Establish BGP sessions

Cloud Router uses Border Gateway Protocol (BGP) to exchange routes between your Virtual Private Cloud (VPC) network and your on-premises network. On Cloud Router, you configure an interface and a BGP peer for your on-premises router. The interface and BGP peer configuration together form a BGP session.

Within Google Cloud, a Cloud Router interface connects to exactly one of the following Google Cloud resources:

  • A Classic VPN tunnel using dynamic routing
  • An HA VPN tunnel (using dynamic routing as required)
  • A VLAN attachment for Cloud Interconnect
  • A Router appliance instance

A Cloud Router supports multiple interfaces. You don't need to create a separate Cloud Router for each Cloud VPN tunnel or VLAN attachment. However, each Cloud Router uses the same ASN for all its BGP sessions. Because Partner Interconnect requires a public ASN, and all other types of interface require private ASNs, a Cloud Router that manages BGP sessions for a VLAN attachment on Partner Interconnect cannot manage BGP sessions for any other type of interface.
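The ASN rule above can be checked mechanically before you add an interface to an existing Cloud Router. The following lint is an added example, not code from the Cloud Router documentation. The inventory schema, the interface type labels, and the sample ASNs are constructed for illustration, and any ASN outside the RFC 6996 private-use ranges is treated as public.

```python
# RFC 6996 private-use ASN ranges (16-bit and 32-bit).
PRIVATE_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))
PARTNER = "partner-interconnect"  # hypothetical type label for this sketch


def is_private_asn(asn):
    return any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES)


def lint_router(router):
    """Return finding codes for one Cloud Router record (constructed schema)."""
    kinds = {i["type"] for i in router["interfaces"]}
    others = kinds - {PARTNER}
    private = is_private_asn(router["asn"])
    findings = []
    if PARTNER in kinds and others:
        # A Cloud Router has one ASN; it cannot be public and private at once.
        findings.append("MIXED_PARTNER_AND_OTHER")
    if PARTNER in kinds and private:
        findings.append("PARTNER_NEEDS_PUBLIC_ASN")
    if others and not private:
        findings.append("NON_PARTNER_NEEDS_PRIVATE_ASN")
    return findings


def lint_inventory(routers):
    """Map router name -> findings, keeping only routers with problems."""
    report = {r["name"]: lint_router(r) for r in routers}
    return {name: found for name, found in report.items() if found}


# Constructed inventory. 64500 is a documentation ASN (RFC 5398) standing in
# for a public ASN; all names and values are sample data.
INVENTORY = [
    {"name": "cr-vpn", "asn": 65010, "interfaces": [
        {"type": "ha-vpn-tunnel"}, {"type": "dedicated-interconnect"}]},
    {"name": "cr-partner", "asn": 64500, "interfaces": [{"type": PARTNER}]},
    {"name": "cr-mixed", "asn": 65020, "interfaces": [
        {"type": PARTNER}, {"type": "ha-vpn-tunnel"}]},
    {"name": "cr-wrong", "asn": 64500, "interfaces": [
        {"type": "router-appliance"}]},
]

if __name__ == "__main__":
    for name, found in lint_inventory(INVENTORY).items():
        print(name, found)
```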

Supported BGP sessions

Cloud Router supports two types of BGP sessions:

  • IPv4 BGP sessions
  • IPv6 BGP sessions (Preview)

IPv4 BGP sessions

By default, when you create a BGP session in Cloud Router, you create an IPv4 BGP session. The IPv4 BGP session, by default, exchanges only IPv4 routes.

However, you can configure the IPv4 BGP session to exchange IPv6 routes by using multiprotocol BGP (MP-BGP). You might do this, for example, to exchange IPv6 traffic between your dual-stack Virtual Private Cloud subnets and the IPv6-addressed hosts in your other network.

To enable IPv6 route exchange on your IPv4 BGP session, you need to configure a dual-stack (IPv4 and IPv6) HA VPN tunnel or Dedicated Interconnect VLAN attachment.

Then you can enable IPv6 route exchange in your BGP peer.

For more information, see Configure multiprotocol BGP in IPv4 or IPv6 BGP sessions.

IPv6 BGP sessions

You can also create an IPv6 BGP session in Cloud Router.

IPv6 BGP sessions are in Preview.

By default, an IPv6 BGP session exchanges only IPv6 routes. Similar to IPv4 BGP sessions, you can also configure an IPv6 BGP session with multiprotocol BGP (MP-BGP). However, with MP-BGP over IPv6 BGP sessions, you exchange IPv4 routes over an IPv6 BGP session.

To enable IPv4 route exchange in your IPv6 BGP session, you need to configure a dual-stack HA VPN tunnel or Dedicated Interconnect VLAN attachment.

Then you can enable IPv4 route exchange in your BGP peer.

For more information, see Configure multiprotocol BGP in IPv4 or IPv6 BGP sessions.

You can also establish both an IPv4 BGP session and an IPv6 BGP session in parallel.

In this parallel configuration, each session exchanges only routes for its own address family: the IPv4 BGP session exchanges only IPv4 routes, and the IPv6 BGP session exchanges only IPv6 routes. You can't use MP-BGP in either of the individual BGP sessions.

You configure these BGP sessions by assigning two interfaces on Cloud Router, one IPv4 and one IPv6, to the same HA VPN tunnel or Cloud Interconnect VLAN attachment. You can only configure these BGP sessions for a dual-stack HA VPN tunnel or a dual-stack Dedicated Interconnect VLAN attachment.

This configuration ensures that the BGP sessions share fate with the dataplane, so the state of each session stays synchronized with the availability of its routes.

To illustrate the benefit of this parallel BGP session configuration, consider the following example.

Suppose the dataplane experiences an IPv4-only traffic outage. With a parallel BGP session configuration, the IPv4 BGP session drops, which results in all IPv4 routes being withdrawn for this HA VPN tunnel or Dedicated Interconnect VLAN attachment. This withdrawal of IPv4 routes allows IPv4 traffic to be re-routed if possible. The IPv6 traffic, however, continues to use this HA VPN tunnel or Dedicated Interconnect VLAN attachment.

In the same situation, an IPv4 BGP session with MP-BGP withdraws the IPv4 routes, but also withdraws the IPv6 routes. This result is undesirable because IPv6 traffic is re-routed or dropped unnecessarily even though the IPv6 routes are still valid. An IPv6 BGP session with MP-BGP does not go down and does not withdraw any routes, either IPv4 or IPv6. As a result, IPv4 traffic is dropped instead of being re-routed, and only IPv6 traffic continues to flow.
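The comparison above can be worked through as a small model. This is an added example, not code from the Cloud Router documentation. It assumes a session drops exactly when the address family it runs over stops being forwarded, and it also covers the mirrored IPv6-only outage, which the text does not walk through.

```python
from dataclasses import dataclass

FAMILIES = ("ipv4", "ipv6")


@dataclass(frozen=True)
class BgpSession:
    name: str
    transport: str       # address family the session itself runs over
    carries: frozenset   # address families whose routes it exchanges


# The three configurations compared in the text, on one dual-stack
# HA VPN tunnel or VLAN attachment. Session names are constructed.
CONFIGS = {
    "parallel": [
        BgpSession("v4", "ipv4", frozenset({"ipv4"})),
        BgpSession("v6", "ipv6", frozenset({"ipv6"})),
    ],
    "ipv4-mp-bgp": [BgpSession("v4-mp", "ipv4", frozenset(FAMILIES))],
    "ipv6-mp-bgp": [BgpSession("v6-mp", "ipv6", frozenset(FAMILIES))],
}


def outcome(sessions, failed_family):
    """Per-family result when the dataplane stops forwarding failed_family."""
    # Modeling assumption: a session drops when its own transport fails.
    up = [s for s in sessions if s.transport != failed_family]
    result = {}
    for fam in FAMILIES:
        advertised = any(fam in s.carries for s in up)
        healthy = fam != failed_family
        if advertised and healthy:
            result[fam] = "forwarded"
        elif advertised:
            result[fam] = "dropped"  # route still present, dataplane broken
        elif healthy:
            result[fam] = "withdrawn-unnecessarily"
        else:
            result[fam] = "withdrawn"  # traffic can be re-routed
    return result


def compare(failed_family):
    """Outcome of one outage for every configuration."""
    return {name: outcome(s, failed_family) for name, s in CONFIGS.items()}


if __name__ == "__main__":
    for name, result in compare("ipv4").items():
        print(f"{name:12} {result}")
```

Only the parallel configuration yields `withdrawn` for the failed family and `forwarded` for the healthy one, whichever family fails.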

Limitations

Cloud Router has the following limitations:

  • iBGP between Cloud Routers in a single region doesn't work.

    Although you can create two Cloud Routers with the same ASN, iBGP isn't supported.

  • You can't send or learn MED values over a Layer 3 Partner Interconnect connection.

    If you are using a Partner Interconnect connection where a Layer 3 service provider handles BGP for you, Cloud Router can't learn MED values from your on-premises router or send MED values to that router. This is because MED values can't pass through autonomous systems. Over this type of connection, you can't set route priorities for routes advertised by Cloud Router to your on-premises router. In addition, you can't set route priorities for routes advertised by your on-premises router to your VPC network.

BGP authentication

When you configure BGP for some hybrid connectivity resources, you can optionally configure the router's peering sessions to use MD5 authentication. For a list of products that support MD5 authentication, see Use MD5 authentication.

BGP session configuration

The following sections provide links that describe how to configure BGP sessions for each type of interface.

Cloud VPN

Cloud Interconnect

Router appliance

  • For Router appliance instances, see Set up a Cloud Router in the Network Connectivity Center documentation.
