This page describes how to connect an HA VPN gateway to Compute Engine virtual machine (VM) instances with external IP addresses hosted in Google Cloud.
These instructions create the following HA VPN resources:
- An HA VPN gateway
- A peer VPN gateway
- A pair of VPN tunnels from the peer VPN gateway to each VM instance to help ensure high availability
For more information about Cloud VPN, see the following resources:
- For diagrams of this topology, see HA VPN to Compute Engine VM instances in multiple zones and HA VPN to a Compute Engine VM instance.
- For best practices to consider before setting up Cloud VPN, see Best practices.
- For more information about Cloud VPN, see the Cloud VPN overview.
- For definitions of terms used on this page, see Key terms.
Before you begin
Review information about how dynamic routing works in Google Cloud.
Ensure that your peer VPN gateway supports Border Gateway Protocol (BGP).
Ensure that you have one or two Compute Engine VMs with external IP addresses.
Set up the following items in Google Cloud to make it easier to configure Cloud VPN:
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
- In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
- Make sure that billing is enabled for your Google Cloud project.
- Install the Google Cloud CLI.
- To initialize the gcloud CLI, run the following command:
  gcloud init
- If you are using the Google Cloud CLI, set your project ID with the following command. The gcloud instructions on this page assume that you have set your project ID before issuing commands:
  gcloud config set project PROJECT_ID
- You can also view a project ID that has already been set by running the following command:
  gcloud config list --format='text(core.project)'
Create a custom VPC network and subnet
Before creating an HA VPN gateway and tunnel pair, create a Virtual Private Cloud (VPC) network and at least one subnet in the region where the HA VPN gateway resides:
- To create a custom mode VPC network (recommended), see Creating a custom mode VPC network.
- To create subnets, see Working with subnets.
To enable IPv6 for HA VPN gateways, you must enable the allocation of IPv6 internal addresses when you create the VPC. In addition, you must configure the subnets to use IPv6 internal addresses.
You must also configure IPv6 on the VMs in the subnet.
- To create a custom mode VPC network with internal IPv6 addresses, see Create a custom mode VPC network with at least one dual stack subnet.
- To create a subnet with IPv6 enabled, see Add a dual-stack subnet.
- To enable IPv6 in an existing subnet, see Convert an IPv4 subnet to a dual stack subnet.
- To create VMs with IPv6 enabled, see Configuring IPv6 for instances and instance templates.
The VPC subnet must be configured to use internal IPv6 addresses.
When you use the gcloud CLI, you configure the subnet with the --ipv6-access-type=INTERNAL flag. Cloud Router does not dynamically advertise routes for subnets that are configured to use external IPv6 addresses (--ipv6-access-type=EXTERNAL).
For information about using internal IPv6 ranges in your VPC network and subnets, see Internal IPv6 specifications.
The examples in this document also use VPC global dynamic routing mode, which behaves in the following way:
- All instances of Cloud Router apply the on-premises routes that they learn to all subnets of the VPC network.
- Routes to all subnets in the VPC network are shared with on-premises routers.
Create an HA VPN gateway and tunnels to Compute Engine VM instances
Follow the instructions in this section to create an HA VPN gateway, a peer VPN gateway resource, tunnels, and BGP sessions.
Console
To create a VPN connection for the first time, use the VPN setup wizard. The VPN setup wizard includes all required configuration steps for creating an HA VPN gateway, a peer VPN gateway resource, tunnels, and BGP sessions.
Create Cloud HA VPN gateway
In the Google Cloud console, go to the VPN page.
- If you are creating a gateway for the first time, click Create VPN connection.
- If you have existing Cloud VPN resources, click VPN setup wizard.
Select High-availability (HA) VPN.
Click Continue.
Specify a VPN gateway name.
In the Network list, select an existing network or the default network.
In the Region list, select the same region where your Compute Engine VMs are located.
Select a stack type for the VPN gateway, either IPv4 (single-stack) or IPv4 and IPv6 (dual-stack).
Click Create and continue.
The console page displays the gateway information. Two external IP addresses are automatically allocated for each of your gateway interfaces. For future configuration steps, make note of the details of your gateway configuration.
Add VPN tunnels
- In the Peer VPN gateway list, select Compute Engine VMs with external IP addresses.
In the Peer VPN gateway name list, choose an existing peer gateway or click Create a new peer VPN gateway.
If you choose an existing peer gateway, the Google Cloud console selects the number of tunnels to configure based on the number of peer interfaces that you configured on the peer gateway.
To create a peer gateway, complete the following steps:
- Specify a name for the peer VPN gateway.
- In the Peer VPN gateway interfaces section, select one or two interfaces. You can connect a pair of tunnels to each Compute Engine VM instance. For examples of this topology, see HA VPN topologies.
- In the field for each peer VPN interface, specify the external IP address used for that interface.
In the Cloud Router list, select or create a Cloud Router by specifying the following options.
- To create a new Cloud Router, specify the following:
  - A Name
  - An optional Description
  - A Google ASN for the new router. You can use any private ASN (64512 through 65534, 4200000000 through 4294967294) that you are not using elsewhere in your network. The Google ASN is used for all BGP sessions on the same Cloud Router, and you cannot change the ASN later.
- To create the router, click Create.
In the VPN tunnels section, expand each item to fill in the details of created VPN tunnels.
- In the Associated peer VPN gateway interface section, select the peer VPN gateway interface and IP address combination that you want to associate with this tunnel and with the HA VPN interface. This interface must match the interface on your actual peer router.
- Specify a Name for the tunnel.
- Specify an optional Description.
- Specify the IKE version. We recommend IKEv2, the default setting, if your peer router supports it. To allow IPv6 traffic, you must select IKEv2.
- Specify an IKE pre-shared key by using your pre-shared key (shared secret), which must correspond with the pre-shared key for the partner tunnel that you create on your peer gateway. If you haven't configured a pre-shared key on your peer VPN gateway and want to generate one, click Generate and copy. Make sure that you record the pre-shared key in a secure location because it cannot be retrieved after you create your VPN tunnels.
- Click Done.
- On the Create a VPN page, repeat the tunnel creation steps for any remaining tunnel dialogs.
When you have configured all tunnels, click Create and continue.
Configure BGP sessions
- Click Configure BGP Session to set up the BGP session on the Cloud Router. For information about creating BGP sessions, see Create BGP sessions.
- Click Save BGP configuration.
The console page refreshes and displays the information about the HA VPN gateway, peer VPN gateway, and Cloud VPN tunnel information.
gcloud
Create an HA VPN gateway
To create an HA VPN gateway, run the following command. When the gateway is created, two external IPv4 addresses are automatically allocated, one for each gateway interface.
gcloud compute vpn-gateways create GW_NAME \
    --network=NETWORK \
    --region=REGION \
    [--stack-type=IP_STACK]
Replace the following:
- GW_NAME: the name of the gateway
- NETWORK: the name of your Google Cloud network
- REGION: the Google Cloud region where you create the gateway and tunnel
- IP_STACK: Optional: the IP stack to use. Specify either IPV4_ONLY or IPV4_IPV6. If you don't specify this flag, the default stack type is IPV4_ONLY.
The gateway that you create looks similar to the following example output. An external IPv4 address is automatically assigned to each gateway interface:
Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnGateways/ha-vpn-gw-a].
NAME         INTERFACE0     INTERFACE1     NETWORK    REGION
ha-vpn-gw-a  203.0.113.16   203.0.113.23   network-a  us-central1
Create a peer VPN gateway resource
Depending on the high availability needs, you can create one or a pair of peer VPN gateway resources.
To create the first peer VPN gateway, run the following command:
gcloud compute external-vpn-gateways create PEER_GW_NAME1 \
    --interfaces 0=PEER_GW_IP_0,1=PEER_GW_IP_1
To create the second peer VPN gateway, run the following command:
gcloud compute external-vpn-gateways create PEER_GW_NAME2 \
    --interfaces 0=PEER_GW_IP_1,1=PEER_GW_IP_0
Replace the following:
- PEER_GW_NAME1: a name representing the first peer VPN gateway
- PEER_GW_NAME2: a name representing the second peer VPN gateway
- PEER_GW_IP_1: the external IP address for the first Compute Engine virtual machine
- PEER_GW_IP_0: the external IP address for the second Compute Engine virtual machine
The peer VPN gateway resources that you created look like the following example, where PEER_GW_IP_0 and PEER_GW_IP_1 show the external IP addresses of the Compute Engine virtual machines:
Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/externalVpnGateways/peer-gw].
NAME       INTERFACE0     INTERFACE1
peer-gw-1  203.0.113.16   203.0.113.23
peer-gw-2  203.0.113.23   203.0.113.16
Create a Cloud Router
To create a Cloud Router, run the following command:
gcloud compute routers create ROUTER_NAME \
    --region=REGION \
    --network=NETWORK \
    --asn=GOOGLE_ASN
Replace the following:
- ROUTER_NAME: the name of the Cloud Router, in the same region as the Cloud VPN gateway
- REGION: the Google Cloud region where you create the gateway and tunnel
- NETWORK: the name of your Google Cloud network
- GOOGLE_ASN: any private ASN (64512 through 65534, 4200000000 through 4294967294) that you are not already using in the peer network; the Google ASN is used for all BGP sessions on the same Cloud Router, and it cannot be changed later
The output is similar to the following:
Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-a].
NAME      REGION       NETWORK
router-a  us-central1  network-a
Add VPN tunnels
Create four VPN tunnels, two for each interface on the HA VPN gateway. When creating VPN tunnels, specify the peer side of the VPN tunnels as the external VPN gateway that you created earlier.
One VPN tunnel must connect to interface 0 of the external VPN gateway, and the other VPN tunnel must connect to interface 1 of the external VPN gateway.
gcloud compute vpn-tunnels create TUNNEL_NAME_IF0 \
    --peer-external-gateway=PEER_GW_NAME1 \
    --peer-external-gateway-interface=PEER_EXT_GW_IF0 \
    --region=REGION \
    --ike-version=IKE_VERS \
    --shared-secret=SHARED_SECRET \
    --router=ROUTER_NAME \
    --vpn-gateway=GW_NAME \
    --interface=INT_NUM_0
gcloud compute vpn-tunnels create TUNNEL_NAME_IF1 \
    --peer-external-gateway=PEER_GW_NAME1 \
    --peer-external-gateway-interface=PEER_EXT_GW_IF1 \
    --region=REGION \
    --ike-version=IKE_VERS \
    --shared-secret=SHARED_SECRET \
    --router=ROUTER_NAME \
    --vpn-gateway=GW_NAME \
    --interface=INT_NUM_1
gcloud compute vpn-tunnels create TUNNEL_NAME_IF2 \
    --peer-external-gateway=PEER_GW_NAME2 \
    --peer-external-gateway-interface=PEER_EXT_GW_IF0 \
    --region=REGION \
    --ike-version=IKE_VERS \
    --shared-secret=SHARED_SECRET \
    --router=ROUTER_NAME \
    --vpn-gateway=GW_NAME \
    --interface=INT_NUM_0
gcloud compute vpn-tunnels create TUNNEL_NAME_IF3 \
    --peer-external-gateway=PEER_GW_NAME2 \
    --peer-external-gateway-interface=PEER_EXT_GW_IF1 \
    --region=REGION \
    --ike-version=IKE_VERS \
    --shared-secret=SHARED_SECRET \
    --router=ROUTER_NAME \
    --vpn-gateway=GW_NAME \
    --interface=INT_NUM_1
Replace the following:
- TUNNEL_NAME_IF0, TUNNEL_NAME_IF1, TUNNEL_NAME_IF2, and TUNNEL_NAME_IF3: a name for each tunnel; naming the tunnels by including the gateway interface name can help identify the tunnels later
- PEER_GW_NAME1 and PEER_GW_NAME2: the names of the external peer gateways created earlier
- PEER_EXT_GW_IF0 and PEER_EXT_GW_IF1: the interface numbers configured earlier on the external peer gateway
- IKE_VERS: 1 for IKEv1 or 2 for IKEv2; if possible, use IKEv2 for the IKE version. If your peer gateway requires IKEv1, replace --ike-version 2 with --ike-version 1. To allow IPv6 traffic, you must specify IKEv2.
- SHARED_SECRET: your pre-shared key (shared secret), which must correspond with the pre-shared key for the partner tunnel that you create on your peer gateway; for recommendations, see Generate a strong pre-shared key
- GW_NAME: the name of the HA VPN gateway
- INT_NUM_0: the number 0 for the first interface on the HA VPN gateway that you created earlier
- INT_NUM_1: the number 1 for the second interface on the HA VPN gateway that you created earlier
Optional: the --vpn-gateway-region flag is the region of the HA VPN gateway to operate on. Its value should be the same as --region. If not specified, this option is automatically set. This option overrides the default compute or region property value for this command invocation.
The command output looks similar to the following example:
Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-on-prem-if-0].
NAME                      REGION       GATEWAY      VPN_INTERFACE  PEER_GATEWAY  PEER_INTERFACE
tunnel-a-to-on-prem-if-0  us-central1  ha-vpn-gw-a  0              peer-gw       0
Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-on-prem-if-1].
NAME                      REGION       GATEWAY      VPN_INTERFACE  PEER_GATEWAY  PEER_INTERFACE
tunnel-a-to-on-prem-if-1  us-central1  ha-vpn-gw-a  1              peer-gw       1
Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-on-prem-if-2].
NAME                      REGION       GATEWAY      VPN_INTERFACE  PEER_GATEWAY  PEER_INTERFACE
tunnel-a-to-on-prem-if-2  us-central1  ha-vpn-gw-b  0              peer-gw       0
Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-on-prem-if-3].
NAME                      REGION       GATEWAY      VPN_INTERFACE  PEER_GATEWAY  PEER_INTERFACE
tunnel-a-to-on-prem-if-3  us-central1  ha-vpn-gw-b  1              peer-gw       1
Configure BGP sessions
For information about creating BGP sessions, see Create BGP sessions.
API
Create Cloud HA VPN gateway
To create an HA VPN gateway, make a POST request by using the vpnGateways.insert method:
POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/vpnGateways
{
  "name": "ha-vpn-gw-a",
  "network": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/network-a",
  "stackType": "IPV4_IPV6"
}
The stackType field is optional. The only valid values are IPV4_IPV6 or IPV4_ONLY. If you don't specify a stackType, the default is IPV4_ONLY.
Create a peer VPN gateway resource
To create an external VPN gateway resource, make a POST request by using the externalVpnGateways.insert method.
POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/externalVpnGateways
{
  "name": "my-peer-gateway",
  "interfaces": [
    { "id": 0, "ipAddress": "192.0.2.1" },
    { "id": 1, "ipAddress": "192.0.2.2" },
    { "id": 2, "ipAddress": "192.0.2.2" },
    { "id": 3, "ipAddress": "192.0.2.1" }
  ],
  "redundancyType": "FOUR_IPS_REDUNDANCY"
}
To create a peer VPN gateway with two interfaces, or two external VPN gateways with one interface each, use the TWO_IPS_REDUNDANCY setting.
To create a peer VPN gateway with four interfaces, specify four instances of the interface id and ipAddress, each with a unique id from 0 through 3 (the same VM IP address can appear on more than one interface), and use a redundancyType of FOUR_IPS_REDUNDANCY.
Create a Cloud Router
To create a Cloud Router, make a POST request by using the routers.insert method:
POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/routers
{
  "name": "router-a",
  "network": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/network-a"
}
Add VPN tunnels
To create four VPN tunnels, two for each interface on the HA VPN gateway, make a POST request by using the vpnTunnels.insert method.
To get a 99.9% uptime SLA, you must create a tunnel on each interface of your HA VPN gateway.
To create the first tunnel, make the following request:
POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/vpnTunnels
{
  "name": "ha-vpn-gw-a-tunnel-0",
  "ikeVersion": 2,
  "peerExternalGateway": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/externalVpnGateways/my-peer-gateway",
  "peerExternalGatewayInterface": 0,
  "router": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/routers/router-a",
  "sharedSecret": "SHARED_SECRET",
  "vpnGateway": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/vpnGateways/ha-vpn-gw-a",
  "vpnGatewayInterface": 0
}
If you plan to enable IPv6 in the BGP session associated with this tunnel, you must specify 2 for the ikeVersion.
To create the other tunnels, repeat this request, but change the following parameters:
- name
- peerExternalGatewayInterface
- sharedSecret or sharedSecretHash (if needed)
- vpnGatewayInterface: change to the value of the other HA VPN gateway interface; in this example, change this value to 1
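The four gcloud tunnel commands earlier on this page and the API bodies in this section follow one pairing rule: two tunnels per HA VPN gateway interface, with every peer gateway interface used exactly once. The following Python is an added example, not part of Google's documentation or tooling: it builds the externalVpnGateways.insert and vpnTunnels.insert bodies for this topology, generates a fresh random pre-shared key per tunnel, and checks the pairing before anything is submitted. The project ID, region, VM IP addresses and resource names are constructed placeholders.

```python
import secrets
from dataclasses import dataclass
from typing import List

# Constructed values for this example: hypothetical project, region and VM IPs.
PROJECT = "PROJECT_ID"
REGION = "us-central1"
VM_IPS = ["203.0.113.16", "203.0.113.23"]  # the two Compute Engine VMs


@dataclass(frozen=True)
class Tunnel:
    name: str
    vpn_gateway_interface: int   # HA VPN gateway interface: 0 or 1
    peer_gateway_interface: int  # interface id on the external VPN gateway


def peer_gateway_body(name: str, vm_ips: List[str]) -> dict:
    """externalVpnGateways.insert body: four unique interface ids over two VM IPs."""
    if len(vm_ips) != 2:
        raise ValueError("this topology uses exactly two VMs")
    # Each VM IP appears twice so every VM gets a tunnel from each HA interface.
    order = [vm_ips[0], vm_ips[1], vm_ips[1], vm_ips[0]]
    return {
        "name": name,
        "interfaces": [{"id": i, "ipAddress": ip} for i, ip in enumerate(order)],
        "redundancyType": "FOUR_IPS_REDUNDANCY",
    }


def tunnel_plan(gw_name: str) -> List[Tunnel]:
    """Peer interfaces 0 and 2 hang off HA interface 0, 1 and 3 off HA interface 1."""
    return [Tunnel(f"{gw_name}-tunnel-{i}", i % 2, i) for i in range(4)]


def validate_plan(plan: List[Tunnel], peer_body: dict) -> List[str]:
    """Return the HA rules the plan breaks; an empty list means it is sound."""
    problems: List[str] = []
    per_ha_if = {0: 0, 1: 0}
    for t in plan:
        if t.vpn_gateway_interface not in per_ha_if:
            problems.append(f"{t.name}: HA VPN interface must be 0 or 1")
        else:
            per_ha_if[t.vpn_gateway_interface] += 1
    for i, n in per_ha_if.items():
        if n != 2:  # the page's rule: two tunnels per HA VPN gateway interface
            problems.append(f"HA VPN interface {i} has {n} tunnels, expected 2")
    defined = {i["id"] for i in peer_body["interfaces"]}
    if len(defined) != len(peer_body["interfaces"]):
        problems.append("peer gateway interface ids are not unique")
    used = sorted(t.peer_gateway_interface for t in plan)
    if used != sorted(defined):  # every peer interface used exactly once
        problems.append(f"peer interfaces used {used} != defined {sorted(defined)}")
    return problems


def tunnel_bodies(plan: List[Tunnel], gw: str, peer: str, router: str) -> List[dict]:
    """vpnTunnels.insert bodies, one per tunnel, each with its own random PSK."""
    base = f"https://www.googleapis.com/compute/v1/projects/{PROJECT}"
    return [{
        "name": t.name,
        "ikeVersion": 2,  # IKEv2: required for IPv6, recommended otherwise
        "peerExternalGateway": f"{base}/global/externalVpnGateways/{peer}",
        "peerExternalGatewayInterface": t.peer_gateway_interface,
        "router": f"{base}/regions/{REGION}/routers/{router}",
        "sharedSecret": secrets.token_urlsafe(32),  # 256 random bits, 43 chars
        "vpnGateway": f"{base}/regions/{REGION}/vpnGateways/{gw}",
        "vpnGatewayInterface": t.vpn_gateway_interface,
    } for t in plan]
```

Feeding validate_plan a plan that puts three tunnels on one HA VPN interface, or a peer gateway body that repeats interface ids, returns the rule that was broken instead of an empty list.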
Configure BGP sessions
For information about creating BGP sessions, see Create BGP sessions.
Verify the configuration
Console
To verify the configuration, go to the Summary and reminder page:
- The Summary section of this page lists information for the HA VPN gateway and the peer VPN gateway profile. For each VPN tunnel, you can view the VPN tunnel status, the BGP session name, the BGP session status, and the MED value (advertised route priority).
- The Reminder section of this page lists the steps that you must complete to have a fully operational VPN connection between Cloud VPN and your peer VPN.
- After reviewing the information on this page, click OK.
gcloud
To verify the Cloud Router configuration, follow these steps:
List the BGP IP addresses chosen by Cloud Router. If you added a new interface to an existing Cloud Router, the BGP IP addresses for the new interface are listed with the highest index number. Use the BGP IP address peerIpAddress to configure your peer VPN gateway:
gcloud compute routers get-status ROUTER_NAME \
    --region=REGION \
    --format='flattened(result.bgpPeerStatus[].name, result.bgpPeerStatus[].ipAddress, result.bgpPeerStatus[].peerIpAddress)'
The expected output for a Cloud Router managing two Cloud VPN tunnels (index 0 and index 1) looks like the following example, where the following is true:
- GOOGLE_BGP_IP_0 represents the BGP IP address of the Cloud Router's interface for the tunnel on Cloud VPN gateway interface 0; PEER_BGP_IP_0 represents the BGP IP address of its peer.
- GOOGLE_BGP_IP_1 represents the BGP IP address of the Cloud Router's interface for the tunnel on Cloud VPN gateway interface 1; PEER_BGP_IP_1 represents the BGP IP address of its peer.
result.bgpPeerStatus[0].ipAddress: 169.254.0.1 GOOGLE_BGP_IP_0
result.bgpPeerStatus[0].name: bgp-peer-tunnel-a-to-on-prem-if-0
result.bgpPeerStatus[0].peerIpAddress: 169.254.0.2 PEER_BGP_IP_0
result.bgpPeerStatus[1].ipAddress: 169.254.1.1 GOOGLE_BGP_IP_1
result.bgpPeerStatus[1].name: bgp-peer-tunnel-a-to-on-prem-if-1
result.bgpPeerStatus[1].peerIpAddress: 169.254.1.2 PEER_BGP_IP_1
You can also use the following command to get a full listing of the Cloud Router configuration:
gcloud compute routers describe ROUTER_NAME \
    --region=REGION
The full listing looks like the following example:
bgp:
  advertiseMode: DEFAULT
  asn: 65001
bgpPeers:
- interfaceName: if-tunnel-a-to-on-prem-if-0
  ipAddress: 169.254.0.1
  name: bgp-peer-tunnel-a-to-on-prem-if-0
  peerAsn: 65002
  peerIpAddress: 169.254.0.2
- interfaceName: if-tunnel-a-to-on-prem-if-1
  ipAddress: 169.254.1.1
  name: bgp-peer-tunnel-a-to-on-prem-if-1
  peerAsn: 65004
  peerIpAddress: 169.254.1.2
creationTimestamp: '2018-10-18T11:58:41.704-07:00'
id: '4726715617198303502'
interfaces:
- ipRange: 169.254.0.1/30
  linkedVpnTunnel: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-on-prem-if-0
  name: if-tunnel-a-to-on-prem-if-0
- ipRange: 169.254.1.1/30
  linkedVpnTunnel: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-on-prem-if-1
  name: if-tunnel-a-to-on-prem-if-1
kind: compute#router
name: router-a
network: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/network-a
region: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1
selfLink: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-a
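Reading the get-status output by eye works for two tunnels; with four, a small check is safer. The following Python is an added example, not part of Google's documentation or the gcloud CLI: it parses the flattened get-status output shown above and reports BGP sessions that are missing, whose addresses are not link-local or not in the same /30 as their peer, or that are not UP. The sample output is constructed; its status field is returned by the API but was not requested by the --format string on this page.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample in the shape of the page's flattened get-status output.
# 'status' is returned by the API but not requested by the page's --format
# string; it is included so the check can act on it.
SAMPLE_STATUS = """\
result.bgpPeerStatus[0].ipAddress: 169.254.0.1
result.bgpPeerStatus[0].name: bgp-peer-tunnel-a-to-on-prem-if-0
result.bgpPeerStatus[0].peerIpAddress: 169.254.0.2
result.bgpPeerStatus[0].status: UP
result.bgpPeerStatus[1].ipAddress: 169.254.1.1
result.bgpPeerStatus[1].name: bgp-peer-tunnel-a-to-on-prem-if-1
result.bgpPeerStatus[1].peerIpAddress: 169.254.1.2
result.bgpPeerStatus[1].status: DOWN
"""

LINE_RE = re.compile(r"^result\.bgpPeerStatus\[(\d+)\]\.(\w+):\s*(.*)$")
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def parse_flattened(text: str) -> Dict[int, Dict[str, str]]:
    """Group 'result.bgpPeerStatus[i].field: value' lines by peer index."""
    peers: Dict[int, Dict[str, str]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or unrelated lines
        # Keep only the first token so annotations such as the page's
        # GOOGLE_BGP_IP_0 after the address are ignored.
        tokens = m.group(3).split()
        peers.setdefault(int(m.group(1)), {})[m.group(2)] = tokens[0] if tokens else ""
    return peers


def check_bgp_peers(text: str, expected_peers: int) -> List[str]:
    """Return findings; an empty list means every BGP session looks healthy."""
    peers = parse_flattened(text)
    findings: List[str] = []
    if len(peers) != expected_peers:
        findings.append(f"expected {expected_peers} BGP peers, found {len(peers)}")
    for idx in sorted(peers):
        p = peers[idx]
        name = p.get("name", f"peer[{idx}]")
        try:
            local = ipaddress.ip_address(p["ipAddress"])
            remote = ipaddress.ip_address(p["peerIpAddress"])
        except (KeyError, ValueError):
            findings.append(f"{name}: missing or malformed BGP IP address")
            continue
        # Cloud Router BGP addresses are link-local and each pair shares one /30.
        if local not in LINK_LOCAL or remote not in LINK_LOCAL:
            findings.append(f"{name}: BGP addresses are not in 169.254.0.0/16")
        elif (ipaddress.ip_network(f"{local}/30", strict=False)
              != ipaddress.ip_network(f"{remote}/30", strict=False)):
            findings.append(f"{name}: {local} and {remote} are not in the same /30")
        if p.get("status") != "UP":
            findings.append(f"{name}: BGP session status is {p.get('status', 'unknown')}")
    return findings
```

To run it against a live router, add result.bgpPeerStatus[].status to the --format list of the get-status command above and pass the command's output to check_bgp_peers with the number of tunnels you created.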
API
To verify the Cloud Router configuration, make a GET request by using the routers.getRouterStatus method, and use an empty request body:
GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/routers/ROUTER_NAME/getRouterStatus
What's next
- To control which IP addresses are allowed for peer VPN gateways, see Restrict IP addresses for peer VPN gateways.