Classic VPN partial deprecation

To provide you with more reliable and highly available VPN connections, Google is replacing most of the functionality of Classic VPN with HA VPN and encouraging customers to move to HA VPN, which became available in September 2019. For information about HA VPN, see the Cloud VPN overview.

The rest of this document helps you with planning and implementing your migration.

Deprecated configurations

Starting on October 31, 2021, you will no longer be able to do the following:

  • Create new Classic VPN tunnels using static routing (route based or policy based) that connect to another Classic VPN gateway
  • Create new Classic VPN tunnels using static routing (route based or policy based) that connect a Google Cloud Virtual Private Cloud (VPC) network to another cloud provider's network
  • Create new Classic VPN tunnels using dynamic routing (all configurations)

What happens on the deprecation date

If you make the following changes to deprecated configurations on and after the deprecation date of October 31, 2021, you'll see the following behavior:

  • If you delete one of the deprecated configurations after October 31, 2021, you won't be able to recreate it.
  • If you do nothing to existing deprecated Classic VPN gateways and tunnels, on the deprecation date of October 31, 2021, those resources will become unsupported and will no longer receive updates.

Supported configurations

You can continue to create the following configurations and get support for them:

  • VPN tunnels using static routing from Classic VPN gateways to on-premises VPN gateways and from on-premises VPN gateways to Classic VPN gateways
  • VPN tunnels using static routing from a Classic VPN gateway to and from a Compute Engine virtual machine (VM) acting as a VPN gateway

Reference table of deprecated and supported configurations

This section provides a reference table of deprecated and supported Classic VPN tunnel configurations.

  • HA VPN tunnels require dynamic (BGP) routing managed by a Cloud Router.
  • Classic VPN tunnels can optionally use dynamic (BGP) routing managed by a Cloud Router.
VPN tunnel routing method Gateway to which the Classic VPN tunnel connects Classic VPN deprecation status
Classic VPN tunnel using dynamic (BGP) routing Any Deprecated. Instead, use HA VPN tunnels. See Creating an HA VPN gateway to a Peer VPN gateway.
Classic VPN tunnel using any routing method Another Classic VPN gateway Deprecated. Instead, use HA VPN tunnels to connect one HA VPN gateway to another HA VPN gateway. See Creating Google Cloud to Google Cloud HA VPN gateways.
Classic VPN tunnel using static routing
(policy based or route based VPN)
A VPN gateway in another cloud provider's network Deprecated. Instead, use HA VPN tunnels when other cloud providers support dynamic routing (BGP). For example, see Google Cloud HA VPN interoperability guide for AWS.
Classic VPN tunnel using static routing
(policy based or route based VPN)
An on-premises VPN gateway or other cloud provider VPN gateway that does not support BGP routing Supported. Because HA VPN requires dynamic (BGP) routing, this Classic VPN tunnel configuration remains an option to connect to a gateway that doesn't support BGP.
Classic VPN tunnel using static routing
(policy based or route based VPN)
VPN gateway software running inside a Compute Engine VM Supported.

Recommendations

Google encourages you to migrate your production traffic from Classic VPN to HA VPN.

Google also recommends retaining Classic VPN to and from your on-premises gateways only when your on-premises VPN devices don't support Border Gateway Protocol (BGP) and thus can't be used with HA VPN. Wherever feasible, we recommend upgrading those devices to devices that support BGP.

Billing changes

After instantiating and using the additional, redundant tunnel for HA VPN, you will see billing changes as described on the Cloud VPN pricing page.

To achieve high availability, HA VPN requires you to create VPN tunnels in pairs. Both tunnels are billed at the same hourly rate. If you use one tunnel solely for failover, egress charges apply only to the active tunnel.

After October 31, 2021, traffic that you don't migrate to HA VPN still flows through your established Classic VPN gateways and tunnels, and is charged at the same rate that you are currently being charged for Classic VPN.

Moving to HA VPN

To move to HA VPN, you might need to make some routing or infrastructure changes to support HA VPN. Your network administrators or site reliability engineers (SREs) will need to schedule a maintenance window to perform the migration.

To plan and prepare, watch the following video, Migrating from Classic VPN to HA VPN, for guidance on key use cases.

When your organization is ready to switch your production workflows from Classic VPN to HA VPN, use the checklists and instructions provided in Moving to HA VPN.

Where to get help

If you have any questions or require assistance, contact Google Cloud Support.