This page describes how custom routes with next hops of Cloud VPN tunnels work in Google Cloud.
For background information about Google Cloud routes, including route applicability and order and static route parameters, see the Virtual Private Cloud (VPC) routes overview.
Route types
A Cloud VPN tunnel can be a next hop for a custom route in your VPC network. Each custom route with a next hop Cloud VPN tunnel defines an egress path for packets leaving your VPC network:
A Cloud Router always manages a Classic VPN tunnel that uses dynamic routing or an HA VPN tunnel. The Cloud Router receives BGP advertisements from and sends BGP messages to a peer VPN gateway. Cloud Router automatically creates and removes dynamic routes in your VPC network—that is, the routes with destinations in a peer network. It also advertises routes to a peer network—that is, routes to the IP ranges of subnets in your VPC network or to custom destinations that you specify in a Cloud Router configuration. The dynamic routing mode of your VPC network controls the set of routes that Cloud Router imports and exports.
A policy-based or route-based Classic VPN tunnel uses static routing. If you use the Google Cloud console to create one of these tunnels, Google Cloud automatically creates static routes based on the remote IP ranges that you specify in the Cloud VPN configuration. If you use the Google Cloud CLI to create one of these tunnels, you must manually create the static routes that use the tunnel as a next hop.
Example scenarios
Google Cloud follows a well-defined applicability and order when selecting the next hop to which a packet should be sent. The following examples demonstrate common interactions between routes and Cloud VPN.
Interaction with subnet routes
The following table demonstrates how subnet routes and custom routes interact.
Each row represents a possible IP range of a subnet in a VPC
network. The on-premises ranges are 10.2.0.0/16
for IPv4 and fd20:a:b:c::/64
for IPv6.
IPv6 traffic is supported only by HA VPN gateways that are configured with a dual stack type of IPv4 and IPv6.
VPC network | Cloud VPN tunnel routing | |
---|---|---|
IP range of Google Cloud subnet | Static (policy-based, route-based) Classic VPN only |
Dynamic (BGP) Classic VPN or HA VPN |
10.2.0.0/16 Same as on-premises IP range |
Google Cloud does not let you create a static route
whose destination is 10.2.0.0/16 and whose next hop is a
Cloud VPN tunnel. |
The tunnel's associated Cloud Router ignores any advertised
routes with a destination of 10.2.0.0/16 . Traffic destined for
10.2.0.0/16 remains in your VPC network. |
fd20:a:b:c::/64 Same as on-premises IP range |
Classic VPN does not support IPv6. | The tunnel's associated Cloud Router ignores any advertised
routes with a destination of fd20:a:b:c::/64 . Traffic destined for
fd20:a:b:c::/64 remains in your VPC network. |
10.0.0.0/8 Broader than on-premises IP range (smaller subnet mask) |
Google Cloud does not let you create a static route
whose destination is 10.2.0.0/16 and whose next hop is a
Cloud VPN tunnel. |
The tunnel's associated Cloud Router ignores any advertised
routes whose destinations match or fit within 10.0.0.0/8 ,
including 10.2.0.0/16 . Traffic destined for
10.0.0.0/8 remains in your VPC network. |
fd20:a:b::/48 Broader than on-premises IP range (smaller subnet mask) |
Classic VPN does not support IPv6. | The tunnel's associated Cloud Router ignores any advertised
routes whose destinations match or fit within fd20:a:b::/48 ,
including fd20:a:b:c::/64 . Traffic destined for
fd20:a:b::/48 remains in your VPC network. |
10.2.99.0/24 Narrower than on-premises IP range (longer subnet mask) |
Google Cloud lets you create a static route with the
10.2.0.0/16 destination and next hop Cloud VPN
tunnel; however, traffic to IP addresses in 10.2.99.0/24
remains inside your VPC network. |
The tunnel's associated Cloud Router accepts an advertised
route whose destination is 10.2.0.0/16 ; however, traffic to
IP addresses in 10.2.99.0/24 remains inside your
VPC network. |
fd20:a:b:c::/80 Narrower than on-premises IP range (longer subnet mask) |
Classic VPN does not support IPv6. | The tunnel's associated Cloud Router accepts an advertised
route whose destination is fd20:a:b:c::/64 ; however, traffic to
IP addresses in fd20:a:b:c::/80 remains inside your
VPC network.
|
When tunnels are down
Dynamic (BGP) routing
When a Classic VPN tunnel that uses dynamic routing or an HA VPN tunnel goes down, the Cloud Router managing it automatically removes the learned routes. The length of time that it takes to detect the breakage varies depending on whether Bidirectional Forwarding Detection (BFD) is enabled. If BFD is enabled, the detection occurs when the BGP holddown timer expires. Otherwise, detection occurs in less than 60 seconds. The learned routes can be re-added when the tunnel is re-established.
This process is fully automatic, but can still result in some packet loss during the time that it takes for Cloud Router to remove the affected routes.
Static routing
Google Cloud never considers a Cloud VPN tunnel as a valid next hop that has not established an IKE security association (SA). If a Cloud VPN tunnel has established an IKE SA, Google Cloud considers it operational. An operational Cloud VPN tunnel only passes traffic if it is selected as the next hop according to the routing order. The next hop for a different route, with either a more specific destination or with a higher priority, might be used instead.
The following scenarios demonstrate expected behaviors:
If you have multiple static routes for the same destination, each having a different next hop Cloud VPN tunnel, Google Cloud only considers those tunnels that have established IKE SAs (Phase 1). Tunnels that are down—that is, that do not have valid IKE SAs—are disregarded before considering route priority.
For example, suppose that you have three static routes for the
192.168.168.0/24
destination: one with priority10
whose next hop Cloud VPN tunnel is down, a second with priority20
whose next hop tunnel is up, and a third with priority30
whose next hop tunnel is also up. Google Cloud sends traffic to the second next hop, even though its route has a lower priority than the route whose next hop is down. If the first tunnel is re-established, then Google Cloud considers it a valid next hop and uses that route instead.Traffic is dropped if all Cloud VPN tunnels serving as next hops for static routes with the same destination are down. Traffic is dropped even if there is a static route for a broader destination with an operational next hop tunnel.
For example, suppose that you have a static route for
192.168.168.0/24
whose next hop Cloud VPN tunnel is down (no valid IKE SA). Even if you have a route for192.168.0.0/16
whose next hop is an operational Cloud VPN tunnel, traffic to192.168.168.0/24
is dropped. This is because Google Cloud always selects routes with the most specific destinations.
When traffic switches from one next hop Cloud VPN tunnel to another, you should still expect packet loss. In-flight packets might be dropped and need to be re-transmitted.
ECMP over tunnels
For both dynamic and static routing, if more than one custom route exists for the same destination and has the same priority and an active (IKE SA established) next hop tunnel, Google Cloud uses equal-cost multipath (ECMP) routing to distribute packets among the tunnels.
This balancing method is based on a hash, so all packets from the same flow use the same tunnel as long as that tunnel is up.
To test ECMP behavior, use iperf3
to send multiple simultaneous TCP streams, ideally from multiple
Google Cloud virtual machine (VM) instances,
through Cloud VPN tunnels. If you need to validate ECMP behavior, do
not use ICMP (ping
) to perform tests. A ping
test from one VM instance isn't
sufficient to test ECMP-based egress through Cloud VPN tunnels
because only one tunnel is selected when you have a fixed source and destination.
ICMP has no concept of ports and is a fixed protocol, so the hash is only
calculated from two pieces of information: the source and destination addresses
(a two-tuple hash).
What's next
- To learn about the basic concepts of Cloud VPN, see the Cloud VPN overview.
- To help you solve common issues that you might encounter when using Cloud VPN, see Troubleshooting.