When you deploy HA VPN over Cloud Interconnect, you have the option of using either regional internal IP addresses or regional external IP addresses for your HA VPN gateway interfaces. Unless you are required to use external IP addresses for your VPN tunnels (for example, to connect to another cloud provider), we recommend that you use regional internal IP addresses for HA VPN over Cloud Interconnect.
If you choose to use regional internal IP addresses (RFC 1918 only), you must reserve a private IPv4 address range for your VLAN attachment. The IP addresses from that range are used exclusively for your HA VPN gateway interfaces. HA VPN uses these IP addresses to communicate with one or more peer VPN gateways.
If you do not configure the VLAN attachments to use regional internal IP addresses, then Google Cloud selects two regional external IP addresses from its address pool and allocates an address to each interface.
Regardless of whether you choose regional internal or external IP addressing, HA VPN over Cloud Interconnect packets do not travel over the public internet at any point.
The IP address requirements for Cloud Router BGP interfaces remain the same as
those used in HA VPN deployments without
Cloud Interconnect. The BGP interfaces must be assigned link-local
IPv4 addresses from the 169.254.0.0/16 address space.
Prefix length and HA VPN gateway interfaces
When you reserve a regional internal IPv4 address range, you configure the prefix length. The prefix length determines the size of the range. For HA VPN over Cloud Interconnect, this configuration establishes how many regional internal IP addresses are available for your HA VPN gateway interfaces.
The prefix length (--prefix-length) must be set between 26 and 29. You cannot
modify the size of this range later.
When you specify the prefix length, choose the prefix length that matches your attachment's capacity. Reserve a large enough range for your VLAN attachment so that you can accommodate additional HA VPN gateways if you require them later.
| For a VLAN attachment with the capacity of... | ...reserve at least this many IP addresses for your HA VPN gateway interfaces | Use this prefix length |
|---|---|---|
| 2 Gbps or fewer | 1 | /29 |
| 5 Gbps | 2 | /29 |
| 10 Gbps | 4 | /29 |
| 20 Gbps | 7 | /28 |
| 50 Gbps | 17 | /26 |
Considerations
If you choose to reserve regional internal IP addresses for your HA VPN gateways, keep the following in mind:
- Different reserved ranges in the same Virtual Private Cloud (VPC) network cannot overlap.
- The reserved ranges cannot overlap with subnets used for virtual machine (VM) instances in the same virtual network.
- If you reserve an internal IP address range by using
--purpose=IPSEC_INTERCONNECT, then the prefix length for the range must be between 26 and 29. - If you are using Dedicated Interconnect, an error is thrown if you apply an address range with a prefix length that does not match the bandwidth of the VLAN attachments.
- For each VLAN attachment, you can only specify one internal IP address range.
- If you assign regional internal IP addresses to one VLAN attachment in your HA VPN over Cloud Interconnect deployment, then the other VLAN attachment in the deployment must match and also use internal IP addresses. The other VLAN attachment can't use regional external IP addresses.
Reserve regional internal IP ranges
These IP address ranges are used for allocating IP addresses for the HA VPN gateways.
Console
You have the option to create internal IP ranges when you create your encrypted VLAN attachments.
On the Create VLAN attachments page, select Internal regional IP addresses.
To create an encrypted VLAN attachment for Dedicated Interconnect, see Create encrypted VLAN attachments.
To create an encrypted VLAN attachment for Partner Interconnect, see Create encrypted VLAN attachments.
gcloud
To reserve a regional internal IP address range, use the following command:
gcloud compute addresses create ADDRESS_NAME \ --region REGION \ --addresses=IP_ADDRESS \ --prefix-length=PREFIX_LENGTH \ --network=NETWORK_NAME \ --purpose=IPSEC_INTERCONNECT
Replace the following:
ADDRESS_NAME: a name for the regional internal IP address range.REGION: the region where you plan to create the VLAN attachment and HA VPN gateways.IP_ADDRESS: the first IP address of the RFC 1918 internal IP address range that you are reserving.PREFIX_LENGTH: the correct CIDR prefix length between26and29for the capacity of your attachment. Refer to Prefix lengths and HA VPN gateway interfaces.NETWORK_NAME: the name of your VPC network.
For example, to reserve two regional internal IP address ranges with a prefix
length of 29, use the following commands:
gcloud compute addresses create ip-range-1 \ --region us-central1 \ --addresses=192.168.1.0 \ --prefix-length=29 \ --network=network-a \ --purpose=IPSEC_INTERCONNECT
gcloud compute addresses create ip-range-2 \ --region us-central1 \ --addresses=192.168.2.0 \ --prefix-length=29 \ --network=network-a \ --purpose=IPSEC_INTERCONNECT
Sample output:
Created [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/us-central1/addresses/ip-range-1]. NAME REGION NETWORK ip-range-1 us-central1 network-a
Created https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/us-central1/addresses/ip-range-2]. NAME REGION NETWORK ip-range-2 us-central1 network-a
What's next?
To choose a connection type for Cloud Interconnect, see Choosing a Network Connectivity product.
To learn about best practices when planning for and configuring Cloud Interconnect, see Best practices.