This page describes how to connect two Virtual Private Cloud networks together using an HA VPN gateway configuration. You can connect two existing VPC networks together as long as the primary and secondary subnet IP address ranges in each network don't overlap.
For a diagram of this topology, see the Topologies page.
For more information on how to choose a VPN type, see the Choosing a Network Connectivity product.
For best practices to consider before setting up Cloud VPN, see Best practices for Cloud VPN.
Requirements
General requirements and guidelines
Make sure that you meet the following requirements when creating this configuration to ensure that you receive a 99.99% SLA:
- Place one HA VPN gateway in each VPC network.
- Place both HA VPN gateways in the same Google Cloud region.
- Configure a tunnel on each interface of each gateway.
- Match gateway interfaces as described in the statement below.
Although it is also possible to connect two VPC networks together using a single tunnel between HA VPN gateways or by using Classic VPN gateways, this type of configuration is not considered highly available and does not meet the HA SLA of 99.99% availability.
Creating Cloud Routers
When configuring a new HA VPN gateway, you can create a new Cloud Router or you can use a Cloud Router that you are already using with existing Cloud VPN tunnels or VLAN attachments. However, the Cloud Router that you use must not already manage a BGP session for a VLAN attachment associated with a Partner Interconnect connection, because of the attachment's specific ASN requirements.
Managing permissions
Since HA VPN gateways don't always belong to you or your Google Cloud organization, consider the following permissions requirements when you create an HA VPN gateway, or connect to one owned by someone else:
- If you own the project where you create an HA VPN gateway, configure the recommended permissions on it.
- If you want to connect to an HA VPN gateway that resides in a Google Cloud organization or project that you don't own, you need to request the compute.vpnGateways.use permission from the owner.
Before you begin
- Review information about how dynamic routing works in Google Cloud.
- Make sure your peer VPN gateway supports BGP.
Setting up the following items in Google Cloud makes it easier to configure Cloud VPN:
- Sign in to your Google Account. If you don't already have one, sign up for a new account.
- In the Google Cloud Console, on the project selector page, select or create a Google Cloud project.
- Make sure that billing is enabled for your Cloud project. Learn how to confirm that billing is enabled for your project.
- Install and initialize the Cloud SDK.
- If you are using gcloud commands, set your project ID with the following command. The gcloud instructions on this page assume that you have set your project ID before issuing commands.
gcloud config set project PROJECT_ID
You can also view a project ID that has already been set:
gcloud config list --format='text(core.project)'
Creating a custom Virtual Private Cloud network and subnet
Before creating an HA VPN gateway and tunnel pair, you must create a Virtual Private Cloud network and at least one subnet in the region where the HA VPN gateway will reside.
- To create a custom mode (recommended) VPC network, see Creating a custom mode network.
- To create subnets, see Working with subnets.
The examples in this document also use VPC global dynamic routing mode, which behaves in the following way:
- All instances of Cloud Router apply the "to on-premises" routes they learn to all subnets of the VPC network.
- Routes to all subnets in the VPC network are shared with on-premises routers.
For reference, this document creates an HA VPN gateway in each of two different VPC networks:
NETWORK_1 contains the following subnets:
- A subnet named SUBNET_NAME_1 in REGION_1 that uses the IP range RANGE_1
- A subnet named SUBNET_NAME_2 in REGION_2 that uses the IP range RANGE_2
NETWORK_2 contains the following subnets:
- A subnet named SUBNET_NAME_3 in REGION_1 that uses the IP range RANGE_3
- A subnet named SUBNET_NAME_4 in REGION_3 that uses the IP range RANGE_4
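The non-overlap requirement stated at the top of this page (no primary or secondary subnet range in NETWORK_1 may overlap any range in NETWORK_2) is worth checking programmatically before any gateway is created, because HA VPN will happily bring the tunnels up and the resulting route conflict only shows as traffic going to the wrong network. The following Python script is an added example, not part of this page or of Google's tooling; the network names, subnet names and CIDR ranges in it are constructed sample values standing in for NETWORK_1, NETWORK_2 and RANGE_1 through RANGE_4.

```python
# Added example (not from the Cloud VPN documentation): pre-flight check that the
# subnet ranges of two VPC networks do not overlap before joining them with HA VPN.
# All names and CIDRs below are constructed sample values.
import ipaddress
from typing import Dict, Iterator, List, Tuple

# Constructed inventory: each network maps subnet name -> [primary range, *secondary ranges].
NETWORK_1: Dict[str, List[str]] = {
    "subnet-name-1": ["10.0.1.0/24", "10.100.0.0/20"],  # primary + one secondary range
    "subnet-name-2": ["10.0.2.0/24"],
}
NETWORK_2: Dict[str, List[str]] = {
    "subnet-name-3": ["10.0.3.0/24"],
    "subnet-name-4": ["10.100.8.0/22"],  # sits inside NETWORK_1's secondary range
}


def _ranges(network: Dict[str, List[str]]) -> Iterator[Tuple[str, ipaddress.IPv4Network]]:
    """Yield (subnet name, parsed range) for every primary and secondary range."""
    for subnet, cidrs in network.items():
        for cidr in cidrs:
            # strict=True rejects host bits set in the prefix, e.g. 10.0.1.5/24.
            yield subnet, ipaddress.ip_network(cidr, strict=True)


def find_overlaps(net_a: Dict[str, List[str]],
                  net_b: Dict[str, List[str]]) -> List[Tuple[str, str, str, str]]:
    """Return every (subnet_a, range_a, subnet_b, range_b) whose ranges overlap."""
    conflicts = []
    for sub_a, rng_a in _ranges(net_a):
        for sub_b, rng_b in _ranges(net_b):
            if rng_a.overlaps(rng_b):
                conflicts.append((sub_a, str(rng_a), sub_b, str(rng_b)))
    return conflicts


def can_connect(net_a: Dict[str, List[str]], net_b: Dict[str, List[str]]) -> bool:
    """True when the two networks can be joined by HA VPN without a range conflict."""
    return not find_overlaps(net_a, net_b)


if __name__ == "__main__":
    for conflict in find_overlaps(NETWORK_1, NETWORK_2):
        print("overlap: %s %s <-> %s %s" % conflict)
    print("safe to connect:", can_connect(NETWORK_1, NETWORK_2))
```

Secondary ranges are included deliberately: they are the ones most often forgotten when two teams compare only the primary subnet ranges of their networks.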
Creating two fully configured HA VPN gateways that connect to each other
Follow the instructions in this section to create an HA VPN gateway, tunnels, a peer VPN gateway resource, and BGP sessions.
Console
The VPN setup wizard includes all required configuration steps for creating an HA VPN gateway, tunnels, a peer VPN gateway resource, and BGP sessions.
Create a Cloud VPN gateway
- Go to the VPN page in the Google Cloud Console.
- If you are creating a gateway for the first time, select the Create VPN connection button.
- Select the VPN setup wizard.
- Select the radio button for an HA VPN gateway.
- Click Continue.
- Specify a VPN gateway name.
- Under VPC network, select an existing network or the default network.
- Select a Region.
- Click Create and Continue.
- The console screen refreshes and displays your gateway information. Two external IP addresses are automatically allocated for each of your gateway interfaces. For future configuration steps, make note of the details of your gateway configuration.
Create a Peer VPN gateway resource
The peer VPN gateway resource represents your non-Google Cloud gateway in Google Cloud.
- On the Create a VPN screen, under Peer VPN gateway, select Google Cloud.
- Under Project, select a Google Cloud project that will contain the new gateway.
- Under VPN gateway name, choose the other HA VPN gateway that you are configuring at the same time.
- Continue to Create VPN tunnels.
Create VPN tunnels
- If you select Create a single VPN tunnel, you configure your single tunnel on the rest of the Create VPN screen. However, you must create a second tunnel later to get a 99.99% SLA to the other HA VPN gateway.
- If you select Create a pair of VPN tunnels (recommended), you must configure the two tunnel dialog boxes that appear at the bottom of the Create VPN screen.
- Under High Availability, you can select either a pair of tunnels to the other HA VPN gateway, or one tunnel. You can add a second tunnel later as described at the end of this entire procedure.
- Under Cloud Router, if you haven't already, create a Cloud Router specifying the options as noted below. You can use an existing Cloud Router as long as the router does not already manage a BGP session for an interconnect attachment associated with a Partner Interconnect.
- To create a Cloud Router, specify a Name, an optional Description, and Google ASN for the new router. You can use any private ASN (64512 through 65534, 4200000000 through 4294967294) that you are not using elsewhere in your network. The Google ASN is used for all BGP sessions on the same Cloud Router and it cannot be changed later.
- Click Create to create the router.
- Complete the following steps either in the same screen, or in each tunnel's dialog box at the bottom of the screen.
- If you are configuring one tunnel, under Associated Cloud VPN gateway interface, select the HA VPN interface/IP address combination for this gateway to associate it with the gateway interface on the other HA VPN gateway. For two-tunnel configurations, this option and the Associated peer VPN gateway interface option are both unavailable because the correct interface combinations are configured for you.
- Specify a Name for the tunnel.
- Specify an optional Description.
- Specify the IKE version. IKE v2, the default setting, is recommended if your peer router supports it.
- Specify an IKE pre-shared key using your shared secret, which must correspond with the shared secret for the partner tunnel you create on your peer gateway. If you haven't configured a shared secret on your peer VPN gateway and want to generate one, click the Generate and copy button. Make sure that you record the pre-shared key in a secure location, as it cannot be retrieved once you create your VPN tunnels.
- Click Done.
- Repeat the tunnel creation steps for any remaining tunnel dialog boxes on the Create VPN screen.
- When you have configured all tunnels, click Create and continue.
Create BGP sessions
Setting the advertised route priority (optional)
The following example creates BGP sessions on instances of Cloud Router advertising the routes to the router's respective peer networks using unmodified base priorities. Use this configuration for active/active configurations where the priorities of the two tunnels on both sides should match. Omitting the advertised base priority results in the same advertised priorities to both BGP peers.
For active/passive configurations, you can control the advertised base priority of the "to Google Cloud" routes that Cloud Router shares with your peer VPN gateway by setting the advertised route priority. To create an active/passive configuration, set a higher advertised route priority for one BGP session and its corresponding VPN tunnel than for the other BGP session and VPN tunnel. For more information about advertised base priority, see Route metrics.
You can also refine the routes that are advertised using custom advertisements, by adding the --advertisement-mode=CUSTOM flag and specifying IP address ranges with --set-advertisement-ranges.
To create BGP sessions:
- If you don't want to configure BGP sessions now, click the Configure BGP sessions later button, which takes you to the Summary and Reminder screen.
- If you want to configure BGP sessions now, click the Configure button for the first VPN tunnel.
- On the Create BGP session screen, perform the following steps:
- Specify a Name for the BGP session.
- Specify the Peer ASN configured for the peer VPN gateway.
- (Optional) Specify the Advertised Route Priority.
- Specify the Cloud Router BGP IP address and the BGP Peer IP address. Make sure that the IP addresses meet the following requirements:
  - Each BGP IP address must belong to the same /30 CIDR that fits within 169.254.0.0/16.
  - Each BGP IP address cannot be the first (network) or last (broadcast) address in the /30 CIDR.
  - Each BGP IP address range for each BGP session must be unique among all Cloud Routers in all regions of a VPC network.
- (Optional) Click the Advertised routes drop-down menu and create custom routes.
- Click Save and continue.
- Repeat the preceding steps for the rest of the tunnels configured on the gateway, using a different Cloud Router BGP IP address and BGP Peer IP address for each tunnel.
- When you have configured all BGP sessions, click Save BGP configuration.
Summary and reminder
- The Summary section of this screen lists information for the HA VPN gateway and the peer VPN gateway profile.
- For each VPN tunnel, you can view the VPN tunnel status, the BGP session name, the BGP session status, and the MED value (advertised route priority).
- The Reminder section of this screen lists the steps that you must complete to have a fully operational VPN connection between Cloud VPN and your peer VPN.
- Click Ok after reviewing the information on this screen.
Create an additional tunnel on a single-tunnel gateway
Follow the steps in this section to configure a second tunnel on the second interface of an HA VPN gateway. If you've configured one tunnel on an HA VPN gateway to another HA VPN gateway but want to receive a 99.99% uptime SLA, you must configure a second tunnel.
- Go to the VPN page in the Google Cloud Console.
- Find the HA VPN gateway you want to add the tunnel to.
- Click the Add VPN tunnel button.
- Under Peer VPN gateway, select Google Cloud.
- Under Project, select a Google Cloud project that will contain the new gateway.
- For VPN gateway name, choose the other HA VPN gateway that the new tunnel connects to.
- Select Add the second VPN tunnel to an existing VPN tunnel for high availability.
- Under Select existing VPN tunnel, make sure the existing tunnel is selected. You can click a link to view all existing tunnels near the top of the same screen.
- Specify a tunnel Name.
- Specify the same IKE version in use by the tunnel on the other gateway.
- Specify an IKE pre-shared key using your shared secret, which must correspond with the shared secret for the partner tunnel you create on your peer gateway. If you haven't configured a shared secret on your peer VPN gateway and want to generate one, click the Generate and copy button. Make sure that you record the pre-shared key in a secure location, as it cannot be retrieved once you create your VPN tunnels.
- Click Create and continue.
- Configure and save a BGP session as in the preceding steps. Otherwise, you can configure BGP later.
- Check the Summary reminder screen for configuration information and click OK.
gcloud
Create the HA VPN gateways
Complete the following command sequence to create two HA VPN gateways:
Create an HA VPN gateway in each network in REGION_1. When each gateway is created, two external IP addresses are automatically allocated, one for each gateway interface. Take note of these IP addresses to use later on in the configuration steps.
In the following commands, replace the options as noted below:
- Replace GW_NAME_1 and GW_NAME_2 with the name of each gateway.
- Replace all other options with the values you used previously.
Create the first gateway
gcloud compute vpn-gateways create GW_NAME_1 \
    --network NETWORK_1 \
    --region REGION_1
The gateway you create should look similar to the following example output. An external IP address has been automatically assigned to each gateway interface:
Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnGateways/ha-vpn-gw-a].
NAME         INTERFACE0    INTERFACE1    NETWORK    REGION
ha-vpn-gw-a  203.0.113.16  203.0.113.23  network-a  us-central1
Create the second gateway
gcloud compute vpn-gateways create GW_NAME_2 \
    --network NETWORK_2 \
    --region REGION_1
Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnGateways/ha-vpn-gw-b].
NAME         INTERFACE0    INTERFACE1    NETWORK    REGION
ha-vpn-gw-b  203.0.114.18  203.0.114.25  network-b  us-central1
Create each Cloud Router
The following instructions assume that you haven't already created Cloud Routers to use for managing BGP sessions for your HA VPN tunnels.
You can use an existing Cloud Router in each VPC network, unless those routers already manage a BGP session for an interconnect attachment associated with a Partner Interconnect.
Complete the following command sequence to create a Cloud Router in each network. In the following commands, replace the options as noted below:
- Replace ASN_1 and ASN_2 with any private ASN (64512 - 65534, 4200000000 - 4294967294) that you are not already using. This example uses ASN 65001 for both interfaces of ROUTER_NAME_1 and ASN 65002 for both interfaces of ROUTER_NAME_2.
- Replace all other options with the values you used previously.
Create the first router
gcloud compute routers create ROUTER_NAME_1 \
    --region REGION_1 \
    --network NETWORK_1 \
    --asn ASN_1
The router you create should look similar to the following example output:
Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-a].
NAME      REGION       NETWORK
router-a  us-central1  network-a
Create the second router
gcloud compute routers create ROUTER_NAME_2 \
    --region REGION_1 \
    --network NETWORK_2 \
    --asn ASN_2
The router you create should look similar to the following example output:
Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-b].
NAME      REGION       NETWORK
router-b  us-central1  network-b
Create VPN tunnels
Complete the following command sequence to create two VPN tunnels on each HA VPN gateway.
- The tunnel you create from interface 0 of GW_NAME_1 must connect to the external IP address associated with interface 0 of GW_NAME_2 in NETWORK_2, and
- The tunnel from interface 1 of GW_NAME_1 must connect to the external IP address associated with interface 1 of GW_NAME_2.
- When you create VPN tunnels on GW_NAME_1 in NETWORK_1, you must specify the information for GW_NAME_2 in NETWORK_2. Google automatically connects the tunnel from interface 0 of GW_NAME_1 to interface 0 of GW_NAME_2, and interface 1 of GW_NAME_1 to interface 1 of GW_NAME_2.
Create two tunnels on GW_NAME_1
Create two VPN tunnels, one on each interface, of GW_NAME_1 in NETWORK_1. In the following commands, replace the options as noted below:
- Replace TUNNEL_NAME_GW1_IF0 and TUNNEL_NAME_GW1_IF1 with a name for each tunnel originating from GW_NAME_1. Naming the tunnels by including the gateway interface name can help identify the tunnels later.
- Use GW_NAME_2 for the value of --peer-gcp-gateway.
- Replace REGION with the region where GW_NAME_1 is located.
- (Optional) The --vpn-gateway-region is the region of the HA VPN gateway to operate on. Its value should be the same as --region. If not specified, this option is automatically set. This option overrides the default compute/region property value for this command invocation.
- Replace IKE_VERS with 2 for IKEv2. Since both tunnels connect to another HA VPN gateway, using IKEv2 is recommended.
- Replace SHARED_SECRET with your shared secret, which must be the same shared secret that you use for the corresponding tunnel created from GW_NAME_2 on interface 0 and on interface 1. See Generating a strong pre-shared key for recommendations.
- Replace INT_NUM_0 with the number 0 for the first interface on GW_NAME_1.
- Replace INT_NUM_1 with the number 1 for the second interface on GW_NAME_1.
- If the peer-gcp-gateway is in a different project than the VPN tunnel and local VPN gateway, to specify the project, use the --peer-gcp-gateway option as a full URI or as a relative name. The following sample option is a relative name: --peer-gcp-gateway projects/other-project/regions/us-central1/vpnGateways/ha-vpn-gw-b
- The --peer-gcp-gateway-region, which is the region of the peer-side HA VPN gateway to which the VPN tunnel is connected, must be in the same region as the VPN tunnel. If not specified, the region is automatically set.
Create the first tunnel on GW_NAME_1, interface INT_NUM_0
gcloud compute vpn-tunnels create TUNNEL_NAME_GW1_IF0 \
    --peer-gcp-gateway GW_NAME_2 \
    --region REGION_1 \
    --ike-version IKE_VERS \
    --shared-secret SHARED_SECRET \
    --router ROUTER_NAME_1 \
    --vpn-gateway GW_NAME_1 \
    --interface INT_NUM_0
Create the second tunnel on GW_NAME_1, interface INT_NUM_1
gcloud compute vpn-tunnels create TUNNEL_NAME_GW1_IF1 \
    --peer-gcp-gateway GW_NAME_2 \
    --region REGION_1 \
    --ike-version IKE_VERS \
    --shared-secret SHARED_SECRET \
    --router ROUTER_NAME_1 \
    --vpn-gateway GW_NAME_1 \
    --interface INT_NUM_1
The command output should look similar to the following example:
Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-b-if-0].
NAME                REGION       VPN_GATEWAY  INTERFACE  PEER_GCP_GATEWAY
tunnel-a-to-b-if-0  us-central1  ha-vpn-gw-a  0          ha-vpn-gw-b
Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-b-if-1].
NAME                REGION       VPN_GATEWAY  INTERFACE  PEER_GCP_GATEWAY
tunnel-a-to-b-if-1  us-central1  ha-vpn-gw-a  1          ha-vpn-gw-b
Create two tunnels on GW_NAME_2
Create two VPN tunnels, one on each interface, of GW_NAME_2 in NETWORK_2.
- The tunnel you create from interface 0 of GW_NAME_2 must connect to the external IP address associated with interface 0 of GW_NAME_1 in NETWORK_1, and
- The tunnel from interface 1 of GW_NAME_2 must connect to the external IP address associated with interface 1 of GW_NAME_1.
- Replace REGION with the region where GW_NAME_2 is located.
- (Optional) The --vpn-gateway-region is the region of the VPN gateway to operate on. Its value should be the same as --region. If not specified, this option is automatically set. This option overrides the default compute/region property value for this command invocation.
In the following commands, replace the options as noted below:
- Replace TUNNEL_NAME_GW2_IF0 and TUNNEL_NAME_GW2_IF1 with a name for each tunnel originating from GW_NAME_2. Naming the tunnels by including the gateway interface name can help identify the tunnels later.
- Use GW_NAME_1 for the value of --peer-gcp-gateway.
- The value for --peer-gcp-gateway-region must be in the same region as the VPN tunnel. If not specified, the value is set automatically. For this example, the region is REGION_1.
- Replace IKE_VERS with 2 for IKEv2. Because these tunnels connect to the two tunnels created in the previous step, they must use the same IKE version (IKEv2 is recommended).
- Replace SHARED_SECRET with your shared secret, which must correspond with the shared secret for the partner tunnel you created on each interface of GW_NAME_1. See Generating a strong pre-shared key for recommendations.
- Replace GW_NAME_2 with the name of the second gateway you configured in the Gateway configuration step.
- Replace INT_NUM_0 with the number 0 for the first interface on GW_NAME_2.
- Replace INT_NUM_1 with the number 1 for the second interface on GW_NAME_2.
- If the peer-gcp-gateway is in a different project than the VPN tunnel and local VPN gateway, to specify the project, use the --peer-gcp-gateway option as a full URI or as a relative name. The following sample option is a relative name: --peer-gcp-gateway projects/other-project/regions/us-central1/vpnGateways/ha-vpn-gw-b
- The --peer-gcp-gateway-region, which is the region of the peer-side HA VPN gateway to which the VPN tunnel is connected, must be in the same region as the VPN tunnel. If not specified, the region is automatically set.
Create the first tunnel on GW_NAME_2, interface INT_NUM_0
gcloud compute vpn-tunnels create TUNNEL_NAME_GW2_IF0 \
    --peer-gcp-gateway GW_NAME_1 \
    --region REGION_1 \
    --ike-version IKE_VERS \
    --shared-secret SHARED_SECRET \
    --router ROUTER_NAME_2 \
    --vpn-gateway GW_NAME_2 \
    --interface INT_NUM_0
Create the second tunnel on GW_NAME_2, interface INT_NUM_1
gcloud compute vpn-tunnels create TUNNEL_NAME_GW2_IF1 \
    --peer-gcp-gateway GW_NAME_1 \
    --region REGION_1 \
    --ike-version IKE_VERS \
    --shared-secret SHARED_SECRET \
    --router ROUTER_NAME_2 \
    --vpn-gateway GW_NAME_2 \
    --interface INT_NUM_1
The command output should look similar to the following example:
Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-b-to-a-if-0].
NAME                REGION       VPN_GATEWAY  INTERFACE  PEER_GCP_GATEWAY
tunnel-b-to-a-if-0  us-central1  ha-vpn-gw-b  0          ha-vpn-gw-a
Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-b-to-a-if-1].
NAME                REGION       VPN_GATEWAY  INTERFACE  PEER_GCP_GATEWAY
tunnel-b-to-a-if-1  us-central1  ha-vpn-gw-b  1          ha-vpn-gw-a
After this step, wait a few minutes, then check the status of each VPN tunnel. A VPN tunnel's state changes to Established only when the corresponding partner tunnel is also available and properly configured. A valid IKE and Child Security Association (SA) must also be negotiated between them. For example, tunnel-a-to-b-if-0 on ha-vpn-gw-a can only be established if tunnel-b-to-a-if-0 on ha-vpn-gw-b is configured and available.
Create Cloud Router interfaces and BGP peers
The following table provides an overview of the Cloud Router interfaces and BGP peers that you configure in this section. It shows the relationship between the IP ranges and peer IPs that you specify for each interface. For example, the first interface of router-1 has a peer IP of 169.254.0.2. This comes from the IP address range of the first interface of router-2, which is 169.254.0.2/30.
Router | BGP interface name | IP range | Peer IP | Peer ASN |
---|---|---|---|---|
router-1 | if-tunnel-a-to-b-if-0 | 169.254.0.1/30 | 169.254.0.2 | 65002 |
router-2 | if-tunnel-b-to-a-if-0 | 169.254.0.2/30 | 169.254.0.1 | 65001 |
router-1 | if-tunnel-a-to-b-if-1 | 169.254.1.1/30 | 169.254.1.2 | 65002 |
router-2 | if-tunnel-b-to-a-if-1 | 169.254.1.2/30 | 169.254.1.1 | 65001 |
For more detail, see the instructions in this section, which include sample output after configuration.
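The addressing rules for Cloud Router BGP interfaces (both ends of a session in one /30 inside 169.254.0.0/16, neither end the network or broadcast address, each /30 unique among the Cloud Routers of a VPC network, private ASNs only) are applied below to the four sessions in the table. This Python validator is an added example, not part of this page or of Google's tooling; the `vpc` field attached to each session is an assumption introduced to express the per-network uniqueness rule, and `network-a`/`network-b` are the sample network names from the gcloud output earlier on this page.

```python
# Added example (not from the Cloud VPN documentation): validates Cloud Router BGP
# interface and peer addressing against the rules stated on this page, then checks
# the four sessions from the table. The "vpc" field is an assumption of this example.
import ipaddress
from typing import Dict, List

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
PRIVATE_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))

# The four sessions from the table above (router-1 is in network-a, router-2 in network-b).
TABLE_SESSIONS: List[Dict] = [
    {"router": "router-1", "vpc": "network-a", "name": "if-tunnel-a-to-b-if-0",
     "ip_range": "169.254.0.1/30", "peer_ip": "169.254.0.2", "peer_asn": 65002},
    {"router": "router-2", "vpc": "network-b", "name": "if-tunnel-b-to-a-if-0",
     "ip_range": "169.254.0.2/30", "peer_ip": "169.254.0.1", "peer_asn": 65001},
    {"router": "router-1", "vpc": "network-a", "name": "if-tunnel-a-to-b-if-1",
     "ip_range": "169.254.1.1/30", "peer_ip": "169.254.1.2", "peer_asn": 65002},
    {"router": "router-2", "vpc": "network-b", "name": "if-tunnel-b-to-a-if-1",
     "ip_range": "169.254.1.2/30", "peer_ip": "169.254.1.1", "peer_asn": 65001},
]


def is_private_asn(asn: int) -> bool:
    """True for the private ASN ranges Cloud Router accepts (64512-65534, 4200000000-4294967294)."""
    return any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES)


def check_bgp_session(ip_range: str, peer_ip: str, mask_length: int = 30) -> List[str]:
    """Return rule violations for one session's addressing; an empty list means it is valid."""
    problems = []
    iface = ipaddress.ip_interface(ip_range)   # Cloud Router side, e.g. 169.254.0.1/30
    peer = ipaddress.ip_address(peer_ip)        # BGP peer side, e.g. 169.254.0.2
    cidr = iface.network                        # the /30 both ends must share
    if cidr.prefixlen != mask_length:
        problems.append("mask length must be /%d, got /%d" % (mask_length, cidr.prefixlen))
    for label, addr in (("Cloud Router BGP IP", iface.ip), ("BGP peer IP", peer)):
        if addr not in LINK_LOCAL:
            problems.append("%s %s is outside 169.254.0.0/16" % (label, addr))
        if addr not in cidr:
            problems.append("%s %s is not in %s" % (label, addr, cidr))
        elif addr in (cidr.network_address, cidr.broadcast_address):
            problems.append("%s %s is the network or broadcast address of %s"
                            % (label, addr, cidr))
    if iface.ip == peer:
        problems.append("both ends of the session use %s" % peer)
    return problems


def check_router_plan(sessions: List[Dict]) -> Dict[str, List[str]]:
    """Map each BGP interface name to its violations, including /30 reuse inside one VPC network."""
    report: Dict[str, List[str]] = {}
    seen: Dict[tuple, str] = {}  # (vpc, /30) -> first interface that claimed it
    for s in sessions:
        problems = check_bgp_session(s["ip_range"], s["peer_ip"])
        if not is_private_asn(s["peer_asn"]):
            problems.append("peer ASN %d is not in a private range" % s["peer_asn"])
        key = (s["vpc"], ipaddress.ip_interface(s["ip_range"]).network)
        if key in seen:  # the same /30 may appear in the other network, but not twice in one
            problems.append("%s already used by %s in %s" % (key[1], seen[key], s["vpc"]))
        else:
            seen[key] = s["name"]
        if problems:
            report[s["name"]] = problems
    return report


if __name__ == "__main__":
    print(check_router_plan(TABLE_SESSIONS) or "table sessions are valid")
```

Note that the same /30 appears once in each VPC network in the table; the uniqueness rule is per network, so this is expected and only a repeat within one network is reported.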
Setting the advertised route priority (optional)
The following examples create BGP sessions on instances of Cloud Router advertising the routes to their respective peer networks using unmodified base priorities. Use this configuration for active/active configurations where the priorities of the two tunnels on both sides should match. Omitting --advertised-base-priority, as in this example, results in the same advertised priorities to both BGP peers.
For active/passive configurations, you can control the advertised base priority of the "to Google Cloud" routes that Cloud Router shares with your peer VPN gateway by using the --advertised-route-priority flag when adding or updating a BGP peer. To create an active/passive configuration, you set a higher advertised route priority for one BGP session, corresponding to one VPN tunnel, than the priority of the BGP session for the other VPN tunnel. For more information about advertised base priority, see Route metrics.
You can also refine the routes that are advertised using custom advertisements, by adding the --advertisement-mode=CUSTOM flag and specifying IP address ranges with --set-advertisement-ranges.
To create Cloud Router interfaces and BGP peers:
Create a BGP interface and BGP peer on ROUTER_NAME_1 for the tunnel TUNNEL_NAME_GW1_IF0. This BGP interface connects TUNNEL_NAME_GW1_IF0 on interface 0 of GW_1 to interface 0 of GW_2 using two BGP IP addresses. In the following commands, replace the options as noted below:
- Replace ROUTER_1_INTERFACE_NAME_0 with a name for the Cloud Router BGP interface. Using a name related to TUNNEL_NAME_GW1_IF0 can be helpful.
- Replace IP_ADDRESS with a BGP IP address from the 169.254.0.0/16 block that's not already in use. This example uses 169.254.0.1.
- Use a MASK_LENGTH of 30.
- Replace PEER_NAME with a name describing the BGP peer. Using a name related to TUNNEL_NAME_GW1_IF0 can be helpful.
- Replace PEER_IP_ADDRESS with a BGP IP address from the 169.254.0.0/16 block that's not already in use. This example uses 169.254.0.2.
- Replace PEER_ASN with the ASN number used for all interfaces on the other Cloud Router, ROUTER_NAME_2. This example uses ASN number 65002.
To create a BGP interface for TUNNEL_NAME_GW1_IF0, enter the following command:
gcloud compute routers add-interface ROUTER_NAME_1 \
    --interface-name ROUTER_1_INTERFACE_NAME_0 \
    --ip-address IP_ADDRESS \
    --mask-length MASK_LENGTH \
    --vpn-tunnel TUNNEL_NAME_GW1_IF0 \
    --region REGION_1
To create a BGP peer for TUNNEL_NAME_GW1_IF0, enter the following command:
gcloud compute routers add-bgp-peer ROUTER_NAME_1 \
    --peer-name PEER_NAME \
    --interface ROUTER_1_INTERFACE_NAME_0 \
    --peer-ip-address PEER_IP_ADDRESS \
    --peer-asn PEER_ASN \
    --region REGION_1
The command output should look similar to the following example:
Updated [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-a].
Create a BGP interface and BGP peer on ROUTER_NAME_1 for the tunnel TUNNEL_NAME_GW1_IF1. This BGP interface connects TUNNEL_NAME_GW1_IF1 on interface 1 of GW_1 to interface 1 of GW_2 using two BGP IP addresses. In the following commands, replace the options as noted below:
- Replace ROUTER_1_INTERFACE_NAME_1 with a Cloud Router BGP interface name. Using a name related to TUNNEL_NAME_GW1_IF1 can be helpful.
- Replace IP_ADDRESS with a BGP IP address from the 169.254.0.0/16 block that's not already in use. This example uses 169.254.1.1.
- Use a MASK_LENGTH of 30.
- Replace PEER_NAME with a name describing the BGP peer. Using a name related to TUNNEL_NAME_GW1_IF1 can be helpful.
- Replace PEER_IP_ADDRESS with a BGP IP address from the 169.254.0.0/16 block that's not already in use. This example uses 169.254.1.2.
- Replace PEER_ASN with the ASN number used for all interfaces on the other Cloud Router, ROUTER_NAME_2. This example uses ASN number 65002.
To create a BGP interface for TUNNEL_NAME_GW1_IF1, enter the following command:
gcloud compute routers add-interface ROUTER_NAME_1 \
    --interface-name ROUTER_1_INTERFACE_NAME_1 \
    --ip-address IP_ADDRESS \
    --mask-length MASK_LENGTH \
    --vpn-tunnel TUNNEL_NAME_GW1_IF1 \
    --region REGION_1
To create a BGP peer for TUNNEL_NAME_GW1_IF1, enter the following command:
gcloud compute routers add-bgp-peer ROUTER_NAME_1 \
    --peer-name PEER_NAME \
    --interface ROUTER_1_INTERFACE_NAME_1 \
    --peer-ip-address PEER_IP_ADDRESS \
    --peer-asn PEER_ASN \
    --region REGION_1
The command output should look similar to the following example:
Updated [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-a].
Verify the settings for ROUTER_1 by entering the following command:
gcloud compute routers describe ROUTER_1 \
    --region REGION_1
The command output should look similar to the following example:
bgp:
  advertiseMode: DEFAULT
  asn: 65001
bgpPeers:
- interfaceName: if-tunnel-a-to-b-if-0
  ipAddress: 169.254.0.1
  name: bgp-peer-tunnel-a-to-b-if-0
  peerAsn: 65002
  peerIpAddress: 169.254.0.2
- interfaceName: if-tunnel-a-to-b-if-1
  ipAddress: 169.254.1.1
  name: bgp-peer-tunnel-a-to-b-if-1
  peerAsn: 65002
  peerIpAddress: 169.254.1.2
creationTimestamp: '2015-10-19T14:31:52.639-07:00'
id: '4047683710114914215'
interfaces:
- ipRange: 169.254.0.1/30
  linkedVpnTunnel: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-b-if-0
  name: if-tunnel-a-to-b-if-0
- ipRange: 169.254.1.1/30
  linkedVpnTunnel: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-b-if-1
  name: if-tunnel-a-to-b-if-1
kind: compute#router
name: router-a
network: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/network-a
region: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1
selfLink: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-a
Create a BGP interface and BGP peer on ROUTER_NAME_2 for the tunnel TUNNEL_NAME_GW2_IF0. This BGP interface connects TUNNEL_NAME_GW2_IF0 on interface 0 of GW_2 to interface 0 of GW_1 using two BGP IP addresses. In the following commands, replace the options as noted below:
- Replace ROUTER_2_INTERFACE_NAME_0 with a Cloud Router BGP interface name. Using a name related to TUNNEL_NAME_GW2_IF0 can be helpful.
- Replace IP_ADDRESS with the BGP IP address used previously for this gateway and interface. This example uses 169.254.0.2.
- Use a MASK_LENGTH of 30.
- Replace PEER_NAME with a name describing the BGP peer. Using a name related to TUNNEL_NAME_GW2_IF0 can be helpful.
- Replace PEER_IP_ADDRESS with the IP address used previously for the peer gateway and interface. This example uses 169.254.0.1.
- Replace PEER_ASN with the ASN number used for all interfaces on ROUTER_NAME_1 and that was set previously. This example uses ASN number 65001.
To create a BGP interface for TUNNEL_NAME_GW2_IF0, enter the following command:
gcloud compute routers add-interface ROUTER_NAME_2 \
    --interface-name ROUTER_2_INTERFACE_NAME_0 \
    --ip-address IP_ADDRESS \
    --mask-length MASK_LENGTH \
    --vpn-tunnel TUNNEL_NAME_GW2_IF0 \
    --region REGION_1
The command output should look similar to the following example:
Updated [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-b].
To create a BGP peer for TUNNEL_NAME_GW2_IF0, enter the following command:
gcloud compute routers add-bgp-peer ROUTER_NAME_2 \
    --peer-name PEER_NAME \
    --interface ROUTER_2_INTERFACE_NAME_0 \
    --peer-ip-address PEER_IP_ADDRESS \
    --peer-asn PEER_ASN \
    --region REGION_1
The command output should look similar to the following example:
Updated [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-b].
Create a BGP interface and BGP peer on ROUTER_NAME_2 for the tunnel TUNNEL_NAME_GW2_IF1. This BGP interface connects TUNNEL_NAME_GW2_IF1 on interface 1 of GW_2 to interface 1 of GW_1 using two BGP IP addresses. In the following commands, replace the options as noted below:
- Replace ROUTER_2_INTERFACE_NAME_1 with a Cloud Router BGP interface name. Using a name related to TUNNEL_NAME_GW2_IF1 can be helpful.
- Replace IP_ADDRESS with the BGP IP address used previously for this gateway and interface. This example uses 169.254.1.2.
- Use a MASK_LENGTH of 30.
- Replace PEER_NAME with a name describing the BGP peer. Using a name related to TUNNEL_NAME_GW2_IF1 can be helpful.
- Replace PEER_IP_ADDRESS with a BGP IP address from the 169.254.0.0/16 block that's not already in use. This example uses 169.254.1.1.
- Replace PEER_ASN with the ASN number used for all interfaces on ROUTER_NAME_1 and that was set previously. This example uses ASN number 65001.
To create a BGP interface for TUNNEL_NAME_GW2_IF1, enter the following command:
gcloud compute routers add-interface ROUTER_NAME_2 \
    --interface-name ROUTER_2_INTERFACE_NAME_1 \
    --ip-address IP_ADDRESS \
    --mask-length MASK_LENGTH \
    --vpn-tunnel TUNNEL_NAME_GW2_IF1 \
    --region REGION_1
The command output should look similar to the following example:
Updated [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-b].
To create a BGP peer for TUNNEL_NAME_GW2_IF1, enter the following command:
gcloud compute routers add-bgp-peer ROUTER_NAME_2 \
    --peer-name PEER_NAME \
    --interface ROUTER_2_INTERFACE_NAME_1 \
    --peer-ip-address PEER_IP_ADDRESS \
    --peer-asn PEER_ASN \
    --region REGION_1
The command output should look similar to the following example:
Updated [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-b].
Verify the settings for ROUTER_NAME_2 by entering the following command:

gcloud compute routers describe ROUTER_NAME_2 \
    --region REGION_1

The command output should look similar to the following example. Check that each ipAddress falls inside the ipRange of its interface, and that every peerIpAddress and peerAsn mirrors the values configured on ROUTER_NAME_1; a session whose addresses are not in the same /30 on both routers will never come up.

bgp:
  advertiseMode: DEFAULT
  asn: 65002
bgpPeers:
- interfaceName: if-tunnel-b-to-a-if-0
  ipAddress: 169.254.0.2
  name: bgp-peer-tunnel-b-to-a-if-0
  peerAsn: 65001
  peerIpAddress: 169.254.0.1
- interfaceName: if-tunnel-b-to-a-if-1
  ipAddress: 169.254.1.2
  name: bgp-peer-tunnel-b-to-a-if-1
  peerAsn: 65001
  peerIpAddress: 169.254.1.1
creationTimestamp: '2015-10-19T14:31:52.639-07:00'
id: '4047683710114914215'
interfaces:
- ipRange: 169.254.0.2/30
  linkedVpnTunnel: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-b-to-a-if-0
  name: if-tunnel-b-to-a-if-0
- ipRange: 169.254.1.2/30
  linkedVpnTunnel: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-b-to-a-if-1
  name: if-tunnel-b-to-a-if-1
kind: compute#router
name: router-b
network: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/network-b
region: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1
selfLink: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-b
Continue on to complete the configuration
API
STEP ONE: To create an HA VPN gateway, make a POST request to the vpnGateways.insert method. Repeat this request to create the other HA VPN gateway, using the name and network of the other gateway. Keep the same region: both gateways must be in one region to meet the HA requirements.

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/vpnGateways
{
  "name": "ha-vpn-gw-a",
  "network": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/network-a"
}
STEP TWO: If you've already created a Cloud Router in each of the VPC networks where each of your HA VPN gateways resides, you can use those Cloud Routers instead of creating new ones. However, if a Cloud Router manages a BGP session for an interconnect attachment associated with a Partner Interconnect, you must create a new Cloud Router.
To create a Cloud Router, make a POST request to the routers.insert method. This example gives router-a the ASN 65001 used in the gcloud section; the example uses a different ASN (65002) for the Cloud Router in the other VPC network.

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/routers
{
  "name": "router-a",
  "network": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/network-a",
  "bgp": {
    "asn": 65001
  }
}
STEP THREE: To create two VPN tunnels, one for each interface on an HA VPN gateway, make a POST request to the vpnTunnels.insert method. Because the peer in this topology is another HA VPN gateway in Google Cloud, the tunnel identifies it with the peerGcpGateway field (the URL of the other gateway) rather than with a peerIp address.
Enter the following command to create the first tunnel. Here ha-vpn-gw-b stands for the name you gave the second gateway in step one:

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/vpnTunnels
{
  "name": "ha-vpn-gw-a-tunnel-0",
  "ikeVersion": 2,
  "peerGcpGateway": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/vpnGateways/ha-vpn-gw-b",
  "router": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/routers/router-a",
  "sharedSecret": "974;va'oi3-1",
  "vpnGateway": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/vpnGateways/ha-vpn-gw-a",
  "vpnGatewayInterface": 0
}

To create the second tunnel, repeat the preceding command, but change the following parameters:
- name
- sharedSecret (if you use a different secret for each tunnel)
- vpnGatewayInterface, set to the value of the other HA VPN gateway interface. In this example, you would change this value to 1.
Repeat this entire step to create two tunnels for your second HA VPN gateway that connect to your first HA VPN gateway, but change the parameters, using the gcloud command examples as a reference. The tunnel on interface 0 of the second gateway pairs with the tunnel on interface 0 of the first, and likewise for interface 1. The sharedSecret of the two tunnels that form a pair must be identical, and each pair should use its own randomly generated secret rather than the placeholder shown here.
Setting the advertised route priority for BGP (optional)
The following examples create BGP sessions on Cloud Routers that advertise routes to their respective peer networks using unmodified base priorities. Use this configuration for active/active configurations, where the priorities of the two tunnels on both sides should match. Omitting the advertised-route-priority parameter, as in these examples, results in the same advertised priority on both BGP sessions, so the peer network spreads traffic across both tunnels.
For active/passive configurations, you can control the advertised base priority of the routes that Cloud Router shares with its BGP peer. To configure this priority, use the advertised-route-priority parameter (the advertisedRoutePriority field of the BGP peer in the API) when adding or updating a BGP peer.
To create an active/passive configuration, give the BGP session of the tunnel that you want to be active a lower advertised route priority value than the session of the other tunnel. The value is advertised as a BGP MED, so a lower number means a more preferred route: the peer sends traffic over the preferred tunnel and fails over to the other tunnel only when that session goes down.
For more information about advertised base priority, see Route metrics.
You can also refine the routes that are advertised using custom advertisements, by adding the advertiseMode parameter and setting its value to CUSTOM (custom in gcloud), and by specifying IP address ranges with the advertisedIpRanges parameter.
STEP FOUR: To create a Cloud Router BGP interface, make either a PATCH request to the routers.patch method or a PUT request to the routers.update method. PATCH updates only the fields you include; PUT replaces the whole Cloud Router resource. Create a BGP interface for each VPN tunnel on the HA VPN gateway.
The BGP IP address ranges that you specify must be unique among all Cloud Routers in all regions of a VPC network.
Send the complete interfaces array in one request. routers.patch uses JSON merge patch semantics, so the array you include replaces the existing one, and a later PATCH that lists only the second interface would remove the first. The two /30 ranges below match the gcloud example on this page.

PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/routers/router-a
{
  "interfaces": [
    {
      "name": "if-tunnel-a-to-on-prem-if-0",
      "linkedVpnTunnel": "ha-vpn-gw-a-tunnel-0",
      "ipRange": "169.254.0.1/30"
    },
    {
      "name": "if-tunnel-a-to-on-prem-if-1",
      "linkedVpnTunnel": "ha-vpn-gw-a-tunnel-1",
      "ipRange": "169.254.1.1/30"
    }
  ]
}
STEP FIVE: To add a BGP peer to the Cloud Router for each VPN tunnel, make a PATCH request to the routers.patch method with a bgpPeers array. The router itself already exists from step two, so routers.insert is not used here. As with interfaces, the array you send replaces the existing bgpPeers, so list both sessions in one request. The two entries differ in every field except peerAsn and advertiseMode: each has its own name, interfaceName, and BGP IP addresses. Note that peerAsn is an integer, not a string.

PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/routers/router-a
{
  "bgpPeers": [
    {
      "interfaceName": "if-tunnel-a-to-on-prem-if-0",
      "ipAddress": "169.254.0.1",
      "name": "bgp-peer-tunnel-a-to-on-prem-if-0",
      "peerAsn": 65002,
      "peerIpAddress": "169.254.0.2",
      "advertiseMode": "DEFAULT"
    },
    {
      "interfaceName": "if-tunnel-a-to-on-prem-if-1",
      "ipAddress": "169.254.1.1",
      "name": "bgp-peer-tunnel-a-to-on-prem-if-1",
      "peerAsn": 65002,
      "peerIpAddress": "169.254.1.2",
      "advertiseMode": "DEFAULT"
    }
  ]
}

Repeat steps four and five on the Cloud Router in the other VPC network with the mirrored values, as the gcloud section shows for router-b.
STEP SIX: Verify the Cloud Router configuration with the routers.getRouterStatus method. It is a GET request with no body:

GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/routers/router-a/getRouterStatus

The response lists the status of every BGP peer; before relying on the 99.99% SLA, confirm that both sessions on the gateway report as UP and that each tunnel is learning the other network's routes.
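Before moving on, it helps to check the two routers against each other mechanically rather than by eye. The following Python script is an added example, not code from this page or from Google. It reads the JSON form of the describe output shown in the gcloud section (gcloud compute routers describe ROUTER --format=json, or the routers.get API response) for both routers and verifies the requirements this page sets out: one BGP session per gateway interface, mirrored link-local /30 pairs, consistent ASNs, and unique ranges per router. It also applies the advertised-route-priority rule from the previous section to say which tunnel is active. The sample data is constructed from the page's router-a and router-b examples; the advertisedRoutePriority values on router-a are an assumption added to show an active/passive case.

```python
"""Consistency check for an HA VPN pairing between two Cloud Routers.

Added example, not part of the Cloud VPN documentation. Input is the JSON form
of `gcloud compute routers describe ROUTER --format=json` for both routers.
"""
import ipaddress
import json

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
DEFAULT_PRIORITY = 100  # value Cloud Router uses when advertisedRoutePriority is unset

# Constructed sample data, trimmed to the fields the checks use. Names,
# addresses and ASNs follow the page's router-a / router-b examples; the
# advertisedRoutePriority values on router-a are an added assumption.
ROUTER_A_JSON = """{
  "name": "router-a", "bgp": {"asn": 65001, "advertiseMode": "DEFAULT"},
  "interfaces": [
    {"name": "if-tunnel-a-to-b-if-0", "ipRange": "169.254.0.1/30",
     "linkedVpnTunnel": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-b-if-0"},
    {"name": "if-tunnel-a-to-b-if-1", "ipRange": "169.254.1.1/30",
     "linkedVpnTunnel": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-b-if-1"}],
  "bgpPeers": [
    {"name": "bgp-peer-tunnel-a-to-b-if-0", "interfaceName": "if-tunnel-a-to-b-if-0",
     "ipAddress": "169.254.0.1", "peerIpAddress": "169.254.0.2", "peerAsn": 65002,
     "advertisedRoutePriority": 100},
    {"name": "bgp-peer-tunnel-a-to-b-if-1", "interfaceName": "if-tunnel-a-to-b-if-1",
     "ipAddress": "169.254.1.1", "peerIpAddress": "169.254.1.2", "peerAsn": 65002,
     "advertisedRoutePriority": 200}]
}"""
ROUTER_B_JSON = """{
  "name": "router-b", "bgp": {"asn": 65002, "advertiseMode": "DEFAULT"},
  "interfaces": [
    {"name": "if-tunnel-b-to-a-if-0", "ipRange": "169.254.0.2/30",
     "linkedVpnTunnel": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-b-to-a-if-0"},
    {"name": "if-tunnel-b-to-a-if-1", "ipRange": "169.254.1.2/30",
     "linkedVpnTunnel": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-b-to-a-if-1"}],
  "bgpPeers": [
    {"name": "bgp-peer-tunnel-b-to-a-if-0", "interfaceName": "if-tunnel-b-to-a-if-0",
     "ipAddress": "169.254.0.2", "peerIpAddress": "169.254.0.1", "peerAsn": 65001},
    {"name": "bgp-peer-tunnel-b-to-a-if-1", "interfaceName": "if-tunnel-b-to-a-if-1",
     "ipAddress": "169.254.1.2", "peerIpAddress": "169.254.1.1", "peerAsn": 65001}]
}"""


def load_router(text):
    return json.loads(text)


def _interfaces(router):
    return {i["name"]: i for i in router.get("interfaces", [])}


def check_ha_pairing(router_a, router_b):
    """Return a list of problems; an empty list means the pairing meets the page's requirements."""
    problems = []
    asn_a, asn_b = router_a["bgp"]["asn"], router_b["bgp"]["asn"]
    if asn_a == asn_b:
        problems.append(f"both routers use ASN {asn_a}; the page pairs distinct ASNs on the two sides")
    ifaces = {"a": _interfaces(router_a), "b": _interfaces(router_b)}
    peers_a, peers_b = router_a.get("bgpPeers", []), router_b.get("bgpPeers", [])
    if len(peers_a) != 2 or len(peers_b) != 2:
        problems.append(f"HA needs one BGP session per gateway interface, found {len(peers_a)} and {len(peers_b)}")
    for side, table in ifaces.items():  # ranges must be /30, link-local and unique per router
        nets = [ipaddress.ip_interface(i["ipRange"]).network for i in table.values()]
        if len(set(nets)) != len(nets):
            problems.append(f"router {side}: BGP ranges are not unique")
        for net in nets:
            if net.prefixlen != 30 or not net.subnet_of(LINK_LOCAL):
                problems.append(f"router {side}: {net} is not a /30 inside {LINK_LOCAL}")
    for pa in peers_a:  # every session on A must have a mirror image on B
        ia = ifaces["a"].get(pa["interfaceName"])
        if ia is None:
            problems.append(f"{pa['name']}: interface {pa['interfaceName']} does not exist")
            continue
        if str(ipaddress.ip_interface(ia["ipRange"]).ip) != pa["ipAddress"]:
            problems.append(f"{pa['name']}: ipAddress does not match its interface ipRange")
        mirror = [pb for pb in peers_b
                  if pb["ipAddress"] == pa["peerIpAddress"] and pb["peerIpAddress"] == pa["ipAddress"]]
        if not mirror:
            problems.append(f"{pa['name']}: no session on the other router mirrors {pa['ipAddress']} <-> {pa['peerIpAddress']}")
            continue
        pb = mirror[0]
        ib = ifaces["b"].get(pb["interfaceName"])
        if ib is None or ipaddress.ip_interface(ib["ipRange"]).network != ipaddress.ip_interface(ia["ipRange"]).network:
            problems.append(f"{pa['name']}: the two ends are not in the same /30")
        if pa["peerAsn"] != asn_b or pb["peerAsn"] != asn_a:
            problems.append(f"{pa['name']}: peerAsn values do not mirror the routers' own ASNs")
    return problems


def active_tunnels_toward(router):
    """Tunnels that carry traffic *into* this router's network.

    The priority set on a BGP peer is the MED this Cloud Router advertises to
    that peer, so the remote side prefers the session with the lowest value.
    One name means active/passive; two names mean active/active.
    """
    table = _interfaces(router)
    priority = {}
    for p in router.get("bgpPeers", []):
        tunnel = table[p["interfaceName"]]["linkedVpnTunnel"].rsplit("/", 1)[-1]
        priority[tunnel] = p.get("advertisedRoutePriority", DEFAULT_PRIORITY)
    lowest = min(priority.values())
    return sorted(t for t, v in priority.items() if v == lowest)


if __name__ == "__main__":
    a, b = load_router(ROUTER_A_JSON), load_router(ROUTER_B_JSON)
    print("problems:", check_ha_pairing(a, b) or "none")
    print("active toward network-a:", active_tunnels_toward(a))
    print("active toward network-b:", active_tunnels_toward(b))
```

With the sample data the pairing checks pass, traffic toward network-a prefers tunnel-a-to-b-if-0 (priority 100 beats 200), and traffic toward network-b is spread over both tunnels because router-b leaves the priorities at their default. Feed it the real describe output after every change to either router; a typo in one peerIpAddress shows up as a "no session ... mirrors" problem long before you notice that one of the two tunnels never learns a route.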
Completing the configuration
You must complete the following steps before you can use a new Cloud VPN gateway and its associated VPN tunnels:
- Set up the peer VPN gateway and configure the corresponding tunnel or tunnels
there. Refer to these pages:
- For specific configuration guidance for certain peer VPN devices, see the VPN Interoperability Guides.
- For supported peer topologies, see the Topologies page.
- For general configuration parameters, see Configuring the Peer VPN Gateway.
- Configure firewall rules in Google Cloud and your peer network as required. See the firewall rules page for suggestions.
- Check the status of your VPN tunnels and check the configuration of your HA VPN gateway for high availability.
Applying an organization policy constraint that restricts the IP addresses of peer VPN gateways
You can create a Google Cloud organization policy constraint that defines a set of IP addresses that are allowed or denied to peer VPN gateways through Classic VPN or HA VPN tunnels. This constraint contains an allow list or a deny list of these peer IP addresses, which goes into effect for Cloud VPN tunnels created after you apply the constraint. For details, see the Cloud VPN overview.
Required permissions
To set a peer IP constraint at the organization or project level, you must first be granted the Organization Policy Administrator (orgpolicy.policyAdmin) role for your organization.
How to set constraints
To create an organization policy and associate it with an organization, a folder, or a project, use the examples listed in the next sections and follow the steps in Using constraints.
Constraining connectivity from specific peer IP addresses through a Cloud VPN tunnel
To only allow specific peer IP addresses, perform the following steps:
- Find your organization ID by entering the following command:

gcloud organizations list

The command output should look like the following example.

DISPLAY NAME          ID
example-organization  29252605212

- Create a JSON file that defines your policy. You must provide a policy as a JSON file, as in the following example. JSON does not permit trailing commas, so a stray comma after the last list entry or the last field makes set-policy reject the file.

{
  "constraint": "constraints/compute.restrictVpnPeersIPs",
  "listPolicy": {
    "allowedValues": [
      "100.1.1.1"
    ]
  }
}

- Use the gcloud Resource Manager set-policy command to set the organization policy, passing in the JSON file and the ORGANIZATION_ID that you found in the previous step:

gcloud resource-manager org-policies set-policy POLICY_FILE \
    --organization ORGANIZATION_ID
Constraining connectivity from any peer IPs through a Cloud VPN tunnel
To prohibit the creation of any new Cloud VPN tunnel, follow the steps in this example constraint.
- Find your organization ID or the ID for the node in your resource hierarchy where you want to set a policy.
- Create a JSON file like the following example.

{
  "constraint": "constraints/compute.restrictVpnPeersIPs",
  "listPolicy": {
    "allValues": "DENY"
  }
}

- Pass in the JSON file by entering the same command that you would use for restricting specific peer IP addresses.
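Because the constraint only applies to tunnels created after you set it, tunnels that already point at a peer the policy would now reject keep working and never show up in an error. The following Python script is an added example, not code from this page or from Google. It validates the policy file before you hand it to set-policy (the same JSON mistakes that set-policy rejects, such as a trailing comma) and then audits the output of gcloud compute vpn-tunnels list --format=json against the policy, listing the existing tunnels whose peer IP would not be allowed if they were created today. The tunnel listing is a constructed sample; the two policy files are the page's own examples.

```python
"""Audit existing Cloud VPN tunnels against a restrictVpnPeersIPs policy.

Added example, not part of the Cloud VPN documentation. Inputs are the policy
file you are about to pass to set-policy and the JSON output of
`gcloud compute vpn-tunnels list --format=json`.
"""
import ipaddress
import json

CONSTRAINT = "constraints/compute.restrictVpnPeersIPs"

# The page's two policy examples, as they would be written to a file.
ALLOW_LIST_JSON = """{
  "constraint": "constraints/compute.restrictVpnPeersIPs",
  "listPolicy": {"allowedValues": ["100.1.1.1"]}
}"""
DENY_ALL_JSON = """{
  "constraint": "constraints/compute.restrictVpnPeersIPs",
  "listPolicy": {"allValues": "DENY"}
}"""

# Constructed sample of `vpn-tunnels list` output, trimmed to the fields used.
# The third entry carries no peerIp field, so the audit has nothing to evaluate for it.
TUNNELS_JSON = """[
  {"name": "tunnel-to-branch-1", "peerIp": "100.1.1.1", "status": "ESTABLISHED"},
  {"name": "tunnel-to-branch-2", "peerIp": "192.0.2.44", "status": "ESTABLISHED"},
  {"name": "tunnel-a-to-b-if-0", "status": "ESTABLISHED"}
]"""


def load_policy(text):
    """Parse a list-constraint policy file and check its shape.

    Raises ValueError with a readable message on invalid JSON (a trailing
    comma is the usual culprit), the wrong constraint, a policy that carries
    both allowedValues and deniedValues, or a value that is not one IP address.
    """
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as err:
        raise ValueError(f"policy file is not valid JSON: {err}") from None
    if policy.get("constraint") != CONSTRAINT:
        raise ValueError(f"policy does not set {CONSTRAINT}")
    rules = policy.get("listPolicy", {})
    if "allowedValues" in rules and "deniedValues" in rules:
        raise ValueError("a list policy cannot have both allowedValues and deniedValues")
    for value in rules.get("allowedValues", []) + rules.get("deniedValues", []):
        ipaddress.ip_address(value)  # ValueError if not a single IPv4/IPv6 address
    return policy


def policy_problem(text):
    """load_policy() as a predicate: the error message, or None when the file is fine."""
    try:
        load_policy(text)
        return None
    except ValueError as err:
        return str(err)


def load_tunnels(text):
    return json.loads(text)


def peer_ip_permitted(policy, peer_ip):
    """Apply the list-policy semantics (allValues first, then the explicit list) to one address."""
    rules = policy["listPolicy"]
    if "allValues" in rules:
        return rules["allValues"] == "ALLOW"
    addr = ipaddress.ip_address(peer_ip)  # normalises so "::1" and "0::1" compare equal
    if "allowedValues" in rules:
        return addr in {ipaddress.ip_address(v) for v in rules["allowedValues"]}
    if "deniedValues" in rules:
        return addr not in {ipaddress.ip_address(v) for v in rules["deniedValues"]}
    return True  # no rules at all: treated here as unrestricted


def audit_tunnels(policy, tunnels):
    """Names of existing tunnels whose peer IP the policy would reject if they were created now."""
    return [t["name"] for t in tunnels
            if "peerIp" in t and not peer_ip_permitted(policy, t["peerIp"])]


if __name__ == "__main__":
    tunnels = load_tunnels(TUNNELS_JSON)
    for label, text in (("allow list", ALLOW_LIST_JSON), ("deny all", DENY_ALL_JSON)):
        print(f"{label}: would reject {audit_tunnels(load_policy(text), tunnels)}")
```

Run it with the real listing before you apply the policy: every tunnel it names is one the constraint will not protect you from, so either remove it deliberately or add its peer to the allow list on purpose rather than leaving a silent exception behind.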