Cloud Interconnect overview

Cloud Interconnect provides low-latency, high-availability connections that enable you to reliably transfer data between your Google Cloud Virtual Private Cloud (VPC) networks and your other networks. Also, Cloud Interconnect connections provide internal IP address communication, which means internal IP addresses are directly accessible from both networks.

Cloud Interconnect offers the following options for extending your network to include Google Cloud:

  • Dedicated Interconnect provides a direct physical connection between your on-premises network and the Google network.
  • Partner Interconnect provides connectivity between your on-premises and VPC networks through a supported service provider.
  • Cross-Cloud Interconnect provides a direct physical connection between your network in another cloud and the Google network.

For a comparison to help you choose between Dedicated Interconnect and Partner Interconnect, see the Cloud Interconnect section in Choosing a Network Connectivity product.

For definitions of terms used on this page, see Cloud Interconnect key terms.

Benefits

Using Cloud Interconnect provides the following benefits:

  • Traffic between your external network and your VPC network doesn't traverse the public internet. Traffic traverses a dedicated connection or goes through a service provider with a dedicated connection. By bypassing the public internet, your traffic takes fewer hops, so there are fewer points of failure where your traffic might get dropped or disrupted.

  • Your VPC network's internal IP addresses are directly accessible from your on-premises network. You don't need to use a NAT device or VPN tunnel to reach internal IP addresses. For details, see IP addressing and dynamic routes.

  • You can scale your connection capacity to meet your particular requirements.

    For Dedicated Interconnect, connection capacity is delivered over one or more 10-Gbps or 100-Gbps Ethernet connections, with the following maximum capacities supported per Cloud Interconnect connection:

    • 8 x 10-Gbps connections (80 Gbps total)
    • 2 x 100-Gbps connections (200 Gbps total)

    For Partner Interconnect, the following connection capacities for each VLAN attachment are supported:

    • 50-Mbps to 50-Gbps VLAN attachments. The maximum supported attachment size is 50 Gbps, but not all sizes might be available, depending on what's offered by your chosen partner in the selected location.

    You can request 100-Gbps connections at any of the locations listed in All colocation facilities.

  • Dedicated Interconnect, Partner Interconnect, Direct Peering, and Carrier Peering can all help you optimize egress traffic from your VPC network and reduce your egress costs. Cloud VPN by itself does not reduce egress costs.

  • You can use Cloud Interconnect with Private Google Access for on-premises hosts so that on-premises hosts can use internal IP addresses rather than external IP addresses to reach Google APIs and services. For more information, see Private access options for services in the VPC documentation.

  • You can apply IPsec encryption to your Cloud Interconnect traffic by deploying HA VPN over Cloud Interconnect.

Considerations

Use Cloud VPN by itself

If you don't require an entire Cloud Interconnect connection, you can use Cloud VPN on its own to set up IPsec VPN tunnels between your networks. IPsec VPN tunnels encrypt data by using industry-standard IPsec protocols. The encrypted traffic traverses the public internet.

Cloud VPN requires that you configure a peer VPN gateway in your on-premises network.

IP addressing, IPv6 and dynamic routes

When you connect your VPC network to your on-premises network, you allow communication between the IP address space of your on-premises network and some or all of the subnets in your VPC network. Which VPC subnets are available depends on the dynamic routing mode of your VPC network. Subnet IP ranges in VPC networks are always internal IP addresses.

You can enable IPv6 traffic exchange between your IPv6-enabled VPC network and your on-premises network. For more information, see IPv6 support for Dedicated Interconnect and IPv6 support for Partner Interconnect.

The IP address space on your on-premises network and on your VPC network must not overlap, or traffic is not routed properly. Remove any overlapping addresses from either network.

Your on-premises router shares the routes of your on-premises network with the Cloud Router in your VPC network. This action creates custom dynamic routes in your VPC network, each with a next hop set to the appropriate VLAN attachment.

Unless modified by custom advertisements, Cloud Routers in your VPC network share VPC network subnet IP address ranges with your on-premises routers according to the dynamic routing mode of your VPC network.

The following configurations require that you create custom advertised routes on your Cloud Router to direct traffic from your on-premises network to certain internal IP addresses by using a Cloud Interconnect connection:

Cloud Interconnect as a data transfer network

Before you use Cloud Interconnect, carefully review Section 2 of the General Service Terms for Google Cloud.

Using Network Connectivity Center, you can use VLAN attachments to connect on-premises networks together, passing traffic between them as a data transfer network. You connect the networks by attaching VLAN attachments to a Network Connectivity Center spoke for each on-premises location. You then connect each spoke to a Network Connectivity Center hub.

For more information about Network Connectivity Center, see the Network Connectivity Center overview.

Encrypt Cloud Interconnect traffic

Cloud Interconnect doesn't encrypt traffic by default. You can use MACsec for Cloud Interconnect to help secure traffic between your on-premises router and Google's edge routers on supported Dedicated Interconnect circuits. For more information, see MACsec for Cloud Interconnect overview.

You can also deploy HA VPN over Cloud Interconnect if you need to encrypt the traffic carried by your VLAN attachments. HA VPN over Cloud Interconnect is supported for both Dedicated Interconnect and Partner Interconnect. You might be required to encrypt your Cloud Interconnect traffic to address certain regulatory or security requirements. For more information, see HA VPN over Cloud Interconnect overview.

Restrict Cloud Interconnect usage

By default, any VPC network can use Cloud Interconnect. To control which VPC networks can use Cloud Interconnect, you can set an organization policy. For more information, see Restrict Cloud Interconnect usage.

Cloud Interconnect MTU

Cloud Interconnect VLAN attachments support the following four MTU sizes:

  • 1,440 bytes
  • 1,460 bytes
  • 1,500 bytes
  • 8,896 bytes

Google recommends that you use the same MTU for all VLAN attachments that are connected to the same VPC network, and that you set the MTU of the VPC network to the same value. While that is the recommended practice, you are not forced to make VLAN attachment MTUs and VPC network MTUs match. You can experience dropped packets, especially for protocols other than TCP, if you do any of the following:

  • Use different VLAN attachment MTUs for VLAN attachments connected to the same VPC network.
  • Configure VLAN attachment MTUs that are less than the MTU of the VPC network that contains the VLAN attachments.

For general information about how protocols handle mismatched MTUs, see Mismatched MTUs, MSS clamping, path MTU discovery in the VPC MTU documentation.

Packets sent through a VLAN attachment are processed in the following way:

Situation: TCP SYN and SYN-ACK packets
Behavior: Google Cloud performs MSS clamping, changing the MSS so that packets fit within the VLAN attachment MTU. For example, if the VLAN attachment MTU is 1,500 bytes, MSS clamping uses a 1,460-byte maximum segment size.

Situation: IP packets up to (and including) the MTU of the VLAN attachment
Behavior: Google Cloud makes no changes to the packet, except for SYN and SYN-ACK packets as described in the first situation.

Situation: MTU checks for IP packets
Behavior:
  • The MTU for packets sent by Google Cloud resources through a VLAN attachment is limited by the VLAN attachment's MTU. For example, when a VM instance sends packets to a destination reachable by a dynamic route whose next hop is a VLAN attachment, packets that exceed the VLAN attachment's MTU are dropped:
    • Google Cloud drops the packet and sends a Fragmentation Needed (ICMP over IPv4) or Packet Too Big (ICMPv6) message both when the Don't Fragment (DF) bit is on and also when the DF bit is off.
    • You must configure ingress allow VPC firewall rules or rules in firewall policies such that ICMP (for IPv4) or ICMPv6 (for IPv6) are allowed from sources that match the original packet destinations.
    • Forwarding rules for internal passthrough Network Load Balancer and internal protocol forwarding must use the L3_DEFAULT protocol so that they process both ICMP for Path MTU discovery (PMTUD) and the protocol used by the original packet.
  • Cloud Interconnect does not enforce the VLAN attachment MTU for packets received from an on-premises network. Instead, Google Cloud enforces the MTU on the Google Cloud resource that receives the packet:
    • If the resource that receives the packet is a VM instance, Google Cloud enforces the MTU of the VPC network used by the network interface of the receiving VM, as if the receiving VM had received a packet routed within the VPC network.
    • Packets sent to Google APIs and services from on-premises through a VLAN attachment are processed in the same way as packets sent from VM instances to Google APIs and services. For more information, see Communication to Google APIs and services.

Situation: Packets sent through HA VPN over Cloud Interconnect
Behavior: HA VPN over Cloud Interconnect uses a gateway MTU of 1,440 bytes, and payload MTUs are smaller, depending on the ciphers used. For more information, see MTU considerations in the Cloud VPN documentation.
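The following Python model is an added example, not Google's code: it applies the MTU and MSS-clamping rules described above to constructed packet summaries and flags the two MTU misconfigurations this section warns about. The 40-byte IPv4 and 60-byte IPv6 overhead values (IP header plus a 20-byte TCP header) are an assumption that reproduces the page's 1,500-to-1,460 figure for IPv4.

```python
from dataclasses import dataclass

# The four VLAN attachment MTUs listed on this page.
SUPPORTED_VLAN_MTUS = (1440, 1460, 1500, 8896)
# Assumed overhead: 20-byte IPv4 or 40-byte IPv6 header plus a 20-byte TCP header.
# For IPv4 this gives the page's example of a 1,460-byte MSS at a 1,500-byte MTU.
TCP_IP_OVERHEAD = {4: 40, 6: 60}


@dataclass
class Packet:
    """Constructed packet summary carrying only the fields the rules look at."""
    ip_version: int         # 4 or 6
    size: int               # total IP packet length in bytes
    tcp_syn: bool = False   # True for a TCP SYN or SYN-ACK
    mss: int = 65535        # MSS option carried in the SYN/SYN-ACK
    df: bool = False        # IPv4 DF bit; the drop decision does not depend on it


def clamp_mss(mss: int, vlan_mtu: int, ip_version: int) -> int:
    """MSS after clamping so that a full segment fits the attachment MTU."""
    return min(mss, vlan_mtu - TCP_IP_OVERHEAD[ip_version])


def vlan_attachment_egress(pkt: Packet, vlan_mtu: int) -> tuple:
    """Outcome for a packet a VM sends toward a VLAN-attachment next hop."""
    if vlan_mtu not in SUPPORTED_VLAN_MTUS:
        raise ValueError(f"unsupported VLAN attachment MTU: {vlan_mtu}")
    if pkt.size > vlan_mtu:
        # Dropped whether or not DF is set; the sender receives an ICMP error,
        # which is why ingress ICMP/ICMPv6 must be allowed by firewall rules.
        icmp = "Fragmentation Needed" if pkt.ip_version == 4 else "Packet Too Big"
        return ("drop", icmp)
    if pkt.tcp_syn:
        return ("mss_clamped", clamp_mss(pkt.mss, vlan_mtu, pkt.ip_version))
    return ("forward", pkt.size)  # packet passes unchanged


def check_mtu_config(vpc_mtu: int, attachment_mtus: list) -> list:
    """Return the MTU misconfigurations this page says can drop packets."""
    findings = []
    if len(set(attachment_mtus)) > 1:
        findings.append("VLAN attachments on the same VPC network use different MTUs")
    for mtu in attachment_mtus:
        if mtu < vpc_mtu:
            findings.append(f"attachment MTU {mtu} is below the VPC network MTU {vpc_mtu}")
    return findings
```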

Support for GRE traffic

Cloud Interconnect supports GRE traffic. Support for GRE allows you to terminate GRE traffic on a VM, whether that traffic arrives from the internet (on an external IP address) or over Cloud VPN or Cloud Interconnect (on an internal IP address). The decapsulated traffic can then be forwarded to a reachable destination. GRE enables you to use services such as Secure Access Service Edge (SASE) and SD-WAN. You must create a firewall rule to allow GRE traffic.

Visualize and monitor Cloud Interconnect connections and VLAN attachments

Network Topology is a visualization tool that shows the topology of your VPC networks, hybrid connectivity to and from your on-premises networks, and the associated metrics. You can view your Cloud Interconnect connections and VLAN attachments as entities in the Network Topology view.

A base entity is the lowest level of a particular hierarchy and represents a resource that can directly communicate with other resources over a network. Network Topology aggregates base entities into hierarchical entities that you can expand or collapse. When you first view a Network Topology graph, it aggregates all the base entities into their top-level hierarchy.

For example, Network Topology aggregates VLAN attachments into their Cloud Interconnect connection, and you can view the hierarchy by expanding or collapsing the icons that represent Cloud Interconnect connections.

For more information, see the Network Topology overview.

Frequently asked questions

For answers to common questions about Cloud Interconnect architecture and features, see the Cloud Interconnect FAQ.
