Create a Cloud Router to connect a VPC network to a peer network

Learn how to set up Cloud Router to dynamically exchange routes between a Virtual Private Cloud (VPC) network and a peer network. The peer network can be an on-premises network, a network hosted by another cloud provider such as AWS or Azure, or even another VPC network in Google Cloud.

To connect a VPC network with a peer network by using Cloud Router, you must complete the following high-level tasks:

  1. Create a Cloud Router.
  2. Set up a network connectivity product in Google Cloud.
  3. Establish Border Gateway Protocol (BGP) sessions with a router on the peer network.

When you create a Cloud Router, you can use its default route advertisements or specify custom advertisements. By default, Cloud Router advertises subnets in its region for regional dynamic routing or all subnets in a VPC network for global dynamic routing. With custom route advertisements, you choose which routes the Cloud Router advertises, such as external static IP addresses or specific CIDR ranges.

For more information, see Route advertisement modes in the Cloud Router overview.

Before you begin

If you want to use the command-line examples in this guide, do the following:

  1. Install or update to the latest version of the Google Cloud CLI.
  2. Set a default region and zone.

If you want to use the API examples in this guide, set up API access.

Create a Cloud Router

To create a Cloud Router, follow these steps.

Console

  1. In the Google Cloud console, go to the Create a Cloud Router page.

  2. Specify the Cloud Router's details:

    • Name: The name of the Cloud Router. This name is displayed in the Google Cloud console and is used by the Google Cloud CLI to reference the Cloud Router—for example, my-router.
    • Description (optional): A description of the Cloud Router.
    • Network: The VPC network that contains the instances that you want to reach—for example, my-network.
    • Region: The region where you want to locate the Cloud Router—for example, asia-east1.
    • Google ASN: The private ASN (64512-65534, 4200000000-4294967294) for the Cloud Router that you are configuring; it can be any private ASN that you aren't already using as a peer ASN in the same region and network—for example, 65001. Cloud Router requires you to use a private ASN, but your on-premises ASN can be public or private.
    • BGP peer keepalive interval: The interval between two successive BGP keepalive messages that are sent to the peer router. This value must be an integer between 20 and 60 that specifies the number of seconds for the interval. The default is 20 seconds. For more information, see Managing BGP timers.
  3. Optional: To specify custom route advertisements, go to the Advertised routes section. For more information about the following steps, see Custom route advertisements introduction.

    1. To specify custom routes, select Create custom routes.
    2. Choose whether to advertise the subnets visible to the Cloud Router. Enabling this option mimics the Cloud Router's default behavior.
    3. To add an advertised route, select Add custom route, and then configure it.
  4. To save your settings and create a Cloud Router, click Create. Your new Cloud Router appears on the Cloud Router listing page. To view its details and to configure a BGP session, select it.

gcloud

  • To create a Cloud Router in the region that contains the instances that you want to reach, run the create command:

    gcloud compute routers create ROUTER_NAME \
        --project=PROJECT_ID \
        --network=NETWORK \
        --asn=ASN_NUMBER \
        --region=REGION
    

    Replace the following:

    • ROUTER_NAME: the name of the Cloud Router
    • PROJECT_ID: the project ID for the project that contains the Cloud Router
    • NETWORK: the VPC network that contains the instances that you want to reach
    • ASN_NUMBER: any private ASN (64512-65534, 4200000000-4294967294) that you aren't already using as a peer ASN in the same region and network; Cloud Router requires you to use a private ASN, but your on-premises ASN can be public or private
    • REGION: the region where you want to locate the Cloud Router; with its default advertisements, the Cloud Router advertises the subnets in this region when the VPC network uses regional dynamic routing, or all subnets in the VPC network when it uses global dynamic routing
  • To create a Cloud Router with custom route advertisements, set the --advertisement-mode to custom and use the --set-advertisement-ranges and --set-advertisement-groups flags to specify route advertisements.

    The --set-advertisement-ranges flag accepts a list of CIDR ranges. The --set-advertisement-groups flag accepts Google-defined groups that the Cloud Router dynamically advertises. Currently, the only valid value is all_subnets, which advertises subnets based on the VPC network's dynamic routing mode (similar to the default advertisements).

    The following example advertises subnets and the custom IP ranges 1.2.3.4 and 6.7.0.0/16:

    gcloud compute routers create ROUTER_NAME \
        --project=PROJECT_ID \
        --network=NETWORK \
        --asn=ASN_NUMBER \
        --advertisement-mode custom \
        --set-advertisement-groups all_subnets \
        --set-advertisement-ranges 1.2.3.4,6.7.0.0/16
    
  • To set the BGP keepalive timer, use the --keepalive-interval option. The keepalive interval is a setting of the Cloud Router, so it applies to every BGP session on that router. It sets the interval between successive BGP keepalive messages sent to the peer router; the value must be an integer between 20 and 60 that specifies the number of seconds, and the default is 20 seconds. Cloud Router uses a hold timer of three times the keepalive interval, so a peer that stops sending keepalives is declared down after 60 seconds at the default setting.

API

  • Use the routers.insert method:

       POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/routers
       {
         "bgp": {
           "asn": "ASN_NUMBER",
           "keepaliveInterval": KEEPALIVE_INTERVAL
         },
         "name": "ROUTER_NAME",
         "network": "NETWORK"
       }
    

    Replace the following:

    • PROJECT_ID: the ID of the project that contains the VPC network
    • REGION: the region where you want to locate the Cloud Router
    • ASN_NUMBER: the private ASN (64512-65534, 4200000000-4294967294) for the Cloud Router that you are configuring; it can be any private ASN that you aren't already using as a peer ASN in the same region and network—for example, 65001. Cloud Router requires you to use a private ASN, but your on-premises ASN can be public or private.
    • KEEPALIVE_INTERVAL (optional): the keepalive timer for Cloud Router that sets the interval between BGP keepalive messages that are sent to the peer router.

      This value must be an integer between 20 and 60 that specifies the number of seconds for the interval. The default is 20 seconds.

    • ROUTER_NAME: the name of the Cloud Router; this name is displayed in the Google Cloud console and is used by the Google Cloud CLI to reference the Cloud Router

    • NETWORK: the network that contains the instances that you want to reach

  • To create a Cloud Router with custom route advertisements, set the bgp.advertiseMode field to CUSTOM and use the bgp.advertisedGroups[] and bgp.advertisedIpRanges[] fields to specify route advertisements.

    The bgp.advertisedIpRanges[] field accepts an array of CIDR ranges. The bgp.advertisedGroups[] field accepts Google-defined groups that the Cloud Router dynamically advertises. Currently, the only valid value is ALL_SUBNETS, which advertises subnets based on the VPC network's dynamic routing mode (similar to the default advertisements).

    The following example advertises subnets and the custom IP address ranges 1.2.3.4 and 6.7.0.0/16:

       POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/routers
       {
         "bgp": {
           "asn": "ASN_NUMBER",
           "advertiseMode": "CUSTOM",
           "advertisedGroups": [
             "ALL_SUBNETS"
           ],
           "advertisedIpRanges": [
             {
               "range": "1.2.3.4",
               "description": "First example range"
             },
             {
               "range": "6.7.0.0/16",
               "description": "Second example range"
             }
           ]
         },
         "name": "ROUTER_NAME",
         "network": "NETWORK"
       }
      

Terraform

Use a Terraform module.

module "cloud_router" {
  source  = "terraform-google-modules/cloud-router/google"
  version = "~> 0.4"

  name   = "my-router"
  region = "us-central1"

  bgp = {
    # The ASN (16550, 64512 - 65534, 4200000000 - 4294967294) can be any private ASN
    # not already used as a peer ASN in the same region and network or 16550 for Partner Interconnect.
    asn = "65001"
  }

  # project = "my-project-id"
  project = var.project
  # network = "my-network"
  network = var.network
}
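The gcloud, API and Terraform forms above all hand the same handful of values to the service, and the service rejects bad ones only after the request is sent. The following Python is an added example, not code from this page or from Google: it checks the values locally (ASN in an accepted range, keepalive within 20-60 seconds, each advertised prefix a well-formed CIDR without host bits set) and then builds the routers.insert body from the API section and renders the matching gcloud command as text without running it. It assumes that the API's bgp.asn field is a number rather than a string, accepts 16550 as the Terraform comment above notes, and normalizes a bare address such as 1.2.3.4 to 1.2.3.4/32; the names my-router, my-network and my-project-id are the page's placeholders, and the sample input is constructed.

```python
"""Build and validate a Cloud Router routers.insert body (added example)."""
import ipaddress
import json
from typing import Dict, Optional

# ASNs Cloud Router accepts as its own ASN: the private 16-bit and 32-bit
# ranges from the text above, plus 16550, which the Terraform comment notes
# is used for Partner Interconnect.
PRIVATE_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))
PARTNER_INTERCONNECT_ASN = 16550
KEEPALIVE_MIN, KEEPALIVE_MAX = 20, 60


def is_valid_cloud_router_asn(asn: int) -> bool:
    """True if Cloud Router will accept asn as its own (Google) ASN."""
    if asn == PARTNER_INTERCONNECT_ASN:
        return True
    return any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES)


def hold_timer_seconds(keepalive: int) -> int:
    """Validate the keepalive interval (20-60 s) and return the hold timer,
    which Cloud Router sets to three times the keepalive interval."""
    if not KEEPALIVE_MIN <= keepalive <= KEEPALIVE_MAX:
        raise ValueError(f"keepalive must be {KEEPALIVE_MIN}-{KEEPALIVE_MAX} s, got {keepalive}")
    return 3 * keepalive


def normalize_advertised_range(cidr: str) -> str:
    """Parse an advertised prefix strictly. A bare address becomes a /32 (or
    /128); a prefix with host bits set, such as 6.7.1.0/16, raises ValueError
    instead of being silently widened to 6.7.0.0/16, which would advertise
    more address space to the peer than was intended."""
    return str(ipaddress.ip_network(cidr, strict=True))


def build_router_insert_body(name: str, network: str, asn: int,
                             keepalive: Optional[int] = None,
                             advertised_ranges: Optional[Dict[str, str]] = None,
                             advertise_all_subnets: bool = True) -> dict:
    """Return the routers.insert body shown above with every field checked.

    advertised_ranges maps CIDR -> description. Passing it (or turning off
    advertise_all_subnets) switches the router to CUSTOM advertisement mode;
    leaving both at their defaults keeps the default advertisements."""
    if not is_valid_cloud_router_asn(asn):
        raise ValueError(f"{asn} is not a private ASN (64512-65534, "
                         "4200000000-4294967294) or 16550")
    bgp: dict = {"asn": asn}  # assumption: bgp.asn is sent as a number
    if keepalive is not None:
        hold_timer_seconds(keepalive)  # raises if outside 20-60 s
        bgp["keepaliveInterval"] = keepalive
    if advertised_ranges is not None or not advertise_all_subnets:
        bgp["advertiseMode"] = "CUSTOM"
        bgp["advertisedGroups"] = ["ALL_SUBNETS"] if advertise_all_subnets else []
        bgp["advertisedIpRanges"] = []
        seen = set()
        for cidr, description in (advertised_ranges or {}).items():
            prefix = normalize_advertised_range(cidr)
            if prefix in seen:  # "1.2.3.4" and "1.2.3.4/32" are the same route
                raise ValueError(f"duplicate advertised range {prefix}")
            seen.add(prefix)
            bgp["advertisedIpRanges"].append({"range": prefix, "description": description})
    return {"bgp": bgp, "name": name, "network": network}


def gcloud_create_command(project: str, region: str, body: dict) -> str:
    """Render the equivalent `gcloud compute routers create` command as text
    (it is not executed here)."""
    bgp = body["bgp"]
    parts = ["gcloud compute routers create", body["name"],
             f"--project={project}", f"--network={body['network']}",
             f"--asn={bgp['asn']}", f"--region={region}"]
    if "keepaliveInterval" in bgp:
        parts.append(f"--keepalive-interval={bgp['keepaliveInterval']}")
    if bgp.get("advertiseMode") == "CUSTOM":
        parts.append("--advertisement-mode=custom")
        if bgp["advertisedGroups"]:
            parts.append("--set-advertisement-groups="
                         + ",".join(g.lower() for g in bgp["advertisedGroups"]))
        if bgp["advertisedIpRanges"]:
            parts.append("--set-advertisement-ranges="
                         + ",".join(r["range"] for r in bgp["advertisedIpRanges"]))
    return " \\\n    ".join(parts)


if __name__ == "__main__":
    # Constructed input mirroring the page's example: ASN 65001, the default
    # keepalive, all subnets plus the two custom ranges.
    body = build_router_insert_body(
        "my-router", "my-network", 65001, keepalive=20,
        advertised_ranges={"1.2.3.4": "First example range",
                           "6.7.0.0/16": "Second example range"})
    print(json.dumps(body, indent=2))
    print(gcloud_create_command("my-project-id", "asia-east1", body))
```

The strict CIDR parse is the check worth keeping: a typo such as 6.7.1.0/16 is refused rather than quietly advertising the whole /16, and the duplicate check means the same route cannot be listed twice under two spellings.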

Set up the network connectivity product

To exchange routes between a VPC network and a peer network, you must also set up at least one of the following Google Cloud network connectivity products in addition to Cloud Router:

Cloud Interconnect

To connect a VPC network to an on-premises network by using Cloud Interconnect and Cloud Router, you must first provision an Interconnect connection.

You configure Cloud Router and its BGP sessions when you create the VLAN attachments for your Interconnect connection. See Create VLAN attachments (Dedicated Interconnect) and Create VLAN attachments (Partner Interconnect).

Cloud VPN

To connect a VPC network to an on-premises or multicloud network by using HA VPN and Cloud Router, see Creating an HA VPN gateway to a peer VPN gateway.

To connect a VPC network to another VPC network by using HA VPN and Cloud Router, see Creating an HA VPN between Google Cloud networks.

You configure Cloud Router and its BGP sessions when you create the HA VPN tunnels to the peer network.

Network Connectivity Center

To connect a VPC network to a peer network by using Router appliance, see Creating router appliance instances.

Establish BGP sessions

When you set up a network connectivity product with Cloud Router, you establish Border Gateway Protocol (BGP) sessions between the Cloud Router and the router on the peer network.

You can reuse the same Cloud Router with different network connectivity products. However, each BGP session is unique to the network connectivity product (VLAN attachment, Cloud VPN tunnel, or router appliance instance) that you configure to use with Cloud Router. Different network connectivity products cannot use the same BGP session. Sometimes, you might need to set up multiple BGP sessions for a network connectivity product to achieve sufficient redundancy. For example, each HA VPN tunnel needs its own BGP session, so an HA VPN gateway with two tunnels to the peer network has two BGP sessions on the Cloud Router.

To establish BGP sessions between your Cloud Router and the router on your peer network, see Establishing BGP sessions. When you add a BGP peer, you can also enable MD5 authentication for the session (in gcloud, the --md5-authentication-key flag of the add-bgp-peer command); the same key must be configured on the peer router, and a device that does not hold the key cannot bring up the session or inject routes into it.

What's next