Connecting two branch offices using Cloud VPN spokes

This tutorial describes how to use a Network Connectivity Center hub and Cloud VPN spokes to set up data transfer between two branch offices.

For more information about creating hubs and spokes, see Working with hubs and spokes.

Before you begin

Before you begin, review the following sections.

Create or select a project

To make it easier to configure Network Connectivity Center, create or select a project by using the following steps:

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud Console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

  3. Make sure that billing is enabled for your Cloud project. Learn how to confirm that billing is enabled for your project.

  4. Install and initialize the Cloud SDK.
  5. If you are using the gcloud command-line tool, set your project ID with the following command. The gcloud tool instructions on this page assume that you have already set your project ID.

      gcloud config set project PROJECT_ID

    You can also view a project ID that has already been set:

      gcloud config list --format='text(core.project)'

Conventions for identifying resources

When you reference resources by using the gcloud tool or the API, use the conventions described in the following table.

Convention: Full URI
  Supported for: All resources
  Notes: You must use either the full URI or the relative resource name to reference router appliance instances.
  Example: "https://www.googleapis.com/compute/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_NAME"

Convention: Relative resource name
  Supported for: All resources
  Notes: You must use either the full URI or the relative resource name to reference router appliance instances.
  Example: "projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_NAME"

Convention: Name
  Supported for: Regional and global resources
  Notes: This method can be used for hubs, spokes, VPN tunnels, and VLAN attachments.
  Example: "HUB_NAME"

Sample topology

The following diagram describes the sample Google Cloud resources used in this tutorial.

[Figure: Topology for Network Connectivity Center tutorial]


Configuring data transfer connectivity

To set up data transfer connectivity, follow these steps:

  1. Create Google Cloud resources such as a Virtual Private Cloud (VPC) network, HA VPN gateways and tunnels, and Cloud Routers.
  2. Create a hub.
  3. Define a spoke for the first and second branch office. Each spoke should use a VPN tunnel as its underlying resource.
  4. Verify the configuration.

Create Google Cloud resources

This tutorial assumes that you have already created the following Google Cloud resources:

  • A VPC network that has its dynamic routing mode set to global
  • In the region closest to Office1, a subnet, an HA VPN gateway, a Cloud Router, and a tunnel that connects the gateway interface to Office1
  • In the region closest to Office2, a subnet, an HA VPN gateway, a Cloud Router, and a tunnel that connects the gateway interface to Office2

If you need to create these resources, see the following documents:

After you identify existing Google Cloud resources or create new ones, continue to the next section.

Create the hub

First, you create a hub. Later, you attach spokes to this hub.

Console

  1. In the Cloud Console, go to the Network Connectivity Center page.

    Go to Network Connectivity Center

  2. In the project pull-down menu, select a project—in the example diagram, the project is my-project.

  3. Enter a Hub name—in this case, my-hub.

  4. Enter an optional Description.

  5. Verify the Project ID. If the project ID is incorrect, select a different project by using the pull-down menu at the top of the screen.

  6. Click Continue.

  7. To add the Office1 spoke to the hub, continue to Create the spoke for Office 1.

gcloud

To create a hub, enter the following command:

  gcloud network-connectivity hubs create HUB_NAME \
     --description="DESCRIPTION" \
     --labels="KEY"="VALUE"

Replace the following values:

  • HUB_NAME: the name of the new hub—in this case, my-hub
  • DESCRIPTION: optional text that describes the hub
  • KEY: the key in the key-value pair for the optional label text
  • VALUE: the value in the key-value pair for the optional label text

To add the Office1 spoke to the hub, continue to Create the spoke for Office 1.

API

To create a hub, use the networkconnectivity.hubs.create method:

  POST https://networkconnectivity.googleapis.com/v1/projects/PROJECT_ID/locations/global/hubs
  {
    "name":"HUB_NAME",
    "description":"DESCRIPTION",
    "labels": {
      "KEY": "VALUE"
    }
  }

Replace the following values:

  • PROJECT_ID: the project ID of the project that contains the new hub—for example, my-project
  • HUB_NAME: the name of the new hub—for example, my-hub
  • DESCRIPTION: optional text that describes the hub
  • KEY: the key in the key-value pair for the optional label text
  • VALUE: the value in the key-value pair for the optional label text

To add the Office1 spoke to the hub, continue to Create the spoke for Office 1.

Create the spoke for Office 1

Create a spoke for Office1. Use two HA VPN tunnels as the spoke's underlying resources. Each tunnel should originate from an HA VPN gateway in the region closest to the office. In the sample diagram, these tunnels are represented as vpn-tunnel1-office1 and vpn-tunnel2-office1.

Console

The following steps are continued from Create the hub. They explain how to create a spoke immediately after specifying the hub name and description.

  1. In the Add spokes form, select the Network that contains the resources that you are attaching to the spoke—in the example diagram, this network is represented as network-a.
  2. In the New spoke form, enter a Spoke name—in this case, office-1-spoke.
  3. Optionally, enter a Description of the spoke.
  4. In the Spoke type drop-down list, select VPN tunnel.
  5. Select the Region for the spoke—in the example diagram, the spoke is located in us-west1.
  6. Choose a tunnel:
    1. Click Add tunnel.
    2. From the VPN tunnels drop-down menu, select an existing tunnel.
  7. To add more tunnels to the spoke, repeat the preceding step. In the example diagram, two tunnels are used: vpn-tunnel1-office1 and vpn-tunnel2-office1. When you are finished adding tunnels, click Done.
  8. Click Create.

The Network Connectivity Center page updates to show details about spokes you've created. To add the Office2 spoke to the hub, continue to Create the spoke for Office 2.

gcloud

To create the spoke, use the gcloud network-connectivity spokes linked-vpn-tunnels create command.

  gcloud network-connectivity spokes linked-vpn-tunnels create SPOKE_NAME \
    --hub=HUB_NAME \
    --description="DESCRIPTION" \
    --vpn-tunnels=TUNNEL_NAME,TUNNEL_NAME_2 \
    --region=REGION \
    --labels="KEY"="VALUE" \
    --site-to-site-data-transfer

Replace the following values:

  • SPOKE_NAME: the name of the spoke—in this case, office-1-spoke
  • HUB_NAME: the name of the hub that you are attaching the spoke to—in this case, my-hub
  • DESCRIPTION: optional text that describes the spoke
  • TUNNEL_NAME: the name of the first HA VPN tunnel—in this case, vpn-tunnel1-office1
  • TUNNEL_NAME_2: the name of the redundant tunnel—in this case, vpn-tunnel2-office1; when including a second tunnel, do not use a space between the comma and the name of the second tunnel
  • REGION: the Google Cloud region where the spoke is located—in this case, us-west1
  • KEY: the key in the key-value pair for the optional label text
  • VALUE: the value in the key-value pair for the optional label text

To add the Office2 spoke to the hub, continue to Create the spoke for Office 2.

API

To create the spoke, use the networkconnectivity.spokes.create method.

  POST https://networkconnectivity.googleapis.com/v1/projects/PROJECT_ID/locations/REGION/spokes/SPOKE_NAME
  {
    "hub": "HUB_NAME",
    "labels": {"KEY": "VALUE"},
    "linkedVpnTunnels": ["TUNNEL_NAME","TUNNEL_NAME_2"],
    "site_to_site_data_transfer": true
  }

Replace the following values:

  • PROJECT_ID: the project ID of your project
  • REGION: the Google Cloud region where you want to locate the spoke—in this case, us-west1
  • SPOKE_NAME: the name for the spoke
  • HUB_NAME: the name of the hub that you are attaching the spoke to
  • KEY: the key in the key-value pair for the optional label text
  • VALUE: the value in the key-value pair for the optional label text
  • TUNNEL_NAME: the name of the first HA VPN tunnel—in this case, vpn-tunnel1-office1
  • TUNNEL_NAME_2: the name of the redundant tunnel—in this case, vpn-tunnel2-office1; when including a second tunnel, do not use a space between the comma and the name of the second tunnel

Create the spoke for Office 2

Create a spoke for Office2. Use two HA VPN tunnels as the spoke's underlying resources. Each tunnel should originate from an HA VPN gateway in the region closest to the office. In the sample diagram, these tunnels are represented as vpn-tunnel1-office2 and vpn-tunnel2-office2.

Console

To create the second spoke, do the following:

  1. Go to the Network Connectivity Center page.

    Go to Network Connectivity Center

  2. In the project pull-down menu, select a project—in the example diagram, the project is my-project.

  3. Click the Spokes tab.

  4. Click Add spokes to open the Add spokes page.

  5. In the Network field, select a network—in the example diagram, the network is network-a.

  6. In the New spoke form, enter a Spoke name—in this case, office-2-spoke.

  7. Optionally, enter a Description of the spoke.

  8. In the Spoke type drop-down list, select VPN tunnel.

  9. Select the Region for the spoke—in the example diagram, the spoke is located in us-east1.

  10. Choose a tunnel:

    1. Click Add tunnel.
    2. From the VPN tunnels drop-down menu, select an existing tunnel.
  11. To add more tunnels to the spoke, repeat the preceding step. In the example diagram, two tunnels are used: vpn-tunnel1-office2 and vpn-tunnel2-office2. When you are finished adding tunnels, click Done.

  12. Click Create.

gcloud

To create the spoke, use the gcloud network-connectivity spokes linked-vpn-tunnels create command.

  gcloud network-connectivity spokes linked-vpn-tunnels create SPOKE_NAME \
    --hub=HUB_NAME \
    --description="DESCRIPTION" \
    --vpn-tunnels=TUNNEL_NAME,TUNNEL_NAME_2 \
    --region=REGION \
    --labels="KEY"="VALUE" \
    --site-to-site-data-transfer

Replace the following values:

  • SPOKE_NAME: the name of the spoke—in this case, office-2-spoke
  • HUB_NAME: the name of the hub that you are attaching the spoke to—in this case, my-hub
  • DESCRIPTION: optional text that describes the spoke
  • TUNNEL_NAME: the name of the first HA VPN tunnel—in this case, vpn-tunnel1-office2
  • TUNNEL_NAME_2: the name of the redundant tunnel—in this case, vpn-tunnel2-office2; when including a second tunnel, do not use a space between the comma and the name of the second tunnel
  • REGION: the Google Cloud region where the spoke is located—in this case, us-east1
  • KEY: the key in the key-value pair for the optional label text
  • VALUE: the value in the key-value pair for the optional label text

After you have created both spokes, continue to Verify the configuration.

API

To create the spoke, use the networkconnectivity.spokes.create method.

  POST https://networkconnectivity.googleapis.com/v1/projects/PROJECT_ID/locations/REGION/spokes/SPOKE_NAME
  {
    "hub": "HUB_NAME",
    "labels": {"KEY": "VALUE"},
    "linkedVpnTunnels": ["TUNNEL_NAME","TUNNEL_NAME_2"],
    "site_to_site_data_transfer": true
  }

Replace the following values:

  • PROJECT_ID: the project ID of your project
  • REGION: the Google Cloud region where you want to locate the spoke—in this case, us-east1
  • SPOKE_NAME: the name for the spoke
  • HUB_NAME: the name of the hub that you are attaching the spoke to
  • KEY: the key in the key-value pair for the optional label text
  • VALUE: the value in the key-value pair for the optional label text
  • TUNNEL_NAME: the name of the first HA VPN tunnel—in this case, vpn-tunnel1-office2
  • TUNNEL_NAME_2: the name of the redundant tunnel—in this case, vpn-tunnel2-office2; when including a second tunnel, do not use a space between the comma and the name of the second tunnel

Verify the configuration

After configuring the hub and its spokes, you should be able to pass traffic from the virtual machine (VM) instance in one office to the VM instance in the other office. To do this, each VM must have access to the VPN tunnel in its region.
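Beyond the end-to-end traffic test, it is worth checking that each spoke actually matches the design this tutorial prescribes: attached to the intended hub, two tunnels for redundancy, site-to-site data transfer enabled, and tunnels in the spoke's own region. The following added example (not part of the original tutorial or of the gcloud tool) audits a constructed sample shaped like `gcloud network-connectivity spokes list --format=json` output; the resource paths, the nested `uris`/`siteToSiteDataTransfer` layout and the second spoke's deliberate mistakes are assumptions made for the example.

```python
import json
import re

# Constructed sample modelled on spoke resources as listed by gcloud; the
# project, hub, spoke and tunnel names are the ones used in this tutorial.
# office-2-spoke is deliberately misconfigured so the audit has something to report.
SAMPLE_SPOKES = json.dumps([
    {
        "name": "projects/my-project/locations/us-west1/spokes/office-1-spoke",
        "hub": "projects/my-project/locations/global/hubs/my-hub",
        "linkedVpnTunnels": {
            "uris": [
                "projects/my-project/regions/us-west1/vpnTunnels/vpn-tunnel1-office1",
                "projects/my-project/regions/us-west1/vpnTunnels/vpn-tunnel2-office1",
            ],
            "siteToSiteDataTransfer": True,
        },
    },
    {
        "name": "projects/my-project/locations/us-east1/spokes/office-2-spoke",
        "hub": "projects/my-project/locations/global/hubs/my-hub",
        "linkedVpnTunnels": {
            "uris": ["projects/my-project/regions/us-west1/vpnTunnels/vpn-tunnel1-office2"],
            "siteToSiteDataTransfer": False,
        },
    },
])

def _region_of(path, key):
    """Return the segment after `/key/` in a resource path, or None for a bare name."""
    m = re.search(rf"/{key}/([^/]+)/", path)
    return m.group(1) if m else None

def check_spoke(spoke, expected_hub):
    """Return a list of findings for one spoke; an empty list means it matches the design."""
    findings = []
    short = spoke["name"].rsplit("/", 1)[-1]
    if not spoke.get("hub", "").endswith("/hubs/" + expected_hub):
        findings.append(f"{short}: attached to {spoke.get('hub')!r}, expected hub {expected_hub}")
    linked = spoke.get("linkedVpnTunnels") or {}
    tunnels = linked.get("uris", [])
    if len(tunnels) < 2:
        findings.append(f"{short}: only {len(tunnels)} tunnel(s); two are needed for redundancy")
    if not linked.get("siteToSiteDataTransfer"):
        findings.append(f"{short}: site-to-site data transfer is not enabled")
    spoke_region = _region_of(spoke["name"], "locations")
    for t in tunnels:  # tunnels given as bare names carry no region and are skipped
        t_region = _region_of(t, "regions")
        if t_region and t_region != spoke_region:
            findings.append(f"{short}: tunnel {t.rsplit('/', 1)[-1]} is in {t_region}, spoke is in {spoke_region}")
    return findings

def audit_spokes(spokes_json, expected_hub="my-hub"):
    """Audit every spoke in a JSON list and collect all findings."""
    return [f for s in json.loads(spokes_json) for f in check_spoke(s, expected_hub)]

if __name__ == "__main__":
    for line in audit_spokes(SAMPLE_SPOKES):
        print(line)
```

Pipe real output into `audit_spokes` to run the same checks against your own project; an empty result means every spoke matches the two-tunnel, data-transfer-enabled layout described above.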

Clean up the configuration

Use the steps in the following sections to clean up your sample configuration. To avoid continued billing, delete the resources that you created.

Delete the project

If you want to delete the project that you created, use the following steps. Alternatively, you can retain the project and delete individual resources, as described in the following sections.

  1. In the Cloud Console, go to the Manage resources page.

    Go to Manage resources

  2. In the project list, select the project that you want to delete, and then click Delete.
  3. In the dialog, type the project ID, and then click Shut down to delete the project.

Delete both spokes

You must delete all spokes before you can delete a hub.

Console

  1. Go to the Network Connectivity Center page.

    Go to Network Connectivity Center

  2. In the project pull-down menu, select a project—in the example diagram, the project is my-project.

  3. Click the Spokes tab.

  4. View the list of Spoke names for the project.

  5. Select the checkboxes for the spokes you want to delete—in this case, office-1-spoke and office-2-spoke.

  6. Click Delete spokes.

  7. In the confirmation dialog, click Delete.

gcloud

Use the following command twice, once to delete office-1-spoke and once to delete office-2-spoke.

  gcloud network-connectivity spokes delete SPOKE_NAME \
    --region=REGION

Replace the following values:

  • SPOKE_NAME: the name of the spoke to delete—in this case, office-1-spoke and office-2-spoke
  • REGION: the Google Cloud region where the spoke is located

API

Use the networkconnectivity.spokes.delete method twice, once to delete office-1-spoke and once to delete office-2-spoke.

  DELETE https://networkconnectivity.googleapis.com/v1/projects/PROJECT_ID/locations/REGION/spokes/SPOKE_NAME

Replace the following values:

  • PROJECT_ID: the project ID of the project that contains the spoke—in the example diagram, the project is my-project
  • REGION: the Google Cloud region where the spoke is located
  • SPOKE_NAME: the name of the spoke to delete—in this case, office-1-spoke and office-2-spoke

Delete the hub

After you have deleted the spokes, you can delete the hub.

Console

  1. In the Cloud Console, go to the Network Connectivity Center page.

    Go to Network Connectivity Center

  2. In the project pull-down menu, select a project—in the example diagram, the project is my-project.

  3. Click Delete hub.

  4. In the confirmation dialog, click Delete to delete the hub.

gcloud

Use the following command to delete the hub:

  gcloud network-connectivity hubs delete HUB_NAME \
    --project=PROJECT_ID

Replace the following values:

  • HUB_NAME: the name of the hub to delete—in this case, my-hub
  • PROJECT_ID: the project ID of the project that contains the hub; in the example diagram, the project is my-project

API

To delete the hub, use the networkconnectivity.hubs.delete method.

  DELETE https://networkconnectivity.googleapis.com/v1/projects/PROJECT_ID/locations/global/hubs/HUB_NAME

Replace the following values:

  • PROJECT_ID: the project ID of the project that contains the hub; in the example diagram, the project is my-project
  • HUB_NAME: the name of the hub to delete

Delete the VPC network and subnet

Delete the VPC network and subnet that you configured for this tutorial.

What's next