Create a Cloud Router to connect a VPC network to a peer network

Learn how to set up Cloud Router to dynamically exchange routes between a Virtual Private Cloud (VPC) network and a peer network. The peer network can be an on-premises network, a network hosted by another cloud provider such as AWS or Azure, or even another VPC network in Google Cloud.

To connect a VPC network with a peer network by using Cloud Router, you must complete the following high-level tasks:

  1. Create a Cloud Router.
  2. Set up a network connectivity product in Google Cloud.
  3. Establish Border Gateway Protocol (BGP) sessions with a router on the peer network.

When you create a Cloud Router, you can use its default advertisement mode or custom advertisement mode. By default, Cloud Router advertises subnets in its region for regional dynamic routing or all subnets in a VPC network for global dynamic routing. With custom advertisement mode, you choose which routes the Cloud Router advertises, such as external static IP addresses or specific CIDR ranges.

For more information, see Route advertisement modes in the Cloud Router overview.

Before you begin

If you want to use the command-line examples in this guide, do the following:

  1. Install or update to the latest version of the Google Cloud CLI.
  2. Set a default region and zone.

If you want to use the API examples in this guide, set up API access.

Create a Cloud Router

To create a Cloud Router, follow these steps.

Console

  1. In the Google Cloud console, go to the Create a Cloud Router page.


  2. Specify the Cloud Router's details:

    • Name: The name of the Cloud Router. This name is displayed in the Google Cloud console and is used by the Google Cloud CLI to reference the Cloud Router—for example, my-router.
    • Description (optional): A description of the Cloud Router.
    • Network: The VPC network that contains the instances that you want to reach—for example, my-network.
    • Region: The region where you want to locate the Cloud Router—for example, asia-east1.
    • Google ASN: The private ASN (64512-65534, 4200000000-4294967294) for the Cloud Router that you are configuring. The ASN can be any private ASN that you aren't already using as a peer ASN in the same region and network—for example, 65001. Cloud Router requires that you use a private ASN. However, your on-premises ASN can be public or private and can use either 16-bit or 32-bit values.
    • BGP peer keepalive interval: The interval between two successive BGP keepalive messages that are sent to the peer router. This value must be an integer between 20 and 60 that specifies the number of seconds for the interval. The default is 20 seconds. For more information, see Manage BGP timers.
  3. Optional: To specify custom advertised routes, go to the Advertised routes section. For more information about the following steps, see Custom advertisement mode.

    1. To specify custom routes, select Create custom routes.
    2. Choose whether to advertise the subnets visible to the Cloud Router. Enabling this option mimics the Cloud Router's default behavior.
    3. To add an advertised route, select Add a custom route, and then configure it.
  4. To save your settings and create a Cloud Router, click Create. Your new Cloud Router appears on the Cloud Router listing page. To view its details and to configure a BGP session, select it.

gcloud

  • To create a Cloud Router in the region that contains the instances that you want to reach, run the create command:

    gcloud compute routers create ROUTER_NAME \
        --project=PROJECT_ID \
        --network=NETWORK \
        --asn=ASN_NUMBER \
        --region=REGION
    

    Replace the following:

    • ROUTER_NAME: the name of the Cloud Router
    • PROJECT_ID: the project ID for the project that contains the Cloud Router
    • NETWORK: the VPC network that contains the instances that you want to reach
    • ASN_NUMBER: any private ASN (64512-65534, 4200000000-4294967294) that you are not already using in the on-premises network; Cloud Router requires you to use a private ASN, but your on-premises ASN can be public or private.
    • REGION: the region where you want to locate the Cloud Router; the Cloud Router advertises all subnets in the region where it's located
  • To create a Cloud Router in custom advertisement mode, set the --advertisement-mode to custom and use the --set-advertisement-ranges and --set-advertisement-groups flags to specify custom advertised routes.

    The --set-advertisement-ranges flag accepts a list of CIDR ranges. The --set-advertisement-groups flag accepts Google-defined groups that the Cloud Router dynamically advertises. Currently, the only valid value is all_subnets, which advertises subnets based on the VPC network's dynamic routing mode (similar to the default advertisements).

    The following example advertises subnets and the custom IP ranges 1.2.3.4 and 6.7.0.0/16:

    gcloud compute routers create ROUTER_NAME \
        --project=PROJECT_ID \
        --network=NETWORK \
        --asn=ASN_NUMBER \
        --region=REGION \
        --advertisement-mode custom \
        --set-advertisement-groups all_subnets \
        --set-advertisement-ranges 1.2.3.4,6.7.0.0/16
    
  • To set the keepalive timer for a BGP peer, use the --keepalive-interval option, which sets the interval between BGP keepalive messages that are sent to the peer router. This value must be an integer between 20 and 60 that specifies the number of seconds for the interval. The default is 20 seconds. For more information, see keepalive timer.

  • To assign a BGP identifier range to a Cloud Router, use the --bgp-identifier-range option and specify a link-local IPv4 range from 169.254.0.0/16 with a size of at least /30. For example, 169.254.16.16/30. A BGP identifier is used to uniquely identify a Cloud Router. A Cloud Router requires an explicit 32-bit BGP identifier in order to host IPv6 BGP sessions (Preview).

    However, the BGP identifier range flag is not required because Google Cloud automatically assigns an unused identifier range to a Cloud Router when you configure an interface for an IPv6 BGP session for the first time.

    You only need to configure this option if you want to use a specific IP range for your BGP identifiers. You can also modify the BGP identifier range for a Cloud Router at a later time. For more information, see Configure the BGP identifier range.

  • To create a router for an HA VPN over Cloud Interconnect deployment, specify the --encrypted-interconnect-router option.

    The Cloud Router that you use for encrypted Cloud Interconnect is a special type of Cloud Router. These routers can only be used with the VLAN attachments that you deploy with HA VPN over Cloud Interconnect.

Terraform

Use the Google Cloud Terraform module for Cloud Router.

module "cloud_router" {
  source  = "terraform-google-modules/cloud-router/google"
  version = "~> 6.0"

  name   = "my-router"
  region = "us-central1"

  bgp = {
    # The ASN (16550, 64512 - 65534, 4200000000 - 4294967294) can be any private ASN
    # not already used as a peer ASN in the same region and network or 16550 for Partner Interconnect.
    asn = "65001"
  }

  project = var.project_id
  network = module.vpc.network_name
}

To learn how to apply or remove a Terraform configuration, see Basic Terraform commands.

API

  • Use the routers.insert method:

       POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/routers
       {
         "bgp": {
           "asn": "ASN_NUMBER",
           "keepaliveInterval": KEEPALIVE_INTERVAL,
           "identifierRange": BGP_IDENTIFIER_RANGE
         },
         "name": "ROUTER_NAME",
         "network": "NETWORK"
       }
    

    Replace the following:

    • PROJECT_ID: the ID of the project that contains the VPC network
    • REGION: the region where you want to locate the Cloud Router
    • ASN_NUMBER: the private ASN (64512-65534, 4200000000-4294967294) for the Cloud Router that you are configuring; it can be any private ASN that you aren't already using as a peer ASN in the same region and network—for example, 65001. Cloud Router requires you to use a private ASN, but your on-premises ASN can be public or private.
    • KEEPALIVE_INTERVAL: the interval between two successive BGP keepalive messages that are sent to the peer router. This placeholder is optional. The value must be an integer between 20 and 60 that specifies the number of seconds for the interval. The default is 20 seconds. For more information, see keepalive timer for Cloud Router.
    • BGP_IDENTIFIER_RANGE: a link-local IPv4 range from 169.254.0.0/16 with a size of at least /30. This placeholder is optional; if no value is provided, then Cloud Router is automatically assigned a BGP identifier instead. For more information, see Configure the BGP identifier range for a Cloud Router.
    • ROUTER_NAME: the name of the Cloud Router; this name is displayed in the Google Cloud console and is used by the Google Cloud CLI to reference the Cloud Router
    • NETWORK: the network that contains the instances that you want to reach
  • To create a Cloud Router with custom advertised routes, set the bgp.advertiseMode field to CUSTOM and use the bgp.advertisedGroups[] and bgp.advertisedIpRanges[] fields to specify the advertised routes.

    The bgp.advertisedIpRanges[] field accepts an array of CIDR ranges. The bgp.advertisedGroups[] field accepts Google-defined groups that the Cloud Router dynamically advertises. Currently, the only valid value is ALL_SUBNETS, which advertises subnets based on the VPC network's dynamic routing mode (similar to default advertisement mode).

    The following example advertises subnets and the custom IP address ranges 1.2.3.4 and 6.7.0.0/16:

       POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/routers
       {
         "bgp": {
           "asn": "ASN_NUMBER",
           "advertiseMode": "CUSTOM",
           "advertisedGroups": [
             "ALL_SUBNETS"
           ],
           "advertisedIpRanges": [
             {
               "range": "1.2.3.4",
               "description": "First example range"
             },
             {
               "range": "6.7.0.0/16",
               "description": "Second example range"
             }
           ]
         },
         "name": "ROUTER_NAME",
         "network": "NETWORK"
       }
    
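The gcloud and API sections above list the same constraints on a Cloud Router: a private ASN, a keepalive of 20 to 60 seconds, a link-local identifier range of at least /30, and ALL_SUBNETS as the only advertised group. The following preflight check, an added example that is not Google's code, applies those constraints to a routers.insert request body before it is sent; the function name validate_router_body, the sample body and the default-route warning are assumptions of this example, not rules from the page.

```python
import ipaddress

# Limits stated on this page: private ASN ranges, keepalive 20..60 s, identifier range in 169.254.0.0/16 of size at least /30, ALL_SUBNETS as the only group.
PRIVATE_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
VALID_GROUPS = {"ALL_SUBNETS"}
# Constructed sample body mirroring the page's custom-advertisement example (placeholders filled in).
EXAMPLE_BODY = {
    "bgp": {"asn": "65001", "keepaliveInterval": 20, "identifierRange": "169.254.16.16/30",
            "advertiseMode": "CUSTOM", "advertisedGroups": ["ALL_SUBNETS"],
            "advertisedIpRanges": [{"range": "1.2.3.4"}, {"range": "6.7.0.0/16"}]},
    "name": "my-router", "network": "my-network",
}

def validate_router_body(body):
    """Return the list of problems in a routers.insert body; an empty list means it passes."""
    problems = []
    bgp = body.get("bgp", {})
    try:  # the API carries the ASN as a string; it must fall in a private range
        asn = int(bgp.get("asn", ""))
        if not any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES):
            problems.append(f"asn {asn} is not a private ASN")
    except ValueError:
        problems.append("asn must be numeric")
    keepalive = bgp.get("keepaliveInterval")  # optional, integer seconds 20..60
    if keepalive is not None and not (isinstance(keepalive, int) and 20 <= keepalive <= 60):
        problems.append(f"keepaliveInterval {keepalive!r} must be an integer between 20 and 60")
    ident = bgp.get("identifierRange")  # optional, link-local IPv4, /30 or larger
    if ident is not None:
        try:
            net = ipaddress.ip_network(ident)
            if net.version != 4 or not net.subnet_of(LINK_LOCAL) or net.prefixlen > 30:
                problems.append(f"identifierRange {ident} must lie in 169.254.0.0/16 and be /30 or larger")
        except ValueError:
            problems.append(f"identifierRange {ident!r} is not a valid CIDR")
    if bgp.get("advertiseMode") == "CUSTOM":
        unknown = set(bgp.get("advertisedGroups", [])) - VALID_GROUPS
        if unknown:
            problems.append(f"unknown advertisedGroups: {sorted(unknown)}")
        for entry in bgp.get("advertisedIpRanges", []):
            rng = entry.get("range", "")
            try:
                net = ipaddress.ip_network(rng)  # a bare address such as 1.2.3.4 parses as /32
            except ValueError:
                problems.append(f"advertisedIpRanges entry {rng!r} is not a valid CIDR")
                continue
            if net.prefixlen == 0:  # review policy assumed here, not a rule from the page
                problems.append(f"advertisedIpRanges entry {rng} advertises a default route")
    problems += [f"missing required field {f}" for f in ("name", "network") if not body.get(f)]
    return problems
```

Run the check against the body you intend to POST; a non-empty list is the reason the request should not be sent yet.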

Set up the network connectivity product

To exchange routes between a VPC network and a peer network, you must also set up at least one of the following Google Cloud network connectivity products in addition to Cloud Router:

Cloud Interconnect

To connect a VPC network to an on-premises network by using Cloud Interconnect and Cloud Router, you must first provision a Cloud Interconnect connection.

You configure Cloud Router and its BGP sessions when you create the VLAN attachments for your Cloud Interconnect connection. See Create VLAN attachments for Dedicated Interconnect and Create VLAN attachments for Partner Interconnect.

If you are deploying HA VPN over Cloud Interconnect, you must deploy two Cloud Routers:

  • A special Cloud Router for Cloud Interconnect that you configure for the VLAN attachments. This Cloud Router makes sure that only traffic encrypted by the HA VPN gateways can be sent to the VLAN attachment.
  • A regular Cloud Router that you configure for HA VPN tunnels.

Cloud VPN

To connect a VPC network to an on-premises or multicloud network by using HA VPN and Cloud Router, see Create an HA VPN gateway to a peer VPN gateway.

To connect a VPC network to another VPC network by using HA VPN and Cloud Router, see Create an HA VPN between Google Cloud networks.

You configure Cloud Router and its BGP sessions when you create the HA VPN tunnels to the peer network.

Network Connectivity Center

To connect a VPC network to a peer network by using Router appliance, see Create router appliance instances.

Establish BGP sessions

When you set up a network connectivity product with Cloud Router, you establish Border Gateway Protocol (BGP) sessions between the Cloud Router and the router on the peer network.

You can reuse the same Cloud Router with different network connectivity products. However, each BGP session is unique to the network connectivity product (VLAN attachment, Cloud VPN tunnel, or router appliance instance) that you configure to use with Cloud Router. Different network connectivity products cannot use the same BGP session. Sometimes, you might need to set up multiple BGP sessions for a network connectivity product to achieve sufficient redundancy. For example, you set up multiple BGP sessions when using Cloud Router with HA VPN.

To establish BGP sessions between your Cloud Router and the router on your peer network, see Establish BGP sessions.

What's next