Key terms

This page provides important terms that apply to Cloud VPN. Review these terms to better understand how Cloud VPN works.

For more information, see the Cloud VPN overview.

Cloud VPN terms

The following terms apply to Cloud VPN gateways and tunnels, and to the VPN gateways on your peer network.

Cloud VPN gateway
A virtual VPN gateway running in Google Cloud, managed by Google, using a configuration that you specify in your project, and used only by you. Each Cloud VPN gateway is a regional resource that uses one or more regional external IP addresses. A Cloud VPN gateway can connect to a peer VPN gateway.
Classic VPN
The predecessor to HA VPN. For more information, see Types of Cloud VPN: Classic VPN.
HA VPN
The successor to Classic VPN: a gateway type that provides a 99.99% availability SLA when it is configured with the required tunnel redundancy. For more information, see Types of Cloud VPN: HA VPN.
external VPN gateway
A gateway resource that you configure in Google Cloud for HA VPN that provides information to Google Cloud about your peer VPN gateway or gateways. Depending on the high availability recommendations from your peer VPN gateway vendor, you can create an external VPN gateway resource for the different types of peer VPN gateways described in Cloud VPN topologies.
peer VPN gateway
A gateway that is connected to a Cloud VPN gateway. A peer VPN gateway can be one of the following:
  • Another Cloud VPN gateway
  • A VPN gateway hosted by another cloud provider such as AWS or Microsoft Azure
  • An on-premises VPN device or VPN service
remote peer IP address
For an HA VPN gateway interface that connects to an external VPN gateway, the remote peer IP address is the IP address of the interface on the external VPN gateway that is used for the tunnel.
For an HA VPN gateway interface that connects to another HA VPN gateway, the remote peer IP address is the IP address of the other HA VPN gateway's interface that is used for the tunnel.
For Classic VPN, the remote peer IP address is the external IP address of the peer VPN gateway.

VPN tunnel
A VPN tunnel connects two VPN gateways and serves as a virtual medium through which encrypted (IPsec) traffic is passed. Each gateway needs its own tunnel for the connection: a tunnel defines the connection from the perspective of its gateway, so two tunnels, one per gateway, must be established before traffic can pass between the two gateways. A Cloud VPN tunnel is always associated with a specific Cloud VPN gateway resource.
connection
As defined for Google Cloud, a logical link between Cloud VPN and peer VPN locations as identified by a vpnGateway resource at one end, and an externalVpnGateway or another Google Cloud VpnGateway resource at the peer end. A connection also includes all the vpnTunnel resources and BGP sessions between the gateway resources.
Internet Key Exchange (IKE)
The protocol (IKEv1 or IKEv2) that the Cloud VPN gateway and the peer VPN gateway use to authenticate each other, in Cloud VPN by means of a pre-shared key, and to negotiate the IPsec security associations and session keys that encrypt tunnel traffic. Because the pre-shared key is the only thing that authenticates the peer, use a long, randomly generated key and keep it out of configuration that is shared or checked in.
Cloud VPN gateway MTU
The size in bytes of the largest IP packet—including headers, data, and IPsec overhead—supported by a Cloud VPN tunnel.
Cloud VPN payload MTU
The size in bytes of the largest IP packet—including headers and data—that can be successfully encrypted and sent in a Cloud VPN tunnel without fragmentation. In other words, the original packet size not counting IPsec overhead.
HA VPN over Cloud Interconnect gateway MTU
The size in bytes of the largest IP packet—including headers, data, and IPsec overhead—supported by a HA VPN over Cloud Interconnect tunnel.
HA VPN over Cloud Interconnect payload MTU
The size in bytes of the largest IP packet—including headers and data—that can be successfully encrypted and sent in a HA VPN over Cloud Interconnect tunnel without fragmentation. In other words, the original packet size not counting Cloud Interconnect overhead and IPsec overhead.
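The four MTU definitions above describe one relationship: the payload MTU is the largest inner packet whose size, after IPsec (ESP tunnel-mode) encapsulation, still fits within the gateway MTU. The following added example, which is not code from the Cloud VPN documentation or from Google, makes that arithmetic concrete. The ESP overhead values are taken from RFC 4303 (ESP), RFC 3602 (AES-CBC) and RFC 4106 (AES-GCM); the gateway MTU of 1460 bytes, the cipher suites and the `transport_overhead` placeholder for the HA VPN over Cloud Interconnect case are assumptions chosen for illustration, and the payload MTU figures in the Cloud VPN documentation for a given suite may differ from what this model produces.

```python
"""Relationship between gateway MTU and payload MTU for an IPsec (ESP tunnel-mode)
VPN tunnel: the payload MTU is the largest inner packet whose encapsulated size
still fits in the gateway MTU.

Added example, not code from the Cloud VPN documentation or from Google. The ESP
overhead values come from RFC 4303, RFC 3602 and RFC 4106; the gateway MTU of 1460
used below is an assumed illustrative value.
"""
from dataclasses import dataclass

IPV4_HEADER = 20   # outer IPv4 header added by tunnel mode
UDP_HEADER = 8     # present only with NAT traversal (UDP encapsulation, RFC 3948)
ESP_HEADER = 8     # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)


@dataclass(frozen=True)
class Suite:
    name: str
    iv_len: int      # per-packet IV carried at the start of the ESP payload
    align: int       # inner packet + trailer is padded to a multiple of this
    icv_len: int     # integrity check value appended after the trailer


# Assumed example suites; check which suite your peer actually negotiates.
SUITES = {
    "aes-cbc-128-sha1-96": Suite("AES-128-CBC + HMAC-SHA1-96", iv_len=16, align=16, icv_len=12),
    "aes-gcm-16": Suite("AES-GCM, 16-byte ICV", iv_len=8, align=4, icv_len=16),
}


def esp_padding(inner_len: int, suite: Suite) -> int:
    """ESP padding needed so that data + pad + trailer is aligned to suite.align."""
    return (-(inner_len + ESP_TRAILER)) % suite.align


def encapsulated_size(inner_len: int, suite: Suite, nat_t: bool = False,
                      transport_overhead: int = 0) -> int:
    """Size on the wire of an inner IP packet of inner_len bytes after ESP tunnel-mode
    encapsulation. transport_overhead is a placeholder for additional underlay overhead
    (for example on HA VPN over Cloud Interconnect); it is 0 for plain Cloud VPN."""
    return (transport_overhead + IPV4_HEADER + (UDP_HEADER if nat_t else 0)
            + ESP_HEADER + suite.iv_len
            + inner_len + esp_padding(inner_len, suite) + ESP_TRAILER + suite.icv_len)


def payload_mtu(gateway_mtu: int, suite: Suite, nat_t: bool = False,
                transport_overhead: int = 0) -> int:
    """Largest inner packet that can be sent through the tunnel without fragmentation.
    Searches downward because the padding makes the overhead depend on inner_len."""
    for inner in range(gateway_mtu, 0, -1):
        if encapsulated_size(inner, suite, nat_t, transport_overhead) <= gateway_mtu:
            return inner
    raise ValueError("gateway MTU too small to carry any payload")


def needs_fragmentation(inner_len: int, gateway_mtu: int, suite: Suite,
                        nat_t: bool = False) -> bool:
    """True if a packet of inner_len bytes exceeds the gateway MTU once encrypted, so it
    would be fragmented (or dropped when the DF bit is set) at the tunnel."""
    return encapsulated_size(inner_len, suite, nat_t) > gateway_mtu


if __name__ == "__main__":
    GATEWAY_MTU = 1460  # assumed illustrative value
    for suite in SUITES.values():
        for nat_t in (False, True):
            print(f"{suite.name:28s} nat_t={nat_t!s:5s} payload MTU = "
                  f"{payload_mtu(GATEWAY_MTU, suite, nat_t)}")
    # A 1460-byte inner packet does not fit once encrypted, which is why the interior
    # MTU or the TCP MSS has to be lowered to the payload MTU.
    print("1460-byte packet fragmented:",
          needs_fragmentation(1460, GATEWAY_MTU, SUITES["aes-cbc-128-sha1-96"]))
```

The downward search matters because block-cipher padding makes the overhead vary with the inner packet size: with AES-CBC and a 1460-byte gateway MTU the model gives a payload MTU of 1390 bytes, while AES-GCM, whose payload only needs 4-byte alignment, leaves 1406 bytes. Whatever the real figures for your gateway, the operational check is the same: interior hosts (or a TCP MSS clamp on the route) must stay at or below the payload MTU, not the gateway MTU.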

Border Gateway Protocol (BGP) terms

The following terminology applies to the Border Gateway Protocol (BGP), which Cloud VPN and Cloud Interconnect use for dynamic routing.

Border Gateway Protocol (BGP)
An exterior gateway routing protocol standardized by the Internet Engineering Task Force (IETF); the current BGP-4 specification is RFC 4271. BGP automatically exchanges routing and reachability information among autonomous systems on the internet. Your device is BGP-capable if it can perform BGP routing, which means that you can enable BGP on it and assign it a BGP IP address and an autonomous system number. To determine if your device supports BGP, see the vendor information for your device or contact your device's vendor.
autonomous system (AS)
A collection of connected IP routing prefixes under the control of a single administrative entity or domain that presents a common routing policy to the internet, such as an internet service provider (ISP), a large company, or a university.
autonomous system number (ASN)
A unique identifier allocated to each autonomous system that uses BGP routing. ASNs are 16-bit or 32-bit numbers (RFC 6793); the private ranges 64512–65534 and 4200000000–4294967294 (RFC 6996) are intended for sessions that are not announced to the public internet, such as the session between a Cloud Router and a peer VPN gateway. For more information, see RFC 7300.
MD5 authentication
A method of BGP peer authentication that uses the MD5 message-digest algorithm, carried in the TCP MD5 signature option. When you use this approach, BGP peers must use the same authentication key, or a connection cannot be established between them. Thereafter, every TCP segment exchanged between the peers carries an MD5 digest of the segment and the key, which the receiver verifies before accepting the segment; this stops a party without the key from injecting routes or resetting the session, but it does not encrypt the session. For more information about MD5 authentication, see RFC 2385; the IETF has since defined TCP-AO (RFC 5925) as its successor, and support for either depends on the device. To find out whether your device supports MD5 authentication, see the vendor information for the device or contact the vendor. To get support with using Cloud Router MD5 authentication, see Support.
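To show what "every segment is verified" means on the wire, the following added example, which is not code from the Cloud VPN documentation or from Google, computes and checks the RFC 2385 TCP MD5 signature option for a constructed BGP segment. The link-local addresses, ports, key and minimal BGP OPEN message are constructed sample values, and the ordinary TCP checksum is left at zero because the signature is computed with it zeroed anyway.

```python
"""TCP MD5 signature option (RFC 2385), the mechanism behind BGP MD5 authentication:
the sender places an MD5 digest of the segment plus the shared key in a TCP option,
and the receiver recomputes it and discards any segment whose digest does not match.

Added example, not code from the Cloud VPN documentation or from Google. The
addresses, ports, key and BGP OPEN payload are constructed sample values.
"""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

TCP_PROTO = 6
MD5_OPT_KIND = 19   # option kind assigned to the TCP MD5 signature option
MD5_OPT_LEN = 18    # kind (1) + length (1) + 16-byte digest
OPTIONS_LEN = 20    # two NOPs + the MD5 option, padded to a 32-bit boundary

# Constructed sample: a minimal BGP OPEN (marker, length 29, type 1, version 4,
# AS 65001, hold time 90, BGP identifier 169.254.0.2, no optional parameters).
SAMPLE_OPEN = (b"\xff" * 16 + struct.pack("!HBBHH", 29, 1, 4, 65001, 90)
               + IPv4Address("169.254.0.2").packed + b"\x00")


def tcp_md5_digest(src: str, dst: str, fixed_header: bytes, payload: bytes,
                   tcp_length: int, key: bytes) -> bytes:
    """RFC 2385 section 2: MD5 over (1) the pseudo-header, (2) the 20-byte TCP header
    with the checksum zeroed and options excluded, (3) the segment data, (4) the key."""
    pseudo = (IPv4Address(src).packed + IPv4Address(dst).packed
              + struct.pack("!BBH", 0, TCP_PROTO, tcp_length))
    zeroed = fixed_header[:16] + b"\x00\x00" + fixed_header[18:20]
    return hashlib.md5(pseudo + zeroed + payload + key).digest()


def build_segment(src, dst, sport, dport, seq, ack, flags, payload, key):
    """Build a TCP segment (fixed header + MD5 option + payload) signed with key."""
    data_offset = (20 + OPTIONS_LEN) // 4
    tcp_length = 20 + OPTIONS_LEN + len(payload)
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset << 4,
                        flags, 65535, 0, 0)   # checksum field left at zero (see lead-in)
    digest = tcp_md5_digest(src, dst, fixed, payload, tcp_length, key)
    options = b"\x01\x01" + bytes([MD5_OPT_KIND, MD5_OPT_LEN]) + digest
    return fixed + options + payload


def find_md5_option(options: bytes):
    """Walk the TCP options; return the carried digest, or None if absent or malformed."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:            # End of option list
            return None
        if kind == 1:            # NOP
            i += 1
            continue
        if i + 1 >= len(options):
            return None
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return None
        if kind == MD5_OPT_KIND and length == MD5_OPT_LEN:
            return options[i + 2:i + length]
        i += length
    return None


def verify_segment(src: str, dst: str, segment: bytes, key: bytes) -> bool:
    """What a receiver configured for MD5 does: unsigned or mismatching segments are
    rejected, so a party without the key cannot inject data or reset the session."""
    if len(segment) < 20:
        return False
    data_offset = (segment[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        return False
    fixed, options, payload = segment[:20], segment[20:data_offset], segment[data_offset:]
    carried = find_md5_option(options)
    if carried is None:
        return False
    expected = tcp_md5_digest(src, dst, fixed, payload, len(segment), key)
    return hmac.compare_digest(carried, expected)


if __name__ == "__main__":
    src, dst, key = "169.254.0.1", "169.254.0.2", b"constructed-sample-key"
    seg = build_segment(src, dst, 40000, 179, 1000, 0, 0x18, SAMPLE_OPEN, key)
    print("correct key:", verify_segment(src, dst, seg, key))             # True
    print("wrong key:  ", verify_segment(src, dst, seg, b"other-key"))    # False
    forged_rst = build_segment(src, dst, 40000, 179, 1000, 0, 0x04, b"", b"guess")
    print("forged RST: ", verify_segment(src, dst, forged_rst, key))      # False
```

Two details are worth noticing. The pseudo-header binds the digest to the source and destination addresses, so a segment replayed from a different address pair fails verification even with the right key. And the options themselves are excluded from the digest, which is why the option can carry the digest in the first place; everything else in the segment, including the BGP message, is covered.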

Google Cloud terms

The following terminology applies to Google Cloud and its features.

Google Cloud
Google Cloud is a suite of public cloud computing services offered by Google. For more information, see Google Cloud products.
project ID
The ID of your Google Cloud project. A project contains networking resources such as networks, subnets, and Cloud VPN gateways as described in the VPC network overview. For a description of the difference between project name, project ID, and project number, see Identifying projects. You can view the project ID in the Google Cloud console.