Classic VPN dynamic routing partial deprecation

To provide you with more reliable high-availability VPN connections, Google has replaced the dynamic routing, or Border Gateway Protocol (BGP), functionality of Classic VPN with HA VPN.

Google encourages customers that use dynamic routing (BGP) to move to HA VPN, which became available in September 2019. For information about HA VPN, see the Cloud VPN overview.

The rest of this document helps you with planning and implementing your migration.

Deprecated configurations

You cannot create Classic VPN tunnels that use dynamic routing (BGP), managed by a Cloud Router, for connections outside of Google Cloud.

You can continue to create Classic VPN tunnels that use dynamic routing if the Classic VPN connects to VPN gateway software running inside a Compute Engine VM. This configuration is still supported.

What happens to deprecated configurations

If you delete a Classic VPN tunnel that uses an unsupported dynamic routing configuration, you cannot recreate it.

Existing Classic VPN gateways and tunnels that use dynamic routing, but do not connect to Compute Engine VMs, are unsupported and only receive maintenance updates.

Supported configurations

You can continue to create Classic VPN tunnels that use static (route-based or policy-based) routing.

You can also create Classic VPN tunnels that use dynamic routing and connect to VPN gateway software running inside a Compute Engine VM.

Because HA VPN requires dynamic (BGP) routing, a Classic VPN tunnel configuration remains an option for connecting to gateways that don't support BGP.

Recommendations

Google encourages you to migrate your production traffic from Classic VPN to HA VPN wherever feasible.

Google also recommends that you retain Classic VPN when your on-premises VPN devices don't support BGP and thus can't be used with HA VPN. However, whenever possible, you should upgrade those devices to devices that support BGP. BGP is a more flexible and reliable solution than static routing.

Billing changes

After instantiating and using the additional, redundant tunnel for HA VPN, you will see billing changes as described on the Cloud VPN pricing page.

To achieve high availability, HA VPN requires you to create VPN tunnels in pairs. Both tunnels are billed at the same hourly rate. If you use one tunnel solely for failover, outbound data transfer charges apply only to the active tunnel.

Traffic that you don't migrate to HA VPN still flows through your established Classic VPN gateways and tunnels, and is charged at the same rate that you are currently being charged for Classic VPN.

For more information about topologies, see Cloud VPN topologies.

Move to HA VPN

To move to HA VPN, you might need to make some routing or infrastructure changes to support HA VPN. Your network administrators or site reliability engineers (SREs) need to schedule a maintenance window to perform the migration.

To plan and prepare, watch the following video, Upgrade to Google's HA VPN, for guidance on key use cases.

When your organization is ready to switch your production workflows from Classic VPN to HA VPN, use the checklists and instructions provided in Move to HA VPN.

Where to get help

If you have any questions or require assistance, contact Google Cloud Support.