Create an HA VPN gateway between Google Cloud networks

This page describes how to connect two Virtual Private Cloud (VPC) networks together using an HA VPN gateway configuration. You can connect two existing VPC networks together as long as the primary and secondary subnet IP address ranges in each network don't overlap.

Requirements

General guidelines

To receive a 99.99% SLA, make sure that you meet the following requirements when creating this configuration:

  • Place one HA VPN gateway in each VPC network.
  • Place both HA VPN gateways in the same Google Cloud region.
  • Configure a tunnel on each interface of each gateway.
  • Match gateway interfaces: the tunnel from interface 0 of one gateway must terminate on interface 0 of the other gateway, and the tunnel from interface 1 on interface 1, as described in Create VPN tunnels.

Although it is possible to connect two VPC networks together by using a single tunnel between HA VPN gateways or by using Classic VPN gateways, this type of configuration is not considered to have high availability and does not meet the HA SLA of 99.99% availability.

Create Cloud Routers

When configuring a new HA VPN gateway, you can create a new Cloud Router, or you can use an existing Cloud Router with existing Cloud VPN tunnels or VLAN attachments. However, the Cloud Router that you use must not already manage a BGP session for a VLAN attachment associated with a Partner Interconnect connection because of the attachment's specific ASN requirements.

Manage permissions

Because HA VPN gateways don't always belong to you or your Google Cloud organization, consider the following permissions requirements when you create an HA VPN gateway or connect to one owned by someone else:

  • If you own the project where you create an HA VPN gateway, configure the recommended permissions on it.
  • If you want to connect to an HA VPN gateway that resides in a Google Cloud organization or project that you don't own, request the compute.vpnGateways.use permission from the owner.

Before you begin

Review information about how dynamic routing works in Google Cloud.

Make sure that your peer VPN gateway supports Border Gateway Protocol (BGP).

Set up the following items in Google Cloud to make it easier to configure Cloud VPN:

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
  3. Make sure that billing is enabled for your Cloud project. Learn how to check if billing is enabled on a project.
  4. Install and initialize the Google Cloud CLI.
  5. If you are using the Google Cloud CLI, set your project ID with the following command. The gcloud instructions on this page assume that you have set your project ID before issuing commands.

        gcloud config set project PROJECT_ID
        
  6. You can also view a project ID that has already been set by running the following command:

        gcloud config list --format='text(core.project)'
        

Create a custom VPC network and subnet

Before creating an HA VPN gateway and tunnel pair, create a VPC network and at least one subnet in the region where the HA VPN gateway resides:

To enable IPv6 in your HA VPN gateways (Preview), you must enable the allocation of IPv6 internal addresses when you create the VPC networks. In addition, you must configure the subnets to use IPv6 internal addresses.

You must also configure IPv6 on the VMs that reside in the subnet.

The VPC subnets must be configured to use internal IPv6 addresses. When you use the gcloud CLI, you configure the subnets with the --ipv6-access-type=INTERNAL flag. Cloud Router does not dynamically advertise routes for subnets that are configured to use external IPv6 addresses (--ipv6-access-type=EXTERNAL).

For information about using internal IPv6 ranges in your VPC networks and subnets, see Internal IPv6 specifications.

The examples in this document also use VPC global dynamic routing mode, which behaves in the following way:

  • Every Cloud Router in the VPC network applies the routes that it learns from its BGP peers (on-premises routers or, in this setup, the Cloud Router in the other VPC network) to all subnets of the VPC network, in every region.
  • Routes to all subnets in the VPC network, in every region, are advertised to those BGP peers.

For reference, this document creates an HA VPN gateway in each of two different VPC networks:

NETWORK_1 contains the following subnets:

  • A subnet named SUBNET_NAME_1 in REGION_1 that uses the IP range RANGE_1.
  • A subnet named SUBNET_NAME_2 in REGION_2 that uses the IP range RANGE_2.

NETWORK_2 contains the following subnets:

  • A subnet named SUBNET_NAME_3 in REGION_1 that uses the IP range RANGE_3.
  • A subnet named SUBNET_NAME_4 in REGION_3 that uses the IP range RANGE_4.
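The page lists the networks and subnets but not the commands that create them. The following script is an added example, not part of the original page: it creates the two custom-mode VPC networks with global dynamic routing and the four subnets listed above, after first checking that no NETWORK_1 range overlaps a NETWORK_2 range (the non-overlap requirement stated at the top of the page). All network, subnet, region names and IP ranges are assumed sample values; with the default DRY_RUN=1 it prints the gcloud commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from the original page: create the two custom-mode VPC
# networks and the four subnets listed above, with global dynamic routing, after
# verifying that no NETWORK_1 range overlaps a NETWORK_2 range (an HA VPN between
# two VPCs requires disjoint subnet ranges). Names and ranges below are assumed.
NETWORK_1=${NETWORK_1:-network-a}
NETWORK_2=${NETWORK_2:-network-b}
REGION_1=${REGION_1:-us-central1}
REGION_2=${REGION_2:-us-east1}
REGION_3=${REGION_3:-europe-west1}
# Subnets as name:region:range triples (constructed sample values).
NET1_SUBNETS="subnet-a-1:$REGION_1:10.0.1.0/24 subnet-a-2:$REGION_2:10.0.2.0/24"
NET2_SUBNETS="subnet-b-1:$REGION_1:10.0.3.0/24 subnet-b-2:$REGION_3:10.0.4.0/24"
DRY_RUN=${DRY_RUN:-1}   # 1 = print the gcloud commands, 0 = execute them

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# ip4_to_int A.B.C.D -> 32-bit integer (subshell keeps the IFS change local)
ip4_to_int() { ( IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )) ); }

# cidr_overlap X/len Y/len -> exit 0 if the prefixes share any address, else 1.
# Two prefixes overlap exactly when the shorter one contains the other's
# network address.
cidr_overlap() {
    a_net=$(ip4_to_int "${1%/*}"); a_len=${1#*/}
    b_net=$(ip4_to_int "${2%/*}"); b_len=${2#*/}
    if [ "$a_len" -le "$b_len" ]; then
        mask=$(( (0xFFFFFFFF << (32 - a_len)) & 0xFFFFFFFF ))
        [ $(( b_net & mask )) -eq $(( a_net & mask )) ]
    else
        mask=$(( (0xFFFFFFFF << (32 - b_len)) & 0xFFFFFFFF ))
        [ $(( a_net & mask )) -eq $(( b_net & mask )) ]
    fi
}

# check_no_overlap: every NETWORK_1 range against every NETWORK_2 range
check_no_overlap() {
    for s1 in $NET1_SUBNETS; do
        for s2 in $NET2_SUBNETS; do
            if cidr_overlap "${s1##*:}" "${s2##*:}"; then
                echo "overlapping ranges: $s1 vs $s2" >&2
                return 1
            fi
        done
    done
}

# create_network NETWORK "subnet triples": custom subnet mode so ranges are
# chosen explicitly; global BGP routing so every region's subnets are advertised.
create_network() {
    run gcloud compute networks create "$1" \
        --subnet-mode=custom --bgp-routing-mode=global
    for s in $2; do
        name=${s%%:*}; rest=${s#*:}; region=${rest%%:*}; range=${rest#*:}
        run gcloud compute networks subnets create "$name" \
            --network="$1" --region="$region" --range="$range"
    done
}

create_networks() {
    check_no_overlap || return 1
    create_network "$NETWORK_1" "$NET1_SUBNETS"
    create_network "$NETWORK_2" "$NET2_SUBNETS"
}

create_networks
```

Run it once with the default DRY_RUN=1 to review the commands, then with DRY_RUN=0 against the project set with gcloud config set project. The overlap check compares only the two networks' subnet lists as given here; if either network already has subnets, add their ranges to the lists before running it.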

Create two fully configured HA VPN gateways that connect to each other

Follow the instructions in this section to create an HA VPN gateway, a peer VPN gateway resource, tunnels, and BGP sessions.

Create the HA VPN gateways

Console

The VPN setup wizard includes all required configuration steps for creating an HA VPN gateway, a peer VPN gateway resource, tunnels, and BGP sessions.

To create the first HA VPN gateway, follow these steps:

  1. In the Google Cloud console, go to the VPN page.

    Go to VPN

  2. If you are creating a gateway for the first time, click Create VPN connection.

  3. Select the VPN setup wizard.

  4. If you have an existing HA VPN gateway, select the option button for that gateway.

  5. Click Continue.

  6. Specify a VPN gateway name.

  7. Under VPC network, select an existing network or the default network.

  8. Select a Region.

  9. Select a stack type for the gateway, either IPv4 (single-stack) or IPv4 and IPv6 (dual-stack) (Preview).

  10. Click Create and continue.

  11. The console page refreshes and displays your gateway information. Two external IPv4 addresses are automatically allocated, one for each of the gateway's two interfaces. For future configuration steps, make note of the details of your gateway configuration.

To create the second HA VPN gateway, repeat the preceding steps, and consider the following:

  • If necessary, use a separate browser to create the second HA VPN gateway. If you are connecting two HA VPNs, you might need to log in to the project that hosts the network you want to connect to.
  • Specify the same Region that you configured for the first HA VPN gateway.
  • Make sure you specify the same stack type as the first gateway, either IPv4 (single-stack) or IPv4 and IPv6 (dual-stack) (Preview).

gcloud

To create two HA VPN gateways, complete the following command sequence:

  • Create an HA VPN gateway in each network in REGION_1.

    When each gateway is created, two external IPv4 addresses are automatically allocated, one for each gateway interface. Take note of these IP addresses to use later on in the configuration steps.

    In the following commands, replace the following:

    • GW_NAME_1 and GW_NAME_2: the name of each gateway
    • NETWORK_1 and NETWORK_2: the name of the Google Cloud network that each gateway belongs to
    • REGION_1: the Google Cloud region where you create both gateways and their tunnels
    • IP_STACK: Optional: the IP stack to use. Specify either IPV4_ONLY or IPV4_IPV6 (Preview). The default value is IPV4_ONLY.

    Create the first gateway

    gcloud compute vpn-gateways create GW_NAME_1 \
       --network=NETWORK_1 \
       --region=REGION_1 \
       --stack-type=IP_STACK
    

    The gateway that you create should look similar to the following example output. An external IPv4 address has been automatically assigned to each gateway interface:

    Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnGateways/ha-vpn-gw-a].
    NAME          INTERFACE0     INTERFACE1     NETWORK     REGION
    ha-vpn-gw-a   203.0.113.16   203.0.113.23   network-a   us-central1
    

    Create the second gateway

    gcloud compute vpn-gateways create GW_NAME_2 \
       --network=NETWORK_2 \
       --region=REGION_1 \
       --stack-type=IP_STACK
    

    If you specified a stack type for the first gateway, use the same stack type for the second gateway.

    The gateway that you create should look similar to the following example output:

    Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnGateways/ha-vpn-gw-b].
    NAME          INTERFACE0     INTERFACE1     NETWORK     REGION
    ha-vpn-gw-b   203.0.114.18   203.0.114.25   network-b   us-central1
    

API

To create the full configuration for an HA VPN gateway, use the API commands in the following sections. All field values used in these sections are example values.

  1. Create the first HA VPN gateway by making a POST request to the vpnGateways.insert method.

    POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/vpnGateways
    {
     "name": "ha-vpn-gw-a",
     "network": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/network-a",
     "stackType": "IPV4_IPV6"
    }
    

    The stackType field is optional. The only valid values are IPV4_IPV6 (Preview) or IPV4_ONLY. If you do not specify a stackType, the default is IPV4_ONLY.

  2. Repeat the command to create the second HA VPN gateway, and specify the appropriate project, name, network, and region.

    If you specified stackType for the first gateway, use the same stack type for the second gateway, either IPV4_ONLY or IPV4_IPV6 (Preview).

Specify the peer VPN gateway resource

In this setup, the peer VPN gateway resource is the other HA VPN gateway with which you are creating a VPN tunnel.

If you are connecting two VPC networks, the second VPC network can exist in the same Google Cloud project or in a separate Google Cloud project.

Console

To specify the peer HA VPN gateway resource, follow these steps:

  1. On the Create a VPN page, under Peer VPN gateway, select Google Cloud.
  2. Under Project, select the Google Cloud project that contains the new gateway.
  3. Under VPN gateway name, select the second HA VPN that you created in Create the HA VPN gateways.
  4. Continue on to Create VPN tunnels.

gcloud

To create the peer VPN gateway resource, see the gcloud steps for Creating the HA VPN gateways.

You specify the peer VPN gateway resource when you create the HA VPN tunnels.

API

To create the peer VPN gateway resource, see the API steps for Creating the HA VPN gateways.

You specify the peer VPN gateway resource when you create the HA VPN tunnels.

Create Cloud Routers

Console

Under Cloud Router, if you haven't already, create a Cloud Router specifying the following options. You can use an existing Cloud Router if the router does not already manage a BGP session for a VLAN attachment associated with a Partner Interconnect connection.

  1. To create a new Cloud Router, specify the following:

    • A Name
    • An optional Description
    • A Google ASN for the new router

    You can use any private ASN (64512 through 65534, 4200000000 through 4294967294) that you are not using elsewhere in your network. The Google ASN is used for all BGP sessions on the same Cloud Router, and you cannot change the ASN later.

  2. To create the new router, click Create.

gcloud

The following instructions assume that you haven't already created Cloud Routers to use for managing BGP sessions for your HA VPN tunnels. You can use an existing Cloud Router in each VPC network unless those routers already manage a BGP session for a VLAN attachment associated with a Partner Interconnect connection.

To create two Cloud Routers, complete the following command sequence:

  • Create a Cloud Router in each network in REGION_1.

    In the following commands, replace the following:

    • PEER_ASN_1 and PEER_ASN_2: any private ASN (64512 through 65534, 4200000000 through 4294967294) that you are not already using. A Cloud Router uses one ASN for all of its BGP sessions, and each router's ASN is the peer ASN from the other router's point of view. This example uses ASN 65001 for ROUTER_NAME_1 and ASN 65002 for ROUTER_NAME_2.
    • Replace all other options with the values that you used previously.

    Create the first router

    gcloud compute routers create ROUTER_NAME_1 \
       --region=REGION_1 \
       --network=NETWORK_1 \
       --asn=PEER_ASN_1
    

    The router that you create should look similar to the following example output:

    Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-a].
    NAME       REGION        NETWORK
    router-a   us-central1   network-a
    

    Create the second router

    gcloud compute routers create ROUTER_NAME_2 \
       --region=REGION_1 \
       --network=NETWORK_2 \
       --asn=PEER_ASN_2
    

    The router that you create should look similar to the following example output:

    Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-b].
    NAME       REGION        NETWORK
    router-b   us-central1   network-b
    

API

If you already created a Cloud Router in each of the VPC networks where each of your HA VPN gateways reside, you can use those Cloud Routers instead of creating new ones. However, if a Cloud Router manages a BGP session for a VLAN attachment associated with a Partner Interconnect connection, then create a new Cloud Router.

To create a Cloud Router, make a POST request to the routers.insert method.

    POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/routers
    {
     "name": "router-a",
     "network": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/network-a"
    }

Create VPN tunnels

Console

To create VPN tunnels, follow these steps:

  1. Under High availability, select either a pair of tunnels or one tunnel to the other HA VPN gateway:

    • If you select Create a pair of VPN tunnels (recommended), configure the two tunnel dialogs that appear at the bottom of the Create VPN page.

    • If you select Create a single VPN tunnel, you configure your single tunnel on the rest of the Create VPN page. However, to get a 99.99% SLA to the other HA VPN gateway, you must create a second tunnel. You can add a second tunnel later as described at the end of this procedure.

  2. Complete the following steps either on the same page or in each tunnel's dialog at the bottom of the page.

  3. If you are configuring one tunnel, under Associated Cloud VPN gateway interface, select the HA VPN interface and IP address combination for this gateway to associate it with the gateway interface on the other HA VPN gateway. For two-tunnel configurations, this option and the Associated peer VPN gateway interface option are both unavailable because the correct interface combinations are configured for you.

    1. Specify a Name for the tunnel.
    2. Specify an optional Description.
    3. Specify the IKE version. We recommend IKEv2, the default setting. To allow IPv6 traffic (Preview), you must select IKEv2.
    4. Specify an IKE pre-shared key by using your pre-shared key (shared secret), which must correspond with the pre-shared key for the partner tunnel that you create on your peer gateway. If you haven't configured a pre-shared key on your peer VPN gateway and want to generate one, click Generate and copy. Make sure that you record the pre-shared key in a secure location because it cannot be retrieved after you create your VPN tunnels.
    5. Click Done.
    6. On the Create VPN page, repeat the tunnel creation steps for any remaining tunnel dialogs.
  4. When you have configured all tunnels, click Create and continue.

gcloud

To create two VPN tunnels on each HA VPN gateway, complete the following command sequence.

  • The tunnel that you create from interface 0 of GW_NAME_1 must connect to the external IP address associated with interface 0 of GW_NAME_2 in NETWORK_2.
  • The tunnel from interface 1 of GW_NAME_1 must connect to the external IP address associated with interface 1 of GW_NAME_2.
  • When you create VPN tunnels on GW_NAME_1 in NETWORK_1, specify the information for GW_NAME_2 in NETWORK_2. Google automatically connects the tunnel from interface 0 of GW_NAME_1 to interface 0 of GW_NAME_2, and interface 1 of GW_NAME_1 to interface 1 of GW_NAME_2.

    Create two tunnels on GW_NAME_1

    • Create two VPN tunnels, one on each interface, of GW_NAME_1 in NETWORK_1.

      In the following commands, replace the following:

      • TUNNEL_NAME_GW1_IF0 and TUNNEL_NAME_GW1_IF1: a name for each tunnel originating from GW_NAME_1; naming the tunnels by including the gateway interface name can help identify the tunnels later
      • GW_NAME_2: the value of --peer-gcp-gateway
      • REGION_1: the region where GW_NAME_1 is located
      • Optional: The --vpn-gateway-region is the region of the HA VPN gateway to operate on. Its value should be the same as --region. If not specified, this option is automatically set. This option overrides the default compute/region property value for this command invocation.
      • IKE_VERS: 2 for IKEv2; because both tunnels connect to another HA VPN gateway, Google recommends using IKEv2. To allow IPv6 traffic (Preview), you must use IKEv2.
      • SHARED_SECRET: your pre-shared key (shared secret), which must be the same pre-shared key that you use for the corresponding tunnel created from GW_NAME_2 on interface 0 and interface 1; for recommendations, see Generate a strong pre-shared key
      • INT_NUM_0: the number 0 for the first interface on GW_NAME_1
      • INT_NUM_1: the number 1 for the second interface on GW_NAME_1
      • If the peer-gcp-gateway is in a different project than the VPN tunnel and local VPN gateway, to specify the project, use the --peer-gcp-gateway option as a full URI or as a relative name. The following sample option is a relative name:
        --peer-gcp-gateway projects/other-project/regions/us-central1/vpnGateways/ha-vpn-gw-b
        
      • The --peer-gcp-gateway-region, which is the region of the peer-side HA VPN gateway to which the VPN tunnel is connected, must be in the same region as the VPN tunnel. If not specified, the region is automatically set.

      Create the first tunnel on GW_NAME_1 INT_NUM_0

      gcloud compute vpn-tunnels create TUNNEL_NAME_GW1_IF0 \
          --peer-gcp-gateway=GW_NAME_2 \
          --region=REGION_1 \
          --ike-version=IKE_VERS \
          --shared-secret=SHARED_SECRET \
          --router=ROUTER_NAME_1 \
          --vpn-gateway=GW_NAME_1 \
          --interface=INT_NUM_0
      

      Create the second tunnel on GW_NAME_1 INT_NUM_1

      gcloud compute vpn-tunnels create TUNNEL_NAME_GW1_IF1 \
          --peer-gcp-gateway=GW_NAME_2 \
          --region=REGION_1 \
          --ike-version=IKE_VERS \
          --shared-secret=SHARED_SECRET \
          --router=ROUTER_NAME_1 \
          --vpn-gateway=GW_NAME_1 \
          --interface=INT_NUM_1
      

      The command output should look similar to the following example:

      Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-b-if-0].
      NAME                 REGION        VPN_GATEWAY   VPN_INTERFACE   PEER_ADDRESS
      tunnel-a-to-b-if-0   us-central1   ha-vpn-gw-a   0               ha-vpn-gw-b
      
      Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-b-if-1].
      NAME                 REGION        VPN_GATEWAY   VPN_INTERFACE   PEER_ADDRESS
      tunnel-a-to-b-if-1   us-central1   ha-vpn-gw-a   1               ha-vpn-gw-b
      

    Create two tunnels on GW_NAME_2

    • Create two VPN tunnels, one on each interface, of GW_NAME_2 in NETWORK_2.

      • The tunnel that you create from interface 0 of GW_NAME_2 must connect to the external IP address associated with interface 0 of GW_NAME_1 in NETWORK_1.
      • The tunnel from interface 1 of GW_NAME_2 must connect to the external IP address associated with interface 1 of GW_NAME_1.

      In the following commands, replace the following:

      • REGION_1: the region where GW_NAME_2 is located
      • Optional: The --vpn-gateway-region is the region of the VPN gateway to operate on. Its value should be the same as --region. If not specified, this option is automatically set. This option overrides the default compute/region property value for this command invocation.
      • TUNNEL_NAME_GW2_IF0 and TUNNEL_NAME_GW2_IF1: a name for each tunnel originating from GW_NAME_2; naming the tunnels by including the gateway interface name can help identify the tunnels later
      • GW_NAME_1: the value of --peer-gcp-gateway; the value for --peer-gcp-gateway-region must be in the same region as the VPN tunnel. If not specified, the value is set automatically. For this example, the region is REGION_1.
      • IKE_VERS: 2 for IKEv2; because these tunnels connect to the two tunnels created in the previous step, they must use the same IKE version (Google recommends using IKEv2). To allow IPv6 traffic (Preview), you must use IKEv2.
      • SHARED_SECRET: your pre-shared key (shared secret), which must correspond with the pre-shared key for the partner tunnel that you created on each interface of GW_NAME_1; for recommendations, see Generate a strong pre-shared key
      • GW_NAME_2: the name of the second gateway that you configured in the gateway configuration step
      • INT_NUM_0: the number 0 for the first interface on GW_NAME_2
      • INT_NUM_1: the number 1 for the second interface on GW_NAME_2
      • If the peer-gcp-gateway is in a different project than the VPN tunnel and local VPN gateway, to specify the project, use the --peer-gcp-gateway option as a full URI or as a relative name. The following sample option is a relative name:
        --peer-gcp-gateway projects/other-project/regions/us-central1/vpnGateways/ha-vpn-gw-a
        
      • The --peer-gcp-gateway-region, which is the region of the peer-side HA VPN gateway to which the VPN tunnel is connected, must be in the same region as the VPN tunnel. If not specified, the region is automatically set.

      Create the first tunnel on GW_NAME_2 INT_NUM_0

      gcloud compute vpn-tunnels create TUNNEL_NAME_GW2_IF0 \
          --peer-gcp-gateway=GW_NAME_1 \
          --region=REGION_1 \
          --ike-version=IKE_VERS \
          --shared-secret=SHARED_SECRET \
          --router=ROUTER_NAME_2 \
          --vpn-gateway=GW_NAME_2 \
          --interface=INT_NUM_0
      

      Create the second tunnel on GW_NAME_2 INT_NUM_1

      gcloud compute vpn-tunnels create TUNNEL_NAME_GW2_IF1 \
          --peer-gcp-gateway=GW_NAME_1 \
          --region=REGION_1 \
          --ike-version=IKE_VERS \
          --shared-secret=SHARED_SECRET \
          --router=ROUTER_NAME_2 \
          --vpn-gateway=GW_NAME_2 \
          --interface=INT_NUM_1
      

      The command output should look similar to the following example:

      Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-b-to-a-if-0].
      NAME                 REGION        VPN_GATEWAY   VPN_INTERFACE   PEER_ADDRESS
      tunnel-b-to-a-if-0   us-central1   ha-vpn-gw-b   0               ha-vpn-gw-a
      
      Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-b-to-a-if-1].
      NAME                 REGION        VPN_GATEWAY   VPN_INTERFACE   PEER_ADDRESS
      tunnel-b-to-a-if-1   us-central1   ha-vpn-gw-b   1               ha-vpn-gw-a
      

    After this step, wait a few minutes, and then check the status of each VPN tunnel.

    A VPN tunnel's state changes to Established only when the corresponding partner tunnel is also available and properly configured. A valid IKE and Child Security Association (SA) must also be negotiated between them.

    For example, tunnel-a-to-b-if-0 on ha-vpn-gw-a can only be established if tunnel-b-to-a-if-0 on ha-vpn-gw-b is configured and available.
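The four gcloud commands above are run by hand with a placeholder SHARED_SECRET, and the status check that follows is left to the reader. The script below is an added example, not part of the original page: it generates one fresh pre-shared key per interface pair, passes the same key to both ends of that pair (the two pairs get different keys), keeps interface 0 matched to interface 0 and 1 to 1, and then polls the tunnel status field until both ends of each pair report ESTABLISHED. Gateway, router and region names are assumed. Two caveats: --shared-secret is passed on the command line, so it is visible in the shell history and process listing of the machine you run it from, and with the default DRY_RUN=1 the keys are printed along with the commands; store them in a secrets manager, because the page notes they cannot be retrieved from Google Cloud afterwards.

```shell
#!/bin/sh
# Added example, not from the original page: create both tunnel pairs with the
# interfaces matched (0 <-> 0, 1 <-> 1), generate one fresh pre-shared key per
# pair and pass the same key to both ends, then poll until both ends of every
# pair report ESTABLISHED. Gateway, router and region names are assumed.
GW_NAME_1=${GW_NAME_1:-ha-vpn-gw-a}; GW_NAME_2=${GW_NAME_2:-ha-vpn-gw-b}
ROUTER_NAME_1=${ROUTER_NAME_1:-router-a}; ROUTER_NAME_2=${ROUTER_NAME_2:-router-b}
REGION_1=${REGION_1:-us-central1}
DRY_RUN=${DRY_RUN:-1}   # 1 = print the gcloud commands (secrets included!), 0 = execute

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# new_psk: 24 random bytes, base64-encoded (32 characters, no padding).
# Google cannot show the key back to you after tunnel creation, so store it.
new_psk() { head -c 24 /dev/urandom | base64 | tr -d '\n'; }

# tunnel_name SRC_LABEL DST_LABEL IFACE, e.g. tunnel-a-to-b-if-0
tunnel_name() { echo "tunnel-$1-to-$2-if-$3"; }

# create_tunnel NAME LOCAL_GW PEER_GW ROUTER IFACE PSK
create_tunnel() {
    run gcloud compute vpn-tunnels create "$1" \
        --peer-gcp-gateway="$3" --region="$REGION_1" --ike-version=2 \
        --shared-secret="$6" --router="$4" --vpn-gateway="$2" --interface="$5"
}

# create_tunnel_pairs: interface N of GW_NAME_1 peers with interface N of
# GW_NAME_2; both ends of a pair must share the key, the two pairs need not.
create_tunnel_pairs() {
    for iface in 0 1; do
        psk=$(new_psk)
        create_tunnel "$(tunnel_name a b "$iface")" "$GW_NAME_1" "$GW_NAME_2" "$ROUTER_NAME_1" "$iface" "$psk"
        create_tunnel "$(tunnel_name b a "$iface")" "$GW_NAME_2" "$GW_NAME_1" "$ROUTER_NAME_2" "$iface" "$psk"
    done
}

# tunnel_status NAME -> the tunnel's status field (ESTABLISHED when up)
tunnel_status() {
    gcloud compute vpn-tunnels describe "$1" --region="$REGION_1" --format='value(status)'
}

# wait_established NAME [checks] [seconds]: exit 0 once status is ESTABLISHED
wait_established() {
    name=$1; checks=${2:-30}; delay=${3:-10}; n=0; st=
    while [ "$n" -lt "$checks" ]; do
        st=$(tunnel_status "$name")
        [ "$st" = ESTABLISHED ] && return 0
        n=$((n + 1)); sleep "$delay"
    done
    echo "$name not ESTABLISHED after $checks checks (last status: $st)" >&2
    return 1
}

# wait_all_pairs [checks] [seconds]: a tunnel only reaches ESTABLISHED when its
# partner on the other gateway is configured too, so check both ends of each pair.
wait_all_pairs() {
    for iface in 0 1; do
        wait_established "$(tunnel_name a b "$iface")" "$@" || return 1
        wait_established "$(tunnel_name b a "$iface")" "$@" || return 1
    done
}

create_tunnel_pairs
[ "$DRY_RUN" = 1 ] || wait_all_pairs
```

If a tunnel stays out of ESTABLISHED, the two usual causes on this page are a key mismatch between the two ends of a pair and a tunnel created on interface 0 of one gateway but pointed at interface 1 of the other; gcloud compute vpn-tunnels describe with --format='value(detailedStatus)' gives the text reason.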

API

To create two VPN tunnels, one for each interface on an HA VPN gateway, make a POST request to the vpnTunnels.insert method.

  1. To create the first tunnel, run the following command:

    POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/vpnTunnels
    {
     "name": "ha-vpn-gw-a-tunnel-0",
     "ikeVersion": 2,
     "peerGcpGateway": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/vpnGateways/ha-vpn-gw-b",
     "router": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/routers/router-a",
     "sharedSecret": "SECRET_1",
     "vpnGateway": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/vpnGateways/ha-vpn-gw-a",
     "vpnGatewayInterface": 0
    }
    

    If you plan to enable IPv6 (Preview) in the BGP session associated with this tunnel, you must specify 2 for the ikeVersion.

  2. To create the second tunnel, repeat the preceding command, but change the following parameters:

    • name: for example, ha-vpn-gw-a-tunnel-1
    • sharedSecret or sharedSecretHash (if needed)
    • vpnGatewayInterface: change to the value of the other HA VPN gateway interface—in this example, change this value to 1

Next, create two tunnels for your second HA VPN gateway that connect to your first HA VPN gateway.

  1. To create the first tunnel on the second HA VPN gateway, run the following command:

    POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/vpnTunnels
    {
     "name": "ha-vpn-gw-b-tunnel-0",
     "ikeVersion": 2,
     "peerGcpGateway": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/vpnGateways/ha-vpn-gw-a",
     "router": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/routers/router-b",
     "sharedSecret": "SECRET_1",
     "vpnGateway": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/vpnGateways/ha-vpn-gw-b",
     "vpnGatewayInterface": 0
    }
    

    Use the same sharedSecret that you specified for the first tunnel on the first gateway (ha-vpn-gw-a-tunnel-0).

    If you plan to enable IPv6 (Preview) in the BGP session associated with this tunnel, you must specify 2 for the ikeVersion.

  2. To create the second tunnel on the second HA VPN gateway, repeat the preceding command, but change the following parameters:

    • name: for example ha-vpn-gw-b-tunnel-1
    • sharedSecret or sharedSecretHash: specify the sharedSecret or sharedSecretHash that you used when creating the second tunnel on the first gateway
    • vpnGatewayInterface: change to the value of the other HA VPN gateway interface—in this example, change this value to 1

Create BGP sessions

Console

To create BGP sessions, follow these steps:

  1. If you don't want to configure BGP sessions now, click Configure BGP sessions later, which opens the Summary and reminder page.
  2. If you want to configure BGP sessions now, on the first VPN tunnel, click Configure.
  3. On the Create BGP session page, complete the following steps:
    1. Specify a Name for the BGP session.
    2. Specify the Peer ASN configured for the peer VPN gateway.
    3. Optional: Specify the Advertised route priority.
    4. Optional: Select Enable IPv6 to allow the exchange of IPv6 address prefixes over the BGP session (Preview).
    5. Under Allocate BGP IPv4 address, select Automatically or Manually. If you select Manually, you can specify the Cloud Router BGP IP address and the BGP Peer IP address. Make sure that the IPv4 addresses meet the following requirements:
      • Each BGP IP address must belong to the same /30 CIDR that fits within 169.254.0.0/16.
      • Each BGP IP address cannot be the first (network) or last (broadcast) address in the /30 CIDR.
      • Each BGP IP address range for each BGP session must be unique among all Cloud Routers in all regions of a VPC network.
    6. Optional: If you enabled IPv6, you can allocate the IPv6 next hop addresses automatically or manually (Preview). To allocate the addresses manually:
      1. Under Allocate IPv6 next hop, select Manually.
      2. Enter the IPv6 address for the Cloud Router IPv6 next hop. This address is the next hop address for IPv6 routes that are advertised by Cloud Router. The address must be in the range 2600:2d00:0:2::/64 or 2600:2d00:0:3::/64.
      3. Enter the IPv6 address for the Peer IPv6 next hop. This address is the next hop address for IPv6 routes learned by the Cloud Router from the BGP peer. The address must be in the range 2600:2d00:0:2::/64 or 2600:2d00:0:3::/64.
    7. Optional: Click the Advertised routes list and create custom routes.
    8. Click Save and continue.
  4. Repeat the preceding steps for the rest of the tunnels configured on the gateway. For each tunnel, use a different Cloud Router BGP IP address and BGP Peer IP address.
  5. When you have configured all BGP sessions, click Save BGP configuration.

gcloud

In this section, you configure Cloud Router interfaces and BGP peers; the following table provides an overview of these interfaces and peers. It shows the relationship between the IP ranges and peer IP addresses that you specify for each interface.

For example, the first interface of router-1 has a peer IP address of 169.254.0.2. This comes from the IP address range of the first interface of router-2, which is 169.254.0.2/30. In addition, this table also illustrates an example IPv6 next hop address configuration (Preview).

Router     BGP interface name      IP range         Peer IP address   Peer ASN   IPv6 next hop address (Preview)   Peer IPv6 next hop address (Preview)
router-1   if-tunnel-a-to-b-if-0   169.254.0.1/30   169.254.0.2       65002      2600:2d00:0:2::1                  2600:2d00:0:2::2
router-2   if-tunnel-b-to-a-if-0   169.254.0.2/30   169.254.0.1       65001      2600:2d00:0:2::2                  2600:2d00:0:2::1
router-1   if-tunnel-a-to-b-if-1   169.254.1.1/30   169.254.1.2       65002      2600:2d00:0:2::1:1                2600:2d00:0:2::1:2
router-2   if-tunnel-b-to-a-if-1   169.254.1.2/30   169.254.1.1       65001      2600:2d00:0:2::1:2                2600:2d00:0:2::1:1

For more details, see the instructions in this section, which include sample output after configuration.
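The table shows the pattern (each router's BGP address is the other usable host of the same /30, and the peer ASN is the other router's Google ASN) but leaves deriving and checking the addresses to the reader. The script below is an added example, not part of the original page: it derives the two /30 pairs from the table, checks each address against the rules given in the console steps (inside 169.254.0.0/16, never the network or broadcast address of its /30, a distinct /30 per session on a router), and emits the matching add-interface and add-bgp-peer commands for both routers. Router names, ASNs and the region are assumed sample values; the IPv6 next hop flags are omitted.

```shell
#!/bin/sh
# Added example, not from the original page: derive the link-local /30 pairs
# shown in the table above for both interface pairs, validate each address
# against the BGP address rules (inside 169.254.0.0/16, never the first or last
# address of its /30), and emit the add-interface / add-bgp-peer commands for
# both Cloud Routers. Router names, ASNs and the region are assumed values.
ROUTER_NAME_1=${ROUTER_NAME_1:-router-1}; ROUTER_NAME_2=${ROUTER_NAME_2:-router-2}
ASN_1=${ASN_1:-65001}; ASN_2=${ASN_2:-65002}   # Google ASN of router-1 / router-2
REGION_1=${REGION_1:-us-central1}
DRY_RUN=${DRY_RUN:-1}   # 1 = print the gcloud commands, 0 = execute them
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

ip4_to_int() { ( IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )) ); }
int_to_ip4() { echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"; }

# valid_bgp_ip A.B.C.D: must sit in 169.254.0.0/16 and have /30 host bits 01 or 10
valid_bgp_ip() {
    n=$(ip4_to_int "$1")
    [ $(( n >> 16 )) -eq $(( (169 << 8) | 254 )) ] || return 1
    case $(( n & 3 )) in 1|2) return 0 ;; *) return 1 ;; esac
}

# peer_of A.B.C.D: the other usable host of the same /30 (.1 <-> .2), which is
# what the peer router must use as its own BGP IP address
peer_of() { int_to_ip4 $(( $(ip4_to_int "$1") ^ 3 )); }

# router1_ip IFACE: a distinct /30 per BGP session on a router (169.254.<IFACE>.0/30)
router1_ip() { echo "169.254.$1.1"; }

# configure_session IFACE: on each router, one BGP interface bound to the
# tunnel on that interface and one peer pointing at the other router's address.
# The peer ASN on router-1 is router-2's Google ASN and vice versa.
configure_session() {
    iface=$1
    ip1=$(router1_ip "$iface"); ip2=$(peer_of "$ip1")
    valid_bgp_ip "$ip1" && valid_bgp_ip "$ip2" || return 1
    t1="tunnel-a-to-b-if-$iface"; t2="tunnel-b-to-a-if-$iface"
    run gcloud compute routers add-interface "$ROUTER_NAME_1" --interface-name="if-$t1" \
        --ip-address="$ip1" --mask-length=30 --vpn-tunnel="$t1" --region="$REGION_1"
    run gcloud compute routers add-bgp-peer "$ROUTER_NAME_1" --peer-name="peer-$t1" \
        --interface="if-$t1" --peer-ip-address="$ip2" --peer-asn="$ASN_2" --region="$REGION_1"
    run gcloud compute routers add-interface "$ROUTER_NAME_2" --interface-name="if-$t2" \
        --ip-address="$ip2" --mask-length=30 --vpn-tunnel="$t2" --region="$REGION_1"
    run gcloud compute routers add-bgp-peer "$ROUTER_NAME_2" --peer-name="peer-$t2" \
        --interface="if-$t2" --peer-ip-address="$ip1" --peer-asn="$ASN_1" --region="$REGION_1"
}

configure_all() { for i in 0 1; do configure_session "$i" || return 1; done; }

configure_all
```

Because the two routers live in different VPC networks, they may both use 169.254.0.0/30 and 169.254.1.0/30, as the table does; the uniqueness rule applies among the Cloud Routers of one VPC network, so a router that already has other BGP sessions needs different /30s than the ones router1_ip picks here.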

To create Cloud Router interfaces and BGP peers, complete the following command sequence.

  1. Create a BGP interface and BGP peer on ROUTER_NAME_1 for the tunnel TUNNEL_NAME_GW1_IF0.

    This BGP interface uses two BGP IP addresses, one on each end, to connect TUNNEL_NAME_GW1_IF0 on interface 0 of GW_NAME_1 to interface 0 of GW_NAME_2.

    In the following commands, replace the following:

    • ROUTER_1_INTERFACE_NAME_0: a name for the Cloud Router BGP interface; using a name related to TUNNEL_NAME_GW1_IF0 is helpful
    • IP_ADDRESS_1: Optional: a BGP IP address from the 169.254.0.0/16 block that's not already in use; this example uses 169.254.0.1. If you omit this flag and do not manually assign a BGP IP address, Google Cloud automatically assigns one from the 169.254.0.0/16 block for you.
    • MASK_LENGTH: 30; each BGP session on the same Cloud Router must use a unique /30 CIDR from the 169.254.0.0/16 block
    • PEER_NAME_GW1_IF0: a name describing the BGP peer; using a name related to TUNNEL_NAME_GW1_IF0 is helpful
    • PEER_IP_ADDRESS_1: Optional: a BGP IP address from the 169.254.0.0/16 block that's not already in use; this example uses 169.254.0.2. If you did not specifically assign a BGP IP address, IP_ADDRESS_1 above, omit this option as well and Google Cloud automatically assigns a matching BGP peer IP address for you. If you manually specified IP_ADDRESS_1, you must also manually configure this option.
    • PEER_ASN_2: the ASN number used for all interfaces on the other Cloud Router ROUTER_NAME_2; this example uses ASN number 65002
    • Optional: If you are creating VPN tunnels that allow IPv6 traffic (Preview), specify --enable-ipv6 when you run the add-bgp-peer command. When you enable IPv6 traffic, you have the option to configure IPv6 next hop addresses automatically or manually. To configure next hop addresses manually, replace both of the following:

      • IPV6_NEXTHOP_ADDRESS_1: the next hop address for IPv6 routes that are advertised by Cloud Router; the address must be in the range 2600:2d00:0:2::/64 or 2600:2d00:0:3::/64.
      • PEER_IPV6_NEXTHOP_ADDRESS_1: the next hop address for IPv6 routes learned by the Cloud Router from the BGP peer; the address must be in the range 2600:2d00:0:2::/64 or 2600:2d00:0:3::/64.

      If you do not specify the IPv6 next hop addresses, Google Cloud automatically assigns unused addresses from the 2600:2d00:0:2::/64 or 2600:2d00:0:3::/64 range.

    • AUTHENTICATION_KEY: the secret key to use for MD5 authentication on PEER_NAME_GW1_IF0; for more information about this optional feature, see Use MD5 authentication (Preview)

    Create a BGP interface for TUNNEL_NAME_GW1_IF0

    gcloud compute routers add-interface ROUTER_NAME_1 \
        --interface-name=ROUTER_1_INTERFACE_NAME_0 \
        --ip-address=IP_ADDRESS_1 \
        --mask-length=MASK_LENGTH \
        --vpn-tunnel=TUNNEL_NAME_GW1_IF0 \
        --region=REGION_1
    

    Create a BGP peer for TUNNEL_NAME_GW1_IF0

    The following example command creates an IPv6-enabled BGP peer with manually specified IPv4 BGP addresses and IPv6 next hop addresses (Preview):

    gcloud compute routers add-bgp-peer ROUTER_NAME_1 \
        --peer-name=PEER_NAME_GW1_IF0 \
        --interface=ROUTER_1_INTERFACE_NAME_0 \
        --peer-ip-address=PEER_IP_ADDRESS_1 \
        --peer-asn=PEER_ASN_2 \
        --region=REGION_1 \
        --enable-ipv6 \
        --ipv6-nexthop-address=IPV6_NEXTHOP_ADDRESS_1 \
        --peer-ipv6-nexthop-address=PEER_IPV6_NEXTHOP_ADDRESS_1
    

    The following command creates a BGP peer without IPv6 enabled:

    gcloud compute routers add-bgp-peer ROUTER_NAME_1 \
        --peer-name=PEER_NAME_GW1_IF0 \
        --interface=ROUTER_1_INTERFACE_NAME_0 \
        --peer-ip-address=PEER_IP_ADDRESS_1 \
        --peer-asn=PEER_ASN_2 \
        --region=REGION_1
    

    If you want to use MD5 authentication, use the gcloud beta command and the --md5-authentication-key flag. Use this field to identify your secret key:

    gcloud beta compute routers add-bgp-peer ROUTER_NAME_1 \
        --peer-name=PEER_NAME_GW1_IF0 \
        --interface=ROUTER_1_INTERFACE_NAME_0 \
        --peer-ip-address=PEER_IP_ADDRESS_1 \
        --peer-asn=PEER_ASN_2 \
        --region=REGION_1 \
        --md5-authentication-key=AUTHENTICATION_KEY
    

    The command output should look similar to the following example:

    Updated [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-a].
    
  2. Create a BGP interface and BGP peer on ROUTER_NAME_1 for the tunnel TUNNEL_NAME_GW1_IF1.

    This BGP interface uses two BGP IP addresses to connect TUNNEL_NAME_GW1_IF1 on interface 1 of GW_1 to interface 1 of GW_2.

    In the following commands, replace the following:

    • ROUTER_1_INTERFACE_NAME_1: a Cloud Router BGP interface name; using a name related to TUNNEL_NAME_GW1_IF1 is helpful
    • IP_ADDRESS_2: Optional: a BGP IP address from the 169.254.0.0/16 block that's not already in use; this example uses 169.254.1.1. If you omit this flag and do not manually assign a BGP IP address, Google Cloud automatically assigns one from the 169.254.0.0/16 block for you.
    • MASK_LENGTH: 30; each BGP session on the same Cloud Router must use a unique /30 CIDR from the 169.254.0.0/16 block
    • PEER_NAME_GW1_IF1: a name describing the BGP peer; using a name related to TUNNEL_NAME_GW1_IF1 is helpful
    • PEER_IP_ADDRESS_2: a BGP IP address from the 169.254.0.0/16 block that's not already in use; this example uses 169.254.1.2. If you did not specifically assign a BGP IP address, IP_ADDRESS_2, omit this option and Google Cloud automatically assigns a matching BGP peer IP address for you. If you manually specified IP_ADDRESS_2, you must also manually configure this option.
    • PEER_ASN_2: the ASN number used for all interfaces on the other Cloud Router ROUTER_NAME_2; this example uses ASN number 65002
    • Optional: If you are creating VPN tunnels that allow IPv6 traffic (Preview), specify --enable-ipv6 in the add-bgp-peer command. When you enable IPv6 traffic, you have the option to configure IPv6 next hop addresses manually. To configure next hop addresses, replace both of the following:

      • IPV6_NEXTHOP_ADDRESS_2: the next hop address for IPv6 routes that are advertised by Cloud Router; the address must be in the range 2600:2d00:0:2::/64 or 2600:2d00:0:3::/64
      • PEER_IPV6_NEXTHOP_ADDRESS_2: the next hop address for IPv6 routes learned by the Cloud Router from the BGP peer; the address must be in the range 2600:2d00:0:2::/64 or 2600:2d00:0:3::/64

      If you do not specify the IPv6 next hop addresses, Google Cloud automatically assigns unused addresses from the 2600:2d00:0:2::/64 or 2600:2d00:0:3::/64 range.

    • AUTHENTICATION_KEY_2: the secret key to use for MD5 authentication on PEER_NAME_GW1_IF1; for more information about this optional feature, see Use MD5 authentication (Preview)

    Create a BGP interface for TUNNEL_NAME_GW1_IF1

    gcloud compute routers add-interface ROUTER_NAME_1 \
       --interface-name=ROUTER_1_INTERFACE_NAME_1 \
       --ip-address=IP_ADDRESS_2 \
       --mask-length=MASK_LENGTH \
       --vpn-tunnel=TUNNEL_NAME_GW1_IF1 \
       --region=REGION_1
    

    Create a BGP peer for TUNNEL_NAME_GW1_IF1

    The following example command creates an IPv6-enabled BGP peer with manually specified IPv4 BGP addresses and IPv6 next hop addresses (Preview):

    gcloud compute routers add-bgp-peer ROUTER_NAME_1  \
       --peer-name=PEER_NAME_GW1_IF1 \
       --interface=ROUTER_1_INTERFACE_NAME_1 \
       --peer-ip-address=PEER_IP_ADDRESS_2 \
       --peer-asn=PEER_ASN_2 \
       --region=REGION_1 \
       --enable-ipv6 \
       --ipv6-nexthop-address=IPV6_NEXTHOP_ADDRESS_2 \
       --peer-ipv6-nexthop-address=PEER_IPV6_NEXTHOP_ADDRESS_2
    

    The following command creates a BGP peer that does not have IPv6 enabled:

    gcloud compute routers add-bgp-peer ROUTER_NAME_1 \
        --peer-name=PEER_NAME_GW1_IF1 \
        --interface=ROUTER_1_INTERFACE_NAME_1 \
        --peer-ip-address=PEER_IP_ADDRESS_2 \
        --peer-asn=PEER_ASN_2 \
        --region=REGION_1
    
    If you want to use MD5 authentication, use the gcloud beta command and add the --md5-authentication-key flag. Use this field to identify your secret key:

    gcloud beta compute routers add-bgp-peer ROUTER_NAME_1 \
       --peer-name=PEER_NAME_GW1_IF1 \
       --interface=ROUTER_1_INTERFACE_NAME_1 \
       --peer-ip-address=PEER_IP_ADDRESS_2 \
       --peer-asn=PEER_ASN_2 \
       --region=REGION_1 \
       --md5-authentication-key=AUTHENTICATION_KEY_2
    
    The command output should look similar to the following example:
    Updated [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-a].
    
  3. Verify the settings for ROUTER_NAME_1:

    gcloud compute routers describe ROUTER_NAME_1  \
        --region=REGION_1
    

    The command output should look similar to the following example:

     bgp:
       advertiseMode: DEFAULT
       asn: 65001
       keepaliveInterval: 20
     bgpPeers:
     - bfd:
           minReceiveInterval: 1000
           minTransmitInterval: 1000
           mode: DISABLED
           multiplier: 5
           sessionInitializationMode: DISABLED
       enable: 'TRUE'
       enableIpv6: true
       interfaceName: if-tunnel-a-to-b-if-0
       ipAddress: 169.254.0.1
       ipv6NexthopAddress: 2600:2d00:0:2:0:0:0:1
       name: bgp-peer-tunnel-a-to-b-if-0
       peerAsn: 65002
       peerIpAddress: 169.254.0.2
       peerIpv6NexthopAddress: 2600:2d00:0:2:0:0:0:2
     - bfd:
           minReceiveInterval: 1000
           minTransmitInterval: 1000
           mode: DISABLED
           multiplier: 5
           sessionInitializationMode: DISABLED
       enable: 'TRUE'
       enableIpv6: true
       interfaceName: if-tunnel-a-to-b-if-1
       ipAddress: 169.254.1.1
       ipv6NexthopAddress: 2600:2d00:0:2:0:0:1:1
       name: bgp-peer-tunnel-a-to-b-if-1
       peerAsn: 65002
       peerIpAddress: 169.254.1.2
       peerIpv6NexthopAddress: 2600:2d00:0:2:0:0:1:2
     creationTimestamp: '2021-10-19T14:31:52.639-07:00'
     id: '4047683710114914215'
     interfaces:
     - ipRange: 169.254.0.1/30
       linkedVpnTunnel: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-b-if-0
       name: if-tunnel-a-to-b-if-0
     - ipRange: 169.254.1.1/30
       linkedVpnTunnel: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-b-if-1
       name: if-tunnel-a-to-b-if-1
     kind: compute#router
     name: router-a
     network: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/network-a
     region: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1
     selfLink: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-a
    
  4. Create a BGP interface and BGP peer on ROUTER_NAME_2 for the tunnel TUNNEL_NAME_GW2_IF0.

    This BGP interface uses two BGP IP addresses to connect TUNNEL_NAME_GW2_IF0 on interface 0 of GW_2 to interface 0 of GW_1.

    In the following commands, replace the following:

    • ROUTER_2_INTERFACE_NAME_0: a Cloud Router BGP interface name; using a name related to TUNNEL_NAME_GW2_IF0 is helpful
    • IP_ADDRESS_3: the BGP IP address used previously for this gateway and interface. If you automatically assigned the peer BGP IP address when you created the BGP interface and peer for TUNNEL_NAME_GW1_IF0 on ROUTER_NAME_1, then you must specify the allocated address as IP_ADDRESS_3. To find out which addresses have been allocated by Google Cloud, run gcloud compute routers describe ROUTER_NAME_1. In the output for the BGP peer, use the value that appears in the peerIpAddress field. This example uses 169.254.0.2.
    • MASK_LENGTH: 30; each BGP session on the same Cloud Router must use a unique /30 CIDR from the 169.254.0.0/16 block
    • PEER_NAME_GW2_IF0: a name describing the BGP peer; using a name related to TUNNEL_NAME_GW2_IF0 is helpful
    • PEER_IP_ADDRESS_3: the BGP IP address used previously when you configured the first gateway and interface. Run gcloud compute routers describe ROUTER_NAME_1, and use the value that appears in the ipAddress field for the BGP peer you created for TUNNEL_NAME_GW1_IF0. This example uses 169.254.0.1.
    • PEER_ASN_1: the ASN number used for all interfaces on ROUTER_NAME_1 and that was set previously; this example uses ASN number 65001
    • Optional: If you are creating VPN tunnels that allow IPv6 traffic (Preview), specify --enable-ipv6 in the add-bgp-peer command. You must configure the IPv6 next hop addresses to match the interface and IPv6-enabled BGP peer configured for the first gateway. To configure next hop addresses, replace both of the following:
      • IPV6_NEXTHOP_ADDRESS_3: the next hop address for IPv6 routes that you specified previously in PEER_IPV6_NEXTHOP_ADDRESS_1. If you automatically assigned IPv6 next hop addresses when you created the BGP interface and peer for TUNNEL_NAME_GW1_IF0 on ROUTER_NAME_1, then you must find out what address has been allocated by Google Cloud. Run gcloud compute routers describe ROUTER_NAME_1 and check the output for the BGP peer you set up for TUNNEL_NAME_GW1_IF0. Use the value that appears in the peerIpv6NexthopAddress field. This example uses 2600:2d00:0:2:0:0:0:2.
      • PEER_IPV6_NEXTHOP_ADDRESS_3: the next hop address for IPv6 routes learned by the Cloud Router from the BGP peer. Use the value that you specified previously in IPV6_NEXTHOP_ADDRESS_1. If you automatically assigned IPv6 next hop addresses, run gcloud compute routers describe ROUTER_NAME_1 and check the output for the BGP peer you set up for TUNNEL_NAME_GW1_IF0. Use the value that appears in the ipv6NexthopAddress field. This example uses 2600:2d00:0:2:0:0:0:1.
    • AUTHENTICATION_KEY: the secret key to use for MD5 authentication on PEER_NAME_GW2_IF0; it must be the same key that you configured for PEER_NAME_GW1_IF0 on ROUTER_NAME_1

    Create a BGP interface for TUNNEL_NAME_GW2_IF0

    gcloud compute routers add-interface ROUTER_NAME_2 \
        --interface-name=ROUTER_2_INTERFACE_NAME_0 \
        --ip-address=IP_ADDRESS_3 \
        --mask-length=MASK_LENGTH \
        --vpn-tunnel=TUNNEL_NAME_GW2_IF0 \
        --region=REGION_1
    

    Create a BGP peer for TUNNEL_NAME_GW2_IF0

    The following example command creates an IPv6-enabled BGP peer (Preview):

    gcloud compute routers add-bgp-peer ROUTER_NAME_2 \
        --peer-name=PEER_NAME_GW2_IF0 \
        --interface=ROUTER_2_INTERFACE_NAME_0 \
        --peer-ip-address=PEER_IP_ADDRESS_3 \
        --peer-asn=PEER_ASN_1 \
        --region=REGION_1 \
        --enable-ipv6 \
        --ipv6-nexthop-address=IPV6_NEXTHOP_ADDRESS_3 \
        --peer-ipv6-nexthop-address=PEER_IPV6_NEXTHOP_ADDRESS_3
    

    The following command creates a BGP peer without IPv6 enabled:

    gcloud compute routers add-bgp-peer ROUTER_NAME_2 \
        --peer-name=PEER_NAME_GW2_IF0 \
        --interface=ROUTER_2_INTERFACE_NAME_0 \
        --peer-ip-address=PEER_IP_ADDRESS_3 \
        --peer-asn=PEER_ASN_1 \
        --region=REGION_1
    

    Alternatively, if you configured ROUTER_NAME_1 to use MD5 authentication for PEER_NAME_GW1_IF0, configure ROUTER_NAME_2 to use MD5 authentication, as follows:

    gcloud beta compute routers add-bgp-peer ROUTER_NAME_2  \
       --peer-name=PEER_NAME_GW2_IF0 \
       --interface=ROUTER_2_INTERFACE_NAME_0 \
       --peer-ip-address=PEER_IP_ADDRESS_3 \
       --peer-asn=PEER_ASN_1 \
       --region=REGION_1 \
       --md5-authentication-key=AUTHENTICATION_KEY
    
    The command output should look similar to the following example:
    Updated [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-b].
    
  5. Create a BGP interface and BGP peer on ROUTER_NAME_2 for the tunnel TUNNEL_NAME_GW2_IF1.

    This BGP interface uses two BGP IP addresses to connect TUNNEL_NAME_GW2_IF1 on interface 1 of GW_2 to interface 1 of GW_1.

    In the following commands, replace the following:

    • ROUTER_2_INTERFACE_NAME_1: a Cloud Router BGP interface name; using a name related to TUNNEL_NAME_GW2_IF1 is helpful
    • IP_ADDRESS_4: the BGP IP address used previously for this gateway and interface. If you automatically assigned the peer BGP IP address when you created the BGP interface and peer for TUNNEL_NAME_GW1_IF1 on ROUTER_NAME_1, then you must specify the allocated address as IP_ADDRESS_4. To find out which addresses have been allocated by Google Cloud, run gcloud compute routers describe ROUTER_NAME_1. In the output for the BGP peer, use the value that appears in the peerIpAddress field. This example uses 169.254.1.2.
    • MASK_LENGTH: 30; each BGP session on the same Cloud Router must use a unique /30 CIDR from the 169.254.0.0/16 block
    • PEER_NAME_GW2_IF1: a name describing the BGP peer; using a name related to TUNNEL_NAME_GW2_IF1 is helpful
    • PEER_IP_ADDRESS_4: the IP address you specified as IP_ADDRESS_2 when you configured the first gateway and interface. Run gcloud compute routers describe ROUTER_NAME_1, and use the value that appears in the ipAddress field for the BGP peer you created for TUNNEL_NAME_GW1_IF1. This example uses 169.254.1.1.
    • PEER_ASN_1: the ASN number used for all interfaces on ROUTER_NAME_1 and that was set previously; this example uses ASN number 65001
    • Optional: If you configured the BGP peer and interfaces on the first gateway to allow IPv6 traffic (Preview), then specify --enable-ipv6. To configure next hop addresses, replace both of the following:
      • IPV6_NEXTHOP_ADDRESS_4: the next hop address for IPv6 routes that you specified previously in PEER_IPV6_NEXTHOP_ADDRESS_2. If you automatically assigned IPv6 next hop addresses when you created the BGP interface and peer for TUNNEL_NAME_GW1_IF1 on ROUTER_NAME_1, then you must find out what address has been allocated by Google Cloud. Run gcloud compute routers describe ROUTER_NAME_1 and check the output for the BGP peer you set up for TUNNEL_NAME_GW1_IF1. Use the value that appears in the peerIpv6NexthopAddress field. This example uses 2600:2d00:0:2:0:0:1:2.
      • PEER_IPV6_NEXTHOP_ADDRESS_4: the next hop address for IPv6 routes learned by the Cloud Router from the BGP peer. Use the value that you specified previously in IPV6_NEXTHOP_ADDRESS_2. If you automatically assigned IPv6 next hop addresses, run gcloud compute routers describe ROUTER_NAME_1 and check the output for the BGP peer you set up for TUNNEL_NAME_GW1_IF1. Use the value that appears in the ipv6NexthopAddress field. This example uses 2600:2d00:0:2:0:0:1:1.
    • AUTHENTICATION_KEY_2: the secret key to use for MD5 authentication on PEER_NAME_GW2_IF1; it must be the same key that you configured for PEER_NAME_GW1_IF1 on ROUTER_NAME_1

    Create a BGP interface for TUNNEL_NAME_GW2_IF1

    gcloud compute routers add-interface ROUTER_NAME_2 \
       --interface-name=ROUTER_2_INTERFACE_NAME_1 \
       --ip-address=IP_ADDRESS_4 \
       --mask-length=MASK_LENGTH \
       --vpn-tunnel=TUNNEL_NAME_GW2_IF1 \
       --region=REGION_1
    

    The command output should look similar to the following example:

    Updated [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-b].
    

    Create a BGP peer for TUNNEL_NAME_GW2_IF1

    The following example command creates an IPv6-enabled BGP peer (Preview):

    gcloud compute routers add-bgp-peer ROUTER_NAME_2  \
       --peer-name=PEER_NAME_GW2_IF1 \
       --interface=ROUTER_2_INTERFACE_NAME_1 \
       --peer-ip-address=PEER_IP_ADDRESS_4 \
       --peer-asn=PEER_ASN_1 \
       --region=REGION_1 \
       --enable-ipv6 \
       --ipv6-nexthop-address=IPV6_NEXTHOP_ADDRESS_4 \
       --peer-ipv6-nexthop-address=PEER_IPV6_NEXTHOP_ADDRESS_4
    

    The following command creates a BGP peer without IPv6 enabled:

    gcloud compute routers add-bgp-peer ROUTER_NAME_2 \
        --peer-name=PEER_NAME_GW2_IF1 \
        --interface=ROUTER_2_INTERFACE_NAME_1 \
        --peer-ip-address=PEER_IP_ADDRESS_4 \
        --peer-asn=PEER_ASN_1 \
        --region=REGION_1
    

    Alternatively, if you configured ROUTER_NAME_1 to use MD5 authentication for PEER_NAME_GW1_IF1, configure ROUTER_NAME_2 to use MD5 authentication, as follows:

    gcloud beta compute routers add-bgp-peer ROUTER_NAME_2  \
       --peer-name=PEER_NAME_GW2_IF1 \
       --interface=ROUTER_2_INTERFACE_NAME_1 \
       --peer-ip-address=PEER_IP_ADDRESS_4 \
       --peer-asn=PEER_ASN_1 \
       --region=REGION_1 \
       --md5-authentication-key=AUTHENTICATION_KEY_2
    
    The command output should look similar to the following example:
    Updated [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-b].
    
  6. Verify the settings for ROUTER_NAME_2:

    gcloud compute routers describe ROUTER_NAME_2  \
       --region=REGION_1
    

    The command output should look similar to the following example:

     bgp:
       advertiseMode: DEFAULT
       asn: 65002
     bgpPeers:
     - bfd:
           minReceiveInterval: 1000
           minTransmitInterval: 1000
           mode: DISABLED
           multiplier: 5
           sessionInitializationMode: DISABLED
       enable: 'TRUE'
       enableIpv6: true
       interfaceName: if-tunnel-b-to-a-if-0
       ipAddress: 169.254.0.2
       ipv6NexthopAddress: 2600:2d00:0:2:0:0:0:2
       name: bgp-peer-tunnel-b-to-a-if-0
       peerAsn: 65001
       peerIpAddress: 169.254.0.1
       peerIpv6NexthopAddress: 2600:2d00:0:2:0:0:0:1
     - bfd:
           minReceiveInterval: 1000
           minTransmitInterval: 1000
           mode: DISABLED
           multiplier: 5
           sessionInitializationMode: DISABLED
       enable: 'TRUE'
       enableIpv6: true
       interfaceName: if-tunnel-b-to-a-if-1
       ipAddress: 169.254.1.2
       ipv6NexthopAddress: 2600:2d00:0:2:0:0:1:2
       name: bgp-peer-tunnel-b-to-a-if-1
       peerAsn: 65001
       peerIpAddress: 169.254.1.1
       peerIpv6NexthopAddress: 2600:2d00:0:2:0:0:1:1
     creationTimestamp: '2021-10-19T14:31:52.639-07:00'
     id: '4047683710114914215'
     interfaces:
     - ipRange: 169.254.0.1/30
       linkedVpnTunnel: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-b-to-a-if-0
       name: if-tunnel-b-to-a-if-0
     - ipRange: 169.254.1.1/30
       linkedVpnTunnel: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-b-to-a-if-1
       name: if-tunnel-b-to-a-if-1
     kind: compute#router
     name: router-b
     network: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/network-b
     region: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1
     selfLink: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-b
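
The six steps above reduce to two invariants that the describe outputs let you verify: each Cloud Router uses its own distinct /30 from 169.254.0.0/16 per BGP session, and each session on the second router is the mirror image of one on the first (its ipAddress is the first router's peerIpAddress, its peerAsn is the first router's ASN, and its IPv6 next hops are swapped). The following Python checker is an added example, not Google Cloud code. It encodes those invariants and runs them over two constructed router records shaped like the describe output (names, addresses and ASNs are the ones used on this page); loading real records, for instance from gcloud compute routers describe --format=json, is assumed and not shown. The last function reproduces the kind of copy-and-paste slip these placeholders invite, a peer on the second router created with the wrong --peer-asn, and shows what the checker reports.

```python
import copy
import ipaddress

# Ranges this page states for link-local BGP addresses and IPv6 next hops.
BGP_IPV4_BLOCK = ipaddress.ip_network("169.254.0.0/16")
IPV6_NEXTHOP_BLOCKS = (ipaddress.ip_network("2600:2d00:0:2::/64"),
                       ipaddress.ip_network("2600:2d00:0:3::/64"))


def _peer(name, iface, ip, peer_ip, peer_asn, v6, peer_v6):
    """One bgpPeers entry, keyed like the describe output."""
    return {"name": name, "interfaceName": iface, "ipAddress": ip,
            "peerIpAddress": peer_ip, "peerAsn": peer_asn,
            "ipv6NexthopAddress": v6, "peerIpv6NexthopAddress": peer_v6}


# Constructed sample records (values from this page's table and describe output).
ROUTER_A = {
    "name": "router-a", "bgp": {"asn": 65001},
    "interfaces": [{"name": "if-tunnel-a-to-b-if-0", "ipRange": "169.254.0.1/30"},
                   {"name": "if-tunnel-a-to-b-if-1", "ipRange": "169.254.1.1/30"}],
    "bgpPeers": [
        _peer("bgp-peer-tunnel-a-to-b-if-0", "if-tunnel-a-to-b-if-0", "169.254.0.1",
              "169.254.0.2", 65002, "2600:2d00:0:2::1", "2600:2d00:0:2::2"),
        _peer("bgp-peer-tunnel-a-to-b-if-1", "if-tunnel-a-to-b-if-1", "169.254.1.1",
              "169.254.1.2", 65002, "2600:2d00:0:2::1:1", "2600:2d00:0:2::1:2")]}
ROUTER_B = {
    "name": "router-b", "bgp": {"asn": 65002},
    "interfaces": [{"name": "if-tunnel-b-to-a-if-0", "ipRange": "169.254.0.2/30"},
                   {"name": "if-tunnel-b-to-a-if-1", "ipRange": "169.254.1.2/30"}],
    "bgpPeers": [
        _peer("bgp-peer-tunnel-b-to-a-if-0", "if-tunnel-b-to-a-if-0", "169.254.0.2",
              "169.254.0.1", 65001, "2600:2d00:0:2::2", "2600:2d00:0:2::1"),
        _peer("bgp-peer-tunnel-b-to-a-if-1", "if-tunnel-b-to-a-if-1", "169.254.1.2",
              "169.254.1.1", 65001, "2600:2d00:0:2::1:2", "2600:2d00:0:2::1:1")]}


def _norm(value):
    """Compare by value: ASNs as ints and addresses as address objects, so that
    "65002" == 65002 and 2600:2d00:0:2:0:0:0:1 == 2600:2d00:0:2::1."""
    if value is None or isinstance(value, int):
        return value
    text = str(value).strip()
    if text.isdigit():
        return int(text)
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return text


def check_router(router):
    """Per-router invariants: distinct /30s inside 169.254.0.0/16, each peer's
    ipAddress is its interface address, its peerIpAddress is the other host of
    that /30, and any IPv6 next hop sits in one of the two permitted /64s."""
    problems, seen, ifaces, name = [], set(), {}, router["name"]
    for iface in router["interfaces"]:
        addr = ipaddress.ip_interface(iface["ipRange"])
        if addr.network.prefixlen != 30 or not addr.network.subnet_of(BGP_IPV4_BLOCK):
            problems.append(f"{name}/{iface['name']}: {iface['ipRange']} is not a /30 in {BGP_IPV4_BLOCK}")
        if addr.network in seen:
            problems.append(f"{name}/{iface['name']}: /30 {addr.network} reused on this router")
        seen.add(addr.network)
        ifaces[iface["name"]] = addr
    for peer in router["bgpPeers"]:
        iface = ifaces.get(peer["interfaceName"])
        if iface is None:
            problems.append(f"{name}/{peer['name']}: interface {peer['interfaceName']} missing")
            continue
        local, remote = _norm(peer["ipAddress"]), _norm(peer["peerIpAddress"])
        if local != iface.ip:
            problems.append(f"{name}/{peer['name']}: ipAddress {local} != interface {iface.ip}")
        if remote == local or remote not in iface.network.hosts():
            problems.append(f"{name}/{peer['name']}: peerIpAddress {remote} not the other host of {iface.network}")
        for key in ("ipv6NexthopAddress", "peerIpv6NexthopAddress"):
            v6 = _norm(peer.get(key))
            if v6 is not None and not (isinstance(v6, ipaddress.IPv6Address)
                                       and any(v6 in b for b in IPV6_NEXTHOP_BLOCKS)):
                problems.append(f"{name}/{peer['name']}: {key} {peer[key]} outside permitted /64s")
    return problems


def _mirror(a, b):
    """Every session on a needs exactly one counterpart on b carrying the swapped
    view: ipAddress<->peerIpAddress, ASN<->peerAsn, and the IPv6 next hops."""
    problems = []
    for pa in a["bgpPeers"]:
        matches = [pb for pb in b["bgpPeers"] if _norm(pb["ipAddress"]) == _norm(pa["peerIpAddress"])]
        if len(matches) != 1:
            problems.append(f"{a['name']}/{pa['name']}: {len(matches)} peers on {b['name']} use ipAddress {pa['peerIpAddress']}")
            continue
        pb = matches[0]
        expected = {"peerIpAddress": pa["ipAddress"], "peerAsn": a["bgp"]["asn"],
                    "ipv6NexthopAddress": pa.get("peerIpv6NexthopAddress"),
                    "peerIpv6NexthopAddress": pa.get("ipv6NexthopAddress")}
        for key, want in expected.items():
            if _norm(pb.get(key)) != _norm(want):
                problems.append(f"{b['name']}/{pb['name']}: {key}={pb.get(key)}, expected {want} to mirror {a['name']}/{pa['name']}")
        if _norm(pa["peerAsn"]) != _norm(b["bgp"]["asn"]):
            problems.append(f"{a['name']}/{pa['name']}: peerAsn {pa['peerAsn']} != {b['name']} ASN {b['bgp']['asn']}")
    return problems


def check_pair(a, b):
    """All per-router and cross-router checks; an empty list means consistent."""
    return check_router(a) + check_router(b) + _mirror(a, b) + _mirror(b, a)


def demo_wrong_asn():
    """Copy-paste slip: router-b's second peer created with --peer-asn=65002 (its own
    ASN) instead of router-a's 65001. Returns the two findings the checker raises."""
    bad = copy.deepcopy(ROUTER_B)
    bad["bgpPeers"][1]["peerAsn"] = 65002
    return check_pair(ROUTER_A, bad)


if __name__ == "__main__":
    for line in check_pair(ROUTER_A, ROUTER_B) or ["router-a and router-b mirror each other"]:
        print(line)
    for line in demo_wrong_asn():
        print("wrong-asn demo:", line)
```

check_pair runs the checks in both directions, so a session that exists on one router with no counterpart on the other is reported as well; the /30 uniqueness check is per router, which matches the rule stated in the MASK_LENGTH bullets above.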
    

API

  1. To create a Cloud Router BGP interface, make a PATCH request to the routers.patch method or an UPDATE (PUT) request to the routers.update method. PATCH changes only the parameters that you include; UPDATE replaces all parameters of the Cloud Router. Create a BGP interface for each VPN tunnel on the HA VPN gateway.

    The BGP IP address ranges that you specify must be unique among all Cloud Routers in all regions of a VPC network.

    PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/routers/{resourceId}
    {
     "interfaces": [
       {
         "name": "if-tunnel-a-to-on-prem-if-0",
         "linkedVpnTunnel": "ha-vpn-gw-a-tunnel-0",
         "ipRange": "169.254.0.1/30"
       }
     ]
    }
    
  2. To add a BGP peer to a Cloud Router for each VPN tunnel, make a POST request to the routers.insert method. Repeat this command for the other VPN tunnel, changing all options except name and peerAsn.

    To create a full BGP session configuration for an HA VPN gateway, use the following API command:

    POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/routers
    {
     "name": "router-a",
     "network": "network-a",
     "bgpPeers": [
       {
         "name": "bgp-peer-tunnel-a-to-on-prem-if-0",
         "interfaceName": "if-tunnel-a-to-on-prem-if-0",
         "ipAddress": "169.254.0.1",
         "peerIpAddress": "169.254.0.2",
         "peerAsn": "65002",
         "advertiseMode": "DEFAULT"
       }
     ]
    }
    

    To create the full BGP session configuration for an HA VPN gateway with IPv6 enabled (Preview), use the following API command:

    POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/routers
    {
     "name": "router-a",
     "network": "network-a",
     "bgpPeers": [
       {
         "name": "bgp-peer-tunnel-a-to-on-prem-if-0",
         "interfaceName": "if-tunnel-a-to-on-prem-if-0",
         "ipAddress": "169.254.0.1",
         "peerIpAddress": "169.254.0.2",
         "peerAsn": "65002",
         "advertiseMode": "DEFAULT",
         "enableIpv6": true,
         "ipv6NexthopAddress": "2600:2d00:0:2:0:0:0:1",
         "peerIpv6NexthopAddress": "2600:2d00:0:2:0:0:0:2"
       }
     ]
    }
    

    If you want to configure the session to use MD5 authentication (Preview), you must use the beta API, and the request body must carry two extra items: an entry in md5AuthenticationKeys that defines the key (both a name and the secret value), and a reference to that key by name in the BGP peer's md5AuthenticationKeyName field. For example:

    PATCH https://compute.googleapis.com/compute/beta/projects/PROJECT_ID/regions/REGION/routers/ROUTER_NAME
    {
      "md5AuthenticationKeys": [
        {
          "name": "bgppeer-1-key",
          "key": "secret_key_value"
        }
      ],
      "bgpPeers": [
        {
          "interfaceName": "if-tunnel-a-to-on-prem-if-0",
          "ipAddress": "169.254.0.1",
          "name": "bgp-peer-tunnel-a-to-on-prem-if-0",
          "peerAsn": "65002",
          "peerIpAddress": "169.254.0.2",
          "advertiseMode": "DEFAULT",
          "md5AuthenticationKeyName": "bgppeer-1-key"
        }
      ]
    }
    

Verify the configuration

Console

To verify the configuration, go to the Summary and reminder page:

  1. The Summary section of this page lists information for the HA VPN gateway and the peer VPN gateway profile. For each VPN tunnel, you can view the VPN tunnel status, the BGP session name, the BGP session status, and the MED value (advertised route priority).
  2. The Reminder section of this page lists the steps that you must complete to have a fully operational VPN connection between Cloud VPN and your peer VPN. After reviewing the information on this page, click OK.

gcloud

To verify the Cloud Router configurations, see the verification steps on the gcloud tab in Create BGP sessions.

API

To verify the Cloud Router configuration, make a GET request by using the routers.getRouterStatus method, with an empty request body:

GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/routers/ROUTER_NAME/getRouterStatus

Create an additional tunnel on a single-tunnel gateway

Console

To receive a 99.99% uptime SLA, configure a tunnel on each HA VPN interface on each side of an HA VPN-to-HA VPN gateway configuration.

If you configured one tunnel on an HA VPN gateway to another HA VPN gateway but want to receive a 99.99% uptime SLA, you must configure a second tunnel.

To configure a second tunnel, follow the steps at Add a tunnel from an HA VPN gateway to another HA VPN gateway.

Set the base advertised route priority (optional)

The BGP sessions that you create let each Cloud Router advertise routes to peer networks. The advertisements use unmodified base priorities.

Use the configuration documented in Creating two fully configured HA VPN gateways that connect to each other for active/active routing configurations where the advertised route priorities of the two tunnels on both sides match. Omitting the advertised route priority (--advertised-route-priority) results in the same advertised route priorities to both BGP peers.

For active/passive routing configurations, you can control the advertised route priority of the routes to Google Cloud that Cloud Router shares with your peer VPN gateway by setting the advertised route priority (--advertised-route-priority) when adding or updating a BGP peer. To create an active/passive configuration, set a higher advertised route priority for one BGP session and its corresponding VPN tunnel than for the other BGP session and VPN tunnel.

For more information about the base advertised route priority, see Advertised prefixes and priorities.

You can also refine the routes that are advertised by using custom advertisements:

  • Add the --advertisement-mode=CUSTOM flag (gcloud) or set advertiseMode to CUSTOM (API).
  • Specify IP address ranges with the --set-advertisement-ranges flag (gcloud) or the advertisedIpRanges flag (API).

Complete the configuration

Before you can use a new Cloud VPN gateway and its associated VPN tunnels, complete the following steps:

  1. Configure firewall rules in Google Cloud for your VPC networks.
  2. Check the status of your VPN tunnels. This step includes checking the high-availability configuration of your HA VPN gateway.

Apply an organization policy constraint that restricts peer VPN gateway IP addresses

You can create a Google Cloud organization policy constraint that defines a set of IP addresses that are allowed or denied to peer VPN gateways through Classic VPN or HA VPN tunnels. This constraint contains an allowlist or a denylist of these peer IP addresses, which goes into effect for Cloud VPN tunnels that you create after you apply the constraint. For details, see Restricting peer IP addresses through a Cloud VPN tunnel.

To create an organization policy and associate it with an organization, a folder, or a project, use the examples listed in the next sections and follow the steps in Using constraints.

Required permissions

To set a peer IP address constraint at the organization or project level, you must first be granted the Organization Policy Administrator role (roles/orgpolicy.policyAdmin) for your organization.

Constrain connectivity from specific peer IP addresses

To only allow specific peer IP addresses through a Cloud VPN tunnel, perform the following steps:

  1. Find your organization ID by running the following command:
    gcloud organizations list

    The command output should look like the following example:

          DISPLAY NAME             ID
          example-organization     29252605212
        
  2. Create a JSON file that defines your policy, as in the following example:

         {
           "constraint": "constraints/compute.restrictVpnPeersIPs",
           "listPolicy": {
             "allowedValues": [
               "100.1.1.1"
             ]
           }
         }
       
  3. Set the organization policy by using the Resource Manager gcloud command set-policy, passing in the JSON file, and using the ORGANIZATION_ID that you found in the previous step.

Constrain connectivity from any peer IP addresses

To prohibit the creation of any new Cloud VPN tunnel, follow the steps in this example constraint:

  1. Find your organization ID or the ID for the node in your resource hierarchy where you want to set a policy.
  2. Create a JSON file like the following example:

        {
          "constraint": "constraints/compute.restrictVpnPeersIPs",
          "listPolicy": {
            "allValues": "DENY"
          }
        }
    
  3. Pass in the JSON file by running the same command that you would use for restricting specific peer IP addresses.
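
Both procedures above end in the same place: a JSON policy file handed to the Resource Manager set-policy command. The following Python helper is an added example, not Google Cloud code. It builds either policy shape (the peer allowlist from the first procedure or the deny-all from the second), validates every allowlist entry as a single IPv4 or IPv6 host address so a typo or an accidental CIDR range is caught before the policy is submitted, and re-checks an existing policy file for the structural mistakes that make set-policy reject it (a trailing comma, or allValues combined with allowedValues). The file name vpn-peers-policy.json is an assumption; the organization ID is the sample value from the gcloud organizations list output above.

```python
import ipaddress
import json

CONSTRAINT = "constraints/compute.restrictVpnPeersIPs"


def restrict_vpn_peers_policy(allowed_peer_ips=None, deny_all=False):
    """Build the policy dict for either an allowlist of peer VPN gateway IPs or
    a deny-all (no new Cloud VPN tunnels at all). Exactly one of the two must
    be given. Entries are validated and de-duplicated; a typo such as
    100.1.1.256 or a range such as 10.0.0.0/8 raises ValueError."""
    if deny_all == bool(allowed_peer_ips):
        raise ValueError("pass either a non-empty allowlist or deny_all=True, not both")
    if deny_all:
        return {"constraint": CONSTRAINT, "listPolicy": {"allValues": "DENY"}}
    values = []
    for raw in allowed_peer_ips:
        addr = str(ipaddress.ip_address(raw.strip()))  # single host address only
        if addr not in values:
            values.append(addr)
    return {"constraint": CONSTRAINT, "listPolicy": {"allowedValues": values}}


def load_policy(text):
    """Parse a policy file and check it has the shape set-policy expects.
    json.loads is strict, so a trailing comma after the last element fails;
    allValues and allowedValues/deniedValues are mutually exclusive."""
    policy = json.loads(text)
    if policy.get("constraint") != CONSTRAINT:
        raise ValueError(f"unexpected constraint {policy.get('constraint')!r}")
    lp = policy.get("listPolicy", {})
    has_list = "allowedValues" in lp or "deniedValues" in lp
    if ("allValues" in lp) == has_list:
        raise ValueError("listPolicy must set allValues or allowedValues/deniedValues, not both or neither")
    for key in ("allowedValues", "deniedValues"):
        for value in lp.get(key, []):
            ipaddress.ip_address(value)  # every entry must be one host address
    return policy


def is_valid_policy_text(text):
    """True if load_policy accepts the file content (JSONDecodeError is a ValueError)."""
    try:
        load_policy(text)
        return True
    except ValueError:
        return False


def is_valid_peer_ip(text):
    """True for a single IPv4 or IPv6 host address, False for typos and ranges."""
    try:
        ipaddress.ip_address(text.strip())
        return True
    except ValueError:
        return False


def set_policy_command(policy_path, organization_id):
    """The Resource Manager set-policy command from step 3 above, as an argv list."""
    return ["gcloud", "resource-manager", "org-policies", "set-policy",
            policy_path, f"--organization={organization_id}"]


if __name__ == "__main__":
    policy = restrict_vpn_peers_policy(["100.1.1.1"])
    path = "vpn-peers-policy.json"  # assumed file name
    with open(path, "w") as fh:
        json.dump(policy, fh, indent=2)
    with open(path) as fh:
        assert is_valid_policy_text(fh.read())
    print(" ".join(set_policy_command(path, "29252605212")))
```

Run it once to write the allowlist file and print the command to review; to produce the deny-all policy instead, call restrict_vpn_peers_policy(deny_all=True) and pass the resulting file to the same command.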

What's next

  • To use high-availability and high-throughput scenarios or multiple subnet scenarios, see Advanced configurations.
  • To help you solve common issues that you might encounter when using Cloud VPN, see Troubleshooting.