With Classic VPN, your on-premises hosts communicate through one or more IPsec VPN tunnels to Compute Engine virtual machine (VM) instances in your project's Virtual Private Cloud (VPC) networks.
Classic VPN supports site-to-site VPN as the simple topology shown on this page or with redundancy options.
Redundancy and failover options
You can provide redundancy and failover for Classic VPN gateways by either moving to HA VPN or by using a second Classic VPN gateway.
Option 1: Moving to HA VPN
Option 2: Using a second peer VPN gateway
For Classic VPN, if your on-premises side is hardware based, having a second peer VPN gateway provides redundancy and failover on that side of the connection. A second physical gateway allows you to take one of the gateways offline for software upgrades or other scheduled maintenance. It also protects you in case of an outright failure in one of the devices.
To configure a tunnel from your Cloud VPN gateway to a second on-premises-side VPN gateway, do the following:
- Configure a second on-premises VPN gateway and a tunnel.
- Set up a second tunnel on your Cloud VPN gateway pointing to the second on-premises gateway.
- Forward the same routes for the second tunnel as you did for the first. If you want both tunnels to balance traffic, set their route priorities to be the same. If you want one tunnel to be primary, set a lower priority on the second tunnel.
- If either VPN tunnel fails due to network issues along the path, or a problem with an on-premises gateway, the Cloud VPN gateway will continue sending traffic over the healthy tunnel and will automatically resume using both tunnels once the failed tunnel recovers.
For details about configuring redundancy with dynamic routing, see the Cloud Router redundancy page.
Increased throughput and load balancing options
There are three options for scaling a Cloud VPN configuration:
- Option 1: Scale the on-premises VPN gateway.
- Option 2: Scale the Cloud VPN gateway. If your on-premises VPN gateway's throughput capabilities are higher, and you want to scale higher throughput from the Cloud VPN gateway, you can set up a second Cloud VPN gateway.
- Option 3: Scale both the on-premises VPN gateway and the Cloud VPN gateway.
Option 1: Scale the on-premises VPN gateway
Set up a second on-premises VPN gateway device with a different external IP address. Create a second tunnel on your existing Cloud VPN gateway that forwards the same IP range, but pointing at the second on-premises gateway IP. Your Cloud VPN gateway automatically load balances between the configured tunnels. You can set up the VPN gateways to have multiple tunnels load balanced this way to increase the aggregate VPN connectivity throughput.
Option 2: Scale the Cloud VPN gateway
Add a second Cloud VPN gateway in the same region as the existing VPN gateway. The second Cloud VPN gateway can have a tunnel that points to the same IP address of the on-premises VPN gateway as the tunnel on the first gateway. Once configured, traffic to the on-premises VPN gateway is automatically load balanced between the two Cloud VPN gateways and tunnels.
Option 3: Scale both the on-premises VPN gateway and the Cloud VPN gateway
Combine options 1 and 2 mentioned above to scale throughput. If you have two on-premises VPN gateways and two Cloud VPN gateways, each Cloud VPN gateway can have a tunnel pointing at each on-premises VPN gateway external IP, giving you four load balanced tunnels between the VPN gateway, thereby potentially providing four times the bandwidth.
For more information, see the tutorial Building high-throughput VPNs. You can increase the number of tunnels up to your project's quota. ECMP is used to balance traffic between tunnels.
- To move to HA VPN, see Moving to HA VPN from Classic VPN.
- To use high-availability and high-throughput scenarios or multiple subnet scenarios, see Advanced configurations.
- To help you solve common issues that you might encounter when using Cloud VPN, see Troubleshooting.