Classic VPN partial deprecation

To provide you with more reliable high-availability VPN connections, Google is replacing most of the functionality of Classic VPN with HA VPN and encouraging customers to move to HA VPN, which became available in September 2019. For information about HA VPN, see the Cloud VPN overview.

The rest of this document helps you with planning and implementing your migration.

Deprecated configurations

Starting on October 31, 2021, you will no longer be able to do the following:

  • Use static routing (route-based or policy-based) to create Classic VPN tunnels that connect to another Classic VPN gateway.
  • Use static routing (route-based or policy-based) to create Classic VPN tunnels that connect a Google Cloud Virtual Private Cloud (VPC) network to another cloud provider's network.
  • Use dynamic routing (all configurations) to create new Classic VPN tunnels.

What happens on the deprecation date

If you make the following changes to deprecated configurations on and after the deprecation date of October 31, 2021, you'll see the following behavior:

  • If you delete one of the deprecated configurations after October 31, 2021, you won't be able to recreate it.
  • If you do nothing to existing deprecated Classic VPN gateways and tunnels, on the deprecation date of October 31, 2021, those resources will become unsupported and will no longer receive updates.

Supported configurations

You can continue to create the following configurations and get support for them:

  • VPN tunnels that use static routing from Classic VPN gateways to on-premises VPN gateways and from on-premises VPN gateways to Classic VPN gateways.
  • VPN tunnels that use static routing from a Classic VPN gateway to and from a Compute Engine virtual machine (VM) instance acting as a VPN gateway.

Reference table of deprecated and supported configurations

This section provides a reference table of deprecated and supported Classic VPN tunnel configurations.

  • HA VPN tunnels require dynamic, or Border Gateway Protocol (BGP), routing managed by a Cloud Router.
  • Classic VPN tunnels can optionally use dynamic (BGP) routing managed by a Cloud Router.
VPN tunnel routing method Gateway to which the Classic VPN tunnel connects Classic VPN deprecation status
Classic VPN tunnel that uses dynamic (BGP) routing Any Deprecated. Instead, use HA VPN tunnels. See Creating an HA VPN gateway to a peer VPN gateway.
Classic VPN tunnel that uses any routing method Another Classic VPN gateway Deprecated. Instead, use HA VPN tunnels to connect one HA VPN gateway to another HA VPN gateway. See Creating an HA VPN between Google Cloud networks.
Classic VPN tunnel that uses static routing
(policy-based or route-based VPN)
A VPN gateway in another cloud provider's network Deprecated. Instead, use HA VPN tunnels when other cloud providers support dynamic routing (BGP). For example, see Google Cloud HA VPN interoperability guide for AWS.
Classic VPN tunnel that uses static routing
(policy-based or route-based VPN)
An on-premises VPN gateway or other cloud provider VPN gateway that does not support BGP routing Supported. Because HA VPN requires dynamic (BGP) routing, this Classic VPN tunnel configuration remains an option to connect to a gateway that doesn't support BGP.
Classic VPN tunnel that uses static routing
(policy-based or route-based VPN)
VPN gateway software running inside a Compute Engine VM Supported.

Recommendations

Google encourages you to migrate your production traffic from Classic VPN to HA VPN.

Google also recommends retaining Classic VPN to and from your on-premises gateways only when your on-premises VPN devices don't support BGP and thus can't be used with HA VPN. Wherever feasible, we recommend upgrading those devices to devices that support BGP.

Billing changes

After instantiating and using the additional, redundant tunnel for HA VPN, you will see billing changes as described on the Cloud VPN pricing page.

To achieve high availability, HA VPN requires you to create VPN tunnels in pairs. Both tunnels are billed at the same hourly rate. If you use one tunnel solely for failover, egress charges apply only to the active tunnel.

After October 31, 2021, traffic that you don't migrate to HA VPN still flows through your established Classic VPN gateways and tunnels, and is charged at the same rate that you are currently being charged for Classic VPN.

For more information about topologies, see Cloud VPN topologies.

Moving to HA VPN

To move to HA VPN, you might need to make some routing or infrastructure changes to support HA VPN. Your network administrators or site reliability engineers (SREs) need to schedule a maintenance window to perform the migration.

To plan and prepare, watch the following video, Upgrade to Google's HA VPN, for guidance on key use cases.

When your organization is ready to switch your production workflows from Classic VPN to HA VPN, use the checklists and instructions provided in Moving to HA VPN.

Where to get help

If you have any questions or require assistance, contact Google Cloud Support.