Best practices for Cloud VPN

The following best practices can be helpful when planning for and configuring Cloud VPN.

Use separate Google Cloud projects for networking resources

To make configuration of Identity and Access Management roles and permissions easier, keep your Cloud VPN and Cloud Router resources in a project separate from your other Google Cloud resources wherever possible.

Routing and failover

Choose dynamic routing

Choose a Cloud VPN gateway that uses dynamic routing and the Border Gateway Protocol (BGP). Google recommends using HA VPN and deploying on-premises devices that support BGP.

Use an active/passive tunnel configuration

Use HA VPN and an active/passive tunnel configuration wherever possible.

For more information, see the preferred routing option in the Cloud VPN overview.


Set up firewall rules for your VPN gateways

Create secure firewall rules for traffic that travels over Cloud VPN. To do this, see Firewall rules in Google Cloud.

Use strong pre-shared keys

Google recommends generating a strong pre-shared key for your Cloud VPN tunnels.
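One way to generate and sanity-check such a key from a shell, shown as an added example that is not part of the original page or Google's own tooling. The function names, the 24-byte minimum and the 12-distinct-character floor are assumptions of this example.

```bash
# Added example: generate and sanity-check a pre-shared key for a VPN tunnel.
# MIN_BYTES is this example's assumption, not a value stated on the page.
MIN_BYTES=24   # 24 random bytes = 192 bits = 32 base64 characters

# Print a base64 key built from N bytes of kernel CSPRNG output.
gen_psk() {
  local bytes="${1:-$MIN_BYTES}"
  case "$bytes" in
    ''|*[!0-9]*) echo "byte count must be a number" >&2; return 2 ;;
  esac
  if [ "$bytes" -lt "$MIN_BYTES" ]; then
    echo "refusing to generate fewer than $MIN_BYTES random bytes" >&2
    return 1
  fi
  head -c "$bytes" /dev/urandom | base64 | tr -d '\n'
}

# Return 0 if a candidate key is at least as long and varied as gen_psk output.
# This rejects human-chosen keys (words, repeated characters); it is a floor,
# not proof that the key is random.
check_psk() {
  local key="$1" distinct
  [ "${#key}" -ge 32 ] || { echo "too short: ${#key} characters" >&2; return 1; }
  distinct=$(printf '%s' "$key" | fold -w1 | sort -u | wc -l | tr -d ' ')
  [ "$distinct" -ge 12 ] || { echo "only $distinct distinct characters" >&2; return 1; }
  return 0
}

# Write a fresh key to a file only the owner can read. printf is a shell
# builtin, so the key never appears in a process argument list.
write_psk_file() {
  local path="$1" key
  key=$(gen_psk) || return 1
  check_psk "$key" || return 1
  ( umask 077; printf '%s' "$key" > "$path" ) || return 1
  chmod 600 "$path"   # tighten the mode if the file already existed
}
```

Both ends of a tunnel must be configured with the same key, so transfer the file over a channel you already trust rather than pasting the key into chat or tickets.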
