The following best practices can be helpful when planning for and configuring Cloud VPN.
Use separate Google Cloud projects for networking resources
To make configuration of Identity and Access Management (IAM) roles and permissions easier, wherever possible, keep your Cloud VPN and Cloud Router resources in a project separate from your other Google Cloud resources.
Routing and failover
Choose dynamic routing
Choose a Cloud VPN gateway that uses dynamic routing and the Border Gateway Protocol (BGP). Google recommends using HA VPN and deploying on-premises devices that support BGP.
Use HA VPN whenever possible
To achieve the highest level of availability, use HA VPN whenever possible.
For more information, see types of VPN in the Cloud VPN overview.
Choose the appropriate tunnel configuration
Choose the appropriate tunnel configuration based on the number of HA VPN gateways:
If you have a single HA VPN gateway, use an active/passive tunnel configuration.
If you have more than one HA VPN gateway, use an active/active tunnel configuration.
For more information, see the following sections in the Cloud VPN overview:
Reliability
Configure your peer VPN gateway with only one cipher for each cipher role
Cloud VPN can act as an initiator or a responder to IKE requests depending on the origin of traffic when a new security association (SA) is needed.
When Cloud VPN initiates a VPN connection, Cloud VPN proposes the algorithms in the order shown in the supported cipher tables for each cipher role. The peer side receiving the proposal selects an algorithm.
If the peer side initiates the connection, then Cloud VPN selects a cipher from the proposal by using the same order shown in the table for each cipher role.
Depending on which side is the initiator or the responder, the selected cipher can be different. For example, the selected cipher might even change over time as new security associations (SAs) are created during key rotation. Because a change in cipher selection can impact important tunnel characteristics such as performance or MTU, ensure that your cipher selection is stable.
To prevent frequent changes in cipher selection, configure your peer VPN gateway to propose and accept only one cipher for each cipher role. This cipher must be supported by both Cloud VPN and your peer VPN gateway. Do not provide a list of ciphers for each cipher role. This best practice ensures that both sides of your Cloud VPN tunnel always select the same IKE cipher during IKE negotiation.
For HA VPN tunnel pairs, configure both HA VPN tunnels on your peer VPN gateway to use the same cipher and IKE Phase 2 lifetime values.
Security
Set up firewall rules for your VPN gateways
Create secure firewall rules for traffic that travels over Cloud VPN. For more information, see the VPC firewall rules overview.
Use strong pre-shared keys
Google recommends generating a strong pre-shared key for your Cloud VPN tunnels.
Restrict IP addresses for your peer VPN gateways
By restricting which IP addresses can be specified for a peer VPN gateway, you can prevent unauthorized VPN tunnels from being created.
For more information, see Restrict IP addresses for peer VPN gateways.
Configure the strongest cipher on your peer VPN gateway
When configuring your peer VPN gateway, choose the strongest cipher for each cipher role that is supported by both your peer VPN gateway and Cloud VPN.
The listed proposal order for Cloud VPN is not ordered by strength.
For a list of supported IKE ciphers, see Supported IKE ciphers.
What's next
- To use high-availability and high-throughput scenarios or multiple subnet scenarios, see Advanced configurations.
- To help you solve common issues that you might encounter when using Cloud VPN, see Troubleshooting.