Advanced configurations

This page describes advanced configuration details necessary for high-availability, high-throughput, or multiple-subnet VPN scenarios. The Cloud VPN overview describes the basic concepts of Cloud VPN.

Advanced settings and configurations

While you can configure the VPN types described in Choosing a Network Connectivity product using only the steps outlined in the setup instructions, the more advanced configurations described on this page require additional details.

Order of routes

It is possible to create a VPN tunnel that has the same IP range as another tunnel, a subset of the other tunnel's range, or a superset of the other tunnel's range.

For details, see Configuring VPN tunnels with overlapping IP ranges.

Configuring IKE, including multiple subnet support

You can view detailed information about how Cloud VPN supports multiple IKE ciphers at Supported IKE ciphers.

You can view detailed information about how Cloud VPN supports multiple IP ranges in each traffic selector when using IKEv2 at Multiple IP ranges in Networks and tunnel routing.

UDP encapsulation

Cloud VPN only supports one-to-one NAT via UDP encapsulation for NAT-Traversal (NAT-T). One-to-many NAT and port-based address translation are not supported. In other words, Cloud VPN cannot connect to multiple peer VPN gateways that share a single external IP address.

When using one-to-one NAT, a peer VPN gateway must be configured to identify itself using an external IP address, not its internal (private) address. When you configure a Cloud VPN tunnel to connect to a peer VPN gateway, you specify an external IP address. Cloud VPN expects an on-premises VPN gateway to use its external IP address for its identity.

For more details about VPN gateways behind one-to-one NAT, refer to the troubleshooting page.

Maximum Transmission Unit (MTU) considerations

The Cloud VPN MTU size is 1460. See MTU Considerations for a description of how to configure your peer VPN gateway to support this MTU size, if required.
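The one-to-one NAT identity rule and the IKEv2 multiple-subnet support described above, shown as a strongSwan ipsec.conf fragment for the on-premises peer gateway. This is an added example, not configuration from the Cloud VPN documentation; all addresses are constructed, and the cipher proposal is an assumption that must be checked against the Supported IKE ciphers page.

```ini
# ipsec.conf on the on-premises (peer) VPN gateway.
# Constructed addresses used throughout this example:
#   203.0.113.5   external (post-NAT) address of the peer gateway
#   10.0.0.5      internal address actually held by its interface
#   198.51.100.9  address of the Cloud VPN gateway
conn cloud-vpn
    keyexchange = ikev2
    authby = psk
    # Behind one-to-one NAT: bind to the private interface address, but
    # identify as the external address. Cloud VPN expects the peer's IKE
    # identity to be its external IP, not its internal (private) one.
    left = 10.0.0.5
    leftid = 203.0.113.5
    # IKEv2 allows several IP ranges in one traffic selector, so two
    # on-premises subnets can share a single tunnel.
    leftsubnet = 192.168.10.0/24,192.168.20.0/24
    right = 198.51.100.9
    rightid = 198.51.100.9
    rightsubnet = 10.128.0.0/20,10.132.0.0/20
    # Assumed proposal: confirm it appears on the Supported IKE ciphers page.
    ike = aes256-sha256-modp2048!
    esp = aes256-sha256!
    # Detect a dead peer and re-establish the tunnel automatically.
    dpdaction = restart
    dpddelay = 30s
    auto = start
```

NAT-T (UDP encapsulation) is negotiated automatically once the two sides detect the address translation, so no extra setting is needed for it. Pair this with an MSS clamp on the forwarding path (for example iptables `-j TCPMSS --clamp-mss-to-pmtu`) so TCP flows fit within the 1460-byte Cloud VPN MTU.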

High availability, failover, and higher-throughput VPNs

HA VPN is the recommended method of implementing highly available and higher-throughput VPNs. If your peer VPN gateway supports BGP, you can configure an HA VPN gateway with a 99.99% uptime SLA using an active/active or active/passive tunnel configuration.

For Classic VPN gateways, you can provide VPN redundancy and failover by using the redundancy options for Classic VPN. However, this configuration carries only a 99.9% availability SLA.
