Classic VPN partial deprecation

To provide you with more reliable high-availability VPN connections, Google is replacing most of the functionality of Classic VPN with HA VPN and encouraging customers to move to HA VPN, which became available in September 2019. For information about HA VPN, see the Cloud VPN overview.

The rest of this document helps you with planning and implementing your migration.

Deprecated configurations

Starting on March 31, 2022, you will no longer be able to create new Classic VPN tunnels that use dynamic, or Border Gateway Protocol (BGP), routing managed by a Cloud Router unless specifically supported.

You can create a Classic VPN tunnel that uses dynamic routing if the Classic VPN connects to VPN gateway software running inside a Compute Engine VM. This configuration is still supported.

What happens on the deprecation date

If you make changes on or after the deprecation date, you'll see the following behavior:

  • If you delete a Classic VPN tunnel that uses an unsupported dynamic routing configuration after March 31, 2022, you won't be able to recreate it.
  • If you do nothing to existing Classic VPN gateways and tunnels that use dynamic routing but do not connect to Compute Engine VMs, those resources will become unsupported on March 31, 2022 and will only receive maintenance updates after that date.

Supported configurations

You can continue to create Classic VPN tunnels that use static (route-based or policy-based) routing.

You can also create Classic VPN tunnels that use dynamic routing and connect to VPN gateway software running inside a Compute Engine VM.

Because HA VPN requires dynamic (BGP) routing, a Classic VPN tunnel configuration remains an option for connecting to gateways that don't support BGP.


Google encourages you to migrate your production traffic from Classic VPN to HA VPN wherever feasible.

Google also recommends that you retain Classic VPN when your on-premises VPN devices don't support BGP and thus can't be used with HA VPN. However, whenever possible, you should upgrade those devices to devices that support BGP.

Billing changes

After instantiating and using the additional, redundant tunnel for HA VPN, you will see billing changes as described on the Cloud VPN pricing page.

To achieve high availability, HA VPN requires you to create VPN tunnels in pairs. Both tunnels are billed at the same hourly rate. If you use one tunnel solely for failover, egress charges apply only to the active tunnel.

After March 31, 2022, traffic that you don't migrate to HA VPN still flows through your established Classic VPN gateways and tunnels, and is charged at the same rate that you are currently being charged for Classic VPN.

For more information about topologies, see Cloud VPN topologies.

Move to HA VPN

To move to HA VPN, you might need to make some routing or infrastructure changes to support HA VPN. Your network administrators or site reliability engineers (SREs) need to schedule a maintenance window to perform the migration.

To plan and prepare, watch the following video, Upgrade to Google's HA VPN, for guidance on key use cases.

When your organization is ready to switch your production workflows from Classic VPN to HA VPN, use the checklists and instructions provided in Move to HA VPN.

Where to get help

If you have any questions or require assistance, contact Google Cloud Support.