Choosing a Network Connectivity product

Google's connectivity solutions enable you to connect your networks to Google in the following ways:

  • To Google Cloud, which enables you to access your Virtual Private Cloud (VPC) networks and Compute Engine virtual machine (VM) instances from your on-premises networks or from another cloud provider.

  • To Google Workspace and supported Google APIs, which lets you access only these products and services.

  • To CDN providers, which enables you to choose supported content delivery providers that establish Direct Peering links with Google's edge network. Choosing a provider enables you to send traffic from your VPC networks to that provider.

Connecting to Google Cloud

You can choose among the following Google Cloud products that provide network connectivity between your on-premises network and Google Cloud, or from Google Cloud to another cloud provider:

  • Cloud VPN
  • Dedicated Interconnect
  • Partner Interconnect
  • Cloud Router

If you need to access only Google Workspace or supported Google APIs, you have the following options:

  • You can use Direct Peering to directly connect (peer) with Google at a Google edge location.
  • You can use Carrier Peering to connect through a supported peering partner.

If you need to encrypt traffic to Google Cloud, or you need a lower throughput solution, or you are experimenting with migrating your workloads to Google Cloud, you can choose Cloud VPN.

If you need an enterprise-grade connection to Google Cloud that has higher throughput, you can choose Dedicated Interconnect or Partner Interconnect.

We recommend using Cloud Interconnect over Direct Peering and Carrier Peering, which you would only use in certain circumstances. For a quick summary, you can compare the features of Cloud Interconnect with Direct Peering and Cloud Interconnect with Carrier Peering.

Cloud Router provides dynamic routing by using the Border Gateway Protocol (BGP) over Cloud Interconnect connections and Cloud VPN gateways.

For pricing, quotas, service level agreement (SLA), and release note information for all Network Connectivity products, see the Network Connectivity resources page.

For high-level architectural guides and tutorials that describe networking scenarios for Google Cloud, see the Technical guides for networking.

Cloud VPN

Google Cloud offers two types of Cloud VPN gateways, HA VPN and Classic VPN.

For information about moving to HA VPN, see Moving to HA VPN from Classic VPN.

HA VPN

HA VPN is a high availability (HA) Cloud VPN solution that lets you securely connect your on-premises network to your Virtual Private Cloud (VPC) network through an IPsec VPN connection in a single region. HA VPN provides an SLA of 99.99% service availability.

When you create an HA VPN gateway, Google Cloud automatically chooses two external IP addresses, one for each of its two interfaces (the number of interfaces is fixed at two). Each IP address is automatically chosen from a unique address pool to support high availability. Each of the HA VPN gateway interfaces supports multiple tunnels. You can also create multiple HA VPN gateways. When you delete the HA VPN gateway, Google Cloud releases the IP addresses for reuse. You can configure an HA VPN gateway with only one active interface and one public IP address; however, this configuration does not provide a 99.99% service availability SLA.

In the API documentation and in gcloud commands, HA VPN gateways are referred to as VPN gateways rather than target VPN gateways. You don't need to create any forwarding rules for HA VPN gateways.

HA VPN uses an external VPN gateway resource in Google Cloud to provide information to Google Cloud about your peer VPN gateway or gateways.
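
One way to check the two-interface condition described above, as an added example that is not part of the original page: the script audits tunnel records shaped like `gcloud compute vpn-tunnels list --format=json` output. The project, resource names and sample records are constructed, and treating "an established tunnel on both interfaces" as the test is an assumption of this example (necessary for the 99.99% configuration, not a full SLA check).

```python
from collections import defaultdict

# Constructed sample data; field names follow the Compute API vpnTunnels resource.
BASE = ("https://www.googleapis.com/compute/v1/projects/example-project"
        "/regions/us-central1")
SAMPLE_TUNNELS = [
    {"name": "ha-a-if0", "vpnGateway": f"{BASE}/vpnGateways/ha-gw-a",
     "vpnGatewayInterface": 0, "router": f"{BASE}/routers/cr-a",
     "status": "ESTABLISHED"},
    {"name": "ha-a-if1", "vpnGateway": f"{BASE}/vpnGateways/ha-gw-a",
     "vpnGatewayInterface": 1, "router": f"{BASE}/routers/cr-a",
     "status": "ESTABLISHED"},
    {"name": "ha-b-if0", "vpnGateway": f"{BASE}/vpnGateways/ha-gw-b",
     "vpnGatewayInterface": 0, "router": f"{BASE}/routers/cr-b",
     "status": "ESTABLISHED"},
    {"name": "ha-b-if1", "vpnGateway": f"{BASE}/vpnGateways/ha-gw-b",
     "vpnGatewayInterface": 1, "router": f"{BASE}/routers/cr-b",
     "status": "NO_INCOMING_PACKETS"},
    {"name": "classic-1",
     "targetVpnGateway": f"{BASE}/targetVpnGateways/classic-gw",
     "status": "ESTABLISHED"},
]


def audit_tunnels(tunnels):
    """Return {gateway_name: [findings]}; an empty list means no finding."""
    up = defaultdict(set)        # HA gateway -> interfaces with a live tunnel
    findings = defaultdict(list)
    for t in tunnels:
        if "vpnGateway" in t:                      # HA VPN tunnel
            gw = t["vpnGateway"].rsplit("/", 1)[-1]
            up[gw]                                 # register the gateway
            if t.get("status") == "ESTABLISHED":
                up[gw].add(int(t["vpnGatewayInterface"]))
            if not t.get("router"):                # HA VPN requires Cloud Router
                findings[gw].append(f"{t['name']}: no Cloud Router attached")
        elif "targetVpnGateway" in t:              # Classic VPN tunnel
            gw = t["targetVpnGateway"].rsplit("/", 1)[-1]
            msg = "Classic VPN gateway (targetVpnGateway), not HA VPN"
            if msg not in findings[gw]:
                findings[gw].append(msg)
    for gw, ifaces in up.items():
        missing = sorted({0, 1} - ifaces)          # HA VPN has interfaces 0 and 1
        if missing:
            findings[gw].append(
                f"no established tunnel on interface(s) {missing}: "
                "not the 99.99% SLA configuration")
        else:
            findings.setdefault(gw, [])
    return dict(findings)


if __name__ == "__main__":
    for gateway, issues in sorted(audit_tunnels(SAMPLE_TUNNELS).items()):
        print(gateway, "->", issues or "ok")
```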


Cloud Interconnect

Network Connectivity provides two options for extending your on-premises network to your VPC networks in Google Cloud. You can create a dedicated connection (Dedicated Interconnect) or use a service provider (Partner Interconnect) to connect to VPC networks. When choosing an interconnect type, consider your connection requirements, such as the connection location and capacity.

If you can't physically meet Google's network in a colocation facility to reach your VPC networks, you can use Partner Interconnect to connect to a variety of service providers that connect directly to Google:

  • If you have high bandwidth needs, Dedicated Interconnect can be a cost-effective solution.
  • If you require a lower bandwidth solution, Dedicated Interconnect and Partner Interconnect provide a variety of capacity options starting at 50 Mbps.
  • Cloud Interconnect provides access to all Google Cloud products and services from your on-premises network except Google Workspace.
  • Cloud Interconnect also allows access to supported APIs and services by using Private Google Access from on-premises hosts.

Compare Cloud Interconnect solutions

The following table highlights the key differences between Dedicated Interconnect and Partner Interconnect.

Features
  Dedicated Interconnect:
    • A direct connection to Google.
    • Traffic flows directly between networks, not through the public internet.
    • 10 Gbps or 100 Gbps circuits with flexible interconnect attachment (VLAN) capacities from 50 Mbps to 50 Gbps.
  Partner Interconnect:
    • More points of connectivity through one of our supported service providers.
    • Traffic flows between networks through a service provider, not through the public internet.
    • Flexible capacities from 50 Mbps to 50 Gbps.

Service providers
  Partner Interconnect:
    • Connect to supported service providers, who provide more points of connectivity compared to the colocation facilities available for Dedicated Interconnect.
    • You must work with a supported service provider. If your service provider isn't supported, or if you don't want to pass traffic through a service provider, consider Cloud VPN or Dedicated Interconnect.
    • Compared to Dedicated Interconnect, you don't need to install and maintain routing equipment in a colocation facility.

Supported bandwidth
  Dedicated Interconnect:
    • Scale your costs according to the number and capacity of interconnect attachments that you order, with capacities of 50 Mbps to 50 Gbps for each interconnect attachment.
    • Scale to meet the most demanding data needs. Connection capacity is delivered over one or more 10 Gbps or 100 Gbps Ethernet circuits, with a maximum of 8 x 10 Gbps circuits (80 Gbps), or 2 x 100 Gbps (200 Gbps) circuits for each Dedicated Interconnect connection.
    • If your traffic doesn't require a 10 Gbps or 100 Gbps circuit, consider Cloud VPN or Partner Interconnect.
  Partner Interconnect:
    • Scale your costs according to the number and capacity of interconnect attachments that you order, with capacities of 50 Mbps to 50 Gbps for each interconnect attachment.
    • Increases in the number of interconnect attachments or increasing the capacity of an existing interconnect attachment depends on your service provider's available capacity.

Setup
  Dedicated Interconnect: Requires routing equipment in a colocation facility that supports the regions that you want to connect to.
  Partner Interconnect: Use any supported service provider to connect to Google.

BGP configuration
  Dedicated Interconnect: You must configure BGP on your on-premises routers and Cloud Routers.
  Partner Interconnect: For layer 2 connections, you must configure BGP on your on-premises routers and Cloud Routers. For layer 3 connections, the configuration of your Cloud Routers and their peers is fully automated.

Encryption
  Dedicated Interconnect: The connection between your network and Google's network is not encrypted. If you require additional data security, use application-level encryption or your own VPN. Currently, you can't use Cloud VPN in combination with Dedicated Interconnect, but you can use your own VPN solution.
  Partner Interconnect: The connection between your network and Google's network is not encrypted. If you require additional data security, use application-level encryption or your own VPN. Currently, you can't use Cloud VPN in combination with Partner Interconnect, but you can use your own VPN solution.

SLA
  Dedicated Interconnect: Google offers an end-to-end SLA for the connectivity between your VPC network and on-premises network for Google-defined topologies.
  Partner Interconnect: Google provides an SLA for the connection between Google and the service provider. Your service provider might provide an end-to-end SLA, based on the Google-defined topologies. For more information, contact your service provider.

Pricing
  Dedicated Interconnect: See Dedicated Interconnect pricing.
  Partner Interconnect: Google bills you based on your interconnect attachment's capacity and egress traffic. Charges also apply to egress traffic from your VPC network to your on-premises network. This doesn't include additional charges by your service provider, who might charge you to carry data across their network. See Partner Interconnect pricing.


Cloud Router

Cloud Router is a fully distributed and managed Google Cloud service that programs custom dynamic routes and scales with your network traffic. Cloud Router works with both legacy networks and Virtual Private Cloud (VPC) networks.

Cloud Router isn't a connectivity option, but a service that works over Cloud VPN or Cloud Interconnect connections to provide dynamic routing by using the Border Gateway Protocol (BGP) for your VPC networks. Cloud Router isn't supported for Direct Peering or Carrier Peering connections.

Cloud Router isn't a physical device that might cause a bottleneck, and it can't be used by itself. However, it is required or recommended in the following cases:

  • Required for Cloud NAT
  • Required for Cloud Interconnect and HA VPN
  • A recommended configuration option for Classic VPN

When you extend your on-premises network to Google Cloud, use Cloud Router to dynamically exchange routes between your Google Cloud networks and your on-premises network. Cloud Router peers with your on-premises VPN gateway or router. The routers exchange topology information through BGP.

Topology changes automatically propagate between your VPC network and your on-premises network. When using Cloud Router, you don't need to configure static routes.

For more information, see the Cloud Router overview.

Connecting to Google Workspace and Google APIs

Direct Peering enables you to directly connect (peer) with Google Cloud at a Google edge location.

Carrier Peering enables you to peer with Google by connecting through a service provider, which in turn peers with Google. Both products give you access only to Google Workspace and supported APIs, and don't provide access to VPC networks and VMs in Google Cloud.

Direct Peering

Direct Peering enables you to establish a direct peering connection between your business network and Google's edge network and exchange high-throughput cloud traffic.

This capability is available at any of more than 100 locations in 33 countries around the world. For more information about Google's edge locations, see Google's peering site.

When established, Direct Peering provides a direct path from your on-premises network to Google services, including Google Cloud products that can be exposed through one or more public IP addresses. Traffic from Google's network to your on-premises network also takes that direct path, including traffic from VPC networks in your projects. Google Cloud customers must request that direct egress pricing be enabled for each of their projects after they have established Direct Peering with Google. For more information, see Pricing.

Direct Peering exists outside of Google Cloud. Unless you need to access Google Workspace applications, the recommended methods of access to Google Cloud are Dedicated Interconnect or Partner Interconnect.

Compare Direct Peering and Cloud Interconnect

The following table describes the differences between Direct Peering and Cloud Interconnect.

  • Direct Peering: Can be used by Google Cloud (for example, to access VMs through Cloud VPN), but does not require it.
  • Cloud Interconnect: Requires Google Cloud.

  • Direct Peering: Gives you direct access from your on-premises network to Google Workspace and Google APIs for the full suite of Google Cloud products.
  • Cloud Interconnect: Does not give you access to Google Workspace, but gives you access to all other Google Cloud products and services from your on-premises network. Also allows access to supported APIs and services by using Private Google Access from on-premises hosts.

  • Direct Peering: Has no setup or maintenance costs.
  • Cloud Interconnect: Has maintenance costs; see pricing.

  • Direct Peering: Has reduced internet egress rates to your on-premises network from Google Cloud resources in the same continental location and in an enabled project; see pricing.
  • Cloud Interconnect: Has standard egress rates for traffic sent through an Interconnect connection; see pricing.

  • Direct Peering: Connects to Google's edge network.
  • Cloud Interconnect: Connects to Google's edge network.

  • Direct Peering: Does not use any Google Cloud resources; configuration is opaque to Google Cloud projects.
  • Cloud Interconnect: Uses Google Cloud resources, such as Interconnect connections, interconnect attachments (VLANs), and Cloud Routers.

  • Direct Peering: To change the destination IP address ranges for your on-premises network, contact Google.
  • Cloud Interconnect: To change the destination IP address ranges for your on-premises network, adjust the routes that your routers share with Cloud Routers in your project.

  • Direct Peering: Routes to your on-premises network do not appear in any VPC network of your Google Cloud project.
  • Cloud Interconnect: Routes to your on-premises network are learned by Cloud Routers in your project and applied as custom dynamic routes in your VPC network.

For more information, see the Direct Peering overview.

Carrier Peering

Carrier Peering enables you to access Google applications, such as Google Workspace, by using a service provider to obtain enterprise-grade network services that connect your infrastructure to Google.

When connecting to Google through a service provider, you can get connections with higher availability and lower latency, using one or more links. Work with your service provider to get the connection that you need.

When to use Carrier Peering

The following example describes a common use case for Carrier Peering.

To access Google Workspace applications from an on-premises network, an organization might need a perimeter network (also known as a DMZ) to reach Google's network. The perimeter network enables organizations to expose an isolated subnetwork to the public internet instead of their entire network. Instead of setting up and maintaining a perimeter network, the organization can work with a service provider so that their traffic travels on a dedicated link from their systems to Google. With the dedicated link, the organization gets a higher availability and lower latency connection to Google's network.

Unless you need to access Google Workspace applications as described in the preceding use case, Partner Interconnect is the recommended way to connect to Google through a service provider. To choose a product, see the Considerations section and the table that compares Carrier Peering with Cloud Interconnect.

Considerations

Review the following considerations to decide if Carrier Peering meets your needs:

  • Carrier Peering exists outside of Google Cloud. Instead of Carrier Peering, the recommended methods of access to Google Cloud are Partner Interconnect, which uses a service provider, or Dedicated Interconnect, which provides a direct connection to Google.
  • If used with Google Cloud, Carrier Peering doesn't produce any custom routes in a VPC network. Traffic sent from resources in a VPC network leaves by way of a route whose next hop is either a default internet gateway (a default route, for example) or a Cloud VPN tunnel.
  • To send traffic through Carrier Peering by using a route whose next hop is a Cloud VPN tunnel, the IP address of your on-premises network's VPN gateway must be in your configured destination range.

Compare Carrier Peering and Cloud Interconnect

The following table describes the differences between Carrier Peering and Cloud Interconnect.

  • Carrier Peering: Can be used by Google Cloud, but does not require it.
  • Cloud Interconnect: Requires Google Cloud.

  • Carrier Peering: Gives you direct access from your on-premises network through a service provider's network to Google Workspace and to Google Cloud products that can be exposed through one or more public IP addresses.
  • Cloud Interconnect: Does not give you access to Google Workspace, but gives you access to all other Google Cloud products from your on-premises network. Also allows access to supported APIs and products by using Private Google Access from on-premises hosts.

  • Carrier Peering: Has service provider costs.
  • Cloud Interconnect: Has maintenance costs; see pricing.

  • Carrier Peering: Has reduced internet egress rates to your on-premises network from Google Cloud resources in the same continental location and in an enabled project; see pricing.
  • Cloud Interconnect: Has standard egress rates for traffic sent through an Interconnect connection; see pricing.

  • Carrier Peering: Connects to Google's edge network through a service provider.
  • Cloud Interconnect: Connects to Google's edge network.

  • Carrier Peering: Does not use any Google Cloud resources; configuration is opaque to Google Cloud projects.
  • Cloud Interconnect: Uses Google Cloud resources, such as Interconnect connections, interconnect attachments (VLANs), and Cloud Routers.

  • Carrier Peering: To change the destination IP address ranges for your on-premises network, contact Google.
  • Cloud Interconnect: To change the destination IP address ranges for your on-premises network, adjust the routes that your routers share with Cloud Routers in your project.

  • Carrier Peering: Routes to your on-premises network do not appear in any VPC network of your Google Cloud project.
  • Cloud Interconnect: Routes to your on-premises network are learned by Cloud Routers in your project and applied as custom dynamic routes in your VPC network.

For more information, see the Carrier Peering overview.

Connecting to CDN providers

CDN Interconnect

CDN Interconnect enables select third-party Content Delivery Network (CDN) providers to establish direct peering links with Google's edge network at various locations, which enables you to direct your traffic from your Virtual Private Cloud (VPC) networks to a provider's network.

CDN Interconnect enables you to optimize your CDN population costs and leverage direct connectivity to select CDN providers from Google Cloud.

Your network traffic egressing from Google Cloud through one of these links benefits from the direct connectivity to supported CDN providers and is billed automatically with reduced pricing.

Setting up CDN Interconnect

If your CDN provider is already part of the program, you don't have to do anything. Traffic from supported Google Cloud locations to your CDN provider automatically takes advantage of the direct connection and reduced pricing.

Work with your supported CDN provider to learn what locations are supported and how to correctly configure your deployment to use intra-region egress routes.

If your CDN provider is not part of the program, contact your CDN provider and ask them to work with Google to get connected.

Typical use cases for CDN Interconnect

  • High-volume egress traffic. If you're populating your CDN with large data files from Google Cloud, you can automatically optimize this traffic and save money by using the CDN Interconnect links between Google Cloud and selected providers.
  • Frequent content updates. Cloud workloads that frequently update data stored in CDN locations benefit from using CDN Interconnect because the direct link to the CDN provider reduces latency for these CDN destinations.

    For example, if you have frequently updated data served by the CDN originally hosted on Google Cloud, you might consider using CDN Interconnect.

For information about pricing and service providers, see the CDN Interconnect overview.
