Best practices for Cloud VPN

The following best practices can be helpful when planning for and configuring Cloud VPN.

Use separate Google Cloud projects for networking resources

To make configuration of Identity and Access Management (IAM) roles and permissions easier, wherever possible, keep your Cloud VPN and Cloud Router resources in a project separate from your other Google Cloud resources.

Routing and failover

Choose dynamic routing

Choose a Cloud VPN gateway that uses dynamic routing and the Border Gateway Protocol (BGP). Google recommends using HA VPN and deploying on-premises devices that support BGP.

Use HA VPN whenever possible

To achieve the highest level of availability, use HA VPN whenever possible.

For more information, see types of VPN in the Cloud VPN overview.

Choose the appropriate tunnel configuration

Choose the appropriate tunnel configuration based on the number of HA VPN gateways:

  • If you have a single HA VPN gateway, use an active/passive tunnel configuration.

  • If you have more than one HA VPN gateway, use an active/active tunnel configuration.

For more information, see the following sections in the Cloud VPN overview:


Set up firewall rules for your VPN gateways

Create secure firewall rules for traffic that travels over Cloud VPN. For more information, see the VPC firewall rules overview.

Use strong pre-shared keys

Google recommends generating a strong pre-shared key for your Cloud VPN tunnels.

Restrict IP addresses for your peer VPN gateways

By restricting which IP addresses can be specified for a peer VPN gateway, you can prevent unauthorized VPN tunnels from being created.

For more information, see Restrict IP addresses for peer VPN gateways.

What's next

  • To use high-availability and high-throughput scenarios or multiple subnet scenarios, see Advanced configurations.
  • To help you solve common issues that you might encounter when using Cloud VPN, see Troubleshooting.