This page provides an overview of the Google Distributed Cloud (GDC) air-gapped VPN feature and describes the supported specifications and tunneling protocols.
GDC VPN securely extends a peer network to a user's virtual machine (VM) in an organization of a GDC zone through an Internet Protocol Security (IPsec) VPN connection.
Configure the GDC VPN using the VPNGateway, PeerGateway, VPNBGPPeer, and VPNTunnel resources from the Networking API.
Specifications
The GDC VPN has the following specifications:
- GDC VPN only supports site-to-site IPsec VPN connectivity. IPsec is a suite of protocols designed to secure communication over IP networks. Other VPN technologies, such as SSL VPN, are not supported.
- The peer VPN gateway must have a static external IPv4 address. You need this IP address to configure the GDC VPN.
- If your peer VPN gateway is behind a firewall rule, you must configure the firewall rule to pass both Encapsulating Security Payload (ESP) IPsec protocol and Internet Key Exchange (IKE) UDP 500 and UDP 4500 traffic to it.
- GDC VPN only supports one-to-one NAT by using UDP encapsulation for NAT-Traversal (NAT-T). The peer VPN gateway must be configured to identify itself using its static external IPv4 address, not its internal private IP.
- IPv6 traffic is not supported.
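As an added example (not code from the GDC documentation), the following Python preflight check encodes the peer-gateway requirements listed above: a public IPv4 address, an IKE identity equal to the external address, and inbound ESP plus UDP 500/4500 permitted by the peer's firewall. The function name and the `(protocol, port)` rule-list format are assumptions made for the example; whether the address is actually static cannot be verified programmatically.

```python
import ipaddress

# Inbound traffic the peer VPN gateway must accept for a GDC IPsec tunnel:
# ESP, plus IKE on UDP 500 and NAT-T on UDP 4500. A port of None means
# "the whole protocol" (ESP has no ports).
REQUIRED_INBOUND = [("esp", None), ("udp", 500), ("udp", 4500)]

# Ranges that are internal to a site and can never be the peer's static
# external IPv4 address (RFC 1918, CGNAT shared space, loopback, link-local).
INTERNAL_V4 = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16")]


def check_peer_gateway(peer_ip, ike_identity, allow_rules):
    """Return a list of findings; an empty list means every check passed.

    allow_rules is an assumed list of (protocol, port) tuples describing what
    the peer's firewall lets in from the GDC VPN gateway. Whether the address
    is really static has to be confirmed with the network owner."""
    findings = []
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return [f"peer address {peer_ip!r} is not a valid IP address"]
    if addr.version != 4:
        findings.append("peer address is IPv6; GDC VPN supports IPv4 only")
    elif any(addr in net for net in INTERNAL_V4):
        findings.append(f"peer address {peer_ip} is an internal address, not a public IPv4 address")
    # With one-to-one NAT the peer must identify itself by its external address.
    if ike_identity != peer_ip:
        findings.append(f"IKE identity {ike_identity!r} does not match external address {peer_ip}")
    allowed = {(proto.lower(), port) for proto, port in allow_rules}
    for proto, port in REQUIRED_INBOUND:
        if (proto, port) not in allowed:
            what = proto.upper() if port is None else f"{proto.upper()}/{port}"
            findings.append(f"firewall does not allow inbound {what}")
    return findings


if __name__ == "__main__":
    # Constructed sample: a peer whose firewall allows IKE but not NAT-T.
    for finding in check_peer_gateway("203.0.113.10", "203.0.113.10",
                                      [("ESP", None), ("udp", 500)]):
        print("FAIL:", finding)
```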
IPsec and IKE support
GDC VPN supports IKEv2 by using an IKE pre-shared key (shared secret) and IKE ciphers. GDC VPN only supports a pre-shared key for authentication. When you create the GDC VPN tunnel, specify a pre-shared key. When you create the tunnel at the peer VPN gateway, specify this same pre-shared key. For more information, see Create the secret with a PSK.
GDC VPN supports ESP in tunnel mode with authentication, but does not support AH or ESP in transport mode.