Checking for VPN tunnel overutilization

This page describes how to check for VPN tunnel overutilization.

You can use the VPN tunnel utilization recommender to check for VPN tunnel overutilization. A recommender is a service in Google Cloud that provides usage recommendations for cloud resources. For more information, see the Recommender overview.

VPN tunnels have limits of 3 Gbps for bandwidth and 250,000 packets per second (pps) for the packet rate. The VPN tunnel utilization recommender generates recommendations when utilization is at 80% of these limits so that you can add a new VPN tunnel before a limit is reached. For more information, see the Limits section of the VPN quotas page.

As your workloads or user traffic increase, you might reach the VPN tunnel limits without knowing it. Reaching these limits can cause packet loss and degrade application performance. Adding a VPN tunnel early can help you avoid extended periods of impact caused by an overutilized VPN tunnel.

This recommender can help with the following scenarios:

  • Identifying and linking application issues to VPN limits requires troubleshooting, which can take a considerable amount of time.
  • Setting up an additional VPN tunnel is often a lengthy process. It requires configuration and capacity on both sides of the connection. In on-premises environments, setting up another tunnel typically involves multiple teams and sometimes hardware procurement.
  • There might not be a quick workaround for an overutilized VPN tunnel because it might be infeasible to remove business-critical traffic from the connection.

How it works

The VPN tunnel utilization recommender analyzes VPN tunnel utilization over the past seven days. When a VPN tunnel is overutilized, it generates the recommendations and insights described in the following table.

| Insight | Insight subtype | Recommendation |
|---|---|---|
| Total sent and received bytes per second is higher than 300 MBps* | HIGH_BYTES_THROUGHPUT | Add a new VPN tunnel. |
| Total sent and received packets per second is higher than 200,000 pps | HIGH_PACKETS_THROUGHPUT | Add a new VPN tunnel. |

*300 MBps is 80% of the 3-Gbps limit.
200,000 pps is 80% of the 250,000-pps limit.
For more information, see Network bandwidth.

For more information about the metrics used to generate these insights, see Monitoring metrics for Cloud VPN.
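The following sketch applies the two thresholds from the table to per-tunnel throughput samples. It is an added example, not Google's recommender code. The sample layout, the tunnel names, decimal megabytes, and the rule that a single sample above a threshold inside the seven-day window is enough are all assumptions.

```python
from datetime import datetime, timedelta, timezone

# Limits and trigger level stated on this page.
BANDWIDTH_LIMIT_BPS = 3_000_000_000   # 3 Gbps, in bits per second
PACKET_LIMIT_PPS = 250_000
TRIGGER_PERCENT = 80
BYTES_THRESHOLD = BANDWIDTH_LIMIT_BPS // 8 * TRIGGER_PERCENT // 100  # 300 MBps
PACKETS_THRESHOLD = PACKET_LIMIT_PPS * TRIGGER_PERCENT // 100        # 200,000 pps
WINDOW = timedelta(days=7)


def evaluate(samples, now):
    """Map each overutilized tunnel to {insight subtype: peak fraction of limit}.

    Each sample is (timestamp, tunnel, sent_Bps, recv_Bps, sent_pps, recv_pps).
    Assumption: one sample above a threshold inside the window is enough.
    """
    peaks = {}
    for ts, tunnel, sent_b, recv_b, sent_p, recv_p in samples:
        if not (now - WINDOW <= ts <= now):
            continue  # outside the seven-day observation period
        peak = peaks.setdefault(tunnel, [0, 0])
        peak[0] = max(peak[0], sent_b + recv_b)  # sent and received are summed
        peak[1] = max(peak[1], sent_p + recv_p)
    findings = {}
    for tunnel, (bytes_peak, pkts_peak) in peaks.items():
        hit = {}
        if bytes_peak > BYTES_THRESHOLD:  # "higher than", so equality does not fire
            hit["HIGH_BYTES_THROUGHPUT"] = round(bytes_peak * 8 / BANDWIDTH_LIMIT_BPS, 3)
        if pkts_peak > PACKETS_THRESHOLD:
            hit["HIGH_PACKETS_THROUGHPUT"] = round(pkts_peak / PACKET_LIMIT_PPS, 3)
        if hit:
            findings[tunnel] = hit
    return findings


# Constructed sample data; the tunnel names are made up.
NOW = datetime(2024, 1, 8, tzinfo=timezone.utc)
SAMPLES = [
    (NOW - timedelta(days=1), "tunnel-a", 180_000_000, 140_000_000, 60_000, 50_000),
    (NOW - timedelta(days=2), "tunnel-b", 40_000_000, 30_000_000, 120_000, 95_000),
    # Exactly at both thresholds: not reported.
    (NOW - timedelta(days=3), "tunnel-c", 150_000_000, 150_000_000, 100_000, 100_000),
    # Over the byte threshold, but older than seven days: ignored.
    (NOW - timedelta(days=9), "tunnel-d", 200_000_000, 200_000_000, 10_000, 10_000),
]

if __name__ == "__main__":
    for name, hit in evaluate(SAMPLES, NOW).items():
        print(name, hit)
```
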

For general information, see Recommendations and Insights in the Recommender documentation.

To check for new recommendations and insights, see Viewing recommendations and insights.

Pricing

For pricing information, see the Recommender pricing page. There are no additional costs for the VPN tunnel utilization feature.

Before you begin

Before you can view recommendations and insights, you must do the following:

  • If you have not already, enable the Recommender API.
  • Make sure that you have one of the required roles for viewing VPN utilization recommendations:

    • Cloud VPN Recommender Admin (roles/recommender.vpnAdmin)
    • Cloud VPN Recommender Viewer (roles/recommender.vpnViewer)

    For more information about roles, see Understanding roles.

Viewing recommendations and insights

This section describes how to check for VPN overutilization by using the Google Cloud Console, the gcloud command-line tool, or the API to view recommendations and insights.

For more information about using the Cloud Console, see Getting started with Recommendation Hub.

For more information about using the gcloud tool or the API, see Using the API - Recommendations and Using the API - Insights.

Console

  1. In the Cloud Console, go to the Recommendation Hub.

  2. Check the Recommendation Hub dashboard for the Optimize Cloud VPN configuration recommendation.

    • If you do not see the recommendation, then there are no VPN tunnels approaching overutilization, and the rest of this procedure does not apply.
    • If you see the recommendation, click View all at the bottom of the recommendation to open the recommendations list. Each recommendation in the list corresponds to an overutilized VPN tunnel.
  3. Click a recommendation from the list to open the recommendation details page. The details page includes the following sections:

    • Insight: Displays the insights that caused the recommendation. Each insight includes the name of the VPN tunnel, utilization metrics, and the observation period for which the recommender analyzed utilization and generated the insight.
    • Recommendation: Provides a link to the VPN page of the Cloud Console, where you can create an additional VPN tunnel to share the load of the overutilized tunnel.
  4. Optional: If you want to add a VPN tunnel based on the recommendations and insights, see Adding a VPN tunnel.

gcloud

  1. To list all VPN tunnel recommendations, run the following command:

    gcloud recommender recommendations list \
        --project=PROJECT_ID \
        --location=LOCATION \
        --recommender=google.compute.vpnTunnel.Recommender
    

    Replace the following:

    • PROJECT_ID: your project ID
    • LOCATION: a region, such as us-central1

    If the command does not return any recommendations, then currently there are no VPN tunnels approaching overutilization, and there are no insights.

  2. To list all VPN tunnel insights, run the following command:

    gcloud recommender insights list \
        --project=PROJECT_ID \
        --location=LOCATION \
        --insight-type=google.compute.vpnTunnel.UtilizationInsight
    

    Replace the following:

    • PROJECT_ID: your project ID
    • LOCATION: a region, such as us-central1

    Each insight includes the name of the VPN tunnel, utilization metrics, and the observation period for which the recommender analyzed utilization and generated the insight.

  3. Optional: If you want to add a VPN tunnel based on the recommendations and insights, see Adding a VPN tunnel.

API

  1. Call the recommendations.list method:

    GET https://recommender.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION/recommenders/google.compute.vpnTunnel.Recommender/recommendations
    

    Replace the following:

    • PROJECT_ID: your project ID
    • LOCATION: a region, such as us-central1

    If the API call does not return any recommendations, then currently there are no VPN tunnels approaching overutilization, and there are no insights.

  2. Call the insights.list method:

    GET https://recommender.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION/insightTypes/google.compute.vpnTunnel.UtilizationInsight/insights
    

    Replace the following:

    • PROJECT_ID: your project ID
    • LOCATION: a region, such as us-central1

    Each insight includes the name of the VPN tunnel, utilization metrics, and the observation period for which the recommender analyzed utilization and generated the insight.

  3. Optional: If you want to add a VPN tunnel based on the recommendations and insights, see Adding a VPN tunnel.
