VLAN attachments (also known as interconnectAttachments
) determine which
Virtual Private Cloud (VPC) networks can reach your on-premises network through
a Dedicated Interconnect connection. You can create VLAN attachments
over connections that have
passed all tests
and are ready to use.
You can create unencrypted VLAN attachments or encrypted VLAN attachments. Encrypted VLAN attachments are used in HA VPN over Cloud Interconnect deployments. You can create unencrypted VLAN attachments that are single stack (IPv4 only) or dual stack (IPv4 and IPv6).
By default, when you create an unencrypted VLAN attachment, the VLAN attachment is single stack (IPv4 only). Unless you specify otherwise, the interface that you create for your unencrypted VLAN attachment is a single interface with an IPv4 address and the resulting BGP session exchanges only IPv4 routes.
If you need to support IPv6 traffic, you must configure a dual-stack (IPv4 and IPv6) unencrypted VLAN attachment. With a dual-stack VLAN attachment, you can create an IPv4 BGP session, an IPv6 BGP session, or you can create both.
Encrypted VLAN attachments are always configured to be IPv4 only. If you want to support IPv6 traffic in your encrypted attachments for an HA VPN over Cloud Interconnect deployment, you can deploy configure dual-stack HA VPN gateways and tunnels.
Billing for VLAN attachments starts when you create them and stops when you delete them.
If you are using VLAN attachments located in different Google Cloud regions than your Dedicated Interconnect connection, then change your VPC network's dynamic routing mode to Global.
If you need to create a VLAN attachment for a connection in another Google Cloud project, see Use Dedicated Interconnect connections in other projects.
For VLAN attachments for Partner Interconnect, see Create VLAN attachments for Partner Interconnect.
For definitions of terms used on this page, see Cloud Interconnect key terms.
To help you solve common issues that you might encounter when using Dedicated Interconnect, see Troubleshooting.
Associate VLAN attachments with a Cloud Router
For Dedicated Interconnect, the VLAN attachment allocates a VLAN on a connection and associates that VLAN with the specified Cloud Router. It is possible to associate multiple, different VLAN attachments to the same Cloud Router.
When you create the VLAN attachment, specify a Cloud Router that's in the region that contains the subnets that you want to reach. The VLAN attachment automatically allocates a VLAN ID and Border Gateway Protocol (BGP) peering IP addresses. Use that information to configure your on-premises router and establish a BGP session with your Cloud Router.
Optionally, you can manually specify a candidate range for IPv4 BGP addresses when you create the VLAN attachment. Cloud Router selects IPv4 addresses from this range for the interface and the BGP peer. These IPv4 addresses can't be modified after they have been selected. The BGP IPv4 address range that you specify as a candidate must be unique among all Cloud Routers in all regions of a VPC network.
You can't manually specify a candidate range for IPv6 addresses when creating your VLAN attachment.
For HA VPN over Cloud Interconnect, you must create a Cloud Router that is used exclusively with encrypted VLAN attachments. The Cloud Router only exchanges routes for the VPN gateways over the VLAN attachments, which ensures that only encrypted traffic egresses the attachments. You cannot use this Cloud Router for any unencrypted VLAN attachments or for any VPN tunnels.
Utilize multiple VLAN attachments
Each VLAN attachment supports a maximum bandwidth of 50 Gbps in increments described on the Pricing page, and a maximum packet rate as documented in Cloud Interconnect limits. This is true even if the attachment is configured on a connection that has a greater bandwidth capacity than the attachment.
To fully use the bandwidth of a connection, you might need to create multiple VLAN attachments.
To use multiple VLAN attachments simultaneously for egress traffic in a VPC network, create them in the same region. Then configure your on-premises router to advertise routes with the same MED. The custom dynamic routes, learned through BGP sessions on one or more Cloud Routers that manage the VLAN attachments, are applied to your VPC network with a route priority corresponding to the MED.
When multiple available routes have the same priority, Google Cloud distributes traffic among them by using a five-tuple hash for affinity, implementing an equal-cost multipath (ECMP) routing design. For more information, see Applicability and order in the VPC documentation.
Create unencrypted VLAN attachments
Console
In the Google Cloud console, go to the Cloud Interconnect VLAN attachments tab.
Click Create VLAN attachments.
Select Dedicated Interconnect connection
In the Encrypt interconnect section, select Set up unencrypted Interconnect, and then click Continue.
To create attachments in your project, in the Select interconnects & redundancy section, select In this project. For other projects, see Use Dedicated Interconnect connections in other projects.
Select an existing Dedicated Interconnect connection in your project, and then click Continue.
Select Add VLAN attachment, and then specify the following details:
- Name: A name for the attachment. This name is displayed
in the Google Cloud console and is used by the Google Cloud CLI to
reference the attachment—for example,
my-attachment
. - Description (optional): A description of the attachment.
- Name: A name for the attachment. This name is displayed
in the Google Cloud console and is used by the Google Cloud CLI to
reference the attachment—for example,
Select a stack type for the attachment, either IPv4 (single stack) or IPv4 and IPv6 (dual stack).
Select a Cloud Router to associate with this attachment. The Cloud Router must be in the VPC network that you want to connect to.
If you don't have an existing Cloud Router, select Create new router. For the BGP AS number, use any private ASN (
64512-65535
or4200000000-4294967294
) or16550
.Optional: To specify a VLAN ID, a specific IP address range for the BGP session, the VLAN attachment's capacity, or the maximum transmission unit (MTU), click VLAN ID, BGP IPs, capacity, MTU.
To specify a VLAN ID, in the VLAN ID section, select Customize.
By default, Google automatically generates a VLAN ID. You can specify a VLAN ID in the range 2-4093. You cannot specify a VLAN ID that is already in use on the connection. If your VLAN ID is in use, you are asked to choose another one.
If you don't enter a VLAN ID, an unused, random VLAN ID is automatically selected for the VLAN attachment.
To specify an IPv4 address range for the BGP session, in the Allocate BGP IPv4 address section, select Manually.
The BGP IPv4 address range that you specify must be unique among all Cloud Routers in all regions of a VPC network.
IPv4 addresses used for the BGP session between a Cloud Router and your on-premises router are allocated from the IPv4 link-local address space (
169.254.0.0/16
). By default, Google selects unused addresses from the IPv4 link-local address space.To restrict the IPv4 range that Google selects from, you can specify up to 16 prefixes from the IPv4 link-local address space. All prefixes must reside within
169.254.0.0/16
and must have a prefix length of/30
or shorter, for example,/29
or/28
. An unused/29
range is automatically selected from your specified prefix. The address allocation request fails if all possible/29
ranges are in use by Google Cloud.If you don't supply a range of prefixes, Google Cloud picks a
/29
address allocation from169.254.0.0/16
that is not already used by any BGP session in your VPC network. If you supply one or more prefixes, Google Cloud picks an unused/30
address allocation from the supplied prefixes.After the
/30
address range is selected, Google Cloud assigns the Cloud Router one address and your on-premises router another address. The rest of the address space in the/30
prefix is reserved for Google's use.To specify the maximum bandwidth, in the Capacity field, select a value. If you don't select a value, Cloud Interconnect uses 10 Gbps.
If you have multiple VLAN attachments on a connection, the capacity setting helps you control how much bandwidth each attachment can use. The maximum bandwidth is approximate, so it's possible for VLAN attachments to use more bandwidth than the selected capacity.
To specify the maximum transmission unit (MTU) for the attachment, select a value from the field.
To make use of a 1460-, 1500-, or 8896-byte MTU, the VPC network that uses the attachment must set an MTU to the same value. In addition, the on-premises virtual machine (VM) instances and routers must set their MTU to the same value. If your network has the default MTU of
1460
, then select an MTU of1460
for your attachment.
If you want to connect multiple VPC networks (for example, to build redundancy), click + Add VLAN attachment to attach additional VLANs to your connection. Choose a different Cloud Router for each VLAN attachment. For more information, see the Redundancy section in the overview.
When you have created all needed VLAN attachments, click Create. The attachment takes a few moments to create.
The Configure BGP sessions page shows each VLAN attachment and its configuration status.
For each VLAN attachment, create a BGP session to exchange BGP routes between your Cloud Router network and your on-premises router. Click Configure, and then enter the following information:
- Name: A name for the BGP session.
- Peer ASN: The public or private ASN of your on-premises router.
- Advertised route priority (MED) (optional): The base value that Cloud Router uses to calculate route metrics. All routes advertised for this session use this base value. For more information, see Advertised prefixes and priorities.
- BGP peer: Lets you enable or disable the BGP session with this peer. If disabled, this Cloud Router does not send BGP connection requests and rejects all BGP connection requests from this peer.
- MD5 authentication (optional): Lets you authenticate BGP sessions between Cloud Router and its peers. For instructions about how to use MD5 authentication, see Use MD5 authentication.
- Custom advertised routes (optional): Lets you choose which routes Cloud Router advertises to your on-premises router through BGP. For configuration steps, see the overview for custom advertised routes.
- Custom learned routes: Lets you manually define additional learned routes for a BGP session. The Cloud Router behaves as if it learned the routes from the BGP peer.
Bidirectional forwarding detection (BFD) for Cloud Router (optional): Detects forwarding path outages such as link down events, allowing for more resilient hybrid networks. For instructions about how to update a BGP session to use BFD, see Configuring BFD.
Click Save and continue.
After you add BGP sessions for all your VLAN attachments, click Save configuration. The BGP sessions that you configured are inactive until you configure BGP on your on-premises router.
gcloud
Before you create a VLAN attachment, you must have an existing
Cloud Router in the network and region that you want to reach from
your on-premises network. If you don't have an existing Cloud Router,
create one.
The Cloud Router must have a BGP ASN of 16550
, or you can use
any private ASN (64512-65535
or 4200000000-4294967294
).
Create a VLAN attachment, specifying the names of your Dedicated Interconnect connection and Cloud Router. The attachment allocates a VLAN on your connection that connects to the Cloud Router.
The following example creates an attachment for the connection
my-interconnect
that connects to the Cloud Routermy-router
, which is in the regionus-central1
.gcloud compute interconnects attachments dedicated create my-attachment \ --region us-central1 \ --router my-router \ --interconnect my-interconnect
Dual-stack (IPv4 and IPv6) VLAN attachment
To create a dual-stack VLAN attachment that can support both IPv4 and IPv6 traffic, specify
--stack-type IPV4_IPV6
.gcloud compute interconnects attachments dedicated create my-attachment \ --region us-central1 \ --router my-router \ --interconnect my-interconnect --stack-type IPV4_IPV6
When you create a VLAN attachment with the
IPV4_IPV6
(dual stack) stack type, Google Cloud automatically assigns an unused/125
CIDR from the2600:2d00:0:1::/64
range as the IPv6 address for the VLAN attachment.If you select the
IPV4_IPV6
(dual stack) stack type, you can configure the VLAN attachment later with an IPv4 BGP session, an IPv6 BGP session, or both.If you omit the
--stack-type
flag, the VLAN attachment is configured as an IPv4-only (single stack) attachment. AnIPV4_ONLY
(single stack) VLAN attachment can exchange only IPv4 routes. https://developers.google.com/devsite/author-databases You can also change the stack type of an attachment after you create it. See Modify stack type.Allocate IPv4 addresses for BGP peering
For BGP peering, Google can allocate unused IPv4 addresses from the IPv4 link-local address space (
169.254.0.0/16
). To constrain the range of IPv4 addresses that Google can select from, you can use the--candidate-subnets
flag, as shown in the following example.The BGP peering IPv4 address range that you specify must be unique among all Cloud Routers in all regions of a VPC network.
gcloud compute interconnects attachments dedicated create my-attachment \ --router my-router \ --interconnect my-interconnect \ --candidate-subnets 169.254.0.0/29,169.254.10.0/24 \ --region us-central1
You can specify a range of up to 16 prefixes from the IPv4 link-local address space. All prefixes must reside within
169.254.0.0/16
and must be a/29
or shorter, for example,/28
or/27
. An unused/29
is automatically selected from your specified range of prefixes. The address allocation request fails if all possible/29
prefixes are in use by Google Cloud.You can specify candidate subnet ranges only for IPv4 addresses. You can't specify a candidate address range for IPv6 addresses.
VLAN ID configuration
To specify a VLAN ID, use the
--vlan
flag, as shown in the following example:gcloud compute interconnects attachments dedicated create my-attachment \ --router my-router \ --interconnect my-interconnect \ --vlan 5 \ --region us-central1
By default, Google automatically generates a VLAN ID. You can specify a VLAN ID in the range 2-4093. You cannot specify a VLAN ID that is already in use on the Dedicated Interconnect connection. If your VLAN ID is in use, you are asked to choose another one.
If you don't enter a VLAN ID, an unused, random VLAN ID is automatically selected for the VLAN attachment.
Maximum bandwidth configuration
To specify the attachment's maximum bandwidth, use the
--bandwidth
flag, as shown in the following example. If you have multiple VLAN attachments on a connection, the capacity setting helps you control how much bandwidth each attachment can use. The maximum bandwidth is approximate, so it's possible for VLAN attachments to use more bandwidth than the selected capacity.gcloud compute interconnects attachments dedicated create my-attachment \ --router my-router \ --interconnect my-interconnect \ --bandwidth 500M \ --region us-central1
If you don't specify a capacity, Cloud Interconnect uses the default of 10 Gbps. For more information, see the
gcloud compute interconnects attachments dedicated create
reference.MTU configuration
The default MTU of an attachment is 1440 bytes. You can also specify an attachment MTU of 1460, 1500, or 8896 bytes. To specify an MTU of 1460, 1500, or 8896 bytes for the attachment, use the
--mtu
flag, as shown in the following example:gcloud compute interconnects attachments dedicated create my-attachment \ --router my-router \ --interconnect my-interconnect \ --mtu 1500 \ --region us-central1
To make use of a 1460, 1500 or 8896-byte MTU, the VPC network that uses the attachment and the on-premises systems and routers must all have the same MTU value set.
Describe the attachment to retrieve the resources that it allocated, such as the VLAN ID and BGP peering addresses, as shown in the following example. Use these values to configure your Cloud Router and your on-premises router.
gcloud compute interconnects attachments describe my-attachment \ --region us-central1
Output:
cloudRouterIpAddress: 169.254.180.81/29 creationTimestamp: '2022-03-22T10:31:40.829-07:00' customerRouterIpAddress: 169.254.180.82/29 dataplaneVersion: 2 id: '2973197662755397267' interconnect: https://www.googleapis.com/compute/v1/projects/my-project/global/interconnects/myinterconnect kind: compute#interconnectAttachment mtu: 1500 name: my-attachment operationalStatus: ACTIVE privateInterconnectInfo: tag8021q: 1000 region: https://www.googleapis.com/compute/v1/projects/my-project/regions/us-central1 router: https://www.googleapis.com/compute/v1/projects/my-project/regions/us-central1/routers/my-router stackType: IPV4_ONLY state: ACTIVE type: DEDICATED vlanTag8021q: 1000
- The VLAN tag (
1000
) identifies traffic that goes across this attachment. You need this value to configure a tagged VLAN subinterface on your on-premises router. - The Cloud Router address (
169.254.180.81/29
) is an IPv4 link-local address. When you create a Cloud Router interface for this attachment, the interface uses this IP address. You use this same address for the BGP neighbor on your on-premises router. - The customer router address (
169.254.180.82/29
) is an IPv4 link-local address. On the Cloud Router, configure a BGP peer with this address over the interface that has the Cloud Router address assigned to it. You assign this address to the VLAN subinterface on your on-premises router. - The
IPV4_ONLY
(single stack) stack type indicates the type of traffic supported by the VLAN attachment.
- The VLAN tag (
On your Cloud Router, add the interface or interfaces that connect to the VLAN attachment.
If your VLAN attachment is IPv4-only, you must create an interface with an IPv4 address.
If your VLAN attachment uses the
IPV4_IPV6
(dual stack) stack type, you can create an interface with an IPv4 address, an interface with an IPv6 address, or you can create both.Creating both an interface with an IPv4 address and an interface with an IPv6 address lets you run two BGP sessions in parallel over the same VLAN attachment. For more information, see Establish BGP sessions in the Cloud Router documentation.
To create an interface with an IPv4 address, run the following command.
gcloud compute routers add-interface my-router \ --region us-central1 \ --interface-name my-router-intf-v4 \ --interconnect-attachment my-attachment
The IPv4 address of an interface is automatically configured using your attachment's
cloudRouterIpAddress
.To create an interface with an IPv6 address, run the following command.
gcloud beta compute routers add-interface my-router \ --region us-central1 \ --interface-name my-router-intf-v6 \ --interconnect-attachment my-attachment --ip-version=IPV6
The IPv6 address of an interface is automatically configured using your attachment's
cloudRouterIpv6Address
.
Add a BGP peer for each interface that you created. For the peer ASN value, use the same number that you configure on your on-premises router.
gcloud compute routers add-bgp-peer my-router \ --interface my-router-intf-v4 \ --region us-central1 \ --peer-name bgp-for-my-interconnect-v4 \ --peer-asn 65201
The BGP peer's IPv4 address is automatically configured using your attachment's
customerRouterIpAddress
.gcloud compute routers add-bgp-peer my-router \ --interface my-router-intf-v6 \ --region us-central1 \ --peer-name bgp-for-my-interconnect-v6 \ --peer-asn 65201
The peer's IPv6 address is automatically configured using your attachment's
customerRouterIpv6Address
.Multiprotocol BGP (MP-BGP) configuration
If you configured the VLAN attachment with the
IPV4_IPV6
(dual stack) stack type, you can use multiprotocol BGP (MP-BGP) in your single IPv4 BGP or single IPv6 BGP session. You can't use MP-BGP if you're using both BGP sessions.With MP-BGP, you can exchange IPv6 routes over an IPv4 BGP session or you can exchange IPv4 routes over an IPv6 BGP session.
To enable IPv6 route exchange in an IPv4 BGP session, run the following command.
gcloud compute routers add-bgp-peer my-router \ --interface my-router-intf-v4 \ --region us-central1 \ --peer-name bgp-for-my-interconnect-v4 \ --peer-asn 65201 \ --enable-ipv6
If you omit the
--enable-ipv6
flag, the IPv4 BGP session exchanges only IPv4 routes. You can also enable IPv6 route exchange in the BGP session at a later time.To enable IPv4 route exchange in an IPv6 BGP session, run the following command.
gcloud beta compute routers add-bgp-peer my-router \ --interface my-router-intf-v6 \ --region us-central1 \ --peer-name bgp-for-my-interconnect \ --peer-asn 65201 \ --enable-ipv4
For more information, see Configure multiprotocol BGP for IPv4 or IPv6 BGP sessions.
If you enable IPv6 route exchange in your IPv4 BGP session, you must configure your on-premises router to advertise its IPv6 routes with your attachment's
customerRouterIpv6Address
as the next hop.If you enable IPv4 route exchange in your IPv6 BGP session, you must configure your on-premises router to advertise its IPv4 routes with your attachment's
customerRouterIpAddress
as the next hop.Describe the attachment to retrieve the IPv4 or IPv6 next hop address.
gcloud compute interconnects attachments describe my-attachment \ --region us-central1
Output:
cloudRouterIpAddress: 169.254.180.81/29 cloudRouterIpv6Address: 2600:2d00:0:1:8000:12:0:299/125 creationTimestamp: '2022-03-22T10:31:40.829-07:00' customerRouterIpAddress: 169.254.180.82/29 customerRouterIpv6Address: 2600:2d00:0:1:8000:12:0:29a/125 dataplaneVersion: 2 id: '2973197662755397267' interconnect: https://www.googleapis.com/compute/v1/projects/my-project/global/interconnects/myinterconnect kind: compute#interconnectAttachment mtu: 1500 name: my-attachment operationalStatus: ACTIVE privateInterconnectInfo: tag8021q: 1000 region: https://www.googleapis.com/compute/v1/projects/my-project/regions/us-central1 router: https://www.googleapis.com/compute/v1/projects/my-project/regions/us-central1/routers/my-router stackType: IPV4_IPV6 state: ACTIVE type: DEDICATED vlanTag8021q: 1000
Custom advertised route and route priority (MED) configuration
To specify a base priority value, use the
--advertised-route-priority
flag. Cloud Router uses this value to calculate route metrics for all routes that it advertises for this session. For more information, see Advertised prefixes and priorities in the Cloud Router documentation.You can also use the
--advertisement-mode
flag to enable custom advertisement mode for this BGP session. Use--advertisement-groups
and--advertisement-ranges
to define the custom advertised routes for the BGP session. Custom advertised routes let you choose which routes Cloud Router advertises to your on-premises router through BGP. You can specify both IPv4 and IPv6 custom advertised routes. However, IPv6 custom advertised routes are advertised only in BGP sessions where IPv6 route exchange is enabled. IPv4 custom advertised routes are advertised only in BGP sessions where IPv4 route exchange is enabled.For configuration steps, see the overview for custom advertised routes.
Custom learned route configuration
If you want to configure custom learned routes, use the
--set-custom-learned-route-ranges
flag. You can also optionally use the--custom-learned-route-priority
flag to set a priority value of between0
and65535
(inclusive) for the routes. Each BGP session can have one priority value that applies to all the custom learned routes that you configured for the session. When you use this feature, the Cloud Router behaves as if it learned these routes from the BGP peer. For more information, see Custom learned routes.gcloud compute routers add-bgp-peer my-router \ --interface my-router-i1-intf-v4 \ --region us-central1 \ --peer-name bgp-for-my-interconnect \ --peer-asn 65201 \ --set-custom-learned-route-ranges 1.2.3.4,6.7.0.0/16 \ --custom-learned-route-priority 200
MD5 authentication configuration
If you want to use MD5 authentication, add the
md5-authentication-key
flag. For more information about this feature, see Use MD5 authentication.gcloud compute routers add-bgp-peer my-router \ --interface my-router-i1-intf-v4 \ --region us-central1 \ --peer-name bgp-for-my-interconnect \ --peer-asn 65201 \ --md5-authentication-key 'secret_key_value'
Bidirectional Forwarding Detection (BFD)
If you want to add Bidirectional Forwarding Detection (BFD) for Cloud Router, you can configure your BGP peer with a BFD session. BFD detects forwarding path outages such as link down events, allowing for more resilient hybrid networks. To update your BGP session to use BFD, see Configuring BFD for Cloud Router.
If you're building redundancy with a duplicate Dedicated Interconnect connection, repeat these steps for the second connection and specify the same Cloud Router. For more information, see Redundancy and SLA.
Create encrypted VLAN attachments
Console
In the Google Cloud console, go to the Cloud Interconnect VLAN attachments tab.
Click Create VLAN attachments.
Select Dedicated Interconnect connection.
In the Encrypt interconnect section, select Set up HA VPN over Interconnect, and then click Continue.
In the Select interconnects section, select two existing Dedicated Interconnect connections where you want to deploy HA VPN over Cloud Interconnect.
- To use connections in the current project, select In this project.
- To use connections in another project, select In another project, and then enter the Project ID of the project.
- In the Interconnect 1 field, select the first connection.
- In the Interconnect 2 field, select the second
connection. Make sure that you select a connection that is hosted in the
same metropolitan area (metro) but in a different edge availability
domain than the first connection. For example, if the first
connection is in
ord-zone1
, make sure that the second connection is inord-zone2
.
After you select two existing Dedicated Interconnect connections, click Continue.
On the Create VLAN attachments page, select VPC Network.
In the Encrypted interconnect router field, select a Cloud Router to associate with both encrypted VLAN attachments. The Cloud Router must be in the VPC network that you want to connect to. In addition, the Cloud Router that you specify can only be used with encrypted VLAN attachments. This router only advertises the routes for HA VPN and peer VPN tunnel interfaces.
If you don't have an existing encrypted Cloud Router that you can use, select Create new router, and specify a Region.
For the BGP AS number, use any private ASN (
64512-65535
or4200000000-4294967294
) or16550
.Configure the two VLAN attachments. For VLAN attachment 1 and VLAN attachment 2, configure the following fields:
- Name: A name for the attachment. This name is displayed
in the Google Cloud console and is used by the Google Cloud CLI to
reference the attachment—for example,
my-attachment
. - Description: Enter an optional description.
- Name: A name for the attachment. This name is displayed
in the Google Cloud console and is used by the Google Cloud CLI to
reference the attachment—for example,
To configure a VLAN ID or a specific IP address range for the BGP session, click VLAN ID, BGP IPs.
- To specify a VLAN ID, in the VLAN ID section, select Customize.
- To specify an IPv4 address range for the BGP session, in the Allocate BGP IP address section, select Manually.
If you don't specify a VLAN ID or manually allocate BGP IPv4 addresses, Google Cloud automatically assigns these values for you.
In the Capacity field, select the maximum bandwidth for each VLAN attachment. The value that you select for VLAN attachment 1 is automatically applied to VLAN attachment 2. If you don't select a value, Cloud Interconnect uses 10 Gbps. The capacity that you select determines how many HA VPN tunnels you need to deploy.
In the VPN Gateway IP addresses section, select the type of IP addresses to use for your HA VPN tunnel interfaces.
- If you select Internal regional IP addresses, click
Add new IP address range, and enter a Name and IP range.
For the IP range, specify a regional internal IPv4 range with a
prefix length between
26
and29
. The prefix length determines the number of IPv4 addresses available for the VPN tunnel interfaces and must be based on the capacity of the attachment. For more information, see Assign internal IP address ranges to HA VPN gateways. - If you select External regional IP addresses, Cloud Interconnect automatically assigns regional external IP addresses to the HA VPN tunnel interfaces that you create on your VLAN attachment.
Both VLAN attachments must use the same type of addressing, either internal or external, for their VPN gateway IPv4 addresses.
- If you select Internal regional IP addresses, click
Add new IP address range, and enter a Name and IP range.
For the IP range, specify a regional internal IPv4 range with a
prefix length between
When you have created both VLAN attachments, click Create. The attachments take a few moments to create.
The Configure interconnect router page shows each VLAN attachment and its configuration status.
For each VLAN attachment, to create a BGP session to exchange routes between your Cloud Router network and your on-premises router, click Configure, and then enter the following information:
- Name: A name for the BGP session.
- Peer ASN: The public or private ASN of your on-premises router.
Advertised route priority (MED) (optional): The base value that Cloud Router uses to calculate route metrics. All routes advertised for this session use this base value. For more information, see Advertised prefixes and priorities.
This Cloud Router only advertises routes for HA VPN and peer VPN tunnel interfaces.
BGP peer: Lets you enable or disable the BGP session with this peer. If disabled, this Cloud Router does not send BGP connection requests and rejects all BGP connection requests from this peer.
MD5 authentication (optional): Lets you authenticate BGP sessions between Cloud Router and its peers. For instructions about how to use MD5 authentication, see Use MD5 authentication.
Don't enable Bidirectional Forwarding Detection (BFD). Enabling BFD at the Cloud Interconnect level does not provide faster failure detection for HA VPN tunnel traffic.
Click Save and continue.
After you add BGP sessions for all your VLAN attachments, click Save configuration. The BGP sessions that you configured are inactive until you configure BGP on your on-premises router.
On the Create VPN gateways page, complete the HA VPN over Cloud Interconnect deployment by configuring HA VPN for your VLAN attachments (see Configure HA VPN over Cloud Interconnect), and then click Create & continue.
On the Create VPN tunnels page, create two VPN tunnels for each HA VPN gateway, one tunnel on each interface. Specify the peer side of the VPN tunnel as the corresponding interface on the peer VPN gateway, and then click Create & continue.
On the Configure VPN router page, click Configure BGP session to set up the BGP session on the Cloud Router for each HA VPN tunnel (see Specify and manage custom learned routes).
gcloud
Create an encrypted Cloud Router for Cloud Interconnect.
Create the Cloud Router in the network and region that you want to reach from your on-premises network. Specify the
--encrypted-interconnect-router
flag to identify this router to use with the HA VPN over Cloud Interconnect deployment. The Cloud Router must have a BGP ASN of16550
, or you can use any private ASN (64512-65535
or4200000000-4294967294
).The following example creates a router called
interconnect-router
in the regionus-central1
with an ASN of65001
.gcloud compute routers create interconnect-router \ --region us-central1 \ --network network-a \ --asn 65001 \ --encrypted-interconnect-router
Optional: Reserve a regional internal IPv4 range with a prefix length between
26
and29
.The prefix length determines the number of IPv4 addresses available for the VPN gateway interfaces. The number of IPv4 addresses you need to reserve depends on the capacity of the associated VLAN attachment.
For example, to reserve a range for the first VLAN attachment with a 10-Gbps capacity:
gcloud compute addresses create ip-range-1 \ --region us-central1 \ --addresses=192.168.1.0 \ --prefix-length=29 \ --network=network-a \ --purpose=IPSEC_INTERCONNECT
To reserve an address range for the second VLAN attachment:
gcloud compute addresses create ip-range-2 \ --region us-central1 \ --addresses=192.168.2.0 \ --prefix-length=29 \ --network=network-a \ --purpose=IPSEC_INTERCONNECT
For more information about reserving regional internal addresses, see Assign internal IP address ranges to HA VPN gateways.
Create the first encrypted VLAN attachment, specifying the names of your first connection and the encrypted Cloud Router.
The following example creates an encrypted attachment for the connection
my-interconnect-ead-1
that connects to the encrypted Cloud Routerinterconnect-router
in regionus-central1
. The command also specifies the regional internal IPv4 address range,ip-range-1
, to use for all HA VPN tunnel interfaces that are created on this attachment.gcloud compute interconnects attachments dedicated create ha-vpn-attachment-1 \ --region us-central1 \ --router interconnect-router \ --interconnect my-interconnect-ead-1 \ --bandwidth=10g \ --encryption IPSEC \ --ipsec-internal-addresses ip-range-1
If you want to use regional external IPv4 addresses for the HA VPN gateway interfaces on your attachment, omit the
--ipsec-internal-addresses
flag. All HA VPN gateway interfaces are automatically assigned regional external IPv4 addresses.gcloud compute interconnects attachments dedicated create my-attachment-1 \ --region us-central1 \ --router interconnect-router \ --interconnect my-interconnect-ead-1 \ --bandwidth=10g \ --encryption IPSEC
You cannot set a custom MTU (
--mtu
) with encrypted VLAN attachments. All encrypted VLAN attachments must use an MTU of 1440 bytes, which is the default value.In addition, you can't create dual-stack VLAN attachments for HA VPN over Cloud Interconnect. Encrypted VLAN attachments only support the
IPV4_ONLY
(single stack) stack type.Create the second encrypted VLAN attachment, specifying the names of your second Cloud Interconnect connection and the Cloud Router for Cloud Interconnect.
The following example creates an encrypted attachment for the Dedicated Interconnect connection
my-interconnect-ead-2
that connects to the encrypted Cloud Routerinterconnect-router
in regionus-central1
. The command also specifies the regional internal IPv4 address range,ip-range-2
, to use for all HA VPN gateway interfaces that are created on this attachment.gcloud compute interconnects attachments dedicated create my-attachment-2 \ --region us-central1 \ --router interconnect-router \ --interconnect my-interconnect-ead-2 \ --bandwidth=10g \ --encryption IPSEC \ --ipsec-internal-addresses ip-range-2
When creating the second VLAN attachment, specify the same type of IPv4 addressing scheme, either internal or external, that you used when you created the first attachment. If you specified an internal address range for the first attachment, specify a different reserved internal IPv4 address range.
Describe the attachment to retrieve the resources that it allocated, such as the VLAN ID and BGP peering IPv4 addresses, as shown in the following example. Use these values to configure your Cloud Router and your on-premises router.
For the first VLAN attachment:
gcloud compute interconnects attachments describe my-attachment-1 \ --region us-central1
Output:
adminEnabled: true bandwidth: BGP_10G cloudRouterIpAddress: 169.254.61.89/29 creationTimestamp: '2022-05-22T10:31:40.829-07:00' customerRouterIpAddress: 169.254.61.90/29 dataplaneVersion: 2 encryption: IPSEC id: '2973197662755397267' interconnect: https://www.googleapis.com/compute/v1/projects/my-project/global/interconnects/my-interconnect-ead-1 kind: compute#interconnectAttachment name: my-attachment-1 operationalStatus: OS_ACTIVE privateInterconnectInfo: tag8021q: 1000 region: https://www.googleapis.com/compute/v1/projects/my-project/regions/us-central1 router: https://www.googleapis.com/compute/v1/projects/my-project/regions/us-central1/routers/interconnect-router selfLink: https://www.googleapis.com/compute/v1/projects/my-project/regions/us-central1/interconnectAttachments/my-attachment-1 stackType: IPV4_ONLY state: ACTIVE type: DEDICATED vlanTag8021q: 1000
For the second VLAN attachment:
gcloud compute interconnects attachments describe my-attachment-2 \ --region us-central1
Output:
adminEnabled: true bandwidth: BGP_10G cloudRouterIpAddress: 169.254.116.185/29 creationTimestamp: '2022-05-22T10:31:40.829-07:00' customerRouterIpAddress: 169.254.116.186/29 dataplaneVersion: 2 encryption: IPSEC id: '2973197662755397269' interconnect: https://www.googleapis.com/compute/v1/projects/my-project/global/interconnects/my-interconnect-ead-2 kind: compute#interconnectAttachment name: my-attachment-2 operationalStatus: OS_ACTIVE privateInterconnectInfo: tag8021q: 1000 region: https://www.googleapis.com/compute/v1/projects/my-project/regions/us-central1 router: https://www.googleapis.com/compute/v1/projects/my-project/regions/us-central1/routers/interconnect-router selfLink: https://www.googleapis.com/compute/v1/projects/my-project/regions/us-central1/interconnectAttachments/my-attachment-2 stackType: IPV4_ONLY state: ACTIVE type: DEDICATED vlanTag8021q: 1000
- The VLAN tag (
1000
) identifies traffic that goes across this attachment. You need this value to configure a tagged VLAN subinterface on your on-premises router. - The Cloud Router IPv4 addresses (
169.254.61.89/29
and169.254.116.185/29
) are link-local IPv4 addresses. When you create Cloud Router interfaces for these attachments, the interfaces use these IPv4 addresses. You use these same addresses for the BGP neighbors on your on-premises router. - The customer router IPv4 addresses (
169.254.61.90/29
and169.254.116.186/29
) are also link-local IPv4 addresses. On the Cloud Router, configure two BGP peers with these addresses over the interfaces that have the Cloud Router address assigned to it. You assign these addresses to the VLAN subinterfaces on your on-premises router.
- The VLAN tag (
On your Cloud Router, add two interfaces.
Each interface connects to one of the VLAN attachments. The interface IP address is automatically configured by using your attachment's
cloudRouterIpAddress
.gcloud compute routers add-interface interconnect-router \ --region us-central1 \ --interface-name interconnect-router-int-1 \ --interconnect-attachment my-attachment-1
gcloud compute routers add-interface interconnect-router \ --region us-central1 \ --interface-name interconnect-router-int-2 \ --interconnect-attachment my-attachment-2
Add BGP peers to the interfaces.
For the peer ASN values, use the same number that you configure on your on-premises router. The peer IPv4 addresses are automatically configured by using the
customerRouterIpAddress
of your attachments.gcloud compute routers add-bgp-peer my-router \ --interface interconnect-router-int-1 \ --region us-central1 \ --peer-name bgp-for-my-interconnect-1 \ --peer-asn 65201
To specify a base priority value, use the
--advertised-route-priority
flag. Cloud Router uses this value to calculate route metrics for all routes that it advertises for this session. For more information, see Advertised prefixes and priorities in the Cloud Router documentation.If you want to configure custom learned routes, use the
--set-custom-learned-route-ranges
flag. You can also optionally use the--custom-learned-route-priority
flag to set a priority value of between0
and65535
(inclusive) for the routes. Each BGP session can have one priority value that applies to all the custom learned routes that you configured for the session. When you use this feature, the Cloud Router behaves as if it learned these routes from the BGP peer. For more information, see Custom learned routes.gcloud compute routers add-bgp-peer my-router \ --interface interconnect-router-int-1 \ --region us-central1 \ --peer-name bgp-for-my-interconnect-1 \ --peer-asn 65201 \ --set-custom-learned-route-ranges 1.2.3.4,6.7.0.0/16 \ --custom-learned-route-priority 200
If you want to use MD5 authentication, add the
md5-authentication-key
flag. For more information about this feature, see Use MD5 authentication.Do not enable Bidirectional Forwarding Detection (BFD). Enabling BFD at the Cloud Interconnect level does not provide faster failure detection for HA VPN tunnel traffic.
Complete the HA VPN over Cloud Interconnect deployment by configuring HA VPN for your VLAN attachments.
Restrict Dedicated Interconnect usage
By default, any VPC network can use Cloud Interconnect. To control which VPC networks can use Cloud Interconnect, you can set an organization policy. For more information, see Restrict Cloud Interconnect usage.What's next
- To modify VLAN attachments, see Modify VLAN attachments.
- To configure on-premises routers for Dedicated Interconnect, see Configure on-premises routers.