# Create a VPN gateway and peer gateway

This page describes how to create a VPN gateway or a peer gateway resource.

VPN gateways provide secure connectivity between multiple sites, such as between on-premises data centers and cloud environments. There are two gateway components to configure for Google Distributed Cloud (GDC) air-gapped VPN:

- A VPN gateway in GDC.
- Your peer VPN gateway. This is a physical VPN gateway device or a software application in the peer network to which the VPN gateway connects. The peer gateway can be either an on-premises VPN gateway or one hosted by another cloud provider.
Before you begin
----------------

To manage or view VPN resources from the GDC console, you must have the necessary identity and access roles:

- VPN Admin: has read and write permissions on all VPN-related resources. Ask your Organization IAM Admin to grant you the VPN Admin (`vpn-admin`) role.
- VPN Viewer: has read permissions on all VPN-related resources. Ask your Organization IAM Admin to grant you the VPN Viewer (`vpn-viewer`) role.
- For more information, see [Role definitions](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/iam/role-definitions).
Create a VPN gateway
--------------------

To create a VPN gateway, follow these steps:

1. Specify an interface name on the gateway to represent the IP address. When the gateway is created, an external IPv4 address is allocated to that interface automatically. Create the VPN gateway object in the `platform` namespace:

   ```shell
   kubectl --kubeconfig MANAGEMENT_API_SERVER create -n platform -f - <<EOF
   apiVersion: networking.gdc.goog/v1
   kind: VPNGateway
   metadata:
     name: VPN_GW_NAME
   spec:
     interfaces:
     - name: VPN_INTERFACE_NAME
   EOF
   ```

   Replace the following:

   - MANAGEMENT_API_SERVER: the zonal API server's kubeconfig path. If you have not yet generated a kubeconfig file for the API server in your targeted zone, see [Sign in](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/iam/sign-in#cli) for details.
   - VPN_GW_NAME: the name of the VPN gateway object. For example, `vpngateway`.
   - VPN_INTERFACE_NAME: the name of the VPN interface. For example, `interface0`.
2. Verify that the VPN_GW_NAME object was correctly reconciled by examining its `status` field. Get the details for the VPN gateway object (the output below is the `status` block in the YAML layout printed by `kubectl get -o yaml`; `kubectl describe -n platform vpngateway VPN_GW_NAME` shows the same conditions in a title-cased layout):

   ```shell
   kubectl --kubeconfig MANAGEMENT_API_SERVER get -n platform vpngateway VPN_GW_NAME -o yaml
   ```

   Examine the output. It must look similar to the following example:
   ```yaml
   status:
     conditions:
     - lastTransitionTime: "2024-05-10T00:12:58Z"
       message: All interfaces are assigned an IP.
       observedGeneration: 1
       reason: Ready
       status: "True"
       type: IPsAssigned
     - lastTransitionTime: "2024-05-10T00:12:36Z"
       message: Condition "TunnelsAttached" is not ready.
       observedGeneration: 1
       reason: NotReady
       status: "False"
       type: Ready
     - lastTransitionTime: "2024-05-10T00:12:36Z"
       message: 'At least one interface is not attached to any VPNTunnel: ["interface0"]'
       observedGeneration: 1
       reason: NoTunnelAttached
       status: "False"
       type: TunnelsAttached
     interfaces:
     - ip: 10.252.218.240
       name: interface0
   ```
   At this point `IPsAssigned` must be `True`, while `TunnelsAttached` and therefore `Ready` are expected to be `False`: the `VPNGateway` object does not become ready until it is attached to a `VPNTunnel`. The address in `status.interfaces[].ip` is the external IPv4 address allocated to the interface; you need it when configuring the peer side. The tunnel is created in [Create a VPN Tunnel](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/vpn/configure-the-tunnel#create-a-vpn-tunnel).
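Both procedures on this page, the `VPNGateway` steps above and the `PeerGateway` object created in the next section, come down to submitting a small manifest and then reading `status.conditions`. The following Python script is an added example, not code from the GDC documentation or product: it builds both manifests as JSON (which `kubectl create -f -` accepts, so no YAML library is needed), applies the input checks a practitioner would want before submitting (a valid Kubernetes object name, a usable unicast IPv4 address for the peer), emits the `kubectl` commands for creation and for waiting on a condition instead of polling by hand, and classifies a status block such as the one shown above. The peer address `203.0.113.10`, the kubeconfig path, the `stage` labels and the name and IP checks are this example's assumptions; the `apiVersion`, kinds, condition types and the sample status are the page's own.

```python
"""Build and check the VPNGateway and PeerGateway manifests from this page, then
classify the status conditions the Management API server reports back.

Added example for this page, not part of the GDC product or its documentation.
Anything marked "assumption" is this example's choice, not the page's.
"""
from __future__ import annotations

import ipaddress
import json
import re

API_VERSION = "networking.gdc.goog/v1"   # as used on the page
NAMESPACE = "platform"                   # the page creates both objects here

# Kubernetes object names must be DNS-1123 subdomains; the API server rejects others.
_DNS1123 = re.compile(r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$")


def validate_name(name: str) -> str:
    if len(name) > 253 or not _DNS1123.match(name):
        raise ValueError(f"invalid Kubernetes object name: {name!r}")
    return name


def validate_peer_ip(ip: str) -> str:
    """Accept only a unicast IPv4 address for the peer interface.

    The page requires a static external IPv4 address. Rejecting loopback, multicast,
    link-local, unspecified and reserved ranges is an added check (assumption): none
    of them can be a reachable IKE peer. RFC 1918 space is deliberately allowed, since
    in an air-gapped deployment "external" means outside GDC, not on the public Internet.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError(f"peer interface IP must be IPv4: {ip}")
    if (addr.is_loopback or addr.is_multicast or addr.is_link_local
            or addr.is_unspecified or addr.is_reserved):
        raise ValueError(f"peer interface IP is not a routable unicast address: {ip}")
    return str(addr)


def vpn_gateway_manifest(name: str, interface_names: list[str]) -> dict:
    """VPNGateway: interfaces carry only a name; GDC allocates the external IP on creation."""
    return {
        "apiVersion": API_VERSION,
        "kind": "VPNGateway",
        "metadata": {"name": validate_name(name), "namespace": NAMESPACE},
        "spec": {"interfaces": [{"name": n} for n in interface_names]},
    }


def peer_gateway_manifest(name: str, interface_name: str, ip: str) -> dict:
    """PeerGateway: the interface carries the peer's static external IPv4 address."""
    return {
        "apiVersion": API_VERSION,
        "kind": "PeerGateway",
        "metadata": {"name": validate_name(name), "namespace": NAMESPACE},
        "spec": {"interfaces": [{"name": interface_name, "ip": validate_peer_ip(ip)}]},
    }


def kubectl_create_argv(kubeconfig: str) -> list[str]:
    """The create command from the page; pipe json.dumps(manifest) to its stdin."""
    return ["kubectl", "--kubeconfig", kubeconfig, "create", "-n", NAMESPACE, "-f", "-"]


def kubectl_wait_argv(kubeconfig: str, kind: str, name: str, condition: str,
                      timeout: str = "120s") -> list[str]:
    """Block until status.conditions[type=condition].status is True instead of re-running
    describe by hand. Assumes the standard type/status condition shape the page's output shows."""
    return ["kubectl", "--kubeconfig", kubeconfig, "wait", "-n", NAMESPACE,
            f"{kind.lower()}/{name}", f"--for=condition={condition}", f"--timeout={timeout}"]


def evaluate_status(status: dict) -> dict:
    """Classify a VPNGateway or PeerGateway status block.

    stage (assumption, this example's labels):
      "ready"            Ready is True.
      "awaiting-tunnel"  the address condition is True but no VPNTunnel references the
                         interface yet: the expected state right after this page's steps.
      "not-ready"        anything else: fix the gateway before creating a tunnel.
    """
    conds = {c["type"]: c for c in status.get("conditions", [])}
    true = lambda t: conds.get(t, {}).get("status") == "True"
    # Interfaces still waiting for a tunnel are listed in the TunnelsAttached message.
    m = re.search(r"\[.*\]", conds.get("TunnelsAttached", {}).get("message", ""))
    try:
        unattached = json.loads(m.group(0)) if m else []
    except json.JSONDecodeError:
        unattached = []
    if true("Ready"):
        stage = "ready"
    elif (true("IPsAssigned") or true("ValidGatewayIPs")) and not true("TunnelsAttached"):
        stage = "awaiting-tunnel"
    else:
        stage = "not-ready"
    return {"stage": stage, "unattached_interfaces": unattached,
            "interface_ips": {i["name"]: i["ip"] for i in status.get("interfaces", [])}}


# The VPNGateway status shown on this page, transcribed as a dict (constructed input).
SAMPLE_VPN_GATEWAY_STATUS = {
    "conditions": [
        {"type": "IPsAssigned", "status": "True", "reason": "Ready",
         "message": "All interfaces are assigned an IP."},
        {"type": "Ready", "status": "False", "reason": "NotReady",
         "message": 'Condition "TunnelsAttached" is not ready.'},
        {"type": "TunnelsAttached", "status": "False", "reason": "NoTunnelAttached",
         "message": 'At least one interface is not attached to any VPNTunnel: ["interface0"]'},
    ],
    "interfaces": [{"ip": "10.252.218.240", "name": "interface0"}],
}

if __name__ == "__main__":
    kubeconfig = "/path/to/zonal-kubeconfig"   # assumption: your MANAGEMENT_API_SERVER path
    for manifest in (vpn_gateway_manifest("vpngateway", ["interface0"]),
                     peer_gateway_manifest("peergateway", "interface0", "203.0.113.10")):
        print(" ".join(kubectl_create_argv(kubeconfig)), "<<EOF")
        print(json.dumps(manifest, indent=2) + "\nEOF")
    print(" ".join(kubectl_wait_argv(kubeconfig, "VPNGateway", "vpngateway", "IPsAssigned")))
    print(evaluate_status(SAMPLE_VPN_GATEWAY_STATUS))
```

Run stand-alone, the script prints the two heredoc-wrapped `kubectl create` commands, a `kubectl wait` line for `IPsAssigned`, and `{'stage': 'awaiting-tunnel', 'unattached_interfaces': ['interface0'], ...}` for the page's sample status, which is exactly the state you should see before moving on to the tunnel. Waiting on `IPsAssigned` (or `ValidGatewayIPs` for the peer) rather than `Ready` matters: `Ready` cannot become `True` until a `VPNTunnel` exists, so a wait on `Ready` here would always time out.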
Create a peer VPN gateway
-------------------------

Create a peer VPN gateway by creating a `PeerGateway` object in the Management API server. The `PeerGateway` object represents a remote VPN endpoint. An interface on a `PeerGateway` object is used by a VPN tunnel to establish an encrypted tunnel to the remote site. To create a peer VPN gateway, follow these steps:

1. Specify an interface name and the static external IPv4 address of your peer VPN gateway. The `PeerGateway` object must be created in the `platform` namespace:

   ```shell
   kubectl --kubeconfig MANAGEMENT_API_SERVER create -n platform -f - <<EOF
   apiVersion: networking.gdc.goog/v1
   kind: PeerGateway
   metadata:
     name: PEER_GW_NAME
   spec:
     interfaces:
     - name: PEER_INTERFACE_NAME
       ip: PEER_INTERFACE_IP
   EOF
   ```

   Replace the following:

   - MANAGEMENT_API_SERVER: the zonal API server's kubeconfig path, as in the previous section.
   - PEER_GW_NAME: the name of the peer VPN gateway. For example, `peergateway`.
   - PEER_INTERFACE_NAME: the name of the peer interface. For example, `interface0`.
   - PEER_INTERFACE_IP: the static external IPv4 address of your peer VPN gateway. The tunnel is established against this address, so it must not change; a peer whose address is dynamically assigned cannot be used.

2. Verify that the PEER_GW_NAME object was correctly reconciled by examining its `Status` field. Get the details for the peer VPN gateway object:

   ```shell
   kubectl --kubeconfig MANAGEMENT_API_SERVER describe -n platform peergateway PEER_GW_NAME
   ```

   Examine the output. It must look similar to the following example:

   ```
   Status:
     Conditions:
       Last Transition Time:  2024-05-10T00:15:25Z
       Message:               Condition "TunnelsAttached" is not ready.
       Observed Generation:   1
       Reason:                NotReady
       Status:                False
       Type:                  Ready
       Last Transition Time:  2024-05-10T00:20:45Z
       Message:               Ready
       Observed Generation:   1
       Reason:                Ready
       Status:                True
       Type:                  ValidGatewayIPs
       Last Transition Time:  2024-05-10T00:15:25Z
       Message:               At least one interface is not attached to any VPNTunnel: ["interface0"]
       Observed Generation:   1
       Reason:                NoTunnelAttached
       Status:                False
       Type:                  TunnelsAttached
   ```

   `ValidGatewayIPs` being `True` confirms that the address you supplied was accepted. As with the VPN gateway, `TunnelsAttached` and `Ready` stay `False` until a tunnel references the interface.

The `PeerGateway` object must be referenced by a `VPNTunnel`. This step is handled in [Create a VPN Tunnel](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/vpn/configure-the-tunnel#create-a-vpn-tunnel).

What's next
-----------

- [Create a VPN BGP session](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/vpn/configure-routing)
- [Supported IKE ciphers](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/vpn/supported-ike-ciphers)

Last updated 2025-09-04 UTC.