HA VPN topologies

This page describes recommended topologies and the corresponding availability Service Level Agreement (SLA) for each HA VPN topology. For Classic VPN topologies, see Classic VPN topologies. For more information about Cloud VPN, including both VPN types, see the Cloud VPN overview.

For definitions of terms used on this page, see Key terms.

Overview

HA VPN supports site-to-site VPN in one of the following recommended topologies:

  • HA VPN to third-party peer VPN gateways. This topology requires two VPN tunnels from the perspective of the HA VPN gateway to achieve the high availability SLA. In this configuration, HA VPN has three typical peer gateway configurations:

    • Two separate peer VPN devices, each with its own IP address.
    • One peer VPN device with two separate IP addresses.
    • One peer VPN device with one IP address.

    To determine which topology is most appropriate, check with the vendor of your peer VPN gateway.

  • HA VPN between Google Cloud VPC networks. In this topology, you can connect two Google Cloud VPC networks by using an HA VPN gateway in each network. The VPC networks can be in the same region or multiple regions.

  • HA VPN to Compute Engine VM instances. In this topology, you connect an HA VPN gateway to a Compute Engine virtual machine (VM) instance. Your VM instances can be in one zone or multiple zones.

  • HA VPN over Cloud Interconnect. In this topology, you create HA VPN tunnels to carry IPsec-encrypted traffic over VLAN attachments of either Dedicated Interconnect or Partner Interconnect. You can reserve regional internal IP address ranges for your HA VPN gateways. Your peer VPN devices can also have internal IP addresses. For more information and architecture diagrams, see HA VPN over Cloud Interconnect deployment architecture.

Configurations that support 99.99% availability

Topology | Description | Availability SLA
HA VPN to peer VPN gateways | Connect an HA VPN gateway to one or two separate peer VPN devices | 99.99%
HA VPN between two Google Cloud networks | Connect two Google Cloud VPC networks in a single region by using an HA VPN gateway in each network | 99.99%

To configure for 99.99% availability for HA VPN connections, configure two or four tunnels from your HA VPN gateway to your peer VPN gateway or to another HA VPN gateway. Ensure that the peer VPN gateway is also configured to receive 99.99% availability SLA.

Proper configuration means that VPN tunnels must supply adequate redundancy by connecting to all interfaces of the HA VPN gateway and to all interfaces of the peer VPN gateway or other HA VPN gateway.

Configurations that support 99.9% availability

Topology | Description | Availability SLA
HA VPN to Compute Engine VM instances in multiple zones | Connect an HA VPN gateway to Compute Engine VM instances with external IP addresses | 99.9%
HA VPN to a single Compute Engine VM instance | Connect an HA VPN gateway to only one Compute Engine VM instance with an external IP address | The availability SLA is determined by the availability SLA provided for a single VM instance of the memory-optimized machine family for Compute Engine. For more information, see Compute Engine Service Level Agreement (SLA).

To configure for a 99.9% availability SLA for HA VPN connections in these topologies, configure two or four tunnels from your HA VPN gateway to your peer VPN gateway or to other Google Cloud resources.

Configure HA VPN for more bandwidth

To increase the bandwidth of your HA VPN gateways, add more HA VPN tunnels.

To calculate the number of tunnels you need, use 250,000 packets per second as the sum of inbound and outbound capacity for each tunnel. For example, if you need 600,000 packets per second for a sum of inbound and outbound traffic, you need 3 pairs of HA VPN tunnels (6 tunnels) to ensure the required bandwidth and failover capacity.

For more information about VPN bandwidth calculations, see Network bandwidth.

Consider the following guidelines when increasing HA VPN bandwidth.

  • Check VPN tunnel quotas

    Unless you are connecting an HA VPN gateway to another HA VPN gateway, each HA VPN gateway supports an unlimited number of VPN tunnels on each interface.

    However, the VPN tunnels quota limits the total number of VPN tunnels in your project.

  • Add HA VPN gateways to add tunnels between two HA VPNs

    When you connect an HA VPN gateway to another HA VPN gateway, you can only connect one tunnel per interface, 0 or 1, to the corresponding interface, 0 or 1, on the other HA VPN gateway. In other words, between a pair of HA VPN gateways, you have a maximum of two HA VPN tunnels.

    Therefore, to increase the number of VPN tunnels between HA VPN gateways, you must create additional pairs of HA VPN gateways.

  • Add pairs of VPN tunnels

    To increase the bandwidth between HA VPN and an on-premises peer VPN gateway, add VPN tunnel pairs.

    For example, to double the bandwidth of an HA VPN gateway that connects to an on-premises peer VPN gateway with two tunnels (one active, one passive), add two more VPN tunnels. Add one more "active" tunnel and one more "passive" tunnel.

    The BGP sessions for all four tunnels receive the same prefixes. The two active tunnels receive the prefixes with the same higher priority, and the two passive tunnels receive the prefixes with the same lower priority.

  • Match interfaces on the peer VPN gateway

    You must match the interfaces on your peer VPN gateway to continue receiving an availability SLA.

    When doubling the bandwidth of an HA VPN gateway that connects to an on-premises VPN gateway, match the tunnels to the interfaces on the peer VPN gateway. Place the two active tunnels on interface 0 and the two passive tunnels on interface 1. Alternatively, place the two active tunnels on interface 1 and the two passive tunnels on interface 0.
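The sizing rule (250,000 packets per second per tunnel) and the active/passive layout rules above, worked through as an added example that is not Google Cloud code or tooling; the tunnel names and the advertised-route priority values are assumptions, and the page's 600,000 pps figure is used as the sample input.

```python
"""Plan HA VPN tunnel pairs for a required packet rate.

Applies the page's sizing rule (250,000 pps combined inbound and outbound
per tunnel) and its layout rule: one active and one passive tunnel per
pair, actives on one HA VPN interface, passives on the other, each tunnel
terminating on the matching peer interface. Names and priorities are constructed.
"""
import math

PPS_PER_TUNNEL = 250_000   # sizing figure stated on the page
ACTIVE_PRIORITY = 100      # assumed MED-style value: lower number is preferred
PASSIVE_PRIORITY = 200     # assumed backup value


def tunnel_pairs_needed(required_pps):
    """Pairs needed so the active tunnels alone carry required_pps; the
    passive tunnel of each pair holds the failover capacity."""
    if required_pps <= 0:
        raise ValueError("required_pps must be positive")
    return math.ceil(required_pps / PPS_PER_TUNNEL)


def plan_tunnels(required_pps, active_interface=0):
    """Lay the pairs out across HA VPN interfaces 0 and 1, peer interfaces matched."""
    if active_interface not in (0, 1):
        raise ValueError("an HA VPN gateway has exactly two interfaces, 0 and 1")
    passive_interface = 1 - active_interface
    tunnels = []
    for _ in range(tunnel_pairs_needed(required_pps)):
        for role, iface, prio in (("active", active_interface, ACTIVE_PRIORITY),
                                  ("passive", passive_interface, PASSIVE_PRIORITY)):
            tunnels.append({
                "name": f"tunnel-{len(tunnels)}",  # constructed name
                "ha_vpn_interface": iface,
                "peer_interface": iface,           # interface i to peer interface i
                "role": role,
                "advertised_route_priority": prio,
            })
    return tunnels


def surviving_capacity_pps(tunnels, failed_interface):
    """Combined pps left if one HA VPN interface, and every tunnel on it, is down."""
    return sum(PPS_PER_TUNNEL for t in tunnels
               if t["ha_vpn_interface"] != failed_interface)


if __name__ == "__main__":
    plan = plan_tunnels(600_000)  # the page's example: 3 pairs, 6 tunnels
    print(*plan, sep="\n")
    print("pps with interface 0 down:", surviving_capacity_pps(plan, 0))
```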

HA VPN to peer VPN gateways

There are three typical peer gateway configurations for HA VPN:

  • An HA VPN gateway to two separate peer VPN devices, each with its own IP address
  • An HA VPN gateway to one peer VPN device that uses two separate IP addresses
  • An HA VPN gateway to one peer VPN device that uses one IP address

To set up any of these configurations, see Create an HA VPN to a peer VPN gateway.

If you deploy an HA VPN gateway with an IPv4 and IPv6 dual-stack type, then your VPN tunnels can support the exchange of IPv6 traffic. IPv6 must also be enabled in the BGP sessions that you create for the VPN tunnels. In this scenario, you can assign IPv6 addresses to the on-premises subnets and VPC subnets in the following topologies.

Two peer VPN devices

If your peer-side gateway is hardware-based, having a second peer-side gateway provides redundancy and failover on that side of the connection. A second physical gateway lets you take one of the gateways offline for software upgrades or other scheduled maintenance. It also protects you if there is a failure in one of the devices.

In this topology, one HA VPN gateway connects to two peer devices. Each peer device has one interface and one external IP address. The HA VPN gateway uses two tunnels, one tunnel to each peer device.

In Google Cloud, the REDUNDANCY_TYPE for this configuration takes the value TWO_IPS_REDUNDANCY.

The following example provides 99.99% availability.

HA VPN to two peer (on-premises) devices.

One peer VPN device with two IP addresses

This topology describes one HA VPN gateway that connects to one peer device that has two separate external IP addresses. The HA VPN gateway uses two tunnels, one tunnel to each external IP address on the peer device.

In Google Cloud, the REDUNDANCY_TYPE for this configuration takes the value TWO_IPS_REDUNDANCY.

The following example provides 99.99% availability.

HA VPN to one peer (on-premises) device with two IP addresses.

One peer VPN device with one IP address

This topology describes one HA VPN gateway that connects to one peer device that has one external IP address. The HA VPN gateway uses two tunnels, both tunnels to the single external IP address on the peer device.

In Google Cloud, the REDUNDANCY_TYPE for this configuration takes the value SINGLE_IP_INTERNALLY_REDUNDANT.

The following example provides 99.99% availability.

HA VPN to one peer (on-premises) device with one IP address.

Configure for 99.99% availability

To meet the 99.99% availability SLA on the Google Cloud side, there must be a tunnel from each of the two interfaces on the HA VPN gateway to the corresponding interfaces on the peer gateway.

If the peer gateway has two interfaces, then configuring two tunnels, one from each peer interface to each HA VPN gateway interface, meets the requirements for the 99.99% availability SLA. A full mesh configuration is not required for the 99.99% availability SLA on the Google Cloud side. In this case, a full mesh is defined as two tunnels from each HA VPN interface to each of the two interfaces on the peer gateway, for a total of four tunnels from the Google Cloud side. To confirm whether your VPN vendor recommends a full mesh configuration, see the documentation for your peer (on-premises) VPN device or contact your VPN vendor.

In configurations with two peer interfaces, tunnels on each of the following interfaces on the HA VPN gateway match the corresponding interfaces on the peer gateway or gateways:

  • HA VPN interface 0 to peer interface 0
  • HA VPN interface 1 to peer interface 1

Examples are shown in the diagrams for two peer devices (two interfaces) and for one peer device (two interfaces).

If there is only one peer interface on one peer gateway, each tunnel from each HA VPN gateway interface must connect to the single peer interface. See the diagram for one peer device, one interface.

The following example does not provide 99.99% availability:

  • HA VPN interface 0 to peer interface 0

A topology that doesn't provide high availability.

HA VPN between Google Cloud networks

You can connect two Google Cloud VPC networks together by using an HA VPN gateway in each network.

If you deploy two HA VPN gateways with the IPv4 and IPv6 dual-stack type, then your VPN tunnels can support the exchange of IPv6 traffic. IPv6 must also be enabled in the BGP sessions that you create for the VPN tunnels. The HA VPN gateways must be in the same region. In this scenario, you can assign IPv6 addresses to the VPC subnets in the following topology.

The following example provides 99.99% availability.

HA VPN gateways between Google Cloud networks.

From the perspective of each HA VPN gateway, you create two tunnels so that both of the following are true:

  • interface 0 on one HA VPN gateway to interface 0 on the other HA VPN gateway
  • interface 1 on one HA VPN gateway to interface 1 on the other HA VPN gateway

To set up this configuration, see Create two fully configured HA VPN gateways that connect to each other.

Configure for 99.99% availability

To provide 99.99% availability for HA VPN to HA VPN gateways, the following interfaces on both gateways must match:

  • HA VPN interface 0 to HA VPN interface 0
  • HA VPN interface 1 to HA VPN interface 1
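The interface-matching rules in this section and in the "Configure for 99.99% availability" section for peer VPN gateways above, including the non-HA layout the page shows, as an added example (not Google Cloud code): a check that reports whether a tunnel layout satisfies them. The tunnel representation and the endpoint labels are assumptions.

```python
"""Check a tunnel layout against the page's 99.99% interface-matching rules.

A tunnel is modelled as (ha_vpn_interface, peer_endpoint), where the peer
endpoint is a constructed label for a peer device interface, the other HA VPN
gateway's interface, or a peer device's single external IP address.
"""


def check_99_99(tunnels, peer_endpoints):
    """Return (meets_sla, problems).

    peer_endpoints is given in interface order:
      * two entries: the TWO_IPS_REDUNDANCY topologies (two peer devices, or
        one device with two IP addresses) and HA VPN to HA VPN, where HA VPN
        interface i must have a tunnel to endpoint i;
      * one entry: SINGLE_IP_INTERNALLY_REDUNDANT, where both HA VPN
        interfaces must have a tunnel to that single address.
    Extra tunnels (a full mesh) are allowed; they are not required."""
    if len(peer_endpoints) not in (1, 2):
        raise ValueError("expected one or two peer endpoints")
    problems = []
    reached = {0: set(), 1: set()}   # HA VPN interface -> endpoints it reaches
    for ha_iface, endpoint in tunnels:
        if ha_iface not in reached:
            problems.append(f"unknown HA VPN interface {ha_iface}")
            continue
        reached[ha_iface].add(endpoint)
    for i in (0, 1):
        # Two endpoints: interfaces are matched. One endpoint: both HA VPN
        # interfaces terminate on the same address.
        required = peer_endpoints[i] if len(peer_endpoints) == 2 else peer_endpoints[0]
        if required not in reached[i]:
            problems.append(f"HA VPN interface {i} has no tunnel to {required}")
    return (not problems, problems)


if __name__ == "__main__":
    # Constructed layouts mirroring the page's diagrams.
    print(check_99_99([(0, "peer-a"), (1, "peer-b")], ["peer-a", "peer-b"]))
    print(check_99_99([(0, "203.0.113.10"), (1, "203.0.113.10")], ["203.0.113.10"]))
    # The page's non-HA example: only HA VPN interface 0 to peer interface 0.
    print(check_99_99([(0, "peer-if-0")], ["peer-if-0", "peer-if-1"]))
```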

HA VPN to Compute Engine VM instances in multiple zones

HA VPN lets you connect an HA VPN gateway to Compute Engine virtual machine (VM) instances that work as network virtual appliances and run an IPsec VPN implementation. This topology provides a 99.9% availability SLA when configured correctly.

In this topology, an HA VPN gateway can connect to two Compute Engine VM instances. The HA VPN gateway and the VMs are in two different VPCs. The two VMs are in different zones, with each VM having an external IP address. The VM instances behave like VPN peer devices.

This topology is especially useful when you want to connect HA VPN to a third-party network virtual appliance VM hosted in Google Cloud. For example, by using this topology, you can upgrade one of the network virtual appliance VMs without any downtime to the VPN connection.

In the diagram, the HA VPN gateway is in a Virtual Private Cloud network named network-a, and the two VMs are in network-b. Both Virtual Private Cloud networks are located in us-central1. The HA VPN gateway in network-a is configured with the external IP addresses of each of the VMs in network-b. You can also have the HA VPN gateway and the VMs in two different regions. We recommend that you use this topology to improve availability.

The following example provides 99.9% availability.

A topology that connects an HA VPN gateway to two Compute Engine VM instances with each VM in a different zone.

Configure for 99.9% availability

To meet the 99.9% availability SLA, each HA VPN gateway interface must have two tunnels, one to the interface of each VM (four tunnels in total). We recommend that you use this topology to improve availability.

Two tunnels from each of the following interfaces on the HA VPN gateway connect to the interfaces on the VMs:

  • Tunnel 0 from interface 0 to us-central1-vm-a in the us-central1-a zone
  • Tunnel 1 from interface 1 to us-central1-vm-a in the us-central1-a zone
  • Tunnel 2 from interface 0 to us-central1-vm-b in the us-central1-b zone
  • Tunnel 3 from interface 1 to us-central1-vm-b in the us-central1-b zone

HA VPN to a single Compute Engine VM instance

HA VPN lets you connect an HA VPN gateway to a Compute Engine virtual machine (VM) instance that works as a network virtual appliance and runs an IPsec VPN implementation. The HA VPN gateway and the VM are in two different VPCs. The VM has an external IP address.

Overall availability is determined by the availability SLA provided for a single VM instance of the memory-optimized machine family for Compute Engine. For more information, see Compute Engine Service Level Agreement (SLA).

A topology that connects an HA VPN gateway to a Compute Engine VM.

Configure for 99.9% availability

To meet the 99.9% availability SLA, there must be two tunnels, one from each of the two interfaces on the HA VPN gateway, to the interface of the Compute Engine VM.

One tunnel from each of the following interfaces on the HA VPN gateway connects to the interface on the VM:

  • Tunnel 0 from interface 0 to us-central1-vm-a in the us-central1-a zone
  • Tunnel 1 from interface 1 to us-central1-vm-a in the us-central1-a zone

What's next

  • To use high-availability and high-throughput scenarios or multiple subnet scenarios, see Advanced configurations.
  • To help you solve common issues that you might encounter when using Cloud VPN, see Troubleshooting.