Advanced configurations

This page describes advanced configuration details for the following scenarios:

  • High-availability VPNs
  • High-throughput VPNs
  • Multiple subnet VPNs

To learn about the basic concepts of Cloud VPN, see the Cloud VPN overview.

Order of routes

You can create a VPN tunnel that has the same IP range as another tunnel, a subset of the other tunnel's range, or a superset of the other tunnel's range.

For details, see Order of routes.

Configuring IKE, including multiple subnet support

In Supported IKE ciphers, you can find details about how Cloud VPN supports multiple IKE ciphers.

In Networks and tunnel routing, you can find information about supported Virtual Private Cloud (VPC) networks and routing options, including traffic selectors.

UDP encapsulation

Cloud VPN only supports one-to-one NAT by using UDP encapsulation for NAT-Traversal (NAT-T). One-to-many NAT and port-based address translation are not supported. In other words, Cloud VPN cannot connect to multiple peer VPN gateways that share a single external IP address.

When using one-to-one NAT, a peer VPN gateway must be configured to identify itself by using an external IP address, not its internal (private) address. When you configure a Cloud VPN tunnel to connect to a peer VPN gateway, you specify an external IP address. Cloud VPN expects an on-premises VPN gateway to use its external IP address for its identity.

For more details about VPN gateways behind one-to-one NAT, see On-premises gateways behind NAT on the Troubleshooting page.
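The two NAT-T constraints above, expressed as a pre-flight check over a planned set of peer gateways. This is an added example, not Google's code or any Cloud VPN API; the PEER_GATEWAYS records and their field names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of planned peer VPN gateways (not a Cloud VPN API object).
# Each record: the peer's external (post-NAT) address and the address it
# presents as its IKE identity.
PEER_GATEWAYS = [
    {"name": "dc1-gw",   "external_ip": "203.0.113.10", "ike_identity": "203.0.113.10"},
    {"name": "dc2-gw",   "external_ip": "203.0.113.20", "ike_identity": "10.1.2.3"},
    {"name": "branch-a", "external_ip": "203.0.113.30", "ike_identity": "203.0.113.30"},
    {"name": "branch-b", "external_ip": "203.0.113.30", "ike_identity": "203.0.113.30"},
]


def check_nat_t_constraints(peers):
    """Return a list of (peer name, problem) tuples for peers that violate the
    one-to-one NAT requirements described above: each peer must identify itself
    by its external IP, and no two peer gateways may share one external IP."""
    findings = []
    by_external_ip = defaultdict(list)

    for peer in peers:
        ext = ipaddress.ip_address(peer["external_ip"])
        ident = ipaddress.ip_address(peer["ike_identity"])
        by_external_ip[ext].append(peer["name"])

        # Identity must be the external address, not the private address
        # the gateway sits on behind the NAT device.
        if ident != ext:
            kind = "private address" if ident.is_private else "address other than its external IP"
            findings.append((peer["name"], f"IKE identity {ident} is a {kind}; expected {ext}"))

    # Several distinct peer gateways behind one external IP means one-to-many
    # NAT, which Cloud VPN does not support.
    for ext, names in by_external_ip.items():
        if len(names) > 1:
            for name in names:
                others = ", ".join(n for n in names if n != name)
                findings.append((name, f"shares external IP {ext} with {others} (one-to-many NAT)"))

    return findings


if __name__ == "__main__":
    for name, problem in check_nat_t_constraints(PEER_GATEWAYS):
        print(f"{name}: {problem}")
```

Two tunnels from one HA VPN gateway to the same peer gateway are fine; the check only flags different peer gateway records that share an address.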

Maximum transmission unit (MTU) considerations

The Cloud VPN MTU size is 1460 bytes. For a description of how to configure your peer VPN gateway to support this MTU size if required, see MTU considerations.

High-availability VPNs, high-throughput VPNs, and failover

HA VPN is the recommended method of implementing high-availability VPNs and high-throughput VPNs. If your peer VPN gateway supports BGP, you can configure an HA VPN gateway with a 99.99% uptime SLA by using an active/active or active/passive tunnel configuration.

For Classic VPN gateways, you can provide VPN redundancy and failover by using these throughput and load balancing options. However, with this configuration, you receive a 99.9% availability SLA.

What's next

  • To learn about the basic concepts of Cloud VPN, see the Cloud VPN overview.
  • To help you solve common issues that you might encounter when using Cloud VPN, see Troubleshooting.