# Add an HA VPN gateway to HA VPN over Cloud Interconnect

Last updated: 2025-09-08 (UTC).

This page provides instructions for adding HA VPN
gateways to your existing
[HA VPN over Cloud Interconnect](/network-connectivity/docs/interconnect/concepts/ha-vpn-interconnect) deployment.

HA VPN over Cloud Interconnect lets you encrypt
the traffic that traverses your Dedicated Interconnect or
Partner Interconnect connections. Learn how to
[deploy HA VPN over Cloud Interconnect](/network-connectivity/docs/interconnect/how-to/ha-vpn-interconnect-deploy-process).

You might need to add HA VPN tunnels to your
HA VPN over Cloud Interconnect deployment after you have increased the capacity
of your VLAN attachments. Another scenario for adding tunnels is when
your Cloud VPN monitoring alerts have detected that your existing VPN tunnels
have exceeded the recommended 50% utilization threshold. This threshold ensures
that you have sufficient capacity for tunnel failover in the event of VLAN attachment
failure.

To increase the capacity in your HA VPN over Cloud Interconnect deployment,
you must add HA VPN tunnels. Use the
same procedures that you would normally use to add an
HA VPN tunnel between an existing
HA VPN gateway and an external peer VPN gateway.
For more information, see
[Add a tunnel from an HA VPN gateway to a peer VPN gateway](/network-connectivity/docs/vpn/how-to/adding-a-tunnel#add-tunnel-from-ha-vpn-to-peer).

You only need to add one or more HA VPN gateways if all
existing HA VPN gateway interfaces are already connected
to all available peer VPN gateway interfaces. As an alternative,
you can also add one or more peer VPN gateways to your
on-premises network.

You can only associate HA VPN gateways with encrypted
VLAN attachments by using the Google Cloud CLI or the HA VPN API.
You can't perform this action with the Google Cloud console after you complete the initial
deployment of HA VPN over Cloud Interconnect.

To create an HA VPN gateway, perform the following steps.

#### Permissions required for this task

To perform this task, you must have been granted the following permissions
*or* the following IAM roles.

**Permissions**

- `compute.vpnGateways.create`
- `compute.vpnGateways.delete`
- `compute.vpnGateways.get`
- `compute.vpnGateways.list`
- `compute.vpnGateways.use`
- `compute.vpnGateways.setLabels`

**Roles**

- `roles/compute.networkAdmin`

### gcloud

1. Create an HA VPN gateway.

   For example, the following command creates an HA VPN
   gateway and assigns the gateway interfaces to your encrypted VLAN attachments:

   ```
   gcloud compute vpn-gateways create vpn-gateway-c \
       --network NETWORK_NAME \
       --region REGION \
       --interconnect-attachments \
       ATTACHMENT_1[,ATTACHMENT_2]
   ```

   For the `--interconnect-attachments` parameter, you can list up to two
   VLAN attachments. The first VLAN attachment is assigned
   to interface 0 (`if0`) of the HA VPN gateway. If you
   specify the optional second VLAN attachment, it is assigned to
   interface 1 (`if1`).

   An example command might look like the following:

   ```
   gcloud compute vpn-gateways create vpn-gateway-c \
       --network network-a \
       --region us-central1 \
       --interconnect-attachments \
       attachment-a-zone1,attachment-a-zone2
   ```
2. If you configured the encrypted VLAN attachments to use regional internal IP
   addresses for your HA VPN gateways, view the gateway's
   details. Two internal IP addresses from your reserved ranges are
   automatically assigned to the gateway.

   To view the regional internal IP addresses assigned to your
   HA VPN gateway's interfaces, use the following command:

   ```
   gcloud compute vpn-gateways describe VPN_GATEWAY_NAME
   ```

   The output might look similar to the following:

   ```
   creationTimestamp: '2022-10-14T16:22:31.748-07:00'
   id: '678310480370225624'
   kind: compute#vpnGateway
   labelFingerprint: 2345567=
   name: vpn-gateway-c
   network: https://www.googleapis.com/compute/v1/projects/project-id/global/networks/network-a
   region: https://www.googleapis.com/compute/v1/projects/project-id/regions/us-central1
   selfLink: https://www.googleapis.com/compute/v1/projects/project-id/regions/us-central1/vpnGateways/vpn-gateway-c
   stackType: IPV4_ONLY
   vpnInterfaces:
   - id: 0
     interconnectAttachment: https://www.googleapis.com/compute/v1/projects/project-id/regions/us-central1/interconnectAttachments/attachment-a-zone1
     ipAddress: 192.168.20.3
   - id: 1
     interconnectAttachment: https://www.googleapis.com/compute/v1/projects/project-id/regions/us-central1/interconnectAttachments/attachment-a-zone2
     ipAddress: 192.168.21.3
   ```

### API

To create the full configuration for an HA VPN gateway,
use the API commands in the following sections. All field values used in
these sections are example values.

To create an HA VPN gateway, make a `POST` request
by using the
[`vpnGateways.insert` method](/compute/docs/reference/rest/v1/vpnGateways/insert):

```
POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/vpnGateways
{
  "name": "vpn-gateway-c",
  "network": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/NETWORK_NAME",
  "vpnInterfaces": [
    {
      "interconnectAttachment": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/interconnectAttachments/attachment-a-zone1"
    },
    {
      "interconnectAttachment": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/interconnectAttachments/attachment-a-zone2"
    }
  ]
}
```

If you configured the encrypted VLAN attachments to use regional internal IP
addresses for your HA VPN gateways, then internal IP
addresses from your reserved ranges are automatically assigned to the gateway.

To view the regional internal IP addresses assigned to your
HA VPN gateway, use the
[`vpnGateways.get` method](/compute/docs/reference/rest/v1/vpnGateways/get):

```
GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/vpnGateways/VPN_GATEWAY_NAME
```

The output might look similar to the following:

```
{
  "kind": "compute#vpnGateway",
  "id": "678310480370225624",
  "creationTimestamp": "2022-10-14T16:22:31.748-07:00",
  "name": "vpn-gateway-c",
  "region": "https://www.googleapis.com/compute/v1/projects/project-id/regions/us-central1",
  "network": "https://www.googleapis.com/compute/v1/projects/project-id/global/networks/network-a",
  "selfLink": "https://www.googleapis.com/compute/v1/projects/project-id/regions/us-central1/vpnGateways/vpngw-test",
  "labelFingerprint": "2345567=",
  "vpnInterfaces": [
    {
      "id": 0,
      "ipAddress": "192.168.20.3",
      "interconnectAttachment": "https://www.googleapis.com/compute/v1/projects/project-id/regions/us-central1/interconnectAttachments/attachment-a-zone1"
    },
    {
      "id": 1,
      "ipAddress": "192.168.21.3",
      "interconnectAttachment": "https://www.googleapis.com/compute/v1/projects/project-id/regions/us-central1/interconnectAttachments/attachment-a-zone2"
    }
  ],
  "stackType": "IPV4_ONLY"
}
```

What's next?
------------

- If you need to add more HA VPN tunnels,
  see [Add a VPN tunnel](/network-connectivity/docs/vpn/how-to/adding-a-tunnel).

- To learn about HA VPN monitoring,
  see [View logs and metrics](/network-connectivity/docs/vpn/how-to/viewing-logs-metrics).
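
A check you can run on the gateway details returned by `gcloud compute vpn-gateways describe VPN_GATEWAY_NAME --format=json` or by `vpnGateways.get`, added here as an example that is not part of the original page: it reports any interface that is not associated with a VLAN attachment, reuses the other interface's attachment, points at another region, or has an address outside your reserved internal ranges. The function name `check_gateway`, the sample document and the reserved ranges are constructed for illustration.

```python
import ipaddress

# Constructed sample, modelled on the vpnGateways.get output shown on this page.
_ATT = ("https://www.googleapis.com/compute/v1/projects/project-id/"
        "regions/us-central1/interconnectAttachments/")
SAMPLE = {
    "name": "vpn-gateway-c",
    "region": "https://www.googleapis.com/compute/v1/projects/project-id/regions/us-central1",
    "vpnInterfaces": [
        {"id": 0, "ipAddress": "192.168.20.3",
         "interconnectAttachment": _ATT + "attachment-a-zone1"},
        {"id": 1, "ipAddress": "192.168.21.3",
         "interconnectAttachment": _ATT + "attachment-a-zone2"},
    ],
}


def check_gateway(gw, reserved_ranges):
    """Return a list of findings; an empty list means every check passed."""
    nets = [ipaddress.ip_network(r) for r in reserved_ranges]
    region = gw.get("region", "").rstrip("/").rsplit("/", 1)[-1]
    findings, seen = [], set()
    for iface in gw.get("vpnInterfaces", []):
        label = f"if{iface.get('id')}"
        parts = (iface.get("interconnectAttachment") or "").split("/")
        # Expected tail: regions/<region>/interconnectAttachments/<name>
        if len(parts) < 4 or parts[-2] != "interconnectAttachments":
            findings.append(f"{label}: not associated with a VLAN attachment")
            continue
        if parts[-3] != region:
            findings.append(f"{label}: attachment region {parts[-3]} != gateway region {region}")
        if parts[-1] in seen:
            findings.append(f"{label}: reuses attachment {parts[-1]}")
        seen.add(parts[-1])
        try:
            addr = ipaddress.ip_address(iface.get("ipAddress", ""))
        except ValueError:
            findings.append(f"{label}: missing or invalid ipAddress")
            continue
        if not any(addr in net for net in nets):
            findings.append(f"{label}: {addr} is outside the reserved internal ranges")
    return findings


if __name__ == "__main__":
    # Reserved ranges below are constructed values; substitute your own.
    for finding in check_gateway(SAMPLE, ["192.168.20.0/29", "192.168.21.0/29"]):
        print(finding)
```
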