HA VPN topologies

With Cloud VPN, your on-premises hosts communicate through one or more IPsec VPN tunnels to Compute Engine virtual machine (VM) instances in your project's Virtual Private Cloud (VPC) networks.

This page describes recommended topologies for HA VPN. For Classic VPN topologies, see Classic VPN topologies. For more information about Cloud VPN, including both VPN types, see the Cloud VPN overview.

For definitions of terms used on this page, see Key terms.

Overview

HA VPN supports site-to-site VPN in one of the following recommended topologies or configuration scenarios. To determine the appropriate configuration scenario to use, check with the vendor of your peer VPN gateway:

  • An HA VPN gateway to peer VPN devices. The following topologies require two VPN tunnels from the perspective of the HA VPN gateway. To determine which topology is most appropriate, check with the vendor of your peer VPN gateway.
    • An HA VPN gateway to two separate peer VPN devices where each peer device has its own external IP address.
    • An HA VPN gateway to one peer VPN device that has two separate external IP addresses.
    • An HA VPN gateway to one peer VPN device that has one external IP address.
  • An HA VPN gateway to an Amazon Web Services (AWS) virtual private gateway, which is a peer gateway configuration with four interfaces.
  • Two HA VPN gateways connected to each other.

Configurations that support 99.99% availability

To guarantee a 99.99% availability SLA for HA VPN connections, properly configure two or four tunnels from your HA VPN gateway to your peer VPN gateway or to another HA VPN gateway.

Proper configuration means that VPN tunnels must supply adequate redundancy by connecting to all interfaces of the HA VPN gateway and to all interfaces of the peer VPN gateway or other HA VPN gateway.

Each of the following sections covers how to configure tunnels on both ends of the VPN connection to guarantee 99.99% availability.

Configuring HA VPN for more bandwidth

The preferred method of increasing bandwidth for HA VPN is to scale the number of gateways: add HA VPN gateways instead of deploying multiple tunnels connected to each interface of an existing HA VPN gateway (a bow-tie configuration).

You can connect multiple HA VPN gateways to the same peer VPN gateway (external VPN gateway resource) with as many additional tunnels as the quotas and limits for Cloud VPN allow.

The following example of a 10-Gbps HA VPN deployment uses these Google Cloud resources:

  • 1 Cloud Router
  • 4 HA VPN gateways with two tunnels each, for a total of 8 VPN tunnels
  • 8 total BGP sessions

This configuration assumes an active/passive MED configuration for the BGP sessions: on each gateway, the session attached to interface 0 is active and the session attached to interface 1 is passive. That is, four interface 0 tunnels are active, and four interface 1 tunnels are passive.

Each Cloud VPN tunnel can support up to 3 Gbps total for ingress and egress combined. That 3 Gbps is a maximum that is reached only with an ideal traffic pattern; in practice, 2.5 Gbps per tunnel can be relied on. Therefore, the calculation is 4 * 2.5 = 10 Gbps. For more information, see Network bandwidth.

HA VPN to peer VPN gateways

There are three typical peer gateway configurations for HA VPN:

  • An HA VPN gateway to two separate peer VPN devices, each with its own IP address
  • An HA VPN gateway to one peer VPN device that uses two separate IP addresses
  • An HA VPN gateway to one peer VPN device that uses one IP address

To set up any of these configurations, see Creating an HA VPN to a peer VPN gateway.

Two peer VPN devices

If your peer-side gateway is hardware-based, having a second peer-side gateway provides redundancy and failover on that side of the connection. A second physical gateway lets you take one of the gateways offline for software upgrades or other scheduled maintenance. It also protects you if there is a failure in one of the devices.

In this topology, one HA VPN gateway connects to two peer devices. Each peer device has one interface and one external IP address. The HA VPN gateway uses two tunnels, one tunnel to each peer device.

In Google Cloud, the REDUNDANCY_TYPE for this configuration takes the value TWO_IPS_REDUNDANCY.

The following example provides 99.99% availability.

Figure: HA VPN to two peer (on-premises) devices.

One peer VPN device with two IP addresses

This topology describes one HA VPN gateway that connects to one peer device that has two separate external IP addresses. The HA VPN gateway uses two tunnels, one tunnel to each external IP address on the peer device.

In Google Cloud, the REDUNDANCY_TYPE for this configuration takes the value TWO_IPS_REDUNDANCY.

The following example provides 99.99% availability.

Figure: HA VPN to one peer (on-premises) device with two IP addresses.

One peer VPN device with one IP address

This topology describes one HA VPN gateway that connects to one peer device that has one external IP address. The HA VPN gateway uses two tunnels, both tunnels to the single external IP address on the peer device.

In Google Cloud, the REDUNDANCY_TYPE for this configuration takes the value SINGLE_IP_INTERNALLY_REDUNDANT.

The following example provides 99.99% availability.

Figure: HA VPN to one peer (on-premises) device with one IP address.

Guaranteeing 99.99% availability

To meet the 99.99% SLA on the Google Cloud side, there must be a tunnel from each of the two interfaces on the HA VPN gateway to the corresponding interfaces on the peer gateway.

If the peer gateway has two interfaces, then configuring two tunnels, one from each HA VPN gateway interface to the corresponding peer interface, meets the requirements for the 99.99% SLA. A full mesh configuration is not required for the 99.99% SLA on the Google Cloud side. In this case, a full mesh is defined as two tunnels from each HA VPN interface, one to each of the two interfaces on the peer gateway, for a total of four tunnels from the Google Cloud side. To confirm whether your VPN vendor recommends a full mesh configuration, see the documentation for your peer (on-premises) VPN device or contact your VPN vendor.

In configurations with two peer interfaces, tunnels on each of the following interfaces on the HA VPN gateway match the corresponding interfaces on the peer gateway or gateways:

  • HA VPN interface 0 to peer interface 0
  • HA VPN interface 1 to peer interface 1

Examples are shown in the diagrams for two peer devices (two interfaces in total) and for one peer device with two interfaces.

If there is only one peer interface on one peer gateway, each tunnel from each HA VPN gateway interface must connect to the single peer interface. See the diagram for one peer device, one interface.

The following example does not provide 99.99% availability, because only one of the two HA VPN gateway interfaces has a tunnel:

  • HA VPN interface 0 to peer interface 0

Figure: A topology that doesn't provide high availability.

HA VPN to AWS peer gateways

When configuring an HA VPN external VPN gateway to Amazon Web Services (AWS), you can use either a transit gateway or a virtual private gateway. Only the transit gateway supports equal-cost multipath (ECMP) routing. When enabled, ECMP equally distributes traffic across active tunnels. The supported topology requires two AWS Site-to-Site VPN connections, A and B, each with two external IP addresses. This topology yields four external IP addresses in AWS: A1, A2, B1, and B2.

  1. Configure the four AWS IP addresses as a single external HA VPN gateway with FOUR_IPS_REDUNDANCY, where:
    • AWS interface 0 = A1
    • AWS interface 1 = A2
    • AWS interface 2 = B1
    • AWS interface 3 = B2
  2. Create four tunnels on the HA VPN gateway to meet the 99.99% SLA by using the following configuration:
    • HA VPN interface 0 to AWS interface 0
    • HA VPN interface 0 to AWS interface 1
    • HA VPN interface 1 to AWS interface 2
    • HA VPN interface 1 to AWS interface 3

To set up HA VPN with AWS, do the following:

  1. In Google Cloud, create an HA VPN gateway and a Cloud Router in the region that you want. This action creates two external IP addresses, one for each gateway interface. Record the external IP addresses for use in the next step.
  2. In AWS, create two customer gateways by using the following:
    • The Dynamic routing option
    • The Google ASN of the Cloud Router
    • The external IP addresses of the Google Cloud HA VPN gateway interfaces 0 and 1
  3. Complete the steps that correspond to the AWS VPN option that you are using:
    • Transit Gateway
      1. Create a transit gateway VPN attachment for the first customer gateway (interface 0), and use the Dynamic routing option.
      2. Repeat the previous step for the second customer gateway (interface 1).
    • Virtual Private Gateway
      1. Create a Site-to-Site VPN connection for the first customer gateway (interface 0) by using the following:
        • A Target Gateway Type of Virtual Private Gateway
        • The Dynamic routing option
      2. Repeat the previous step for the second customer gateway (interface 1).
  4. Download the AWS configuration files for both connections that you created. The files contain information that you need during the next steps in this procedure, including pre-shared authentication keys, outside tunnel IP addresses, and inside tunnel IP addresses.
  5. In Google Cloud, do the following:
    1. Create a new peer VPN gateway with four interfaces by using the AWS external IP addresses from the files that you downloaded in the previous step.
    2. Create four VPN tunnels on the HA VPN gateway that you created in step 1. For each tunnel, configure the HA VPN gateway interface with the appropriate peer VPN gateway interface and pre-shared keys by using the information in the AWS configuration files that you downloaded.
    3. Configure BGP sessions on the Cloud Router by using the BGP IP addresses from the downloaded AWS configuration files.

HA VPN between Google Cloud networks

You can connect two Google Cloud VPC networks together by using an HA VPN gateway in each network. The following example provides 99.99% availability.

Figure: HA VPN gateways between Google Cloud networks.

From the perspective of each HA VPN gateway, you create two tunnels so that both of the following are true:

  • interface 0 on one HA VPN gateway connects to interface 0 on the other HA VPN gateway
  • interface 1 on one HA VPN gateway connects to interface 1 on the other HA VPN gateway

To set up this configuration, see Creating two fully configured HA VPN gateways that connect to each other.

Guaranteeing 99.99% availability

To provide 99.99% availability between two HA VPN gateways, the interfaces on both gateways must match as follows:

  • HA VPN interface 0 to HA VPN interface 0, and
  • HA VPN interface 1 to HA VPN interface 1
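As an added example that is not part of the Cloud VPN documentation, the following Python check encodes the 99.99% SLA tunnel rules this page gives for peer VPN gateways, AWS (four interfaces) and HA VPN-to-HA VPN topologies, plus the active/passive sizing from the bandwidth section. The names sla_compliant, active_passive_plan, REQUIRED and the HA_VPN_PEER label are assumptions made for this example; the REDUNDANCY_TYPE values are the ones named on this page.

```python
import math
from collections import defaultdict

# Peer interfaces that each HA VPN interface must reach, keyed by the
# peer-side REDUNDANCY_TYPE values named on this page. "HA_VPN_PEER" is an
# assumed label for the HA VPN-to-HA VPN case (not a real REDUNDANCY_TYPE).
REQUIRED = {
    "TWO_IPS_REDUNDANCY": {0: {0}, 1: {1}},
    "SINGLE_IP_INTERNALLY_REDUNDANT": {0: {0}, 1: {0}},
    "FOUR_IPS_REDUNDANCY": {0: {0, 1}, 1: {2, 3}},
    "HA_VPN_PEER": {0: {0}, 1: {1}},
}


def sla_compliant(redundancy_type, tunnels):
    """Check a tunnel layout against the Google Cloud side 99.99% SLA rules.

    tunnels: iterable of (ha_vpn_interface, peer_interface) pairs.
    Returns (ok, reasons): ok is True only when every HA VPN interface has
    a tunnel to every peer interface the topology requires. Extra tunnels
    (for example a full mesh) are tolerated; they are not required.
    """
    required = REQUIRED[redundancy_type]
    have = defaultdict(set)
    for ha_if, peer_if in tunnels:
        have[ha_if].add(peer_if)
    reasons = []
    for ha_if, peers in sorted(required.items()):
        for peer_if in sorted(peers - have[ha_if]):
            reasons.append(
                f"missing tunnel: HA VPN interface {ha_if} -> peer interface {peer_if}"
            )
    return (not reasons, reasons)


def active_passive_plan(target_gbps, per_tunnel_gbps=2.5):
    """Size a scaled deployment where interface 1 tunnels are passive.

    Only interface 0 tunnels carry traffic, so each gateway contributes one
    active tunnel; 2.5 Gbps per tunnel is the figure this page relies on.
    """
    gateways = math.ceil(target_gbps / per_tunnel_gbps)
    return {"gateways": gateways, "tunnels": 2 * gateways, "bgp_sessions": 2 * gateways}
```

Running sla_compliant("TWO_IPS_REDUNDANCY", [(0, 0)]) reproduces the non-HA example above: it reports the missing interface 1 tunnel.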

What's next

  • To use high-availability and high-throughput scenarios or multiple subnet scenarios, see Advanced configurations.
  • To help you solve common issues that you might encounter when using Cloud VPN, see Troubleshooting.