Creating an HA VPN gateway to a peer VPN gateway

This page describes how to create a high-availability VPN gateway that connects to a peer VPN gateway.

HA VPN gateways use the HA VPN API and provide a 99.99% SLA. This configuration uses a tunnel pair, with one tunnel on each HA VPN gateway interface. To receive a 99.99% SLA, you must configure VPN tunnels on both HA VPN gateway interfaces.

There are two gateway components to configure for HA VPN:

An HA VPN gateway in Google Cloud.
Your peer VPN gateway or gateways—one or more physical VPN gateway devices or software applications in the peer network to which the HA VPN gateway connects. The peer gateway can be either an on-premises VPN gateway or one hosted by another cloud provider.

Create an external VPN gateway resource in Google Cloud for each peer gateway device or service. All peer gateway scenarios are represented in Google Cloud by a single external peer VPN resource.

For more information about Cloud VPN, see the following resources:

For diagrams of this topology, see HA VPN to peer VPN gateways.
For best practices to consider before setting up Cloud VPN, see Best practices for Cloud VPN.
For more information about Cloud VPN, see the Cloud VPN overview.
For definitions of terms used on this page, see Key terms.

Requirements

Redundancy types

The HA VPN API contains an option for REDUNDANCY_TYPE, which represents the number of interfaces that you configure for the external VPN gateway resource.

When you configure an external VPN gateway resource, gcloud commands automatically infer the following values of REDUNDANCY_TYPE from the number of interfaces that you provide in the interface ID:

One external VPN interface is SINGLE_IP_INTERNALLY_REDUNDANT.
Two external VPN interfaces are TWO_IPS_REDUNDANCY.
Four external VPN interfaces are FOUR_IPS_REDUNDANCY.

When configuring external VPN gateways, use the following interface identification numbers for the stated number of external VPN interfaces:

For one external VPN interface, use a value of 0.
For two external VPN interfaces, use values 0 and 1.
For four external VPN interfaces, use values 0,1,2, and 3.

Creating HA VPN to AWS peer gateways

When configuring an HA VPN external VPN gateway to Amazon Web Services (AWS), you can use either a transit gateway or a virtual private gateway. Only the transit gateway supports equal-cost multipath (ECMP) routing. When enabled, ECMP equally distributes traffic across active tunnels. The supported topology requires two AWS Site-to-Site VPN connections, A and B, each with two external IP addresses. This topology yields four external IP addresses in AWS: A1, A2, B1, and B2.

Configure the four AWS IP addresses as a single external HA VPN gateway with FOUR_IPS_REDUNDANCY, where:

AWS IP 0=A1
AWS IP 1=A2
AWS IP 2=B1
AWS IP 3=B2

Create four tunnels on the HA VPN gateway to meet the 99.99% SLA by using the following configuration:

HA VPN interface 0 to AWS interface 0
HA VPN interface 0 to AWS interface 1
HA VPN interface 1 to AWS interface 2
HA VPN interface 1 to AWS interface 3

Set up HA VPN with AWS:

In Google Cloud, create an HA VPN gateway and a Cloud Router in the region that you want. This action creates two external IP addresses, one for each gateway interface. Record the external IP addresses for use in the next step.
In AWS, create two customer gateways by using the following:
- The Dynamic routing option
- The Google ASN of the Cloud Router
- The external IP addresses of the Google Cloud HA VPN gateway interfaces 0 and 1
Complete the steps that correspond to the AWS VPN option that you are using:
- Transit Gateway
- Virtual Private Gateway
Download the AWS configuration files for both connections that you created. The files contain information that you need during the next steps in this procedure, including pre-shared authentication keys, outside tunnel IP addresses, and inside tunnel IP addresses.
In Google Cloud, do the following:
1. Create a new peer VPN gateway with four interfaces by using the AWS external IP addresses from the files that you downloaded in the previous step.
2. Create four VPN tunnels on the HA VPN gateway that you created in step 1. For each tunnel, configure the HA VPN gateway interface with the appropriate peer VPN gateway interface and pre-shared keys by using the information in the AWS configuration files that you downloaded.
3. Configure BGP sessions on the Cloud Router by using the BGP IP addresses from the downloaded AWS configuration files.

Creating Cloud Routers

When configuring a new HA VPN gateway, you can create a new Cloud Router, or you can use an existing Cloud Router with existing Cloud VPN tunnels or VLAN attachments. However, the Cloud Router that you use must not already manage a BGP session for a VLAN attachment associated with a Partner Interconnect connection because of the attachment's specific ASN requirements.

Before you begin

Review information about how dynamic routing works in Google Cloud.

Make sure that your peer VPN gateway supports Border Gateway Protocol (BGP).

Set up the following items in Google Cloud to make it easier to configure Cloud VPN:

Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

In the Google Cloud Console, on the project selector page, select or create a Google Cloud project.

Go to project selector

Make sure that billing is enabled for your Cloud project. Learn how to confirm that billing is enabled for your project.

Install and initialize the Cloud SDK.

In the Google Cloud Console, on the project selector page, select or create a Google Cloud project.

Go to project selector

Make sure that billing is enabled for your Cloud project. Learn how to confirm that billing is enabled for your project.

Install and initialize the Cloud SDK.

If you are using the gcloud command-line tool, set your project ID with the following command. The gcloud instructions on this page assume that you have set your project ID before issuing commands.
```
    gcloud config set project PROJECT_ID
    
```

You can also view a project ID that has already been set by running the following command:
```
    gcloud config list --format='text(core.project)'
    
```

Creating a custom VPC network and subnet

Before creating an HA VPN gateway and tunnel pair, create a Virtual Private Cloud (VPC) network and at least one subnet in the region where the HA VPN gateway resides:

To create a custom mode VPC network (recommended), see Creating a custom mode VPC network.
To create subnets, see Working with subnets.

The examples in this document also use VPC global dynamic routing mode, which behaves in the following way:

All instances of Cloud Router apply the to on-premises routes that they learn to all subnets of the VPC network.
Routes to all subnets in the VPC network are shared with on-premises routers.

Creating an HA VPN gateway and tunnel pair to a peer VPN

Follow the instructions in this section to create an HA VPN gateway, a peer VPN gateway resource, a pair of tunnels, and BGP sessions.

Permissions required for this task

To perform this task, you must have been granted the following permissions or the following IAM roles.

Permissions

compute.vpnGateways.get
compute.vpnGateways.list
compute.externalVpnGateways.get
compute.externalVpnGateways.list
compute.vpnGateways.create
compute.vpnGateways.delete
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnGateways.use
compute.vpnGateways.setLabels
compute.externalVpnGateways.create
compute.externalVpnGateways.delete
compute.externalVpnGateways.get
compute.externalVpnGateways.list
compute.externalVpnGateways.use
compute.externalVpnGateways.setLabels

Roles

roles/compute.networkAdmin

Create an HA VPN gateway

Console

The VPN setup wizard includes all required configuration steps for creating an HA VPN gateway, a peer VPN gateway resource, tunnels, and BGP sessions.

To create an HA VPN gateway, follow these steps:

In the Google Cloud Console, go to the VPN page.

Go to VPN
If you are creating a gateway for the first time, click Create VPN connection.
Select the VPN setup wizard.
If you have an existing HA VPN gateway, select the option button for that gateway.
Click Continue.
Specify a VPN gateway name.
Under VPC network, select an existing network or the default network.
Select a Region.
Click Create and continue.
The console page refreshes and displays your gateway information. Two external IP addresses are automatically allocated for each of your gateway interfaces. For future configuration steps, make note of the details of your gateway configuration.

gcloud

To create an HA VPN gateway, run the following command. When the gateway is created, two external IP addresses are automatically allocated, one for each gateway interface.

gcloud compute vpn-gateways create GW_NAME \
    --network=NETWORK \
    --region=REGION

Replace the following:

GW_NAME: the name of the gateway
NETWORK: the name of your Google Cloud network
REGION: the Google Cloud region where you create the gateway and tunnel

The gateway that you create should look similar to the following example output. An external IP address has been automatically assigned to each gateway interface:

Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnGateways/ha-vpn-gw-a].
NAME          INTERFACE0     INTERFACE1     NETWORK     REGION
ha-vpn-gw-a   203.0.113.16   203.0.113.23   network-a   us-central1

API

To create the full configuration for an HA VPN gateway, use the API commands in the following sections. All field values used in these sections are example values.

To create an HA VPN gateway, make a POST request by using the vpnGateways.insert method:

   POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/vpnGateways
   {
     "name": "ha-vpn-gw-a",
     "network": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/network-a"
   }

Create a peer VPN gateway resource

Console

The peer VPN gateway resource represents your non-Google Cloud gateway in Google Cloud.

To create a peer VPN gateway resource, follow these steps:

On the Create a VPN page, under Peer VPN gateway, select On-prem or Non-Google Cloud.
Under Peer VPN gateway name, choose an existing peer gateway or click Create a new peer VPN gateway.

If you choose an existing gateway, the Cloud Console selects the number of tunnels to configure based on the number of peer interfaces that you configured on the existing peer gateway.

To create a new peer gateway, complete the following steps:
1. Specify a Name for the peer VPN gateway.
2. Under Peer VPN gateway interfaces, select one, two, or four interfaces, depending on the type of interfaces your peer gateway has. For examples of each type, see the Topologies page.
3. In the field for each peer VPN interface, specify the external IP address used for that interface. For more information, see Configuring the peer VPN gateway.
4. Click Create.

gcloud

Create an external VPN gateway resource that provides information to Google Cloud about your peer VPN gateway or gateways. Depending on the high availability recommendations for your peer VPN gateway, you can create external VPN gateway resources for the following different types of on-premises VPN gateways:

Two separate peer VPN gateway devices where the two devices are redundant with each other, and each device has its own external IP address.
A single peer VPN gateway that uses two separate interfaces, each with its own external IP address. For this kind of peer gateway, you can create a single external VPN gateway with two interfaces.
A single peer VPN gateway with a single external IP address.

Option 1: Create an external VPN gateway resource for two separate peer VPN gateway devices

For this type of peer gateway, each interface of the external VPN gateway has one external IP address, and each address is from one of the peer VPN gateway devices:
```
gcloud compute external-vpn-gateways create PEER_GW_NAME \
   --interfaces 0=PEER_GW_IP_0,1=PEER_GW_IP_1
```
Replace the following:
- PEER_GW_NAME: a name representing the peer gateway
- PEER_GW_IP_0: the external IP address for a peer gateway
- PEER_GW_IP_1: the external IP address for another peer gateway
The external VPN gateway resource that you created should look like the following example where PEER_GW_IP_0 and PEER_GW_IP_1 show the actual external IP addresses of the peer gateway interfaces:
```
Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/externalVpnGateways/peer-gw].
NAME      INTERFACE0    INTERFACE1
peer-gw   PEER_GW_IP_0  PEER_GW_IP_1
```

Option 2: Create an external VPN gateway resource for a single peer VPN gateway with two separate interfaces

For this type of peer gateway, create a single external VPN gateway with two interfaces:
```
gcloud compute external-vpn-gateways create PEER_GW_NAME \
   --interfaces 0=PEER_GW_IP_0,1=PEER_GW_IP_1
```
Replace the following:
- PEER_GW_NAME: a name representing the peer gateway
- PEER_GW_IP_0: the external IP address for one interface from the peer gateway
- PEER_GW_IP_1: the external IP address for another interface from the peer gateway
The external VPN gateway resource that you created should look like the following example where PEER_GW_IP_0 and PEER_GW_IP_1 show the actual external IP addresses of the peer gateway interfaces:
```
Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/externalVpnGateways/peer-gw].
NAME     INTERFACE0    INTERFACE1
peer-gw  PEER_GW_IP_0  PEER_GW_IP_1
```

Option 3: Create an external VPN gateway resource for a single peer VPN gateway with a single external IP address

For this type of peer gateway, create an external VPN gateway with one interface:
```
gcloud compute external-vpn-gateways create PEER_GW_NAME \
   --interfaces 0=PEER_GW_IP_0
```
Replace the following:
- PEER_GW_NAME: a name representing the peer gateway
- PEER_GW_IP_0: the external IP address for the interface from the peer gateway
The external VPN gateway resource that you created should look like the following example where PEER_GW_IP_0 shows the actual external IP addresses of the peer gateway interface:
```
Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/externalVpnGateways/peer-gw].
NAME       INTERFACE0
peer-gw    PEER_GW_IP_0
```

API

To create an external VPN gateway resource, make a POST request by using the externalVpnGateways.insert method.

For an external (peer) VPN gateway that has one interface, use the following example, but specify only one interface ID and one ipAddress, with a redundancyType of SINGLE_IP_INTERNALLY_REDUNDANT.
For an external VPN gateway with two interfaces, or two external VPN gateways with one interface each, use the TWO_IPS_REDUNDANCY example.

For one or more external VPN gateways with four external VPN interfaces, for example, Amazon Web Services (AWS), use the following example, but specify four instances of the interface ID and ipAddress and use a redundancyType of FOUR_IPS_REDUNDANCY.

 POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/externalVpnGateways
 {
   "name": "my-peer-gateway",
   "interfaces": [
     {
       "id": 0,
       "ipAddress": "192.0.2.1"
     },
     {
       "id": 1,
       "ipAddress": "192.0.2.2"
     }
   ],
   "redundancyType": "TWO_IPS_REDUNDANCY"
 }

Create a Cloud Router

Console

Under Cloud Router, if you haven't already, create a Cloud Router specifying the following options. You can use an existing Cloud Router if the router does not already manage a BGP session for a VLAN attachment associated with a Partner Interconnect connection.

To create a new Cloud Router, specify the following:
- A Name
- An optional Description
- A Google ASN for the new router
You can use any private ASN (64512 through 65534, 4200000000 through 4294967294) that you are not using elsewhere in your network. The Google ASN is used for all BGP sessions on the same Cloud Router, and you cannot change the ASN later.
To create the new router, click Create.

gcloud

To create a Cloud Router, run the following command:

gcloud compute routers create ROUTER_NAME \
    --region=REGION \
    --network=NETWORK \
    --asn=GOOGLE_ASN

Replace the following:

ROUTER_NAME: the name of the Cloud Router in the same region as the Cloud VPN gateway
REGION: the Google Cloud region where you create the gateway and tunnel
NETWORK: the name of your Google Cloud network
GOOGLE_ASN: any private ASN (64512 through 65534, 4200000000 through 4294967294) that you are not already using in the peer network; the Google ASN is used for all BGP sessions on the same Cloud Router, and it cannot be changed later

The router that you create should look similar to the following example output:

Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-a].
NAME       REGION        NETWORK
router-a   us-central1   network-a

API

You can use an existing Cloud Router if the router does not already manage a BGP session for a VLAN attachment associated with a Partner Interconnect connection. Otherwise, create another Cloud Router.

To create a Cloud Router, make a POST request by using the routers.insert method:

 POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/routers
 {
   "name": "router-a",
   "network": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/network-a"
 }

Create VPN tunnels

Console

If you configured your peer VPN gateway resource with one interface, on the Create VPN page, configure your single tunnel in the single VPN tunnel dialog. For a 99.99% SLA, you must create a second tunnel.

If you configured your peer VPN gateway resource with two or four interfaces, configure the associated dialogs that appear at the bottom of the Create VPN page.

To create VPN tunnels, follow these steps:

If applicable, under Associated Cloud VPN gateway interface, select the HA VPN interface and IP address combination that you want to associate with your peer VPN gateway interface for this tunnel.
Under Associated peer VPN gateway interface, select the peer VPN gateway interface and IP address combination that you want to associate with this tunnel and with the HA VPN interface. This interface must match the interface on your actual peer router.
1. Specify a Name for the tunnel.
2. Specify an optional Description.
3. Specify the IKE version. We recommend IKE v2, the default setting, if your peer router supports it.
4. Specify an IKE pre-shared key by using your pre-shared key (shared secret), which must correspond with the pre-shared key for the partner tunnel that you create on your peer gateway. If you haven't configured a pre-shared key on your peer VPN gateway and want to generate one, click Generate and copy. Make sure that you record the pre-shared key in a secure location because it cannot be retrieved after you create your VPN tunnels.
5. Click Done.
6. On the Create VPN page, repeat the tunnel creation steps for any remaining tunnel dialogs.
When you have configured all tunnels, click Create and continue.

gcloud

Create two VPN tunnels, one for each interface on the HA VPN gateway. When creating VPN tunnels, specify the peer side of the VPN tunnels as the external VPN gateway that you created earlier. Depending on the redundancy type of the external VPN gateway, configure the tunnels by using one of the following two options.

Option 1: If the external VPN gateway is two separate peer VPN gateway devices or a single device with two IP addresses

In this case, one VPN tunnel needs to connect to interface 0 of the external VPN gateway, and the other VPN tunnel needs to connect to interface 1 of the external VPN gateway.

Note: The VPN tunnels that you create are not available until the corresponding partner tunnels have been created on your peer VPN gateway or gateways.
```
gcloud compute vpn-tunnels create TUNNEL_NAME_IF0 \
   --peer-external-gateway=PEER_GW_NAME \
   --peer-external-gateway-interface=PEER_EXT_GW_IF0  \
   --region=REGION \
   --ike-version=IKE_VERS \
   --shared-secret=SHARED_SECRET \
   --router=ROUTER_NAME \
   --vpn-gateway=GW_NAME \
   --interface=INT_NUM_0
```
```
gcloud compute vpn-tunnels create TUNNEL_NAME_IF1 \
   --peer-external-gateway=PEER_GW_NAME \
   --peer-external-gateway-interface=PEER_EXT_GW_IF1 \
   --region=REGION \
   --ike-version=IKE_VERS \
   --shared-secret=SHARED_SECRET \
   --router=ROUTER_NAME \
   --vpn-gateway=GW_NAME \
   --interface=INT_NUM_1
```
Replace the following:
- TUNNEL_NAME_IF0 and TUNNEL_NAME_IF1: a name for the tunnel; naming the tunnels by including the gateway interface name can help identify the tunnels later
- PEER_GW_NAME: a name of the external peer gateway created earlier
- PEER_EXT_GW_IF0 and PEER_EXT_GW_IF1: the interface number configured earlier on the external peer gateway
- IKE_VERS: 1 for IKEv1 or 2 for IKEv2; if possible, use IKEv2 for the IKE version. If your peer gateway requires IKEv1, replace --ike-version 2 with --ike-version 1.
- SHARED_SECRET: your pre-shared key (shared secret), which must correspond with the pre-shared key for the partner tunnel that you create on your peer gateway; for recommendations, see Generating a strong pre-shared key
- GW_NAME: the name of the HA VPN gateway
- INT_NUM_0: the number 0 for the first interface on the HA VPN gateway that you created earlier
- INT_NUM_1: the number 1 for the second interface on the HA VPN gateway that you created earlier
- Optional: the --vpn-gateway-region is the region of the HA VPN gateway to operate on. Its value should be the same as --region. If not specified, this option is automatically set. This option overrides the default compute/region property value for this command invocation.
The command output should look similar to the following example:
```
Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-on-prem-if-0].
NAME                       REGION        GATEWAY       VPN_INTERFACE   PEER_GATEWAY  PEER_INTERFACE
tunnel-a-to-on-prem-if-0   us-central1   ha-vpn-gw-a   0               peer-gw       0

Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-on-prem-if-1].
NAME                       REGION        GATEWAY       VPN_INTERFACE   PEER_GATEWAY  PEER_INTERFACE
tunnel-a-to-on-prem-if-1   us-central1   ha-vpn-gw-a   1               peer-gw       1
```

Option 2: If the external VPN gateway is a single peer VPN gateway with a single external IP address

In this case, both VPN tunnels need to connect to interface 0 of the external VPN gateway.

Note: The VPN tunnels that you create are not available until the corresponding partner tunnels have been created on your peer VPN gateway or gateways.
```
gcloud compute vpn-tunnels create TUNNEL_NAME_IF0 \
   --peer-external-gateway=PEER_GW_NAME \
   --peer-external-gateway-interface=PEER_EXT_GW_IF0  \
   --region=REGION \
   --ike-version=IKE_VERS \
   --shared-secret=SHARED_SECRET \
   --router=ROUTER_NAME \
   --vpn-gateway=GW_NAME \
   --interface=INT_NUM_0
```
```
gcloud compute vpn-tunnels create TUNNEL_NAME_IF1 \
   --peer-external-gateway=PEER_GW_NAME \
   --peer-external-gateway-interface=PEER_EXT_GW_IF0 \
   --region=REGION \
   --ike-version=IKE_VERS \
   --shared-secret=SHARED_SECRET \
   --router=ROUTER_NAME \
   --vpn-gateway=GW_NAME \
   --interface=INT_NUM_1
```
Replace the following:
- TUNNEL_NAME_IF0 and TUNNEL_NAME_IF1: a name for the tunnel; naming the tunnels by including the gateway interface name can help identify the tunnels later
- PEER_GW_NAME: the name of the external peer gateway created earlier
- PEER_EXT_GW_IF0: the interface number configured earlier on the external peer gateway
- Optional: the --vpn-gateway-region is the region of the HA VPN gateway to operate on. Its value should be the same as --region. If not specified, this option is automatically set. This option overrides the default compute/region property value for this command invocation.
- IKE_VERS: 1 for IKEv1 or 2 for IKEv2. If possible, use IKEv2 for the IKE version. If your peer gateway requires IKEv1, replace --ike-version 2 with --ike-version 1.
- SHARED_SECRET: your pre-shared key (shared secret), which must correspond with the pre-shared key for the partner tunnel that you create on your peer gateway; for recommendations, see Generating a strong pre-shared key
- INT_NUM_0: the number 0 for the first interface on the HA VPN gateway that you created earlier
- INT_NUM_1: the number 1 for the second interface on the HA VPN gateway that you created earlier
The command output should look similar to the following example:
```
Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-on-prem-if-0].
NAME                       REGION       GATEWAY        VPN_INTERFACE   PEER_GATEWAY   PEER_INTERFACE
tunnel-a-to-on-prem-if-0   us-central1  ha-vpn-gw-a    0               peer-gw        0

Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-on-prem-if-1].
NAME                       REGION       GATEWAY        VPN_INTERFACE   PEER_GATEWAY   PEER_INTERFACE
tunnel-a-to-on-prem-if-1   us-central1  ha-vpn-gw-a    1               peer-gw        0
```

API

To create two VPN tunnels, one for each interface on the HA VPN gateway, make a POST request by using the vpnTunnels.insert method. To get a 99.99% uptime SLA, you must create a tunnel on each interface of your HA VPN gateway.

To create the first tunnel, run the following command:

   POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/vpnTunnels
   {
     "name": "ha-vpn-gw-a-tunnel-0",
     "ikeVersion": 2,
     "peerExternalGateway": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/externalVpnGateways/my-peer-gateway",
     "peerExternalGatewayInterface": 0,
     "router": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/routers/router-a",
     "sharedSecret": "SHARED_SECRET",
     "vpnGateway": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/vpnGateways/ha-vpn-gw-a",
     "vpnGatewayInterface": 0
   }

To create the second tunnel, repeat this command, but change the following parameters:
- name
- peerExternalGatewayInterface
- sharedSecret or sharedSecretHash(if needed)
- vpnGatewayInterface: change to the value of the other HA VPN gateway interface—in this example, change this value to 1

Create BGP sessions

Console

To create BGP sessions, follow these steps:

If you don't want to configure BGP sessions now, click Configure BGP sessions later, which opens the Summary and reminder page.
If you want to configure BGP sessions now, on the first VPN tunnel, click Configure.
On the Create BGP session page, complete the following steps:
1. Specify a Name for the BGP session.
2. Specify the Peer ASN configured for the peer VPN gateway.
3. Optional: Specify the Advertised route priority.
4. Specify the Cloud Router BGP IP address and the BGP Peer IP address. Make sure that the IP addresses meet the following requirements:
  - Each BGP IP address must belong to the same /30 CIDR that fits within 169.254.0.0/16.
  - Each BGP IP address cannot be the first (network) or last (broadcast) address in the /30 CIDR.
  - Each BGP IP address range for each BGP session must be unique among all Cloud Routers in all regions of a VPC network.
5. Optional: Click the Advertised routes list and create custom routes.
6. Click Save and continue.
Repeat the previous steps for the rest of the tunnels configured on the gateway. For each tunnel, use a different Cloud Router BGP IP address and BGP Peer IP address.
When you have configured all BGP sessions, click Save BGP configuration.

gcloud

To create a Cloud Router BGP interface and BGP peer for each tunnel that you previously configured on the HA VPN gateway interfaces, follow these steps.

In the commands, replace the following:

ROUTER_INTERFACE_NAME_0 and ROUTER_INTERFACE_NAME_1: a name for the Cloud Router BGP interface; it can be helpful to use names related to the tunnel names configured previously
Manual configuration: IP_ADDRESS_0 and IP_ADDRESS_1: the BGP IP address for the HA VPN gateway interface that you configure; each tunnel uses a different gateway interface
MASK_LENGTH: 30; each BGP session on the same Cloud Router must use a unique /30 CIDR from the 169.254.0.0/16 block
TUNNEL_NAME_0 and TUNNEL_NAME_1: the tunnel associated with the HA VPN gateway interface that you configured

Choose the automatic or manual configuration method of configuring BGP interfaces and BGP peers:

Automatic

To let Google Cloud automatically choose the link-local BGP IP addresses, complete the following steps.

For the first VPN tunnel

Add a BGP interface to the Cloud Router:

gcloud compute routers add-interface ROUTER_NAME \
   --interface-name=ROUTER_INTERFACE_NAME_0 \
   --mask-length=MASK_LENGTH \
   --vpn-tunnel=TUNNEL_NAME_0 \
   --region=REGION

The command output should look similar to the following example:

Updated [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-a].

Add a BGP peer to the interface for the first tunnel; replace PEER_NAME with a name for the peer VPN interface, and replace PEER_ASN with the ASN configured for the peer VPN gateway:

gcloud compute routers add-bgp-peer ROUTER_NAME \
   --peer-name=PEER_NAME \
   --peer-asn=PEER_ASN \
   --interface=ROUTER_INTERFACE_NAME_0 \
   --region=REGION

The command output should look similar to the following example:

Creating peer [bgp-peer-tunnel-a-to-on-prem-if-0] in router [router-a]...done.

For the second VPN tunnel

Add a BGP interface to the Cloud Router:

gcloud compute routers add-interface ROUTER_NAME \
 --interface-name=ROUTER_INTERFACE_NAME_1 \
 --mask-length=MASK_LENGTH \
 --vpn-tunnel=TUNNEL_NAME_1 \
 --region=REGION

Add a BGP peer to the interface for the second tunnel; replace PEER_NAME with a name for the peer VPN interface, and replace PEER_ASN with the ASN configured for the peer VPN gateway:
```
gcloud compute routers add-bgp-peer ROUTER_NAME \
 --peer-name=PEER_NAME \
 --peer-asn=PEER_ASN \
 --interface=ROUTER_INTERFACE_NAME_1 \
 --region=REGION
```

Manual

To manually assign the BGP IP addresses associated with the Google Cloud BGP interface and peer, complete the following steps.

For each VPN tunnel, decide on a pair of link-local BGP IP addresses in a /30 block from the 169.254.0.0/16 range (four addresses total). The BGP IP addresses that you specify must be unique among all Cloud Routers in all regions of a VPC network.

For each tunnel, assign one of these BGP IP addresses to the Cloud Router, and the other BGP IP address to your peer VPN gateway. Configure your peer VPN device to use the peer BGP IP address.

In the following commands, replace the following:

GOOGLE_BGP_IP_0: the BGP IP address of the Cloud Router's interface for the tunnel on Cloud VPN gateway interface 0; PEER_BGP_IP_0 represents the BGP IP address of its peer
GOOGLE_BGP_IP_1: the BGP IP address of the Cloud Router's interface for the tunnel on Cloud VPN gateway interface 1; PEER_BGP_IP_1 represents the BGP IP address of its peer

For the first VPN tunnel

Add a BGP interface to the Cloud Router; replace ROUTER_INTERFACE_NAME_0 with a name for the interface:

gcloud compute routers add-interface ROUTER_NAME \
  --interface-name=ROUTER_INTERFACE_NAME_0 \
  --vpn-tunnel=TUNNEL_NAME_0 \
  --ip-address=GOOGLE_BGP_IP_0 \
  --mask-length 30 \
  --region=REGION

The command output should look similar to the following example:

Updated [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-a].

Add a BGP peer to the interface; replace PEER_NAME with a name for the peer, and replace PEER_ASN with the ASN configured for the peer VPN gateway:

gcloud compute routers add-bgp-peer ROUTER_NAME \
 --peer-name=PEER_NAME \
 --peer-asn=PEER_ASN \
 --interface=ROUTER_INTERFACE_NAME_0 \
 --peer-ip-address=PEER_BGP_IP_0 \
 --region=REGION

The command output should look similar to the following example:

Creating peer [bgp-peer-tunnel-a-to-on-prem-if-0] in router [router-a]...done.

For the second VPN tunnel

Add a BGP interface to the Cloud Router; replace ROUTER_INTERFACE_NAME_1 with a name for the interface:

gcloud compute routers add-interface ROUTER_NAME \
 --interface-name=ROUTER_INTERFACE_NAME_1 \
 --vpn-tunnel=TUNNEL_NAME_1 \
 --ip-address=GOOGLE_BGP_IP_1 \
 --mask-length 30 \
 --region=REGION

Add a BGP peer to the interface; replace PEER_NAME with a name for the peer, and replace PEER_ASN with the ASN configured for the peer VPN gateway:

gcloud compute routers add-bgp-peer ROUTER_NAME \
 --peer-name=PEER_NAME \
 --peer-asn=PEER_ASN \
 --interface=ROUTER_INTERFACE_NAME_1 \
 --peer-ip-address=PEER_BGP_IP_1 \
 --region=REGION

API

To create a Cloud Router BGP interface, make either a PATCH or UPDATE request by using the routers.patch method or the routers.update method. PATCH updates only the parameters that you include. UPDATE updates all parameters for Cloud Router.

Note: For information about setting advertised routes, see Setting the base advertised route priority.

Create a BGP interface for each VPN tunnel on the first HA VPN gateway. For the second BGP interface, use a different name, linkedVpnTunnel name, and ipRange from the same /30 subnet as the ipRange for the first tunnel. Each BGP IP address range for each BGP session must be unique among all Cloud Routers in all regions of a VPC network.

Repeat this step and command for each VPN tunnel on the second HA VPN gateway.
```
PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/routers/{resourceId}
{
 "interfaces": [
   {
     "name": "if-tunnel-a-to-on-prem-if-0",
     "linkedVpnTunnel": "ha-vpn-gw-a-tunnel-0",
     "ipRange": "169.254.0.1/30"
    }
  ]
}
```

To add a BGP peer to a Cloud Router for a VPN tunnel, make a POST request by using the routers.insert method. Repeat this command for the other VPN tunnel, changing all options except nameand peerAsn.

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/routers
{
 "name": "router-a",
 "network": "network-a",
 "bgpPeers": [
 {
   "interfaceName": "if-tunnel-a-to-on-prem-if-0",
   "ipAddress": "169.254.0.1",
   "name": "bgp-peer-tunnel-a-to-on-prem-if-0",
   "peerAsn": "65002",
   "peerIpAddress": "169.254.0.2",
   "advertiseMode": "DEFAULT"
  }
]
}

Verify the configuration

Console

To verify the configuration, go to the Summary and reminder page:

The Summary section of this page lists information for the HA VPN gateway and the peer VPN gateway profile. For each VPN tunnel, you can view the VPN tunnel status, the BGP session name, the BGP session status, and the MED value (advertised route priority).
The Reminder section of this page lists the steps that you must complete to have a fully operational VPN connection between Cloud VPN and your peer VPN. After reviewing the information on this page, click OK.

gcloud

To verify the Cloud Router configuration, follow these steps:

List the BGP IP addresses chosen by Cloud Router. If you added a new interface to an existing Cloud Router, the BGP IP addresses for the new interface should be listed with the highest index number. Use the BGP IP address peerIpAddress to configure your peer VPN gateway:
```
gcloud compute routers get-status ROUTER_NAME \
   --region=REGION \
   --format='flattened(result.bgpPeerStatus[].name,
     result.bgpPeerStatus[].ipAddress, result.bgpPeerStatus[].peerIpAddress)'
```
The expected output for a Cloud Router managing two Cloud VPN tunnels (index 0 and index 1) should look like the following example where the following is true:
- GOOGLE_BGP_IP_0 represents the BGP IP address of the Cloud Router's interface for the tunnel on Cloud VPN gateway interface 0; PEER_BGP_IP_0 represents the BGP IP address of its peer.
- GOOGLE_BGP_IP_1 represents the BGP IP address of the Cloud Router's interface for the tunnel on Cloud VPN gateway interface 1; PEER_BGP_IP_1 represents the BGP IP address of its peer.
```
  result.bgpPeerStatus[0].ipAddress:      169.254.0.1 GOOGLE_BGP_IP_0
  result.bgpPeerStatus[0].name:           bgp-peer-tunnel-a-to-on-prem-if-0
  result.bgpPeerStatus[0].peerIpAddress:  169.254.0.2 PEER_BGP_IP_0
  result.bgpPeerStatus[1].ipAddress:      169.254.1.1 GOOGLE_BGP_IP_1
  result.bgpPeerStatus[1].name:           bgp-peer-tunnel-a-to-on-prem-if-1
  result.bgpPeerStatus[1].peerIpAddress:  169.254.1.2 PEER_BGP_IP_1
```

You can also use the following command to get a full listing of the Cloud Router configuration:

gcloud compute routers describe ROUTER_NAME \
   --region=REGION

The full listing should look like the following example:

bgp:
  advertiseMode: DEFAULT
  asn: 65001
bgpPeers:
- interfaceName: if-tunnel-a-to-on-prem-if-0
  ipAddress: 169.254.0.1
  name: bgp-peer-tunnel-a-to-on-prem-if-0
  peerAsn: 65002
  peerIpAddress: 169.254.0.2
- interfaceName: if-tunnel-a-to-on-prem-if-1
  ipAddress: 169.254.1.1
  name: bgp-peer-tunnel-a-to-on-prem-if-1
  peerAsn: 65004
  peerIpAddress: 169.254.1.2
creationTimestamp: '2018-10-18T11:58:41.704-07:00'
id: '4726715617198303502'
interfaces:
- ipRange: 169.254.0.1/30
  linkedVpnTunnel: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-on-prem-if-0
  name: if-tunnel-a-to-on-prem-if-0
- ipRange: 169.254.1.1/30
  linkedVpnTunnel: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-on-prem-if-1
  name: if-tunnel-a-to-on-prem-if-1
  kind: compute#router
  name: router-a
  network: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/network-a
  region: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1
  selfLink: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-a

API

To verify the Cloud Router configuration, make a GET request by using the routers.getRouterStatus method, and use an empty request body:

GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/routers

Create an additional tunnel on a single-tunnel gateway

Console

To receive a 99.99% uptime SLA, configure a tunnel on each HA VPN interface of an HA VPN gateway.

Configure a second tunnel in the following circumstances:

If you configured an HA VPN gateway to a peer VPN gateway that has a single peer VPN interface.
If you set up a single tunnel previously on an HA VPN for a peer VPN gateway that contains any number of interfaces, but now want a 99.99% uptime SLA for your HA VPN gateway.

To configure a second tunnel, follow the steps at Adding a tunnel from an HA VPN gateway to a peer VPN gateway.

Setting the base advertised route priority (optional)

The BGP sessions that you create let each Cloud Router advertise routes to peer networks. The advertisements use unmodified base priorities.

Use the configuration documented in Creating an HA VPN gateway and tunnel pair to a peer VPN for active/active routing configurations where the advertised route priorities of the two VPN tunnels from the Google Cloud side and the peer side match. To configure the same advertised route priorities from Google Cloud to both BGP peers, omit the advertised route priority on the Google Cloud side.

To create an active/passive configuration, configure unequal advertised route priorities for the two HA VPN tunnels. One advertised route priority must be higher than the other. For example:

BGP session1/tunnel1, route priority = 10
BGP session2/tunnel2, route priority = 20

For more information about the base advertised route priority, see Advertised prefixes and priorities.

You can also specify which routes are advertised by using custom advertisements:

Add the --advertisement-mode=CUSTOM flag (gcloud) or the advertiseMode: custom flag (API).
Specify IP address ranges with the --set-advertisement-ranges flag (gcloud) or the advertisedIpRanges flag (API).

Completing the configuration

Before you can use a new Cloud VPN gateway and its associated VPN tunnels, complete the following steps:

Set up the peer VPN gateway and configure the corresponding tunnel or tunnels there. For instructions, see the following:
- For specific configuration guidance for certain peer VPN devices, see Using third-party VPNs with Cloud VPN.
- For supported peer topologies, see Cloud VPN topologies.
- For general configuration parameters, see Configuring the peer VPN gateway.
Configure firewall rules in Google Cloud and your peer network as required.
Check the status of your VPN tunnels. This step includes checking the high-availability configuration of your HA VPN gateway.

Applying an organization policy constraint that restricts peer VPN gateway IP addresses

You can create a Google Cloud organization policy constraint that defines a set of IP addresses that are allowed or denied to peer VPN gateways through Classic VPN or HA VPN tunnels. This constraint contains an allowlist or a denylist of these peer IP addresses, which goes into effect for Cloud VPN tunnels that you create after you apply the constraint. For details, see Restricting peer IP addresses through a Cloud VPN tunnel.

To create an organization policy and associate it with an organization, a folder, or a project, use the examples listed in the next sections and follow the steps in Using constraints.

Required permissions

To set a peer IP address constraint at the organization or project level, you must first be granted the Organization Policy Administrator role (roles/orgpolicy.policyAdmin) for your organization.

Constraining connectivity from specific peer IP addresses

To only allow specific peer IP addresses through a Cloud VPN tunnel, perform the following steps:

Find your organization ID by running the following command:

gcloud organizations list

The command output should look like the following example:

      DISPLAY NAME             ID
      example-organization     29252605212

Create a JSON file that defines your policy, as in the following example:

     {
       "constraint": "constraints/compute.restrictVpnPeersIPs",
       "listPolicy": {
         "allowedValues": [
           "100.1.1.1",
         ],
       }
     }

Set the organization policy by using the Resource Manager gcloud command set-policy, passing in the JSON file, and using the ORGANIZATION_ID that you found in the previous step.

Constraining connectivity from any peer IP addresses

To prohibit the creation of any new Cloud VPN tunnel, follow the steps in this example constraint:

Find your organization ID or the ID for the node in your resource hierarchy where you want to set a policy.

Create a JSON file like the following example:

    {
      "constraint": "constraints/compute.restrictVpnPeersIPs",
      "listPolicy": {
        "allValues": "DENY"
      }
    }

Pass in the JSON file by running the same command that you would use for restricting specific peer IP addresses.

What's next

To use high-availability and high-throughput scenarios or multiple subnet scenarios, see Advanced configurations.
To help you solve common issues that you might encounter when using Cloud VPN, see Troubleshooting.