Manage VPN Connections

This page describes how to manage VPN Connection resources in a Google Distributed Cloud Edge Zone.

You must configure your network to allow the traffic required by Distributed Cloud Edge VPN Connections as described in Firewall configuration.

When you create a Distributed Cloud Edge VPN Connection, Distributed Cloud Edge creates the required Cloud VPN Gateway and Cloud Router Router resources. The names of those resources are prefixed with anthos-mcc. You must not modify those resources, otherwise the Distributed Cloud Edge VPN Connection might stop functioning. If you have accidentally modified those resources, you must delete and recreate the affected Distributed Cloud Edge VPN Connection.

For more information on Distributed Cloud Edge VPN Connections, see How Distributed Cloud Edge works.

Create a VPN Connection

To create a Distributed Cloud Edge VPN Connection, complete the steps in this section.

Keep the following in mind:

  • Distributed Cloud Edge VPN Connections support IPv4 only.
  • You can only create one VPN Connection per Distributed Cloud Edge Cluster.
  • If your local network uses multiple Network Address Translation (NAT) gateways, you must configure them so that your Distributed Cloud Edge installation uses a single IP address for outbound traffic to your VPC.
  • By default, Distributed Cloud Edge configures a single VPN client on a single Node to connect to Google Cloud using two VPN tunnels, also known as high-availability VPN on the Google Cloud end. You can further increase the availability of the VPN connection using the --high-availability flag. This flag instructs Distributed Cloud Edge to configure two VPN clients on two separate Nodes for a total of four VPN tunnels.
  • You must delete and re-create a VPN Connection if you want to change its configuration.
  • You can only manage VPN Connections using the gcloud CLI tool or the Distributed Cloud Edge API.

To complete this task, you must have the GDCE Admin role on your Cloud project. For more information, see Permissions and roles.

gcloud

gcloud edge-cloud container vpn-connections create VPN_CONNECTION_NAME \
    --project=PROJECT_ID \
    --location=REGION \
    --cluster=CLUSTER_NAME \
    --vpc-network=VPC_NETWORK_NAME \
    --nat-gateway-ip=NAT_GATEWAY_IP \
    --high-availability

Replace the following:

  • VPN_CONNECTION_NAME is a descriptive name that uniquely identifies this VPN Connection.
  • PROJECT_ID is the ID of the target Google Cloud project.
  • REGION is the Google Cloud region in which the target Distributed Cloud Edge Zone has been created.
  • CLUSTER_NAME is the name of the target Distributed Cloud Edge Cluster.
  • VPC_NETWORK_NAME is the name of the target VPC network to which this VPN Connection will point. This network must be in the same Cloud project as your Distributed Cloud Edge installation.
  • NAT_GATEWAY_IP is the NAT gateway IP address for the target Cluster. Omit if you are not using NAT.

API

Create the VPN Connection by making a POST request to the projects.locations.vpnConnections.create method as follows:

POST /v1/PROJECT_ID/locations/REGION/vpnConnections?vpnConnectionId=VPN_CONNECTION_ID&requestId=REQUEST_ID
{
  "name": VPN_CONNECTION_NAME,
  "labels": {
  },
  "natGatewayIp": NAT_GATEWAY,
  "cluster": CLUSTER_PATH,
  "vpc": VPC_ID,
  "enableHighAvailability": HA_ENABLE
}

Replace the following:

  • PROJECT_ID is the ID of the target Google Cloud project.
  • REGION is the Google Cloud region in which the target Distributed Cloud Edge Zone has been created.
  • VPN_CONNECTION_ID is a unique programmatic ID that identifies this VPN Connection resource.
  • REQUEST_ID is a unique programmatic ID that identifies this request.
  • VPN_CONNECTION_NAME is a descriptive name that uniquely identifies this VPN Connection.
  • NAT_GATEWAY is the IP address of your NAT gateway.
  • CLUSTER_PATH is the full canonical path to the target Cluster.
  • VPC_ID is the ID of the target VPC.
  • HA_ENABLE indicates whether to configure this VPN Connection for high availability on the Cluster side. If set to TRUE, configures two separate VPN clients running on two separate Nodes.
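The following helper, added here and not part of this page or of any Google client library, assembles the create request described above and enforces the constraints the page states (IPv4 only, natGatewayIp omitted when no NAT is in use, a full canonical Cluster path, a fresh requestId for safe retries). The parent resource format projects/PROJECT_ID/locations/REGION and the Cluster path format are assumptions; all sample values are constructed.

```python
import ipaddress
import json
import re
import uuid
from urllib.parse import urlencode

# Canonical Cluster resource path; this format is an assumption of the example.
CLUSTER_PATH_RE = re.compile(r"^projects/[^/]+/locations/[^/]+/clusters/[^/]+$")


def build_create_request(project_id, region, vpn_connection_id, cluster_path,
                         vpc_id, nat_gateway_ip=None, high_availability=False,
                         request_id=None):
    """Return (request_path, body_dict) for projects.locations.vpnConnections.create."""
    if not CLUSTER_PATH_RE.match(cluster_path):
        raise ValueError("cluster must be a full canonical path: " + cluster_path)
    if not cluster_path.startswith(f"projects/{project_id}/"):
        raise ValueError("cluster must belong to the target project")
    body = {
        "name": vpn_connection_id,
        "labels": {},
        "cluster": cluster_path,
        "vpc": vpc_id,
        "enableHighAvailability": bool(high_availability),
    }
    if nat_gateway_ip is not None:
        addr = ipaddress.ip_address(nat_gateway_ip)  # rejects malformed input
        if addr.version != 4:
            raise ValueError("VPN Connections support IPv4 only")
        body["natGatewayIp"] = str(addr)
    # A fresh UUID per create call lets a retried request be deduplicated server-side.
    rid = request_id or str(uuid.uuid4())
    parent = f"projects/{project_id}/locations/{region}"  # assumed parent format
    query = urlencode({"vpnConnectionId": vpn_connection_id, "requestId": rid})
    return f"/v1/{parent}/vpnConnections?{query}", body


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    path, body = build_create_request(
        "my-project", "us-central1", "site1-vpn",
        "projects/my-project/locations/us-central1/clusters/site1", "my-vpc",
        nat_gateway_ip="203.0.113.7", high_availability=True)
    print("POST", path)
    print(json.dumps(body, indent=2))
```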

List VPN Connections

To list the VPN Connections provisioned for a Distributed Cloud Edge Cluster, complete the steps in this section.

To complete this task, you must have the GDCE Viewer role on your Cloud project. For more information, see Permissions and roles.

gcloud

gcloud edge-cloud container vpn-connections list \
    --project=PROJECT_ID \
    --location=REGION \
    --cluster=CLUSTER_NAME

Replace the following:

  • PROJECT_ID is the ID of the target Google Cloud project.
  • REGION is the Google Cloud region in which the target Distributed Cloud Edge Zone has been created.
  • CLUSTER_NAME is the name of the target Distributed Cloud Edge Cluster.

API

List the VPN Connections by making a GET request to the projects.locations.vpnConnections.list method as follows:

GET /v1/PROJECT_ID/locations/REGION/vpnConnections?filter=FILTER&pageSize=PAGE_SIZE&orderBy=SORT_BY&pageToken=PAGE_TOKEN

Replace the following:

  • PROJECT_ID is the ID of the target Google Cloud project.
  • REGION is the Google Cloud region in which the target Distributed Cloud Edge Zone has been created.
  • FILTER is an expression that constrains the returned results to specific values.
  • PAGE_SIZE is the number of results to return per page.
  • SORT_BY is a comma-delimited list of field names by which the returned results are sorted. The default sort order is ascending; for descending sort order, prefix the desired field with ~.
  • PAGE_TOKEN is a token received in the response to the last list request in the nextPageToken field in the response. Send this token to receive the following page of results.

Get information about a VPN Connection

To get information about a Distributed Cloud Edge VPN Connection, complete the steps in this section.

To complete this task, you must have the GDCE Viewer role on your Cloud project. For more information, see Permissions and roles.

gcloud

gcloud edge-cloud container vpn-connections describe VPN_CONNECTION_NAME \
    --cluster=CLUSTER_NAME \
    --location=REGION \
    --project=PROJECT_ID

Replace the following:

  • VPN_CONNECTION_NAME is the name of the target VPN Connection.
  • PROJECT_ID is the ID of the target Google Cloud project.
  • REGION is the Google Cloud region in which the target Distributed Cloud Edge Zone has been created.
  • CLUSTER_NAME is the name of the target Distributed Cloud Edge Cluster.

API

Get information about the VPN Connection by making a GET request to the projects.locations.vpnConnections.get method as follows:

GET /v1/PROJECT_ID/locations/REGION/vpnConnections/VPN_CONNECTION_NAME

Replace the following:

  • PROJECT_ID is the ID of the target Google Cloud project.
  • REGION is the Google Cloud region in which the target Distributed Cloud Edge Zone has been created.
  • VPN_CONNECTION_NAME is the name of the target VPN Connection.

Delete a VPN Connection

To delete a Distributed Cloud Edge VPN Connection, complete the steps in this section.

To complete this task, you must have the GDCE Admin role on your Cloud project. For more information, see Permissions and roles.

gcloud

gcloud edge-cloud container vpn-connections delete VPN_CONNECTION_NAME \
    --cluster=CLUSTER_NAME \
    --location=REGION \
    --project=PROJECT_ID

Replace the following:

  • PROJECT_ID is the ID of the target Google Cloud project.
  • REGION is the Google Cloud region in which the target Distributed Cloud Edge Zone has been created.
  • VPN_CONNECTION_NAME is the name of the target VPN Connection.
  • CLUSTER_NAME is the name of the target Distributed Cloud Edge Cluster.

API

Delete the VPN Connection by making a DELETE request to the projects.locations.vpnConnections.delete method as follows:

DELETE /v1/PROJECT_ID/locations/REGION/vpnConnections/VPN_CONNECTION_NAME?requestId=REQUEST_ID

Replace the following:

  • PROJECT_ID is the ID of the target Google Cloud project.
  • REGION is the Google Cloud region in which the target Distributed Cloud Edge Zone has been created.
  • VPN_CONNECTION_NAME is the name of the target VPN Connection.
  • REQUEST_ID is a unique programmatic ID that identifies this request.

What's next