /v1/PROJECT_ID/locations/REGION/vpnConnections?filter=FILTER&pageSize=PAGE_SIZE&orderBy=SORT_BY&pageToken=PAGE_TOKEN

Replace the following:

  • PROJECT_ID is the ID of the target Google Cloud project.
  • REGION is the Google Cloud region in which the target Distributed Cloud Edge Zone has been created.
  • FILTER is an expression that constrains the returned results to specific values.
  • PAGE_SIZE is the number of results to return per page.
  • SORT_BY is a comma-delimited list of field names by which the returned results are sorted. The default sort order is ascending; for descending sort order, prefix the desired field with ~.
  • PAGE_TOKEN is a token received in the response to the last list request in the nextPageToken field in the response. Send this token to receive the following page of results.

Get information about a VPN Connection

To get information about a Distributed Cloud Edge VPN Connection, complete the steps in this section.

To complete this task, you must have the GDCE Viewer role on your Cloud project. For more information, see Permissions and roles.

gcloud

gcloud edge-cloud container vpn-connections describe VPN_CONNECTION_NAME \
    --project=PROJECT_ID \
    --location=REGION

Replace the following:

  • VPN_CONNECTION_NAME is the name of the target VPN Connection.
  • PROJECT_ID is the ID of the target Google Cloud project.
  • REGION is the Google Cloud region in which the target Distributed Cloud Edge Zone has been created.

API

Get information about the VPN Connection by making a GET request to the projects.locations.vpnConnections.get method as follows:

GET /v1/PROJECT_ID/locations/REGION/vpnConnections/VPN_CONNECTION_NAME

Replace the following:

  • PROJECT_ID is the ID of the target Google Cloud project.
  • REGION is the Google Cloud region in which the target Distributed Cloud Edge Zone has been created.
  • VPN_CONNECTION_NAME is the name of the target VPN Connection.

Delete a VPN Connection

To delete a Distributed Cloud Edge VPN Connection, complete the steps in this section.

To complete this task, you must have the GDCE Admin role on your Cloud project. For more information, see Permissions and roles.

gcloud

gcloud edge-cloud container vpn-connections delete VPN_CONNECTION_NAME \
    --cluster=CLUSTER_NAME \
    --location=REGION \
    --project=PROJECT_ID

Replace the following:

  • PROJECT_ID is the ID of the target Google Cloud project.
  • REGION is the Google Cloud region in which the target Distributed Cloud Edge Zone has been created.
  • VPN_CONNECTION_NAME is a descriptive name that uniquely identifies this VPN Connection.
  • CLUSTER_NAME is the name of the target Distributed Cloud Edge cluster.

API

Delete the VPN Connection by making a DELETE request to the projects.locations.vpnConnections.delete method as follows:

DELETE /v1/PROJECT_ID/locations/REGION/vpnConnections/VPN_CONNECTION_NAME?requestId=REQUEST_ID

Replace the following:

  • PROJECT_ID is the ID of the target Google Cloud project.
  • REGION is the Google Cloud region in which the target Distributed Cloud Edge Zone has been created.
  • VPN_CONNECTION_NAME is the name of the target VPN Connection.
  • REQUEST_ID is a unique programmatic ID that identifies this request.

Manage cross-project VPN Connections

Distributed Cloud Edge also allows you to create VPN Connections to Virtual Private Cloud (VPC) networks in a Google Cloud project different from the Cloud project that contains your Distributed Cloud Edge cluster.

Prerequisites

You must satisfy the prerequisites in this section before you can create cross-project VPN Connections.

Caller account permissions

The caller user account in the target VPC project must have the following permissions. These permissions are also encapsulated in the Project IAM Admin role.

  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.setIamPolicy

For information about how to set IAM roles and permissions, see Manage access to projects, folders, and organizations.

Distributed Cloud Edge service account permissions

To allow Distributed Cloud Edge to create the Cloud Router and Cloud VPN resources in the target VPC project that enable the cross-project VPN Connection, you must grant the Distributed Cloud Edge service account of your Distributed Cloud Edge cluster the Compute Network Admin role (roles/compute.networkAdmin) in that project. To do this, use the following command:

 gcloud projects add-iam-policy-binding VPC_PROJECT_ID \
     --member="serviceAccount:service-PROJECT_ID@gcp-sa-edgecontainer.iam.gserviceaccount.com" \
     --role="roles/compute.networkAdmin" \
     --project=VPC_PROJECT_ID

Replace the following:

  • PROJECT_ID: the ID of the target Distributed Cloud Edge Cloud project.
  • VPC_PROJECT_ID: the ID of the target VPC project.

For more information about how to set IAM roles and permissions, see Manage access to projects, folders, and organizations.
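Before creating a cross-project VPN Connection, it is worth confirming that the binding above actually landed in the VPC project, since the service agent, not the caller, creates the Cloud Router and Cloud VPN resources. The following is an added example, not part of this page or the product's own tooling: it checks a project IAM policy (the JSON that `gcloud projects get-iam-policy VPC_PROJECT_ID --format=json` returns) for the required role, using the service agent member format given on this page; the sample policy and project number are constructed.

```python
import json

# Member string of the Distributed Cloud Edge service agent as given on this
# page; the project part follows the page's PROJECT_ID placeholder.
EDGE_AGENT_FMT = "serviceAccount:service-{project}@gcp-sa-edgecontainer.iam.gserviceaccount.com"
REQUIRED_ROLE = "roles/compute.networkAdmin"


def edge_service_agent(edge_project_id):
    """IAM member string for the service agent of the Edge cluster's project."""
    return EDGE_AGENT_FMT.format(project=edge_project_id)


def roles_for_member(policy, member):
    """Roles bound to `member` in an IAM policy dict.

    Bindings that carry an IAM condition are ignored on purpose: a conditional
    grant may not hold when Distributed Cloud Edge acts, so it is treated as
    absent (a conservative choice made by this example).
    """
    roles = set()
    for binding in policy.get("bindings", []):
        if binding.get("condition"):
            continue
        if member in binding.get("members", []):
            roles.add(binding["role"])
    return roles


def vpc_project_ready(policy, edge_project_id):
    """True if the Edge service agent holds roles/compute.networkAdmin."""
    return REQUIRED_ROLE in roles_for_member(policy, edge_service_agent(edge_project_id))


# Constructed sample of what `gcloud projects get-iam-policy VPC_PROJECT_ID
# --format=json` returns once the binding command above has been applied.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/viewer", "members": ["user:alice@example.com"]},
    {"role": "roles/compute.networkAdmin",
     "members": ["serviceAccount:service-123456789@gcp-sa-edgecontainer.iam.gserviceaccount.com"]}
  ],
  "etag": "BwXyZ=",
  "version": 1
}
""")

if __name__ == "__main__":
    print(vpc_project_ready(SAMPLE_POLICY, "123456789"))  # True
    print(vpc_project_ready(SAMPLE_POLICY, "999999"))     # False
```

Running the same check before deleting a cross-project VPN Connection catches the case described under Limitations, where a removed grant blocks the deletion.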

Create a cross-project VPN Connection

To create a VPN Connection to a VPC network in a different Cloud project, complete the steps in this section.

gcloud

gcloud edge-cloud container vpn-connections create VPN_CONNECTION_NAME \
    --project=PROJECT_ID \
    --location=REGION \
    --cluster=CLUSTER_NAME \
    --vpc-project=VPC_PROJECT_ID \
    --vpc-network=VPC_NETWORK_NAME \
    --nat-gateway-ip=NAT_GATEWAY_IP \
    --high-availability

Replace the following:

  • VPN_CONNECTION_NAME is a descriptive name that uniquely identifies this VPN Connection.
  • PROJECT_ID is the ID of the target Distributed Cloud Edge cluster Cloud project.
  • REGION is the Google Cloud region in which the target Distributed Cloud Edge Zone has been created.
  • CLUSTER_NAME is the name of the target Distributed Cloud Edge cluster.
  • VPC_PROJECT_ID is the ID of the target Cloud project containing the target VPC network.
  • VPC_NETWORK_NAME is the name of the target VPC network to which this VPN Connection will point.
  • NAT_GATEWAY_IP is the NAT gateway IP address for the target cluster. Omit if you are not using NAT.
  • --high-availability (optional) configures this VPN Connection for high availability on the cluster side by setting up two separate VPN clients running on two separate Nodes. Omit this flag to disable high availability.

API

Create the VPN Connection by making a POST request to the projects.locations.vpnConnections.create method as follows:

POST /v1/PROJECT_ID/locations/REGION/vpnConnections?vpnConnectionId=VPN_CONNECTION_ID&requestId=REQUEST_ID
{
  "name": VPN_CONNECTION_NAME,
  "labels": {},
  "natGatewayIp": NAT_GATEWAY,
  "cluster": CLUSTER_PATH,
  "vpc": VPC_NETWORK_ID,
  "vpcProject": VPC_PROJECT_ID,
  "vpcServiceAccount": VPC_PROJECT_SERVICE_ACCOUNT,
  "enableHighAvailability": HA_ENABLE
}

Replace the following:

  • PROJECT_ID is the ID of the target Google Cloud project.
  • REGION is the Google Cloud region in which the target Distributed Cloud Edge Zone has been created.
  • VPN_CONNECTION_ID is a unique programmatic ID that identifies this VPN Connection resource.
  • REQUEST_ID is a unique programmatic ID that identifies this request.
  • VPN_CONNECTION_NAME is a descriptive name that uniquely identifies this VPN Connection.
  • NAT_GATEWAY is the IP address of your NAT gateway.
  • CLUSTER_PATH is the full canonical path to the target cluster.
  • VPC_NETWORK_ID is the ID of the target VPC network.
  • VPC_PROJECT_ID is the ID of the target Cloud project containing the target VPC network.
  • VPC_PROJECT_SERVICE_ACCOUNT is the Distributed Cloud Edge service account (service-PROJECT_ID@gcp-sa-edgecontainer.iam.gserviceaccount.com) to which you granted the Compute Network Admin role in the target VPC project, as described in Prerequisites.
  • HA_ENABLE indicates whether to configure this VPN Connection for high availability on the cluster side. If set to TRUE, configures two separate VPN clients running on two separate Nodes.
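The following is an added example, not code from this page or from the product, that builds the request body for both the same-project create call and the cross-project create call above and enforces the constraints this page states (IPv4-only NAT gateway address, a full canonical cluster path) before anything is sent. The cluster path pattern, the rule that vpcProject and vpcServiceAccount go together, and all sample values are assumptions of the example.

```python
import ipaddress
import re

# Canonical cluster path format assumed by this example; the page only says
# "the full canonical path to the target cluster".
CLUSTER_PATH_RE = re.compile(r"^projects/[^/]+/locations/[^/]+/clusters/[^/]+$")


def build_vpn_connection_request(name, cluster_path, vpc_network_id,
                                 nat_gateway_ip=None, high_availability=False,
                                 vpc_project_id=None, vpc_service_account=None,
                                 labels=None):
    """Build the JSON body for projects.locations.vpnConnections.create.

    Raises ValueError for input the page's constraints rule out, instead of
    sending a request that fails or yields a misconfigured connection.
    """
    if not CLUSTER_PATH_RE.match(cluster_path):
        raise ValueError(f"cluster must be a full canonical path, got {cluster_path!r}")
    body = {
        "name": name,
        "labels": dict(labels or {}),
        "cluster": cluster_path,
        "vpc": vpc_network_id,
        "enableHighAvailability": bool(high_availability),
    }
    if nat_gateway_ip is not None:
        # VPN Connections support IPv4 only, so an IPv6 or malformed NAT
        # gateway address is rejected here rather than by the service.
        addr = ipaddress.ip_address(nat_gateway_ip)
        if addr.version != 4:
            raise ValueError(f"natGatewayIp must be IPv4, got {nat_gateway_ip}")
        body["natGatewayIp"] = str(addr)
    # Cross-project form: vpcProject and vpcServiceAccount are required
    # together (an assumption of this example; the page lists them side by side).
    if (vpc_project_id is None) != (vpc_service_account is None):
        raise ValueError("vpcProject and vpcServiceAccount must be set together")
    if vpc_project_id is not None:
        body["vpcProject"] = vpc_project_id
        body["vpcServiceAccount"] = vpc_service_account
    return body


if __name__ == "__main__":  # constructed sample values, not a real deployment
    print(build_vpn_connection_request(
        "edge-to-shared-vpc", "projects/edge-proj/locations/us-central1/clusters/edge-cluster",
        "shared-vpc", nat_gateway_ip="203.0.113.7", high_availability=True,
        vpc_project_id="vpc-proj", vpc_service_account="service-123@gcp-sa-edgecontainer.iam.gserviceaccount.com"))
```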

Limitations of cross-project VPN Connections

Cross-project VPN Connections have the following limitations:

  • The cross-project VPN Connection resource exists only on your Distributed Cloud Edge cluster.
  • If you alter the permissions on the Distributed Cloud Edge service account in the target VPC project, you will not be able to delete the cross-project VPN Connection from your Distributed Cloud Edge cluster.

Cloud Audit Logs for cross-project VPN Connections

When you create a cross-project VPN Connection, Cloud Audit Logs logs are written as follows:

  • The audit logs for your Distributed Cloud Edge cluster record the long-running operation, authentication, and authorization information for the cross-project VPN Connection. This includes the caller of the create operation and the permissions the caller has been granted or denied.
  • The audit logs for the target VPC project record information about the Google Cloud resources that enable the cross-project VPN Connection, such as the Cloud Router and Cloud VPN resources. The caller accessing these resources is the Distributed Cloud Edge service account to which you have granted the Edge Container Service Agent role.

What's next