This page describes how to create a high-availability VPN gateway that connects to a peer VPN gateway.
HA VPN gateways use the HA VPN API and provide a 99.99% SLA. This configuration uses a tunnel pair, with one tunnel on each HA VPN gateway interface. To receive a 99.99% SLA, you must configure VPN tunnels on both HA VPN gateway interfaces.
There are two gateway components to configure for HA VPN:
- An HA VPN gateway in Google Cloud.
- Your peer VPN gateway or gateways: one or more physical VPN gateway devices or software applications in the peer network to which the HA VPN gateway connects. The peer gateway can be either an on-premises VPN gateway or one hosted by another cloud provider.
Create an external VPN gateway resource in Google Cloud for each peer gateway device or service. All peer gateway scenarios are represented in Google Cloud by a single external peer VPN resource.
For more information about Cloud VPN, see the following resources:
- For diagrams of this topology, see HA VPN to peer VPN gateways.
- For best practices to consider before setting up Cloud VPN, see Best practices for Cloud VPN.
- For more information about Cloud VPN, see the Cloud VPN overview.
- For definitions of terms used on this page, see Key terms.
Requirements
Redundancy types
The HA VPN API contains an option for `REDUNDANCY_TYPE`, which represents the number of interfaces that you configure for the external VPN gateway resource.
When you configure an external VPN gateway resource, `gcloud` commands automatically infer the following values of `REDUNDANCY_TYPE` from the number of interfaces that you provide in the interface ID:
- One external VPN interface is `SINGLE_IP_INTERNALLY_REDUNDANT`.
- Two external VPN interfaces are `TWO_IPS_REDUNDANCY`.
- Four external VPN interfaces are `FOUR_IPS_REDUNDANCY`.
When configuring external VPN gateways, use the following interface identification numbers for the stated number of external VPN interfaces:
- For one external VPN interface, use a value of `0`.
- For two external VPN interfaces, use values `0` and `1`.
- For four external VPN interfaces, use values `0`, `1`, `2`, and `3`.
Creating HA VPN to AWS peer gateways
When configuring an HA VPN external VPN gateway to Amazon Web Services (AWS), you can use either a transit gateway or a virtual private gateway. Only the transit gateway supports equal-cost multipath (ECMP) routing. When enabled, ECMP equally distributes traffic across active tunnels. The supported topology requires two AWS Site-to-Site VPN connections, `A` and `B`, each with two external IP addresses. This topology yields four external IP addresses in AWS: `A1`, `A2`, `B1`, and `B2`.
- Configure the four AWS IP addresses as a single external HA VPN gateway with `FOUR_IPS_REDUNDANCY`, where:
  - AWS IP `0` = `A1`
  - AWS IP `1` = `A2`
  - AWS IP `2` = `B1`
  - AWS IP `3` = `B2`
- Create four tunnels on the HA VPN gateway to meet the 99.99% SLA by using the following configuration:
  - HA VPN interface 0 to AWS interface 0
  - HA VPN interface 0 to AWS interface 1
  - HA VPN interface 1 to AWS interface 2
  - HA VPN interface 1 to AWS interface 3
Set up HA VPN with AWS:
1. In Google Cloud, create an HA VPN gateway and a Cloud Router in the region that you want. This action creates two external IP addresses, one for each gateway interface. Record the external IP addresses for use in the next step.
2. In AWS, create two customer gateways by using the following:
   - The Dynamic routing option
   - The Google ASN of the Cloud Router
   - The external IP addresses of the Google Cloud HA VPN gateway interfaces 0 and 1
3. Complete the steps that correspond to the AWS VPN option that you are using:
   - Transit Gateway
     - Create a transit gateway VPN attachment for the first customer gateway (interface 0), and use the Dynamic routing option.
     - Repeat the previous step for the second customer gateway (interface 1).
   - Virtual Private Gateway
     - Create a Site-to-Site VPN connection for the first customer gateway (interface 0) by using the following:
       - A Target Gateway Type of Virtual Private Gateway
       - The Dynamic routing option
     - Repeat the previous step for the second customer gateway (interface 1).
4. Download the AWS configuration files for both connections that you created. The files contain information that you need during the next steps in this procedure, including pre-shared authentication keys, outside tunnel IP addresses, and inside tunnel IP addresses.
5. In Google Cloud, do the following:
   - Create a new peer VPN gateway with four interfaces by using the AWS external IP addresses from the files that you downloaded in the previous step.
   - Create four VPN tunnels on the HA VPN gateway that you created in step 1. For each tunnel, configure the HA VPN gateway interface with the appropriate peer VPN gateway interface and pre-shared keys by using the information in the AWS configuration files that you downloaded.
   - Configure BGP sessions on the Cloud Router by using the BGP IP addresses from the downloaded AWS configuration files.
Creating Cloud Routers
When configuring a new HA VPN gateway, you can create a new Cloud Router, or you can use an existing Cloud Router with existing Cloud VPN tunnels or VLAN attachments. However, the Cloud Router that you use must not already manage a BGP session for a VLAN attachment associated with a Partner Interconnect connection because of the attachment's specific ASN requirements.
Before you begin
Review information about how dynamic routing works in Google Cloud.
Make sure that your peer VPN gateway supports Border Gateway Protocol (BGP).
Set up the following items in Google Cloud to make it easier to configure Cloud VPN:
- Sign in to your Google Account. If you don't already have one, sign up for a new account.
- In the Google Cloud Console, on the project selector page, select or create a Google Cloud project.
- Make sure that billing is enabled for your Cloud project. Learn how to confirm that billing is enabled for your project.
- Install and initialize the Cloud SDK.
- If you are using the `gcloud` command-line tool, set your project ID with the following command. The `gcloud` instructions on this page assume that you have set your project ID before issuing commands.
  ```shell
  gcloud config set project PROJECT_ID
  ```
- You can also view a project ID that has already been set by running the following command:
  ```shell
  gcloud config list --format='text(core.project)'
  ```
Creating a custom VPC network and subnet
Before creating an HA VPN gateway and tunnel pair, create a Virtual Private Cloud (VPC) network and at least one subnet in the region where the HA VPN gateway resides:
- To create a custom mode VPC network (recommended), see Creating a custom mode VPC network.
- To create subnets, see Working with subnets.
The examples in this document also use VPC global dynamic routing mode, which behaves in the following way:
- All instances of Cloud Router apply the on-premises routes that they learn to all subnets of the VPC network.
- Routes to all subnets in the VPC network are shared with on-premises routers.
Creating an HA VPN gateway and tunnel pair to a peer VPN
Follow the instructions in this section to create an HA VPN gateway, a peer VPN gateway resource, a pair of tunnels, and BGP sessions.
Console
The VPN setup wizard includes all required configuration steps for creating an HA VPN gateway, a peer VPN gateway resource, tunnels, and BGP sessions.
Create an HA VPN gateway
In the Google Cloud Console, go to the VPN page.
If you are creating a gateway for the first time, click Create VPN connection.
Select the VPN setup wizard.
If you have an existing HA VPN gateway, select the option button for that gateway.
Click Continue.
Specify a VPN gateway name.
Under VPC network, select an existing network or the default network.
Select a Region.
Click Create and continue.
The console page refreshes and displays your gateway information. Two external IP addresses are automatically allocated for each of your gateway interfaces. For future configuration steps, make note of the details of your gateway configuration.
Create a peer VPN gateway resource
The peer VPN gateway resource represents your non-Google Cloud gateway in Google Cloud.
- On the Create a VPN page, under Peer VPN gateway, select On-prem or Non-Google Cloud.
- Under Peer VPN gateway name, choose an existing peer gateway or click Create a new peer VPN gateway.
  If you choose an existing gateway, the Cloud Console selects the number of tunnels to configure based on the number of peer interfaces that you configured on the existing peer gateway.
  To create a new peer gateway, complete the following steps:
  - Specify a Name for the peer VPN gateway.
  - Under Peer VPN gateway interfaces, select `one`, `two`, or `four` interfaces, depending on the type of interfaces your peer gateway has. For examples of each type, see the Topologies page.
  - In the field for each peer VPN interface, specify the external IP address used for that interface. For more information, see Configuring the peer VPN gateway.
  - Click Create.
Create VPN tunnels
If you configured your peer VPN gateway resource with one interface, on the Create VPN page, configure your single tunnel in the single VPN tunnel dialog. For a 99.99% SLA, you must create a second tunnel.
If you configured your peer VPN gateway resource with two or four interfaces, configure the associated dialogs that appear at the bottom of the Create VPN page.
- Under Cloud Router, if you haven't already, create a Cloud Router specifying the following options. You can use an existing Cloud Router if the router does not already manage a BGP session for a VLAN attachment associated with a Partner Interconnect connection.
  To create a new Cloud Router, specify the following:
  - A Name
  - An optional Description
  - A Google ASN for the new router. You can use any private ASN (`64512` through `65534`, `4200000000` through `4294967294`) that you are not using elsewhere in your network. The Google ASN is used for all BGP sessions on the same Cloud Router, and you cannot change the ASN later.
  To create the new router, click Create.
- If applicable, under Associated Cloud VPN gateway interface, select the HA VPN interface and IP address combination that you want to associate with your peer VPN gateway interface for this tunnel.
- Under Associated peer VPN gateway interface, select the peer VPN gateway interface and IP address combination that you want to associate with this tunnel and with the HA VPN interface. This interface must match the interface on your actual peer router.
- Specify a Name for the tunnel.
- Specify an optional Description.
- Specify the IKE version. We recommend IKE v2, the default setting, if your peer router supports it.
- Specify an IKE pre-shared key by using your pre-shared key (shared secret), which must correspond with the pre-shared key for the partner tunnel that you create on your peer gateway. If you haven't configured a pre-shared key on your peer VPN gateway and want to generate one, click Generate and copy. Make sure that you record the pre-shared key in a secure location because it cannot be retrieved after you create your VPN tunnels.
- Click Done.
- On the Create VPN page, repeat the tunnel creation steps for any remaining tunnel dialogs.
When you have configured all tunnels, click Create and continue.
Create BGP sessions
- If you don't want to configure BGP sessions now, click Configure BGP sessions later, which opens the Summary and reminder page.
- If you want to configure BGP sessions now, on the first VPN tunnel, click Configure.
- On the Create BGP session page, complete the following steps:
- Specify a Name for the BGP session.
- Specify the Peer ASN configured for the peer VPN gateway.
- Optional: Specify the Advertised route priority.
- Specify the Cloud Router BGP IP address and the BGP Peer IP address. Make sure that the IP addresses meet the following requirements:
  - Each BGP IP address must belong to the same /30 CIDR that fits within `169.254.0.0/16`.
  - Each BGP IP address cannot be the first (network) or last (broadcast) address in the /30 CIDR.
  - Each BGP IP address range for each BGP session must be unique among all Cloud Routers in all regions of a VPC network.
- Optional: Click the Advertised routes list and create custom routes.
- Click Save and continue.
- Repeat the previous steps for the rest of the tunnels configured on the gateway. For each tunnel, use a different Cloud Router BGP IP address and BGP Peer IP address.
- When you have configured all BGP sessions, click Save BGP configuration.
Summary and reminder
- The Summary section of this page lists information for the HA VPN gateway and the peer VPN gateway profile. For each VPN tunnel, you can view the VPN tunnel status, the BGP session name, the BGP session status, and the MED value (advertised route priority).
- The Reminder section of this page lists the steps that you must complete to have a fully operational VPN connection between Cloud VPN and your peer VPN. After reviewing the information on this page, click OK.
Create an additional tunnel on a single-tunnel gateway
To receive a 99.99% uptime SLA, configure a tunnel on each HA VPN interface of an HA VPN gateway.
Configure a second tunnel in the following circumstances:
- If you configured an HA VPN gateway to a peer VPN gateway that has a single peer VPN interface.
- If you set up a single tunnel previously on an HA VPN for a peer VPN gateway that contains any number of interfaces, but now want a 99.99% uptime SLA for your HA VPN gateway.
To configure a second tunnel, follow the steps at Adding a tunnel from an HA VPN gateway to a peer VPN gateway.
gcloud
Create an HA VPN gateway
To create an HA VPN gateway, run the following command. When the gateway is created, two external IP addresses are automatically allocated, one for each gateway interface.
```shell
gcloud compute vpn-gateways create GW_NAME \
    --network=NETWORK \
    --region=REGION
```
Replace the following:
- `GW_NAME`: the name of the gateway
- `NETWORK`: the name of your Google Cloud network
- `REGION`: the Google Cloud region where you create the gateway and tunnel
The gateway that you create should look similar to the following example output. An external IP address has been automatically assigned to each gateway interface:
```
Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnGateways/ha-vpn-gw-a].
NAME         INTERFACE0    INTERFACE1    NETWORK    REGION
ha-vpn-gw-a  203.0.113.16  203.0.113.23  network-a  us-central1
```
Create a Cloud Router
To create a Cloud Router, run the following command:
```shell
gcloud compute routers create ROUTER_NAME \
    --region=REGION \
    --network=NETWORK \
    --asn=GOOGLE_ASN
```
Replace the following:
- `ROUTER_NAME`: the name of the Cloud Router in the same region as the Cloud VPN gateway
- `REGION`: the Google Cloud region where you create the gateway and tunnel
- `NETWORK`: the name of your Google Cloud network
- `GOOGLE_ASN`: any private ASN (`64512` through `65534`, `4200000000` through `4294967294`) that you are not already using in the peer network; the Google ASN is used for all BGP sessions on the same Cloud Router, and it cannot be changed later
The router that you create should look similar to the following example output:
```
Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-a].
NAME      REGION       NETWORK
router-a  us-central1  network-a
```
Create an external VPN gateway resource
Create an external VPN gateway resource that provides information to Google Cloud about your peer VPN gateway or gateways. Depending on the high availability recommendations for your peer VPN gateway, you can create external VPN gateway resources for the following different types of on-premises VPN gateways:
- Two separate peer VPN gateway devices where the two devices are redundant with each other, and each device has its own external IP address.
- A single peer VPN gateway that uses two separate interfaces, each with its own external IP address. For this kind of peer gateway, you can create a single external VPN gateway with two interfaces.
- A single peer VPN gateway with a single external IP address.
Option 1: Create an external VPN gateway resource for two separate peer VPN gateway devices
For this type of peer gateway, each interface of the external VPN gateway has one external IP address, and each address is from one of the peer VPN gateway devices:
```shell
gcloud compute external-vpn-gateways create PEER_GW_NAME \
    --interfaces 0=PEER_GW_IP_0,1=PEER_GW_IP_1
```
Replace the following:
- `PEER_GW_NAME`: a name representing the peer gateway
- `PEER_GW_IP_0`: the external IP address for a peer gateway
- `PEER_GW_IP_1`: the external IP address for another peer gateway
The external VPN gateway resource that you created should look like the following example, where `PEER_GW_IP_0` and `PEER_GW_IP_1` show the actual external IP addresses of the peer gateway interfaces:
```
Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/externalVpnGateways/peer-gw].
NAME     INTERFACE0    INTERFACE1
peer-gw  PEER_GW_IP_0  PEER_GW_IP_1
```
Option 2: Create an external VPN gateway resource for a single peer VPN gateway with two separate interfaces
For this type of peer gateway, create a single external VPN gateway with two interfaces:
```shell
gcloud compute external-vpn-gateways create PEER_GW_NAME \
    --interfaces 0=PEER_GW_IP_0,1=PEER_GW_IP_1
```
Replace the following:
- `PEER_GW_NAME`: a name representing the peer gateway
- `PEER_GW_IP_0`: the external IP address for one interface from the peer gateway
- `PEER_GW_IP_1`: the external IP address for another interface from the peer gateway
The external VPN gateway resource that you created should look like the following example, where `PEER_GW_IP_0` and `PEER_GW_IP_1` show the actual external IP addresses of the peer gateway interfaces:
```
Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/externalVpnGateways/peer-gw].
NAME     INTERFACE0    INTERFACE1
peer-gw  PEER_GW_IP_0  PEER_GW_IP_1
```
Option 3: Create an external VPN gateway resource for a single peer VPN gateway with a single external IP address
For this type of peer gateway, create an external VPN gateway with one interface:
```shell
gcloud compute external-vpn-gateways create PEER_GW_NAME \
    --interfaces 0=PEER_GW_IP_0
```
Replace the following:
- `PEER_GW_NAME`: a name representing the peer gateway
- `PEER_GW_IP_0`: the external IP address for the interface from the peer gateway
The external VPN gateway resource that you created should look like the following example, where `PEER_GW_IP_0` shows the actual external IP address of the peer gateway interface:
```
Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/externalVpnGateways/peer-gw].
NAME     INTERFACE0
peer-gw  PEER_GW_IP_0
```
Create two VPN tunnels, one for each interface on the HA VPN gateway
When creating VPN tunnels, specify the peer side of the VPN tunnels as the external VPN gateway that you created earlier. Depending on the redundancy type of the external VPN gateway, configure the tunnels using one of the following two options.
Option 1: If the external VPN gateway is two separate peer VPN gateway devices or a single device with two IP addresses
In this case, one VPN tunnel needs to connect to interface 0 of the external VPN gateway, and the other VPN tunnel needs to connect to interface 1 of the external VPN gateway.
```shell
gcloud compute vpn-tunnels create TUNNEL_NAME_IF0 \
    --peer-external-gateway=PEER_GW_NAME \
    --peer-external-gateway-interface=PEER_EXT_GW_IF0 \
    --region=REGION \
    --ike-version=IKE_VERS \
    --shared-secret=SHARED_SECRET \
    --router=ROUTER_NAME \
    --vpn-gateway=GW_NAME \
    --interface=INT_NUM_0
```
```shell
gcloud compute vpn-tunnels create TUNNEL_NAME_IF1 \
    --peer-external-gateway=PEER_GW_NAME \
    --peer-external-gateway-interface=PEER_EXT_GW_IF1 \
    --region=REGION \
    --ike-version=IKE_VERS \
    --shared-secret=SHARED_SECRET \
    --router=ROUTER_NAME \
    --vpn-gateway=GW_NAME \
    --interface=INT_NUM_1
```
Replace the following:
- `TUNNEL_NAME_IF0` and `TUNNEL_NAME_IF1`: a name for the tunnel; naming the tunnels by including the gateway interface name can help identify the tunnels later
- `PEER_GW_NAME`: the name of the external peer gateway created earlier
- `PEER_EXT_GW_IF0` and `PEER_EXT_GW_IF1`: the interface number configured earlier on the external peer gateway
- `IKE_VERS`: `1` for IKEv1 or `2` for IKEv2; if possible, use IKEv2 for the IKE version. If your peer gateway requires IKEv1, replace `--ike-version 2` with `--ike-version 1`.
- `SHARED_SECRET`: your pre-shared key (shared secret), which must correspond with the pre-shared key for the partner tunnel that you create on your peer gateway; for recommendations, see Generating a strong pre-shared key
- `GW_NAME`: the name of the HA VPN gateway
- `INT_NUM_0`: the number `0` for the first interface on the HA VPN gateway that you created earlier
- `INT_NUM_1`: the number `1` for the second interface on the HA VPN gateway that you created earlier
- Optional: `--vpn-gateway-region` is the region of the HA VPN gateway to operate on. Its value should be the same as `--region`. If not specified, this option is automatically set. This option overrides the default compute/region property value for this command invocation.
The command output should look similar to the following example:
```
Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-on-prem-if-0].
NAME                      REGION       GATEWAY      VPN_INTERFACE  PEER_GATEWAY  PEER_INTERFACE
tunnel-a-to-on-prem-if-0  us-central1  ha-vpn-gw-a  0              peer-gw       0
Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-on-prem-if-1].
NAME                      REGION       GATEWAY      VPN_INTERFACE  PEER_GATEWAY  PEER_INTERFACE
tunnel-a-to-on-prem-if-1  us-central1  ha-vpn-gw-a  1              peer-gw       1
```
Option 2: If the external VPN gateway is a single peer VPN gateway with a single external IP address
In this case, both VPN tunnels need to connect to interface 0 of the external VPN gateway.
```shell
gcloud compute vpn-tunnels create TUNNEL_NAME_IF0 \
    --peer-external-gateway=PEER_GW_NAME \
    --peer-external-gateway-interface=PEER_EXT_GW_IF0 \
    --region=REGION \
    --ike-version=IKE_VERS \
    --shared-secret=SHARED_SECRET \
    --router=ROUTER_NAME \
    --vpn-gateway=GW_NAME \
    --interface=INT_NUM_0
```
```shell
gcloud compute vpn-tunnels create TUNNEL_NAME_IF1 \
    --peer-external-gateway=PEER_GW_NAME \
    --peer-external-gateway-interface=PEER_EXT_GW_IF0 \
    --region=REGION \
    --ike-version=IKE_VERS \
    --shared-secret=SHARED_SECRET \
    --router=ROUTER_NAME \
    --vpn-gateway=GW_NAME \
    --interface=INT_NUM_1
```
Replace the following:
- `TUNNEL_NAME_IF0` and `TUNNEL_NAME_IF1`: a name for the tunnel; naming the tunnels by including the gateway interface name can help identify the tunnels later
- `PEER_GW_NAME`: the name of the external peer gateway created earlier
- `PEER_EXT_GW_IF0`: the interface number configured earlier on the external peer gateway
- `IKE_VERS`: `1` for IKEv1 or `2` for IKEv2. If possible, use IKEv2 for the IKE version. If your peer gateway requires IKEv1, replace `--ike-version 2` with `--ike-version 1`.
- `SHARED_SECRET`: your pre-shared key (shared secret), which must correspond with the pre-shared key for the partner tunnel that you create on your peer gateway; for recommendations, see Generating a strong pre-shared key
- `INT_NUM_0`: the number `0` for the first interface on the HA VPN gateway that you created earlier
- `INT_NUM_1`: the number `1` for the second interface on the HA VPN gateway that you created earlier
- Optional: `--vpn-gateway-region` is the region of the HA VPN gateway to operate on. Its value should be the same as `--region`. If not specified, this option is automatically set. This option overrides the default compute/region property value for this command invocation.
The command output should look similar to the following example:
```
Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-on-prem-if-0].
NAME                      REGION       GATEWAY      VPN_INTERFACE  PEER_GATEWAY  PEER_INTERFACE
tunnel-a-to-on-prem-if-0  us-central1  ha-vpn-gw-a  0              peer-gw       0
Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-on-prem-if-1].
NAME                      REGION       GATEWAY      VPN_INTERFACE  PEER_GATEWAY  PEER_INTERFACE
tunnel-a-to-on-prem-if-1  us-central1  ha-vpn-gw-a  1              peer-gw       0
```
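The interface pairings in the two tunnel options above, the four-tunnel AWS mapping, and the `REDUNDANCY_TYPE` inference from the Requirements section follow one rule: every HA VPN gateway interface gets a tunnel, and the peer interfaces are spread across them. The following added Python example (not code from the Cloud VPN documentation) captures that rule for all three redundancy types, validates the peer address list, and renders the matching `gcloud compute vpn-tunnels create` commands and the `externalVpnGateways.insert` request body. The function names, the documentation-range sample addresses, and the practice of reading each shared secret from a shell variable are assumptions of this example.

```python
"""Plan HA VPN tunnels from a peer gateway's external IP addresses.

Added example, not code from the Cloud VPN documentation. It reproduces the
REDUNDANCY_TYPE inference described on this page and emits the interface
pairings that put a tunnel on both HA VPN gateway interfaces, which the
99.99% SLA requires. Helper names and sample addresses are assumptions.
"""
import ipaddress

REDUNDANCY_BY_COUNT = {
    1: "SINGLE_IP_INTERNALLY_REDUNDANT",
    2: "TWO_IPS_REDUNDANCY",
    4: "FOUR_IPS_REDUNDANCY",
}

# HA VPN interface -> peer interface pairings, one tunnel per pair.
TUNNEL_PAIRINGS = {
    "SINGLE_IP_INTERNALLY_REDUNDANT": [(0, 0), (1, 0)],      # both tunnels to peer interface 0
    "TWO_IPS_REDUNDANCY": [(0, 0), (1, 1)],                   # two devices, or one device with two IPs
    "FOUR_IPS_REDUNDANCY": [(0, 0), (0, 1), (1, 2), (1, 3)],  # AWS: A1, A2 on if0; B1, B2 on if1
}


def check_peer_ips(peer_ips):
    """Return None if peer_ips can back an external VPN gateway, else a reason."""
    try:
        addrs = [ipaddress.ip_address(ip) for ip in peer_ips]
    except ValueError as exc:
        return f"invalid address: {exc}"
    if len(set(addrs)) != len(addrs):
        return "each external VPN interface needs a distinct IP address"
    if len(addrs) not in REDUNDANCY_BY_COUNT:
        return f"unsupported interface count {len(addrs)}; use 1, 2 or 4"
    return None


def infer_redundancy_type(peer_ips):
    """REDUNDANCY_TYPE that gcloud infers from the number of interfaces given."""
    problem = check_peer_ips(peer_ips)
    if problem:
        raise ValueError(problem)
    return REDUNDANCY_BY_COUNT[len(peer_ips)]


def interfaces_flag(peer_ips):
    """Value for 'gcloud compute external-vpn-gateways create --interfaces'."""
    infer_redundancy_type(peer_ips)  # validates count and uniqueness
    return ",".join(f"{i}={ip}" for i, ip in enumerate(peer_ips))


def external_gateway_body(name, peer_ips):
    """Request body for externalVpnGateways.insert with the inferred redundancyType."""
    return {
        "name": name,
        "interfaces": [{"id": i, "ipAddress": ip} for i, ip in enumerate(peer_ips)],
        "redundancyType": infer_redundancy_type(peer_ips),
    }


def tunnel_plan(peer_ips):
    """(ha_vpn_interface, peer_interface) pairs covering both HA VPN interfaces."""
    return list(TUNNEL_PAIRINGS[infer_redundancy_type(peer_ips)])


def tunnel_commands(gw_name, peer_gw_name, router_name, region, peer_ips):
    """Render one 'gcloud compute vpn-tunnels create' command per planned tunnel.

    Each tunnel's pre-shared key is taken from a shell variable so that the key
    never sits in the script or in shell history as a literal.
    """
    cmds = []
    for n, (ha_if, peer_if) in enumerate(tunnel_plan(peer_ips)):
        cmds.append(
            f"gcloud compute vpn-tunnels create {gw_name}-tunnel-{n}"
            f" --peer-external-gateway={peer_gw_name}"
            f" --peer-external-gateway-interface={peer_if}"
            f" --region={region} --ike-version=2"
            f' --shared-secret="$SHARED_SECRET_{n}"'
            f" --router={router_name} --vpn-gateway={gw_name} --interface={ha_if}"
        )
    return cmds


if __name__ == "__main__":
    # Constructed sample: an AWS-style peer with four external addresses from documentation ranges.
    aws_ips = ["192.0.2.1", "192.0.2.2", "198.51.100.1", "198.51.100.2"]
    print(interfaces_flag(aws_ips))
    for cmd in tunnel_commands("ha-vpn-gw-a", "peer-gw", "router-a", "us-central1", aws_ips):
        print(cmd)
```

Run it as a script to see the four AWS commands; `tunnel_plan` with a single address returns the Option 2 layout (both tunnels to peer interface 0), and with two addresses the Option 1 layout. Passing three addresses or a duplicate is rejected before any command is rendered, which is the check worth having before you start creating tunnels against a peer gateway resource.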
Create Cloud Router interfaces and BGP peers
To create a Cloud Router BGP interface and BGP peer for each tunnel that you previously configured on the HA VPN gateway interfaces, follow these steps.
In the commands, replace the following:
- `ROUTER_INTERFACE_NAME_0` and `ROUTER_INTERFACE_NAME_1`: a name for the Cloud Router BGP interface; it can be helpful to use names related to the tunnel names configured previously
- Manual configuration: `IP_ADDRESS_0` and `IP_ADDRESS_1`: the BGP IP address for the HA VPN gateway interface that you configure; each tunnel uses a different gateway interface
- `MASK_LENGTH`: `30`; each BGP session on the same Cloud Router must use a unique /30 CIDR from the `169.254.0.0/16` block
- `TUNNEL_NAME_0` and `TUNNEL_NAME_1`: the tunnel associated with the HA VPN gateway interface that you configured
Choose the automatic or manual configuration method of configuring BGP interfaces and BGP peers:
Automatic
To let Google Cloud automatically choose the link-local BGP IP addresses, complete the following steps.
For the first VPN tunnel
Add a BGP interface to the Cloud Router:
```shell
gcloud compute routers add-interface ROUTER_NAME \
    --interface-name=ROUTER_INTERFACE_NAME_0 \
    --mask-length=MASK_LENGTH \
    --vpn-tunnel=TUNNEL_NAME_0 \
    --region=REGION
```
The command output should look similar to the following example:
```
Updated [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-a].
```
Add a BGP peer to the interface for the first tunnel; replace `PEER_NAME` with a name for the peer VPN interface, and replace `PEER_ASN` with the ASN configured for the peer VPN gateway:
```shell
gcloud compute routers add-bgp-peer ROUTER_NAME \
    --peer-name=PEER_NAME \
    --peer-asn=PEER_ASN \
    --interface=ROUTER_INTERFACE_NAME_0 \
    --region=REGION
```
The command output should look similar to the following example:
```
Creating peer [bgp-peer-tunnel-a-to-on-prem-if-0] in router [router-a]...done.
```
For the second VPN tunnel
Add a BGP interface to the Cloud Router:
```shell
gcloud compute routers add-interface ROUTER_NAME \
    --interface-name=ROUTER_INTERFACE_NAME_1 \
    --mask-length=MASK_LENGTH \
    --vpn-tunnel=TUNNEL_NAME_1 \
    --region=REGION
```
Add a BGP peer to the interface for the second tunnel; replace `PEER_NAME` with a name for the peer VPN interface, and replace `PEER_ASN` with the ASN configured for the peer VPN gateway:
```shell
gcloud compute routers add-bgp-peer ROUTER_NAME \
    --peer-name=PEER_NAME \
    --peer-asn=PEER_ASN \
    --interface=ROUTER_INTERFACE_NAME_1 \
    --region=REGION
```
Manual
To manually assign the BGP IP addresses associated with the Google Cloud BGP interface and peer, complete the following steps:
For each VPN tunnel, decide on a pair of link-local BGP IP addresses in a `/30` block from the `169.254.0.0/16` range (four addresses total). The BGP IP addresses that you specify must be unique among all Cloud Routers in all regions of a VPC network. For each tunnel, assign one of these BGP IP addresses to the Cloud Router, and the other BGP IP address to your peer VPN gateway. Configure your peer VPN device to use the peer BGP IP address.
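The address rules above, and the same three requirements listed for the console BGP session dialog (same /30 inside `169.254.0.0/16`, never the network or broadcast address, no /30 reused by another session in the VPC network), are easy to get wrong by hand when a VPC network already carries several Cloud Routers. The following added Python example (not code from the Cloud VPN documentation) checks a proposed pair against those rules and, for the manual method, picks the lowest free /30 given the ranges already in use. Function names and the sample in-use ranges are assumptions of this example.

```python
"""Validate and allocate link-local /30 ranges for Cloud Router BGP sessions.

Added example, not code from the Cloud VPN documentation. It checks the
requirements stated on this page: the Cloud Router address and the peer
address of a session share one /30 inside 169.254.0.0/16, neither is the
network or broadcast address, and the /30 is not reused by any other BGP
session in the VPC network. Function names are assumptions.
"""
import ipaddress

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def bgp_pair_problem(google_bgp_ip, peer_bgp_ip, used_ranges=()):
    """Return None if the pair is valid, else a string saying why it is not.

    used_ranges: /30 blocks already assigned to BGP sessions on any Cloud
    Router in the VPC network (sessions in other regions count too).
    """
    try:
        g = ipaddress.ip_address(google_bgp_ip)
        p = ipaddress.ip_address(peer_bgp_ip)
    except ValueError as exc:
        return f"invalid address: {exc}"
    for a in (g, p):
        if a not in LINK_LOCAL:
            return f"{a} is outside {LINK_LOCAL}"
    block = ipaddress.ip_network(f"{g}/30", strict=False)
    if p not in block:
        return f"{g} and {p} are not in the same /30"
    if g == p:
        return "Cloud Router and peer must use different addresses"
    for a in (g, p):
        if a in (block.network_address, block.broadcast_address):
            return f"{a} is the network or broadcast address of {block}"
    if block in {ipaddress.ip_network(r, strict=False) for r in used_ranges}:
        return f"{block} is already used by another BGP session"
    return None


def validate_bgp_pair(google_bgp_ip, peer_bgp_ip, used_ranges=()):
    """Return the shared /30 as an IPv4Network, or raise ValueError."""
    problem = bgp_pair_problem(google_bgp_ip, peer_bgp_ip, used_ranges)
    if problem:
        raise ValueError(problem)
    return ipaddress.ip_network(f"{google_bgp_ip}/30", strict=False)


def next_free_block(used_ranges=()):
    """Lowest /30 in 169.254.0.0/16 that is not present in used_ranges."""
    used = {ipaddress.ip_network(r, strict=False) for r in used_ranges}
    for block in LINK_LOCAL.subnets(new_prefix=30):
        if block not in used:
            return block
    raise RuntimeError("no free /30 left in 169.254.0.0/16")


def allocate_session(used_ranges=()):
    """Pick a free /30 for the manual method; return (google_bgp_ip, peer_bgp_ip, block).

    The two usable hosts of the /30 go to the Cloud Router (lower) and the peer (upper).
    """
    block = next_free_block(used_ranges)
    low, high = block.hosts()  # a /30 has exactly two usable host addresses
    return str(low), str(high), block


if __name__ == "__main__":
    # Constructed sample: two sessions already exist somewhere in the VPC network.
    in_use = ["169.254.0.0/30", "169.254.0.4/30"]
    print(allocate_session(in_use))
    print(bgp_pair_problem("169.254.0.0", "169.254.0.1"))  # network address is rejected
```

Feed `next_free_block` the `ipRange` values from `gcloud compute routers describe` for every Cloud Router in the VPC network, not just the one in this region, since the uniqueness requirement spans all regions. The Automatic method on this page lets Google Cloud choose the addresses for you; this helper is only for the manual path.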
In the following commands, replace the following:
- `GOOGLE_BGP_IP_0`: the BGP IP address of the Cloud Router's interface for the tunnel on Cloud VPN gateway interface 0; `PEER_BGP_IP_0` represents the BGP IP address of its peer
- `GOOGLE_BGP_IP_1`: the BGP IP address of the Cloud Router's interface for the tunnel on Cloud VPN gateway interface 1; `PEER_BGP_IP_1` represents the BGP IP address of its peer
For the first VPN tunnel
Add a BGP interface to the Cloud Router; replace `ROUTER_INTERFACE_NAME_0` with a name for the interface:
```shell
gcloud compute routers add-interface ROUTER_NAME \
    --interface-name=ROUTER_INTERFACE_NAME_0 \
    --vpn-tunnel=TUNNEL_NAME_0 \
    --ip-address=GOOGLE_BGP_IP_0 \
    --mask-length 30 \
    --region=REGION
```
The command output should look similar to the following example:
```
Updated [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-a].
```
Add a BGP peer to the interface; replace `PEER_NAME` with a name for the peer, and replace `PEER_ASN` with the ASN configured for the peer VPN gateway:
```shell
gcloud compute routers add-bgp-peer ROUTER_NAME \
    --peer-name=PEER_NAME \
    --peer-asn=PEER_ASN \
    --interface=ROUTER_INTERFACE_NAME_0 \
    --peer-ip-address=PEER_BGP_IP_0 \
    --region=REGION
```
The command output should look similar to the following example:
```
Creating peer [bgp-peer-tunnel-a-to-on-prem-if-0] in router [router-a]...done.
```
For the second VPN tunnel
Add a BGP interface to the Cloud Router; replace `ROUTER_INTERFACE_NAME_1` with a name for the interface:
```shell
gcloud compute routers add-interface ROUTER_NAME \
    --interface-name=ROUTER_INTERFACE_NAME_1 \
    --vpn-tunnel=TUNNEL_NAME_1 \
    --ip-address=GOOGLE_BGP_IP_1 \
    --mask-length 30 \
    --region=REGION
```
Add a BGP peer to the interface; replace `PEER_NAME` with a name for the peer, and replace `PEER_ASN` with the ASN configured for the peer VPN gateway:
```shell
gcloud compute routers add-bgp-peer ROUTER_NAME \
    --peer-name=PEER_NAME \
    --peer-asn=PEER_ASN \
    --interface=ROUTER_INTERFACE_NAME_1 \
    --peer-ip-address=PEER_BGP_IP_1 \
    --region=REGION
```
Verify the Cloud Router configuration
List the BGP IP addresses chosen by Cloud Router. If you added a new interface to an existing Cloud Router, the BGP IP addresses for the new interface should be listed with the highest index number. Use the BGP IP address `peerIpAddress` to configure your peer VPN gateway:
```shell
gcloud compute routers get-status ROUTER_NAME \
    --region=REGION \
    --format='flattened(result.bgpPeerStatus[].name, result.bgpPeerStatus[].ipAddress, result.bgpPeerStatus[].peerIpAddress)'
```
The expected output for a Cloud Router managing two Cloud VPN tunnels (index `0` and index `1`) should look like the following example, where the following is true:
- `GOOGLE_BGP_IP_0` represents the BGP IP address of the Cloud Router's interface for the tunnel on Cloud VPN gateway interface 0; `PEER_BGP_IP_0` represents the BGP IP address of its peer.
- `GOOGLE_BGP_IP_1` represents the BGP IP address of the Cloud Router's interface for the tunnel on Cloud VPN gateway interface 1; `PEER_BGP_IP_1` represents the BGP IP address of its peer.
```
result.bgpPeerStatus[0].ipAddress:     169.254.0.1  GOOGLE_BGP_IP_0
result.bgpPeerStatus[0].name:          bgp-peer-tunnel-a-to-on-prem-if-0
result.bgpPeerStatus[0].peerIpAddress: 169.254.0.2  PEER_BGP_IP_0
result.bgpPeerStatus[1].ipAddress:     169.254.1.1  GOOGLE_BGP_IP_1
result.bgpPeerStatus[1].name:          bgp-peer-tunnel-a-to-on-prem-if-1
result.bgpPeerStatus[1].peerIpAddress: 169.254.1.2  PEER_BGP_IP_1
```
You can also use the following command to get a full listing of the Cloud Router configuration:
```shell
gcloud compute routers describe ROUTER_NAME \
    --region=REGION
```
The full listing should look like the following example:
```
bgp:
  advertiseMode: DEFAULT
  asn: 65001
bgpPeers:
- interfaceName: if-tunnel-a-to-on-prem-if-0
  ipAddress: 169.254.0.1
  name: bgp-peer-tunnel-a-to-on-prem-if-0
  peerAsn: 65002
  peerIpAddress: 169.254.0.2
- interfaceName: if-tunnel-a-to-on-prem-if-1
  ipAddress: 169.254.1.1
  name: bgp-peer-tunnel-a-to-on-prem-if-1
  peerAsn: 65004
  peerIpAddress: 169.254.1.2
creationTimestamp: '2018-10-18T11:58:41.704-07:00'
id: '4726715617198303502'
interfaces:
- ipRange: 169.254.0.1/30
  linkedVpnTunnel: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-on-prem-if-0
  name: if-tunnel-a-to-on-prem-if-0
- ipRange: 169.254.1.1/30
  linkedVpnTunnel: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-on-prem-if-1
  name: if-tunnel-a-to-on-prem-if-1
kind: compute#router
name: router-a
network: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/network-a
region: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1
selfLink: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-a
```
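When the peer device is configured by someone else, or by automation, the `peerIpAddress` values from the flattened `get-status` output above are what get handed over, and the highest-index entry is the one for the most recently added interface. The following added Python example (not code from the Cloud VPN documentation) parses that flattened output into one record per BGP session, confirms each Cloud Router address and its peer share a usable /30 before anything is handed to the peer side, and picks out the newest session. The sample text is constructed to match the shape of the output shown above; function names are assumptions of this example.

```python
"""Parse 'gcloud compute routers get-status --format=flattened(...)' output.

Added example, not code from the Cloud VPN documentation. It turns the
flattened key/value lines shown on this page into one record per BGP peer,
checks that each Cloud Router address and its peer share a usable /30, and
picks out the peer addresses you hand to the peer VPN gateway. The sample
text is constructed; function names are assumptions.
"""
import ipaddress
import re

# Constructed sample in the shape of the get-status output shown on this page.
SAMPLE_STATUS = """\
result.bgpPeerStatus[0].ipAddress:     169.254.0.1
result.bgpPeerStatus[0].name:          bgp-peer-tunnel-a-to-on-prem-if-0
result.bgpPeerStatus[0].peerIpAddress: 169.254.0.2
result.bgpPeerStatus[1].ipAddress:     169.254.1.1
result.bgpPeerStatus[1].name:          bgp-peer-tunnel-a-to-on-prem-if-1
result.bgpPeerStatus[1].peerIpAddress: 169.254.1.2
"""

LINE_RE = re.compile(r"^result\.bgpPeerStatus\[(\d+)\]\.(\w+):\s*(.*?)\s*$")


def parse_flattened_status(text):
    """Return {index: {field: value}} for the bgpPeerStatus entries in text.

    Lines that do not match the flattened key pattern are skipped, so extra
    fields in the projection or blank lines do not break parsing.
    """
    peers = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            idx, field, value = int(m.group(1)), m.group(2), m.group(3)
            peers.setdefault(idx, {})[field] = value
    return peers


def pairing_problems(text):
    """List human-readable problems: missing fields or address pairs not in one /30."""
    problems = []
    for idx, fields in sorted(parse_flattened_status(text).items()):
        missing = {"name", "ipAddress", "peerIpAddress"} - set(fields)
        if missing:
            problems.append(f"bgpPeerStatus[{idx}] lacks {sorted(missing)}")
            continue
        g = ipaddress.ip_address(fields["ipAddress"])
        p = ipaddress.ip_address(fields["peerIpAddress"])
        block = ipaddress.ip_network(f"{g}/30", strict=False)
        if p not in block or g == p:
            problems.append(f"{fields['name']}: {g} and {p} are not a usable /30 pair")
    return problems


def peer_addresses(text):
    """Return [(session name, google_bgp_ip, peer_bgp_ip)] in index order.

    Raises ValueError if any session fails the checks in pairing_problems.
    """
    problems = pairing_problems(text)
    if problems:
        raise ValueError("; ".join(problems))
    return [
        (f["name"], f["ipAddress"], f["peerIpAddress"])
        for _, f in sorted(parse_flattened_status(text).items())
    ]


def newest_session(text):
    """Entry with the highest index: the interface added most recently, per this page."""
    entries = peer_addresses(text)
    return entries[-1] if entries else None


if __name__ == "__main__":
    for name, google_ip, peer_ip in peer_addresses(SAMPLE_STATUS):
        print(f"{name}: configure the peer device with {peer_ip} (Cloud Router uses {google_ip})")
```

Pipe the real command output into `peer_addresses` instead of `SAMPLE_STATUS`; a session whose two addresses do not share a /30 is reported by name rather than silently passed on to whoever configures the peer gateway.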
API
To create the full configuration for an HA VPN gateway, use the following API commands.
To create an HA VPN gateway, make a POST request by using the vpnGateways.insert method:
POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/vpnGateways
{
  "name": "ha-vpn-gw-a",
  "network": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/network-a"
}
To create a Cloud Router, make a POST request by using the routers.insert method:
POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/routers
{
  "name": "router-a",
  "network": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/network-a"
}
You can use an existing Cloud Router as long as the router does not already manage a BGP session for a VLAN attachment associated with a Partner Interconnect connection. Otherwise, create another Cloud Router.
To create an external VPN gateway resource, make a POST request by using the externalVpnGateways.insert method.
- For an external (peer) VPN gateway that has one interface, use the following example, but specify only one interface ID and one ipAddress, with a redundancyType of SINGLE_IP_INTERNALLY_REDUNDANT.
- For an external VPN gateway with two interfaces, or two external VPN gateways with one interface each, use the TWO_IPS_REDUNDANCY example.
- For one or more external VPN gateways with four external VPN interfaces, for example, Amazon Web Services (AWS), use the following example, but specify four instances of the interface ID and ipAddress and use a redundancyType of FOUR_IPS_REDUNDANCY.
POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/externalVpnGateways
{
  "name": "my-peer-gateway",
  "interfaces": [
    { "id": 0, "ipAddress": "192.0.2.1" },
    { "id": 1, "ipAddress": "192.0.2.2" }
  ],
  "redundancyType": "TWO_IPS_REDUNDANCY"
}
To create two VPN tunnels, one for each interface on the HA VPN gateway, make a POST request by using the vpnTunnels.insert method. To get a 99.99% uptime SLA, you must create a tunnel on each interface of your HA VPN gateway. To create the first tunnel, run the following command:
POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/vpnTunnels
{
  "name": "ha-vpn-gw-a-tunnel-0",
  "ikeVersion": 2,
  "peerExternalGateway": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/externalVpnGateways/my-peer-gateway",
  "peerExternalGatewayInterface": 0,
  "router": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/routers/router-a",
  "sharedSecret": "SHARED_SECRET",
  "vpnGateway": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/vpnGateways/ha-vpn-gw-a",
  "vpnGatewayInterface": 0
}
To create the second tunnel, repeat this command, but change the following parameters:
- name
- peerExternalGatewayInterface
- sharedSecret or sharedSecretHash (if needed)
- vpnGatewayInterface: change it to the value of the other HA VPN gateway interface. In this example, change this value to 1.
To create a Cloud Router BGP interface, make either a PATCH or UPDATE request by using the routers.patch method or the routers.update method. PATCH updates only the parameters that you include. UPDATE updates all parameters for the Cloud Router.
Create a BGP interface for each VPN tunnel on the first HA VPN gateway. For the second BGP interface, use a different name, linkedVpnTunnel name, and ipRange from the same /30 subnet as the ipRange for the first tunnel. Each BGP IP address range for each BGP session must be unique among all Cloud Routers in all regions of a VPC network.
Repeat this step and command for each VPN tunnel on the second HA VPN gateway.
PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/routers/{resourceId}
{
  "interfaces": [
    {
      "name": "if-tunnel-a-to-on-prem-if-0",
      "linkedVpnTunnel": "ha-vpn-gw-a-tunnel-0",
      "ipRange": "169.254.0.1/30"
    }
  ]
}
To add a BGP peer to a Cloud Router for a VPN tunnel, make a POST request by using the routers.insert method. Repeat this command for the other VPN tunnel, changing all options except name and peerAsn.
POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/routers
{
  "name": "router-a",
  "network": "network-a",
  "bgpPeers": [
    {
      "interfaceName": "if-tunnel-a-to-on-prem-if-0",
      "ipAddress": "169.254.0.1",
      "name": "bgp-peer-tunnel-a-to-on-prem-if-0",
      "peerAsn": "65002",
      "peerIpAddress": "169.254.0.2",
      "advertiseMode": "DEFAULT"
    }
  ]
}
Verify the Cloud Router configuration by using the routers.getRouterStatus method with an empty request body:
GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/routers/ROUTER_NAME/getRouterStatus
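The API steps above share a few consistency rules that are easy to get wrong when request bodies are edited by hand: the redundancyType must match the number of external interfaces, the 99.99% SLA needs a tunnel on both HA VPN gateway interfaces, and each BGP session's /30 must be unique across the VPC network with the peer's address inside it. The following Python preflight check is an added example, not Google's code or part of the Compute Engine API; it runs offline over constructed request bodies that reuse the names and addresses from this page (PROJECT_ID and REGION are the page's placeholders), and can be pointed at your own bodies before you send them.

```python
"""Preflight checks for the HA VPN API request bodies shown on this page.
Added example, not Google's code or API: it inspects the JSON bodies for
externalVpnGateways.insert, vpnTunnels.insert and routers.patch and reports
violations of the requirements the page states. Sample bodies are constructed."""
import ipaddress

GW_URL = ("https://www.googleapis.com/compute/v1/projects/PROJECT_ID"
          "/regions/REGION/vpnGateways/ha-vpn-gw-a")   # page placeholders

# External interface count implied by each redundancyType value on this page.
REDUNDANCY_INTERFACES = {"SINGLE_IP_INTERNALLY_REDUNDANT": 1,
                         "TWO_IPS_REDUNDANCY": 2, "FOUR_IPS_REDUNDANCY": 4}


def check_external_gateway(body):
    """externalVpnGateways.insert: interface count matches redundancyType and
    every interface has id 0..n-1 with a parseable ipAddress."""
    problems = []
    interfaces = body.get("interfaces", [])
    rtype = body.get("redundancyType")
    expected = REDUNDANCY_INTERFACES.get(rtype)
    if expected is None:
        problems.append(f"unknown redundancyType {rtype!r}")
    elif len(interfaces) != expected:
        problems.append(f"{rtype} requires {expected} interface(s), body has {len(interfaces)}")
    for n, i in enumerate(interfaces):
        if i.get("id") != n:
            problems.append(f"interface at position {n} has id {i.get('id')!r}, expected {n}")
        try:
            ipaddress.ip_address(i.get("ipAddress", ""))
        except ValueError:
            problems.append(f"interface {i.get('id')}: invalid ipAddress {i.get('ipAddress')!r}")
    return problems


def check_tunnels(tunnels, gateway_url):
    """vpnTunnels.insert: the 99.99% SLA needs one tunnel on each HA VPN gateway
    interface (0 and 1); two tunnels must not share an interface."""
    problems, used = [], {}
    for t in tunnels:
        if t.get("vpnGateway") != gateway_url:
            continue
        iface = t.get("vpnGatewayInterface")
        if iface in used:
            problems.append(f"{used[iface]} and {t['name']} both use vpnGatewayInterface {iface}")
        used.setdefault(iface, t["name"])
    missing = sorted({0, 1} - set(used))
    if missing:
        problems.append(f"no tunnel on HA VPN gateway interface(s) {missing}; 99.99% SLA not met")
    return problems


def check_bgp(routers):
    """routers.patch bodies keyed by Cloud Router name, all assumed to be in one VPC
    network: each ipRange is a /30 unique across routers, each BGP peer's ipAddress
    is its interface address and its peerIpAddress lies in the same /30."""
    problems, seen = [], {}
    for router, cfg in routers.items():
        nets = {}
        for iface in cfg.get("interfaces", []):
            label = f"{router}/{iface.get('name')}"
            try:
                addr = ipaddress.ip_interface(iface.get("ipRange", ""))
            except ValueError:
                problems.append(f"{label}: invalid ipRange {iface.get('ipRange')!r}")
                continue
            if addr.network.prefixlen != 30:
                problems.append(f"{label}: ipRange {addr} is not a /30")
            if addr.network in seen:
                problems.append(f"{label}: /30 {addr.network} already used by {seen[addr.network]}")
            seen.setdefault(addr.network, label)
            nets[iface["name"]] = addr
        for peer in cfg.get("bgpPeers", []):
            label = f"{router}/{peer.get('name')}"
            addr = nets.get(peer.get("interfaceName"))
            if addr is None:
                problems.append(f"{label}: unknown interfaceName {peer.get('interfaceName')!r}")
                continue
            if ipaddress.ip_address(peer["ipAddress"]) != addr.ip:
                problems.append(f"{label}: ipAddress {peer['ipAddress']} is not the interface address {addr.ip}")
            if ipaddress.ip_address(peer["peerIpAddress"]) not in addr.network:
                problems.append(f"{label}: peerIpAddress {peer['peerIpAddress']} is outside {addr.network}")
    return problems


# Constructed sample bodies using the names and addresses from this page's examples.
PEER_GATEWAY = {"name": "my-peer-gateway", "redundancyType": "TWO_IPS_REDUNDANCY",
                "interfaces": [{"id": 0, "ipAddress": "192.0.2.1"}, {"id": 1, "ipAddress": "192.0.2.2"}]}
TUNNELS = [{"name": f"ha-vpn-gw-a-tunnel-{n}", "vpnGateway": GW_URL,
            "vpnGatewayInterface": n, "peerExternalGatewayInterface": n} for n in (0, 1)]
ROUTERS = {"router-a": {
    "interfaces": [
        {"name": "if-tunnel-a-to-on-prem-if-0", "linkedVpnTunnel": "ha-vpn-gw-a-tunnel-0", "ipRange": "169.254.0.1/30"},
        {"name": "if-tunnel-a-to-on-prem-if-1", "linkedVpnTunnel": "ha-vpn-gw-a-tunnel-1", "ipRange": "169.254.1.1/30"}],
    "bgpPeers": [
        {"name": "bgp-peer-tunnel-a-to-on-prem-if-0", "interfaceName": "if-tunnel-a-to-on-prem-if-0",
         "ipAddress": "169.254.0.1", "peerIpAddress": "169.254.0.2", "peerAsn": "65002"},
        {"name": "bgp-peer-tunnel-a-to-on-prem-if-1", "interfaceName": "if-tunnel-a-to-on-prem-if-1",
         "ipAddress": "169.254.1.1", "peerIpAddress": "169.254.1.2", "peerAsn": "65004"}]}}
```

Each checker returns a list of problem strings, empty when the bodies are consistent, so the three calls `check_external_gateway(PEER_GATEWAY)`, `check_tunnels(TUNNELS, GW_URL)` and `check_bgp(ROUTERS)` can sit in a deployment script and abort before any request is sent. The /30 uniqueness check is only as good as the set of routers you feed it: pass the interfaces of every Cloud Router in the VPC network, in all regions, since that is the scope of the uniqueness rule above.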
Setting the base advertised route priority (optional)
The BGP sessions that you create let each Cloud Router advertise routes to peer networks. The advertisements use unmodified base priorities.
Use the configuration documented in Creating an HA VPN gateway and tunnel pair to a peer VPN for active/active routing configurations where the advertised route priorities of the two VPN tunnels from the Google Cloud side and the peer side match. To configure the same advertised route priorities from Google Cloud to both BGP peers, omit the advertised route priority on the Google Cloud side.
To create an active/passive configuration, configure unequal advertised route priorities for the two HA VPN tunnels. One advertised route priority must be higher than the other. For example:
- BGP session1/tunnel1, route priority = 10
- BGP session2/tunnel2, route priority = 20
For more information about the base advertised route priority, see Advertised prefixes and priorities.
You can also specify which routes are advertised by using custom advertisements:
- Add the --advertisement-mode=CUSTOM flag (gcloud) or the advertiseMode: custom flag (API).
- Specify IP address ranges with the --set-advertisement-ranges flag (gcloud) or the advertisedIpRanges flag (API).
Completing the configuration
Before you can use a new Cloud VPN gateway and its associated VPN tunnels, complete the following steps:
- Set up the peer VPN gateway and configure the corresponding tunnel or tunnels there. For instructions, see the following:
  - For specific configuration guidance for certain peer VPN devices, see Using third-party VPNs with Cloud VPN.
  - For supported peer topologies, see Cloud VPN topologies.
  - For general configuration parameters, see Configuring the peer VPN gateway.
- Configure firewall rules in Google Cloud and your peer network as required.
- Check the status of your VPN tunnels. This step includes checking the high-availability configuration of your HA VPN gateway.
Applying an organization policy constraint that restricts peer VPN gateway IP addresses
You can create a Google Cloud organization policy constraint that defines a set of IP addresses that are allowed or denied to peer VPN gateways through Classic VPN or HA VPN tunnels. This constraint contains an allowlist or a denylist of these peer IP addresses, which goes into effect for Cloud VPN tunnels that you create after you apply the constraint. For details, see Restricting peer IP addresses through a Cloud VPN tunnel.
To create an organization policy and associate it with an organization, a folder, or a project, use the examples listed in the next sections and follow the steps in Using constraints.
Required permissions
To set a peer IP address constraint at the organization or project level, you must first be granted the Organization Policy Administrator role (roles/orgpolicy.policyAdmin) for your organization.
Constraining connectivity from specific peer IP addresses
To only allow specific peer IP addresses through a Cloud VPN tunnel, perform the following steps:
- Find your organization ID by running the following command:
gcloud organizations list
The command output should look like the following example:
DISPLAY NAME          ID
example-organization  29252605212
- Create a JSON file that defines your policy, as in the following example:
{
  "constraint": "constraints/compute.restrictVpnPeersIPs",
  "listPolicy": {
    "allowedValues": [
      "100.1.1.1"
    ]
  }
}
- Set the organization policy by using the Resource Manager gcloud command set-policy, passing in the JSON file, and using the ORGANIZATION_ID that you found in the previous step.
Constraining connectivity from any peer IP addresses
To prohibit the creation of any new Cloud VPN tunnel, follow the steps in this example constraint:
- Find your organization ID or the ID for the node in your resource hierarchy where you want to set a policy.
- Create a JSON file like the following example:
{
  "constraint": "constraints/compute.restrictVpnPeersIPs",
  "listPolicy": {
    "allValues": "DENY"
  }
}
- Pass in the JSON file by running the same command that you would use for restricting specific peer IP addresses.
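As an added example (not Google's code), the following Python evaluates a restrictVpnPeersIPs policy file offline against the peer addresses an external VPN gateway would use, covering the allowlist and deny-all forms shown above plus the deniedValues denylist form of the same list constraint. It assumes the constraint matches values as plain IP address strings, which is what the page's example relies on; CIDR matching is not assumed. The policy JSON is the page's, with its trailing commas removed so that it parses, and the gateway body is constructed from the page's addresses.

```python
"""Evaluate a constraints/compute.restrictVpnPeersIPs organization policy offline.

Added example, not Google's code: applies list-constraint semantics (allValues,
allowedValues, deniedValues) to the peer addresses a new tunnel would use, so a
policy file can be checked before it is set. Values are matched as exact IP
addresses, as in the page's example; CIDR matching is not assumed."""
import ipaddress
import json

CONSTRAINT = "constraints/compute.restrictVpnPeersIPs"

# Allowlist policy from this page (trailing commas removed so it is valid JSON).
ALLOW_SPECIFIC = json.loads("""
{ "constraint": "constraints/compute.restrictVpnPeersIPs",
  "listPolicy": { "allowedValues": [ "100.1.1.1" ] } }
""")
# Deny-all policy from this page: no new Cloud VPN tunnel may be created.
DENY_ALL = json.loads("""
{ "constraint": "constraints/compute.restrictVpnPeersIPs",
  "listPolicy": { "allValues": "DENY" } }
""")


def peer_ip_allowed(policy, peer_ip):
    """True if a tunnel whose peer gateway interface is peer_ip would be permitted."""
    if policy.get("constraint") != CONSTRAINT:
        raise ValueError(f"policy is not for {CONSTRAINT}")
    lp = policy.get("listPolicy", {})
    ip = ipaddress.ip_address(peer_ip)           # normalizes the textual form
    all_values = lp.get("allValues")
    if all_values == "DENY":                     # blanket deny wins over any list
        return False
    if all_values == "ALLOW":
        return True
    if ip in {ipaddress.ip_address(v) for v in lp.get("deniedValues", [])}:
        return False
    if "allowedValues" in lp:                    # allowlist: anything unlisted is refused
        return ip in {ipaddress.ip_address(v) for v in lp["allowedValues"]}
    return True                                  # no restriction listed


def blocked_interfaces(policy, external_gateway):
    """Interface ids of an externalVpnGateways.insert body whose ipAddress the
    policy would refuse; tunnels referencing those interfaces would not be created."""
    return [i["id"] for i in external_gateway["interfaces"]
            if not peer_ip_allowed(policy, i["ipAddress"])]


# Constructed external VPN gateway body, using the addresses from this page.
PEER_GATEWAY = {"name": "my-peer-gateway", "redundancyType": "TWO_IPS_REDUNDANCY",
                "interfaces": [{"id": 0, "ipAddress": "192.0.2.1"},
                               {"id": 1, "ipAddress": "192.0.2.2"}]}
```

Running `blocked_interfaces(ALLOW_SPECIFIC, PEER_GATEWAY)` returns both interface ids, because the page's allowlist contains only 100.1.1.1: a useful reminder that an allowlist set at the organization level must be updated before any new peer gateway is brought up, since the constraint applies to every tunnel created after the policy takes effect.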
What's next
- To find resources for maintaining VPN tunnels and gateways, see the Maintaining VPNs how-to guides.
- To use high-availability and high-throughput scenarios or multiple subnet scenarios, see Advanced configurations.
- To help you solve common issues that you might encounter when using Cloud VPN, see Troubleshooting.