Dynamic routing or Border Gateway Protocol (BGP) with Classic VPN tunnels will be deprecated on August 1, 2025. If you use dynamic routing (BGP) with Classic VPN for production workloads, we recommend that you migrate from Classic VPN to HA VPN.
For information about HA VPN, see the Cloud VPN overview.
The rest of this page helps you with planning and implementing your migration.
Deprecated configurations
You cannot create Classic VPN tunnels that use dynamic routing (BGP) that is managed by a Cloud Router.
Starting from August 1, 2025, you can't create Classic VPN tunnels that use dynamic routing (BGP), regardless of the gateway the tunnel connects to. This includes connections to VPN gateway software running inside a Compute Engine virtual machine (VM) instance or connections outside of Google Cloud.
After this date, existing tunnels with these configurations will no longer be supported. Tunnels that are in use will continue to function, but without an availability SLA.
What happens to deprecated configurations?
If you delete a tunnel configuration, you won't be able to recreate it. However, you will still be able to route traffic through your existing Classic VPN tunnels, unless you make changes that require you to switch to HA VPN.
Supported configurations
You can continue to create and receive support for the following Classic VPN configurations:
- Classic VPN tunnels using static routing from Classic VPN gateways to on-premises VPN gateways and from on-premises VPN gateways to Classic VPN gateways.
- Classic VPN tunnels using static routing from a Classic VPN gateway to and from a Compute Engine VM that is acting as a VPN gateway.
Recommendations
We recommend that you migrate your production traffic from Classic VPN to HA VPN wherever feasible.
We recommend that you retain Classic VPN when your on-premises VPN devices don't support BGP and thus can't be used with HA VPN. However, whenever possible, you should upgrade those devices to devices that support BGP. BGP is a more flexible and reliable solution than static routing.
For more information, see HA VPN topologies.
Billing changes
After instantiating and using the additional, redundant tunnel for HA VPN, you will see billing changes as described on the Cloud VPN pricing page.
To achieve high availability, HA VPN requires you to create VPN tunnels in pairs. Both tunnels are billed at the same hourly rate. If you use one tunnel solely for failover, outbound data transfer charges apply only to the active tunnel.
Starting August 1, 2025, traffic that you don't migrate to HA VPN still flows through your established Classic VPN gateways and tunnels, and is charged at the same rate that you are being charged for Classic VPN.
Move to HA VPN
To move to HA VPN, you might need to make some routing or infrastructure changes to support HA VPN. Your network administrators or site reliability engineers (SREs) need to schedule a maintenance window to perform the migration.
To plan and prepare, watch the following video, Upgrade to Google's HA VPN, for guidance on key use cases.
When your organization is ready to switch your production workflows from Classic VPN to HA VPN, use the checklists and instructions provided in Move to HA VPN.
Where to get help
If you have any questions or require assistance, contact Google Cloud Support.