Connecting two branch offices using Cloud VPN spokes

This tutorial describes how to use a Network Connectivity Center hub and Cloud VPN spokes to set up data transfer between two branch offices. To create this configuration, you attach a pair of HA VPN tunnels from the Cloud VPN gateway for each branch office to each office's spoke.

For more information about creating hubs and spokes, see Working with hubs and spokes.

Before you begin

To make it easier to configure Network Connectivity Center, set up the following items in Google Cloud:

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud Console, on the project selector page, select or create a Google Cloud project.

  3. Make sure that billing is enabled for your Cloud project. Learn how to confirm that billing is enabled for your project.

  4. Install and initialize the Cloud SDK.
  5. If you are using the gcloud command-line tool, set your project ID with the following command. The gcloud tool instructions on this page assume that you have already set your project ID.

    gcloud config set project PROJECT_ID

  6. You can also view a project ID that has already been set:

    gcloud config list --format='text(core.project)'

API considerations

Using locations versus region in API commands

The Network Connectivity API uses the locations field to indicate Google Cloud regions or zones. The Compute Engine API uses regions or zones to represent these resources.

Specifying hubs or spoke resources with names or URIs

When entering commands, you can specify the following Network Connectivity Center resources by their name or by their full URI:

  • A hub
  • A resource attached to a spoke

This practice applies to the gcloud command-line tool and to the Network Connectivity API.

For example, you can refer to an HA VPN tunnel attached to a spoke as TUNNEL_NAME or as projects/PROJECT_NAME/regions/REGION/vpnTunnels/TUNNEL_NAME.

The following example shows how to specify two HA VPN tunnels for a spoke by using their URIs.

--vpn-tunnel="https://www.googleapis.com/compute/projects/PROJECT_ID/regions/REGION/vpnTunnels/TUNNEL1_NAME","https://www.googleapis.com/compute/projects/PROJECT_ID/regions/REGION/vpnTunnels/TUNNEL2_NAME"

Resources used in this tutorial

The following diagram describes the sample Google Cloud resources used in this tutorial.

Figure: Topology for Network Connectivity Center tutorial.

Configuring data transfer connectivity

To set up data transfer connectivity, follow these steps:

  1. Create Google Cloud resources such as a Virtual Private Cloud (VPC) network, HA VPN gateways and tunnels, and Cloud Routers.
  2. Create a Network Connectivity Center hub resource.
  3. Define a spoke resource for each branch office.
  4. Attach two HA VPN tunnels from the Cloud VPN gateway for each branch office to each spoke.
  5. Verify the configuration.

When using the Network Connectivity API to configure a hub and its spokes, you can create spokes at the same time that you create the hub. You don't need to make additional API calls to add spokes unless you want to add more spokes later.

Create Google Cloud resources

This tutorial assumes that you have already created the following Google Cloud resources:

  • A VPC network
  • In the region closest to Office1, a subnet, an HA VPN gateway, a Cloud Router, and one tunnel on each gateway interface
  • In the region closest to Office2, a subnet, an HA VPN gateway, a Cloud Router, and one tunnel on each gateway interface

If you need to create these resources, see the following documents for steps:

After you identify existing Google Cloud resources or create new ones, continue to the next section.

Create the hub

Create a hub that contains spokes for both office locations.

Console

  1. In the Cloud Console, go to the Network Connectivity Center page.

  2. In the project pull-down menu, select a project—in the example diagram, the project is my-project.

  3. Enter a Hub name—in this case, my-hub.

  4. Enter an optional Description.

  5. Verify the Project ID. If the project ID is incorrect, select a different project by using the pull-down menu at the top of the screen.

  6. Click Continue.

  7. To add the Office1 spoke to the hub, continue to Create the spoke for Office 1.

gcloud

To create a hub, enter the following command:

  gcloud alpha network-connectivity hubs create HUB_NAME \
     --description=DESCRIPTION \
     --project=PROJECT_ID

Replace the following values:

  • HUB_NAME: the name of the new hub—in this case, my-hub
  • DESCRIPTION: optional text that describes the hub
  • PROJECT_ID: the project ID of the project that contains the new hub—in the example diagram, the project is my-project

To add the Office1 spoke to the hub, continue to Create the spoke for Office 1.

API

To create a hub, use the networkconnectivity.hubs.create method:

  POST https://networkconnectivity.googleapis.com/v1alpha1/projects/PROJECT_ID/locations/global/hubs
  {
    "name": "HUB_NAME",
    "description": "DESCRIPTION"
  }

Replace the following values:

  • PROJECT_ID: the project ID of the project that contains the new hub—in the example diagram, the project is my-project
  • HUB_NAME: the name of the new hub—in this case, my-hub
  • DESCRIPTION: optional text that describes the hub

To add the Office1 spoke to the hub, continue to Create the spoke for Office 1.

Create the spoke for Office 1

Create a spoke for Office1. The spoke contains two HA VPN tunnels, one from each interface of the HA VPN gateway you are using. In the sample diagram, this gateway is represented as vpn-office1. We recommend that you choose a gateway located in the Google Cloud region that is closest to the office.

Console

The following steps are continued from Create the hub. They explain how to create a spoke immediately after specifying the hub name and description.

  1. In the Add spokes form, select the Network that contains the resources that you are attaching to the spoke—in the example diagram, this network is represented as network-a.
  2. In the New spoke form, enter a Spoke name—in this case, office-1-spoke.
  3. Optionally, enter a Description of the spoke.
  4. In the Spoke type drop-down list, select VPN tunnel.
  5. Select the Region for the spoke—in the example diagram, the spoke is located in us-west1.
  6. Choose a tunnel:
    1. Click Add tunnel.
    2. From the VPN tunnels drop-down menu, select an existing tunnel.
  7. To add more tunnels to the spoke, repeat the preceding step. In the example diagram, two tunnels are used: vpn-tunnel1-office1 and vpn-tunnel2-office1. When you are finished adding tunnels, click Done.
  8. Click Create.

The Network Connectivity Center page updates to show details about spokes you've created. To add the Office2 spoke to the hub, continue to Create the spoke for Office 2.

gcloud

To create the spoke, enter the following command:

  gcloud alpha network-connectivity spokes create SPOKE_NAME \
    --hub=HUB_NAME \
    --description=DESCRIPTION \
    --vpn-tunnel=TUNNEL1_NAME,TUNNEL2_NAME \
    --region=REGION \
    --project=PROJECT_ID
 

Replace the following values:

  • SPOKE_NAME: the name of the spoke—in this case, office-1-spoke
  • HUB_NAME: the name of the hub that you are attaching the spoke to—in this case, my-hub
  • DESCRIPTION: optional text that describes the spoke
  • TUNNEL1_NAME, TUNNEL2_NAME: the names of the HA VPN tunnels to add to the spoke (one from each gateway interface)—in the example diagram, these tunnels are vpn-tunnel1-office1 and vpn-tunnel2-office1
  • REGION: the Google Cloud region where the spoke is located—in the example diagram, the spoke is located in us-west1
  • PROJECT_ID: the project ID of the project that contains the hub—in the example diagram, the project is my-project

To add the Office2 spoke to the hub, continue to Create the spoke for Office 2.

API

To create the spoke, use the networkconnectivity.spokes.create method:

  POST https://networkconnectivity.googleapis.com/v1alpha1/projects/PROJECT_ID/locations/REGION/spokes
  {
    "name": "SPOKE_NAME",
    "hub": "HUB_NAME",
    "linkedVpnTunnels": ["TUNNEL1_NAME","TUNNEL2_NAME"]
  }

Replace the following values:

  • PROJECT_ID: the project ID of the project that contains the hub—in the example diagram, the project is my-project
  • REGION: the Google Cloud region where the spoke is located—in the example diagram, the spoke is located in us-west1
  • SPOKE_NAME: the name of the spoke—in this case, office-1-spoke
  • HUB_NAME: the hub that you are attaching the spoke to—in this case, my-hub
  • TUNNEL1_NAME, TUNNEL2_NAME: the names of the HA VPN tunnels, in URI format, to add to the spoke—in the example diagram, these tunnels are vpn-tunnel1-office1 and vpn-tunnel2-office1

To add the Office 2 spoke to the hub, continue to Create the spoke for Office 2.

Create the spoke for Office 2

Create a spoke for Office2. The spoke contains two HA VPN tunnels, one from each interface of the HA VPN gateway you are using. In the sample diagram, this gateway is represented as vpn-office2. We recommend that you choose a gateway located in the Google Cloud region that is closest to the office.

Console

To create the second spoke, do the following:

  1. Go to the Network Connectivity Center page.

  2. In the project pull-down menu, select a project—in the example diagram, the project is my-project.

  3. Click the Spokes tab.

  4. Click Add spokes to open the Add spokes page.

  5. In the Network field, select a network—in the example diagram, the network is network-a.

  6. In the New spoke form, enter a Spoke name—in this case, office-2-spoke.

  7. Optionally, enter a Description of the spoke.

  8. In the Spoke type drop-down list, select VPN tunnel.

  9. Select the Region for the spoke—in the example diagram, the spoke is located in us-east1.

  10. Choose a tunnel:

    1. Click Add tunnel.
    2. From the VPN tunnels drop-down menu, select an existing tunnel.
  11. To add more tunnels to the spoke, repeat the preceding step. In the example diagram, two tunnels are used: vpn-tunnel1-office2 and vpn-tunnel2-office2. When you are finished adding tunnels, click Done.

  12. Click Create.

gcloud

To create the second spoke, enter the following command:

  gcloud alpha network-connectivity spokes create SPOKE_NAME \
    --hub=HUB_NAME \
    --description=DESCRIPTION \
    --vpn-tunnel=TUNNEL1_NAME,TUNNEL2_NAME \
    --region=REGION \
    --project=PROJECT_ID

Replace the following values:

  • SPOKE_NAME: the name of the spoke—in this case, office-2-spoke
  • HUB_NAME: the name of the hub that you are attaching the spoke to—in this case, my-hub
  • DESCRIPTION: optional text that describes the spoke
  • TUNNEL1_NAME, TUNNEL2_NAME: the names of the HA VPN tunnels to add to the spoke (one from each gateway interface)—in the example diagram, two tunnels are used: vpn-tunnel1-office2 and vpn-tunnel2-office2
  • REGION: the Google Cloud region where the spoke is located—in the example diagram, the spoke is located in us-east1
  • PROJECT_ID: the project ID of the project that contains the hub—in the example diagram, the project is my-project

API

To create the spoke, use the networkconnectivity.spokes.create method:

  POST https://networkconnectivity.googleapis.com/v1alpha1/projects/PROJECT_ID/locations/REGION/spokes
  {
    "name": "SPOKE_NAME",
    "hub": "HUB_NAME",
    "linkedVpnTunnels": ["TUNNEL1_NAME","TUNNEL2_NAME"]
  }

Replace the following values:

  • PROJECT_ID: the project ID of the project that contains the new spokes—in the example diagram, the project is my-project
  • REGION: the Google Cloud region where the spoke is located—in the example diagram, the region is us-east1
  • SPOKE_NAME: the name of the spoke—in this case, office-2-spoke
  • HUB_NAME: the hub that you are attaching the spoke to—in this case, my-hub
  • TUNNEL1_NAME, TUNNEL2_NAME: the names of the HA VPN tunnels, in URI format, to add to the spoke—in the example diagram, two tunnels are used: vpn-tunnel1-office2 and vpn-tunnel2-office2

Verify the configuration

After configuring the hub and its spokes, you should be able to pass traffic from the virtual machine (VM) instance in one office to the VM instance in the other office. To do this, each VM must have access to the VPN tunnel in its region.
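As an added example (not part of the Google Cloud tutorial), the following POSIX shell script runs the whole procedure above with the gcloud commands from this page: it creates the hub and both spokes using the tutorial's sample names (my-project, my-hub, office-1-spoke in us-west1, office-2-spoke in us-east1, and the four vpn-tunnel*-office* tunnels), passes each tunnel in the projects/PROJECT_ID/regions/REGION/vpnTunnels/TUNNEL_NAME form described under API considerations instead of a bare name, and then checks that each spoke reports two linked tunnels and that every tunnel's status is ESTABLISHED before you test traffic between the VMs. The spokes describe call with --format='value(linkedVpnTunnels)' and its semicolon-separated output, the NCC_APPLY guard, and the helper function names are assumptions of this example, not taken from the page.

```shell
#!/bin/sh
# Added example, not code from the Google Cloud tutorial. Creates the hub and
# both spokes with the gcloud commands shown on the page, then verifies that
# each spoke has two linked tunnels and that each tunnel is ESTABLISHED.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project}"   # tutorial sample value
HUB_NAME="${HUB_NAME:-my-hub}"           # tutorial sample value

# Relative resource URI for an HA VPN tunnel (the URI form the page accepts in
# place of a bare tunnel name). $1 project, $2 region, $3 tunnel name.
tunnel_uri() {
  printf 'projects/%s/regions/%s/vpnTunnels/%s\n' "$1" "$2" "$3"
}

# Number of entries in a ';'-separated list, which is how gcloud prints a
# repeated field under --format='value(...)' (assumption). Empty string -> 0.
count_list() {
  if [ -z "$1" ]; then echo 0; return; fi
  printf '%s\n' "$1" | awk -F';' '{ print NF }'
}

create_hub() {
  gcloud alpha network-connectivity hubs create "$HUB_NAME" \
    --description="Data transfer hub for Office1 and Office2" \
    --project="$PROJECT_ID"
}

# $1 spoke name, $2 region, $3 tunnel on interface 0, $4 tunnel on interface 1
create_spoke() {
  gcloud alpha network-connectivity spokes create "$1" \
    --hub="$HUB_NAME" \
    --description="Spoke for $1" \
    --vpn-tunnel="$(tunnel_uri "$PROJECT_ID" "$2" "$3"),$(tunnel_uri "$PROJECT_ID" "$2" "$4")" \
    --region="$2" \
    --project="$PROJECT_ID"
}

# Checks that the spoke lists exactly two tunnels and that both tunnels report
# ESTABLISHED (the Compute Engine VpnTunnel status for an up IPsec session).
verify_spoke() {
  linked="$(gcloud alpha network-connectivity spokes describe "$1" \
    --region="$2" --project="$PROJECT_ID" --format='value(linkedVpnTunnels)')"
  n="$(count_list "$linked")"
  [ "$n" -eq 2 ] || { echo "spoke $1: expected 2 linked tunnels, found $n" >&2; return 1; }
  for t in "$3" "$4"; do
    status="$(gcloud compute vpn-tunnels describe "$t" \
      --region="$2" --project="$PROJECT_ID" --format='value(status)')"
    [ "$status" = "ESTABLISHED" ] || { echo "tunnel $t status: $status" >&2; return 1; }
  done
  echo "spoke $1 ok: 2 tunnels, both ESTABLISHED"
}

main() {
  create_hub
  create_spoke office-1-spoke us-west1 vpn-tunnel1-office1 vpn-tunnel2-office1
  create_spoke office-2-spoke us-east1 vpn-tunnel1-office2 vpn-tunnel2-office2
  verify_spoke office-1-spoke us-west1 vpn-tunnel1-office1 vpn-tunnel2-office1
  verify_spoke office-2-spoke us-east1 vpn-tunnel1-office2 vpn-tunnel2-office2
}

# Only touch a real project when explicitly asked (assumed guard variable).
if [ "${NCC_APPLY:-0}" = "1" ]; then
  main
fi
```

Run it as `NCC_APPLY=1 PROJECT_ID=my-project sh ncc-setup.sh` after authenticating gcloud; without NCC_APPLY it only defines the functions. A tunnel that is not ESTABLISHED means the spoke attachment succeeded but the IPsec session to the office gateway is not up, which is a Cloud VPN issue rather than a hub or spoke issue; the VM-to-VM traffic test the tutorial describes is still needed to confirm that routes are exchanged end to end.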

Clean up the configuration

Use the steps in the following sections to clean up your sample configuration. You can avoid continued billing by deleting the resources that you created.

Delete the project

If you want to delete the project that you created, use the following steps.

Alternatively, if you want to retain the project, you can go to the following sections and delete individual resources.

  1. In the Cloud Console, go to the Manage resources page.

  2. In the project list, select the project that you want to delete, and then click Delete.
  3. In the dialog, type the project ID, and then click Shut down to delete the project.

Delete both spokes

You must delete the spokes before you delete the hub.

Console

  1. Go to the Network Connectivity Center page.

  2. In the project pull-down menu, select a project—in the example diagram, the project is my-project.

  3. Click the Spokes tab.

  4. View the list of Spoke names for the project.

  5. Select the checkboxes for the spokes you want to delete—in this case, office-1-spoke and office-2-spoke.

  6. Click Delete spokes.

  7. In the confirmation dialog, click Delete.

gcloud

Use the following command twice, once to delete office-1-spoke and once to delete office-2-spoke.

  gcloud alpha network-connectivity spokes delete SPOKE_NAME \
    --region=REGION \
    --project=PROJECT_ID

Replace the following values:

  • SPOKE_NAME: the name of the spoke to delete—in this case, office-1-spoke and office-2-spoke
  • REGION: the Google Cloud region where the spoke is located
  • PROJECT_ID: the project ID of the project that contains the spokes—in the example diagram, the project is my-project

API

Use the networkconnectivity.spokes.delete method twice, once to delete office-1-spoke and once to delete office-2-spoke.

  DELETE https://networkconnectivity.googleapis.com/v1alpha1/projects/PROJECT_ID/locations/REGION/spokes/SPOKE_NAME

Replace the following values:

  • PROJECT_ID: the project ID of the project that contains the spoke—in the example diagram, the project is my-project
  • REGION: the Google Cloud region where the spoke is located
  • SPOKE_NAME: the name of the spoke to delete—in this case, office-1-spoke and office-2-spoke

Delete the hub

After you have deleted the spokes, you can delete the hub.

Console

  1. In the Cloud Console, go to the Network Connectivity Center page.

  2. In the project pull-down menu, select a project—in the example diagram, the project is my-project.

  3. Click Delete hub.

  4. In the confirmation dialog, click Delete to delete the hub.

gcloud

Use the following command to delete the hub:

  gcloud alpha network-connectivity hubs delete HUB_NAME \
    --project=PROJECT_ID

Replace the following values:

  • HUB_NAME: the name of the hub to delete—in this case, my-hub
  • PROJECT_ID: the project ID of the project that contains the hub—in the example diagram, the project is my-project

API

To delete the hub, use the networkconnectivity.hubs.delete method.

  DELETE https://networkconnectivity.googleapis.com/v1alpha1/projects/PROJECT_ID/locations/global/hubs/HUB_NAME

Replace the following values:

  • PROJECT_ID: the project ID of the project that contains the hub—in the example diagram, the project is my-project
  • HUB_NAME: the name of the hub to delete—in this case, my-hub

Delete the VPC network and subnet

Delete the VPC network and subnet that you configured for this tutorial.

What's next