The following best practices can be helpful when planning for and configuring Cloud VPN.
Use separate Google Cloud projects for networking resources
To make configuration of Identity and Access Management (IAM) roles and permissions easier, wherever possible, keep your Cloud VPN and Cloud Router resources in a project separate from your other Google Cloud resources.
Routing and failover
Choose dynamic routing
Choose a Cloud VPN gateway that uses dynamic routing and the Border Gateway Protocol (BGP). Google recommends using HA VPN and deploying on-premises devices that support BGP.
Use an active/passive tunnel configuration
Use HA VPN and an active/passive tunnel configuration wherever possible.
For more information, see the recommended routing option in the Cloud VPN overview.
Set up firewall rules for your VPN gateways
Create secure firewall rules for traffic that travels over Cloud VPN. For more information, see the VPC firewall rules overview.
Use strong pre-shared keys
Google recommends generating a strong pre-shared key for your Cloud VPN tunnels.
- To use high-availability and high-throughput scenarios or multiple subnet scenarios, see Advanced configurations.
- To help you solve common issues that you might encounter when using Cloud VPN, see Troubleshooting.