This page provides an overview of the Google Distributed Cloud (GDC) air-gapped VPN feature and describes the supported specifications and tunneling protocols.
GDC VPN securely extends a peer network to a user's
virtual machine (VM) in an organization of a GDC zone
through an Internet Protocol Security (IPsec) VPN connection.
Configure the GDC VPN using the VPNGateway,
PeerGateway, VPNBGPPeer, and VPNTunnel resources from the Networking
API.
Specifications
The GDC VPN has the following specifications:
GDC VPN only supports site-to-site IPsec VPN connectivity. IPsec is a suite of protocols designed to secure communication over IP networks. Other VPN technologies, such as SSL VPN, are not supported.
The peer VPN gateway must have a static external IPv4 address. You need this IP address to configure VPN.
If your peer VPN gateway is behind a firewall, you must configure the firewall rule to pass both the Encapsulating Security Payload (ESP) IPsec protocol and Internet Key Exchange (IKE) traffic on UDP 500 and UDP 4500 to it.
GDC VPN only supports one-to-one NAT by using UDP encapsulation for NAT Traversal (NAT-T). The peer VPN gateway must be configured to identify itself using its static external IPv4 address, not its internal private IP.
IPv6 traffic is not supported.
IPsec and IKE support
GDC VPN supports IKEv2 by using an IKE pre-shared key
(shared secret) and IKE ciphers. GDC VPN only supports a
pre-shared key for authentication. When you create the
GDC VPN tunnel, specify a pre-shared key. When you
create the tunnel at the peer VPN gateway, specify this same pre-shared key. For more information, see Create the secret with a PSK.
GDC VPN supports ESP in tunnel mode with authentication, but does not support AH or ESP in transport mode.
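The following pre-flight check turns the specifications above (static external IPv4 peer address, IKEv2 pre-shared key, firewall passing ESP plus UDP 500 and UDP 4500) into a validator you can run against a planned peer gateway configuration before creating the tunnel. It is an added example and is not GDC code; the FirewallRule and PeerGatewayConfig classes are hypothetical models, not the Networking API resources, and the "internal private IP" test is implemented as the RFC 1918 ranges plus loopback and link-local addresses.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

ESP_PROTOCOL_NUMBER = 50   # IP protocol number for IPsec ESP
IKE_UDP_PORTS = (500, 4500)  # IKE, and IKE/ESP NAT-T encapsulation

# Assumption: "internal private IP" means RFC 1918 space (plus loopback/link-local below).
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class FirewallRule:
    """Hypothetical model of one inbound rule in front of the peer VPN gateway."""
    protocol: str              # "esp", "udp", "tcp", ...
    dst_port: Optional[int]    # None for port-less protocols such as ESP
    allow: bool = True


@dataclass
class PeerGatewayConfig:
    """Hypothetical model of the peer side of the site-to-site tunnel."""
    peer_ip: str                       # address the peer gateway identifies itself with
    pre_shared_key: str                # IKEv2 PSK shared with the GDC VPNTunnel
    firewall: List[FirewallRule] = field(default_factory=list)


def check_peer_gateway(cfg: PeerGatewayConfig) -> List[str]:
    """Return the list of specification violations; an empty list means the config is acceptable."""
    problems: List[str] = []
    try:
        addr = ipaddress.ip_address(cfg.peer_ip)
    except ValueError:
        return [f"peer_ip {cfg.peer_ip!r} is not a valid IP address"]
    if addr.version != 4:
        problems.append("peer gateway must use a static external IPv4 address; IPv6 is not supported")
    elif any(addr in net for net in PRIVATE_RANGES) or addr.is_loopback or addr.is_link_local:
        problems.append("peer gateway must identify itself by its external IPv4 address, not an internal private IP")
    if not cfg.pre_shared_key:
        problems.append("an IKEv2 pre-shared key is required; PSK is the only supported authentication method")
    allowed = {(r.protocol.lower(), r.dst_port) for r in cfg.firewall if r.allow}
    if ("esp", None) not in allowed:
        problems.append(f"firewall must pass ESP (IP protocol {ESP_PROTOCOL_NUMBER}) to the peer gateway")
    for port in IKE_UDP_PORTS:
        if ("udp", port) not in allowed:
            problems.append(f"firewall must pass UDP {port} (IKE / NAT-T) to the peer gateway")
    return problems
```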
Last updated 2025-08-07 UTC.