Creating an HA VPN gateway to a Peer VPN gateway

This page describes how to create a highly available VPN gateway that connects to a peer VPN gateway.

HA VPN gateways use the HA VPN API and provide a 99.99% SLA. This configuration uses a tunnel pair, with one tunnel on each HA VPN gateway interface.

There are two gateway components to configure for HA VPN:

An HA VPN gateway in Google Cloud.
Your peer VPN gateway or gateways—one or more physical VPN gateway devices or software applications in the peer network to which the HA VPN gateway connects. The peer gateway can be either an on-premises VPN gateway or one hosted by another cloud provider. You need to create an external VPN gateway resource in Google Cloud for each peer gateway device or service.

For diagrams of this topology, see the Topologies page.

For more information on how to choose a VPN type, see the Choosing a Network Connectivity product.

For best practices to consider before setting up Cloud VPN, see Best practices for Cloud VPN.

Requirements

General requirements and guidelines

Review information about how dynamic routing works in Google Cloud.
Make sure that your peer VPN gateway supports BGP.

Redundancy types

The HA VPN API contains an option for REDUNDANCY_TYPE, which represents the number of interfaces you configure for the external VPN gateway resource.

gcloud commands automatically infer the following values of REDUNDANCY_TYPE from the number of interfaces you provide in the interface ID when you configure an external VPN gateway resource:

One external VPN interface is SINGLE_IP_INTERNALLY_REDUNDANT
Two external VPN interfaces are TWO_IPS_REDUNDANCY
Four external VPN interfaces are FOUR_IPS_REDUNDANCY

When configuring external VPN gateways, you must use the following interface identification numbers for the stated number of external VPN interfaces:

For one external VPN interface, use a value of 0.
For two external VPN interfaces, use values 0 and 1.
For four external VPN interfaces, use values 0,1,2, and 3.

When configuring an HA VPN external VPN gateway to Amazon Web Services (AWS), the supported topology requires two AWS Virtual Private Gateways, A and B, each with two external IP addresses. This topology yields four external IP addresses total in AWS: A1, A2, B1, and B2.

Configure the four AWS IP addresses as a single external HA VPN gateway with FOUR_IPS_REDUNDANCY, where:

AWS IP 0=A1
AWS IP 1=A2
AWS IP 2=B1
AWS IP 3=B2

Create four tunnels on the HA VPN gateway to meet the 99.99% SLA. using the following configuration:

HA VPN interface 0 to AWS interface 0
HA VPN interface 0 to AWS interface 1
HA VPN interface 1 to AWS interface 2
HA VPN interface 1 to AWS interface 3

Overview of high-level configurations steps to set up HA VPN with Amazon Web Services (AWS):

Create the HA VPN gateway and a Cloud Router. This creates 2 external IP addresses on the GCP side.
Create two AWS Virtual Private Gateways. This creates 4 external addresses on the AWS side.
Create two AWS Site-to-Site VPN connections and customer gateways, one for each AWS Virtual Private Gateway. Specify a non-overlapping link-local Tunnel IP Range for each tunnel, 4 total. For example, 169.254.1.4/30.
Download the AWS configuration files for the generic device type.
Create four VPN tunnels on the HA VPN gateway.
Configure BGP sessions on the Cloud Router using the BGP IP addresses from the downloaded AWS configuration files.

Creating Cloud Routers

When configuring a new HA VPN gateway, you can create a new Cloud Router or you can use a Cloud Router that you are already using with existing Cloud VPN tunnels or interconnect attachments (VLANs). However, the Cloud Router that you use must not already manage a BGP session for an interconnect attachment (VLAN) associated with a Partner Interconnect connection, because of the attachment's specific ASN requirements.

Before you begin

Setting up the following items in Google Cloud makes it easier to configure Cloud VPN:

Sign in to your Google Account.
If you don't already have one, sign up for a new account.
In the Cloud Console, on the project selector page, select or create a Cloud project.

Note: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.

Go to the project selector page
Make sure that billing is enabled for your Google Cloud project. Learn how to confirm billing is enabled for your project.
Install and initialize the Cloud SDK.

If you are using gcloud commands, set your project ID with the following command. The gcloud instructions on this page assume that you have set your project ID before issuing commands.

    gcloud config set project project-id

You can also view a project ID that has already been set:

    gcloud config list --format='text(core.project)'

Permissions required for this task

To perform this task, you must have been granted the following permissions OR the following IAM roles.

Permissions

compute.vpnGateways.get
compute.vpnGateways.list
compute.externalVpnGateways.get
compute.externalVpnGateways.list
compute.vpnGateways.create
compute.vpnGateways.delete
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnGateways.use
compute.vpnGateways.setLabels
compute.externalVpnGateways.create
compute.externalVpnGateways.delete
compute.externalVpnGateways.get
compute.externalVpnGateways.list
compute.externalVpnGateways.use
compute.externalVpnGateways.setLabels

Roles

roles/compute.networkAdmin

Creating a custom Virtual Private Cloud network and subnet

Before creating an HA VPN gateway and tunnel pair, you must create a Virtual Private Cloud network and at least one subnet in the region where the HA VPN gateway will reside.

To create a custom mode (recommended) VPC network, see Creating a custom mode network.
To create subnets, see Working with subnets.

The examples in this document also use VPC global dynamic routing mode so that all instances of Cloud Router apply the to on-premises routes that they learn to all subnets of the VPC network. In global routing mode, routes to all subnets in the VPC network are shared with on-premises routers.

Creating an HA VPN gateway and tunnel pair to a peer VPN

Follow the instructions in this section to create a HA VPN gateway, a pair of tunnels, a peer VPN gateway resource, and BGP sessions.

Console

The VPN setup wizard includes all required configuration steps for creating an HA VPN gateway, tunnels, a peer VPN gateway resource, and BGP sessions.

Create a Cloud VPN gateway

Go to the VPN page in the Google Cloud Console.
Go to the VPN page
1. If you are creating a gateway for the first time, select the Create VPN connection button.
2. Select the VPN setup wizard.
Select the radio button for an HA VPN gateway.
Click Continue.
Specify a VPN gateway name.
Under VPC network, select an existing network or the default network.
Select a Region.
Click Create and Continue.
The console screen refreshes and displays your gateway information. Two external IP addresses are automatically allocated for each of your gateway interfaces. For future configuration steps, make note of the details of your gateway configuration.

Create a Peer VPN gateway resource

The peer VPN gateway resource represents your non-Google Cloud gateway in Google Cloud.

On the Create a VPN screen, under Peer VPN gateway, select On-prem or Non-Google Cloud.
Under Peer VPN gateway name, choose an existing peer gateway, or click Create a new peer VPN gateway. If you choose an existing gateway, Cloud Console selects the number of tunnels to configure based on the number of peer interfaces you configured on the existing peer gateway. To create a new peer gateway, complete the following steps:
1. Specify a Name for the peer VPN gateway.
2. Under Peer VPN gateway interfaces, select one, two, or four interfaces, depending on the type of interfaces your peer gateway has. See the Topologies page for examples of each type.
3. In the field for each peer VPN interface, specify the external IP address used for that interface. For more information, refer to Configuring the peer VPN gateway.
4. Click Create.

Create VPN tunnels

If you configured your peer VPN gateway resource with one interface, you configure your single tunnel in the single VPN tunnel dialog box on the Create VPN screen. You must create a second tunnel for a 99.99% SLA.
If you configured your peer VPN gateway resource with two or four interfaces, you must configure the associated dialog boxes that appear at the bottom of the Create VPN screen.

Under Cloud Router, If you haven't already, create a Cloud Router specifying the following options. You can use an existing Cloud Router if the router does not already manage a BGP session for an interconnect attachment associated with a Partner Interconnect.
1. To create a new Cloud Router, specify a Name, an optional Description, and Google ASN for the new router. You can use any private ASN (64512 through 65534, 4200000000 through 4294967294) that you are not using elsewhere in your network. The Google ASN is used for all BGP sessions on the same Cloud Router and you cannot change the ASN later.
2. Click Create to create the new router.
If applicable, under Associated Cloud VPN gateway interface, select the HA VPN interface and IP address combination that you want to associate with your peer VPN gateway interface for this tunnel.
Under Associated peer VPN gateway interface, select the peer VPN gateway interface and IP address combination that you want to associate with this tunnel and with the HA VPN interface. This interface must match the interface on your actual peer router.
1. Specify a Name for the tunnel.
2. Specify an optional Description.
3. Specify the IKE version. IKE v2, the default setting, is recommended if your peer router supports it.
4. Specify an IKE pre-shared key using your shared secret, which must correspond with the shared secret for the partner tunnel that you create on your peer gateway. If you haven't configured a shared secret on your peer VPN gateway and want to generate one, click the Generate and copy button. Make sure that you record the pre-shared key in a secure location, because it cannot be retrieved after you create your VPN tunnels.
5. Click Done.
6. Repeat the tunnel creation steps for any remaining tunnel dialog boxes on the Create VPN screen.
When you have configured all tunnels, click Create and continue.

Create BGP sessions

If you don't want to configure BGP sessions now, click the Configure BGP sessions later button, which opens Summary and Reminder screen.
If you want to configure BGP sessions now, click the Configure button for the first VPN tunnel.
On the Create BGP session screen, use the following steps:
1. Specify a Name for the BGP session.
2. Specify the Peer ASN configured for the peer VPN gateway.
3. (Optional) Specify the Advertised Route Priority.
4. Specify the Cloud Router BGP IP address and the BGP Peer IP address. Each of these addresses must use a link-local address from the 169.254.0.0/16 CIDR block in the same /30 subnet. Make sure that these addresses aren't the network or broadcast address of the subnet.
5. (Optional) Click the Advertised routes drop-down menu and create custom routes.
6. Click Save and continue.
Repeat the previous steps for the rest of the tunnels configured on the gateway, using a different Cloud Router BGP IP address and BGP Peer IP address for each tunnel.
When you have configured all BGP sessions, click Save BGP configuration.

Note on setting the advertised base route priority:
The following example creates BGP sessions on instances of Cloud Router. These BGP sessions allow each Cloud Router to advertise routes to peer networks. The advertisements use unmodified base priorities.

Use the configuration documented in this section for active/active routing configurations where the route priorities of the two VPN tunnels from the Google Cloud side and peer side match. Omit the advertised base route priority on the Google Cloud side to configure the same advertised priorities from Google Cloud to both BGP peers.

To create an active/passive configuration, you must configure unequal advertised base route priorities for the two HA VPN tunnels. One route priority must be higher than the other. For example:

BGP session1/tunnel1, route priority = 10
BGP session2/tunnel2, route priority = 20

For more information about advertised base route priority, refer to Route metrics.

You can also specify which routes that are advertised using custom advertisements, by adding the
--advertisement-mode=CUSTOM flag and specifying IP address ranges with the
--set-advertisement-ranges flag.

Summary and reminder

The Summary section of this screen lists information for the HA VPN gateway and the peer VPN gateway profile.
For each VPN tunnel, you can view the VPN tunnel status, the BGP session name, the BGP session status, and the MED value (advertised route priority).
The Reminder section of this screen lists the steps that you must complete to have a fully operational VPN connection between Cloud VPN and your peer VPN.
Click Ok after reviewing the information on this screen.

Create an additional tunnel on a single-tunnel gateway.

Follow the steps in this section to configure a second tunnel on the second interface of a HA VPN gateway. Do this in the following circumstances:

When you've configured a HA VPN gateway to a peer VPN gateway that has a single peer VPN interface.
If you set up a single tunnel previously on a HA VPN for a peer VPN gateway that contains any number of interfaces, but now want a 99.99% uptime SLA for your HA VPN gateway.
1. Go to the VPN page in the Google Cloud Console.
  Go to the VPN page
2. Click the Create VPN tunnel button.
3. From the drop-down menu, select the gateway that requires the second tunnel.
4. Click Continue.
5. Choose a Cloud Router. If you haven't configured a Cloud Router, follow the steps for creating one in the Create VPN tunnels procedure.
6. For Peer VPN gateway, select On-prem or Non Google Cloud.
7. For Peer VPN gateway name, choose the existing peer VPN gateway resource that the new tunnel will use. You can check existing peer VPN gateway names for this Cloud VPN gateway by clicking the View all existing tunnels link under VPN gateway name near the top of the screen.
8. You might receive a warning that a tunnel with the same peer VPN gateway interface is already associated with the same local Cloud VPN gateway interface. To fix this issue, under Associated Cloud VPN gateway interface, select the other HA VPN interface.
9. Configure the remainder of the steps as listed in the Create VPN tunnels procedure to finish configuring the tunnel.

gcloud

Create the HA VPN gateway

Complete the following command sequence to create the HA VPN gateway:

Create an HA VPN gateway. When the gateway is created, two external IP addresses are automatically allocated, one for each gateway interface.

In the following commands, replace the following options:
- Replace network with the name of your Google Cloud network.
- Replace region with the Google Cloud region where you need to create the gateway and tunnel.
- Replace gw-name with the name of the gateway.
```
  gcloud compute vpn-gateways create gw-name \
    --network network \
    --region region
```
The gateway you create should look similar to the following example output. An external IP address has been automatically assigned to each gateway interface:
```
  Created [https://www.googleapis.com/compute/v1/projects/project-id/regions/us-central1/vpnGateways/ha-vpn-gw-a].
  NAME        INTERFACE0    INTERFACE1   NETWORK   REGION
  ha-vpn-gw-a 203.0.113.16  203.0.113.23 network-a us-central1
```

Create Cloud Router

Complete the following command sequence to create a Cloud Router. In the following commands, replace the following options:
- Replace router-name with the name of the Cloud Router in the same region as the Cloud VPN gateway.
- Replace google-asn with any private ASN (64512 through 65534, 4200000000 through 4294967294) that you are not already using in the peer network. The Google ASN is used for all BGP sessions on the same Cloud Router and it cannot be changed later.
```
  gcloud compute routers create router-name \
    --region region \
    --network network \
    --asn google-asn
```
The router you create should look similar to the following example output:
```
  Created [https://www.googleapis.com/compute/v1/projects/project-id/regions/us-central1/routers/router-a].
  NAME      REGION      NETWORK
  router-a us-central1 network-a
```

Create an External VPN Gateway resource

Create an external VPN gateway resource that provides information to Google Cloud about your peer VPN gateway or gateways. Depending on the HA recommendations for your peer VPN gateway, you can create external VPN gateway resource for the following different types of on-premises VPN gateways:

Two separate peer VPN gateway devices where the two devices are redundant with each other and each device has its own external IP address.
A single peer VPN gateway that uses two separate interfaces, each with its own external IP address. For this kind of peer gateway, you can create a single external VPN gateway with two interfaces.
A single peer VPN gateway with a single external IP address.

Option 1: Create an External VPN Gateway resource for two separate peer VPN gateway devices

For this type of peer gateway, each interface of the external VPN gateway has one external IP address, and each address is from one of the peer VPN gateway devices. In the following gcloud command, replace the following options:
- Replace peer-gw_name with a name representing the peer gateway.
- Replace peer-gw-ip-0 with the external IP addresses for a peer gateway.
- Replace peer-gw-ip-1 with the external IP address for another peer gateway.
```
  gcloud compute external-vpn-gateways create peer-gw-name \
    --interfaces 0=peer-gw-ip-0,1=peer-gw-ip-1 \
```
The External VPN Gateway resource created should look like the following example where peer-gw-ip-0 and peer-gw-ip-1 show the actual external addresses of the peer gateway interfaces:
```
  Created [https://www.googleapis.com/compute/v1/projects/project-id/global/externalVpnGateways/peer-gw].
  NAME      INTERFACE0      INTERFACE1
  peer-gw   peer-gw-ip-0    peer-gw-ip-1
```

Option 2: Create an External VPN Gateway resource for a single peer VPN gateway with two separate interfaces

For this type of peer gateway, create a single external VPN gateway with two interfaces. In the following gcloud command, replace the following options:
- Replace peer-gw-name with a name representing the peer gateway.
- Replace peer-gw-ip-0 with the external IP address for one interface from the peer gateway.
- Replace peer-gw-ip-1 with the external IP address for another interface from the peer gateway.
```
gcloud compute external-vpn-gateways create peer-gw-name \
 --interfaces 0=on-prem-gw-ip-0,1=on-prem-gw-ip-1 \
```
  The External VPN Gateway resource created should look like the following example where peer-gw-ip-0 and peer-gw-ip-1 show the actual external addresses of the peer gateway interfaces:
```
Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/externalVpnGateways/peer-gw].
NAME      INTERFACE0      INTERFACE1
peer-gw   peer-gw-ip-0  peer-gw-ip-1
```

Option 3: Create an External VPN Gateway resource for a single peer VPN gateway with a single external IP address

For this type of peer gateway, create an external VPN gateway with one interface. In the following gcloud command, replace the following options:
- Replace peer-gw-name with a name representing the peer gateway.
- Replace peer-gw-ip-0 with the external IP address for the interface from the peer gateway.
```
  gcloud compute external-vpn-gateways create peer-gw-name \
    --interfaces 0=peer-gw-ip-0 \
```
The External VPN Gateway resource you created should look like the following example where peer-gw-ip-0 shows the actual external addresses of the peer gateway interface:
```
  Created [https://www.googleapis.com/compute/v1/projects/project-id/global/externalVpnGateways/peer-gw].
  NAME      INTERFACE0
  peer-gw   peer-gw-ip-0
```

Create two VPN tunnels, one for each interface on the HA VPN gateway

When creating VPN tunnels, specify the peer side of the VPN tunnels as the external VPN gateway you created earlier. Depending on the redundancy type of the external VPN gateway, configure the tunnels using one of the following two options.

Option 1: If the external VPN gateway is two separate peer VPN gateway devices or a single device with two IP addresses

In this case, one VPN tunnel needs to connect to interface 0 of the external VPN gateway, and the other VPN tunnel needs to connect to interface 1 of the external VPN gateway.
The VPN tunnels you create are not available until the corresponding partner tunnels have been created on your peer VPN gateway or gateways.
In the following commands to create each tunnel, replace the following options:
- Replace tunnel-name-if0 and tunnel-name-if1 with a name for the tunnel. Naming the tunnels by including the gateway interface name can help identify the tunnels later.
- Replace gw-name with the name of the HA VPN gateway.
- (Optional) The --vpn-gateway-region is the region of the HA VPN gateway to operate on. Its value should be the same as --region. If not specified, this option is automatically set. This option overrides the default compute/region property value for this command invocation..
- Replace peer-gw-name with a name of the external peer gateway created earlier.
- Replace peer-ext-gw-if0 and peer-ext-gw-if1 with the interface number configured earlier on the external peer gateway.
- Replace ike-vers with 1 for IKEv1 or 2 for IKEv2. If possible, use IKEv2 for the IKE version. If your peer gateway requires IKEv1, replace --ike-version 2 with --ike-version 1.
- Replace shared-secret with your shared secret, which must correspond with the shared secret for the partner tunnel you create on your peer gateway. See Generating a strong pre-shared key for recommendations.
- Replace int-num-0 with the number 0 for the first interface on the HA VPN gateway you created earlier.
- Replace int-num-1 with the number 1 for the second interface on the HA VPN gateway you created earlier.
```
  gcloud compute vpn-tunnels create tunnel-name-if0 \
    --peer-external-gateway peer-gw-name \
    --peer-external-gateway-interface peer-ext-gw-if0  \
    --region region \
    --ike-version ike-vers \
    --shared-secret shared-secret \
    --router router-name \
    --vpn-gateway gw-name \
    --interface int-num-0
```
```
 gcloud compute vpn-tunnels create tunnel-name-if1 \
    --peer-external-gateway peer-gw-name \
    --peer-external-gateway-interface peer-ext-gw-if1 \
    --region region \
    --ike-version ike-vers \
    --shared-secret shared-secret \
    --router router-name \
    --vpn-gateway gw-name \
    --interface int-num-1
```
  The command output should look similar to the following example:
```
  Created [https://www.googleapis.com/compute/v1/projects/project-id/regions/us-central1/vpnTunnels/tunnel-a-to-on-prem-if-0].
  NAME                      REGION       GATEWAY        VPN_INTERFACE   PEER_GATEWAY   PEER_INTERFACE
  tunnel-a-to-on-prem-if-0  us-central1  ha-vpn-gw-a    0               peer-gw        0
  Created [https://www.googleapis.com/compute/v1/projects/project-id/regions/us-central1/vpnTunnels/tunnel-a-to-on-prem-if-1].
  NAME                      REGION       GATEWAY        VPN_INTERFACE   PEER_GATEWAY   PEER_INTERFACE
  tunnel-a-to-on-prem-if-1  us-central1  ha-vpn-gw-a    1               peer-gw        1
```

Option 2: If the external VPN gateway is a single peer VPN gateway with a single external IP address

In this case, both VPN tunnels need to connect to interface 0 of the external VPN gateway.
The VPN tunnels you create will not be available until the corresponding partner tunnels have been created on your peer VPN gateway or gateways.
In the following commands to create each tunnel, replace the following options:
- Replace tunnel-name-if0 and tunnel-name-if1 with a name for the tunnel. Naming the tunnels by including the gateway interface name can help identify the tunnels later.
- Replace peer-gw-name with the name of the external peer gateway created earlier.
- Replace peer-ext-gw-if0 with the interface number configured earlier on the external peer gateway.
- (Optional) The --vpn-gateway-region is the region of the HA VPN gateway to operate on. Its value should be the same as --region. If not specified, this option is automatically set. This option overrides the default compute/region property value for this command invocation.
- Replace ike-vers with 1 for IKEv1 or 2 for IKEv2. If possible, use IKEv2 for the IKE version. If your peer gateway requires IKEv1, replace --ike-version 2 with --ike-version 1.
- Replace shared-secret with your shared secret, which must correspond with the shared secret for the partner tunnel you create on your peer gateway. See Generating a strong pre-shared key for recommendations.
- Replace int-num-0 with the number 0 for the first interface on the HA VPN gateway you created earlier.
- Replace int-num-1 with the number 1 for the second interface on the HA VPN gateway you created earlier.
```
  gcloud compute vpn-tunnels create tunnel-name-if0 \
    --peer-external-gateway peer-gw-name \
    --peer-external-gateway-interface peer-ext-gw-if0  \
    --region region \
    --ike-version ike-vers \
    --shared-secret shared-secret \
    --router router-name \
    --vpn-gateway gw-name \
    --interface int-num-0
```
```
  gcloud compute vpn-tunnels create tunnel-name_if1 \
    --peer-external-gateway peer-gw-name \
    --peer-external-gateway-interface [peer-ext-gw-if0] \
    --region region \
    --ike-version ike-vers \
    --shared-secret shared-secret \
    --router router-name \
    --vpn-gateway gw-name \
    --interface int-num-1
```
The command output should look similar to the following example:
```
  Created [https://www.googleapis.com/compute/v1/projects/project-id/regions/us-central1/vpnTunnels/tunnel-a-to-on-prem-if-0].
  NAME                      REGION       GATEWAY        VPN_INTERFACE   PEER_GATEWAY   PEER_INTERFACE
  tunnel-a-to-on-prem-if-0  us-central1  ha-vpn-gw-a    0               peer-gw        0
  Created [https://www.googleapis.com/compute/v1/projects/project-id/regions/us-central1/vpnTunnels/tunnel-a-to-on-prem-if-1].
  NAME                      REGION       GATEWAY        VPN_INTERFACE   PEER_GATEWAY   PEER_INTERFACE
  tunnel-a-to-on-prem-if-1  us-central1  ha-vpn-gw-a    1               peer-gw        0
```

Create Cloud Router interfaces and BGP peers

BGP session1/tunnel1, route priority = 10
BGP session2/tunnel2, route priority = 20

Create a Cloud Router BGP interface and BGP peer for each tunnel you previously configured on the HA VPN gateway interfaces.
In the following commands, replace the following options:
- Replace router-interface-name-0 and router-interface-name-1 with a name for the Cloud Router BGP interface. It can be helpful to use names related to the tunnel names configured previously.
- If you use the manual configuration method, replace ip-address-0 and ip-address-1 with the BGP IP address for the HA VPN gateway interface you configure. Each tunnel uses a different gateway interface.
- Use a mask-length of 30.
  
  Each BGP session on the same Cloud Router must use a unique /30 CIDR from the 169.254.0.0/16 block.
- Replace tunnel-name-0 and tunnel-name-1 with the tunnel associated with the HA VPN gateway interface you configured.
Choose the automatic or manual configuration method of configuring BGP interfaces and BGP peers:
Automatic
To let Google Cloud automatically choose the link-local BGP IP addresses, use the following steps.

For the first VPN tunnel
1. Add a BGP interface to the Cloud Router.
```
gcloud compute routers add-interface router-name \
    --interface-name router-interface-name-0 \
    --mask-length mask-length \
    --vpn-tunnel tunnel-name-0 \
    --region region
```
  The command output should look similar to the following example:
```
Updated [https://www.googleapis.com/compute/v1/projects/project-id/regions/us-central1/routers/router-a].
```
2. Add a BGP peer to the interface for the first tunnel . Replace peer-name with a name for the peer VPN interface, and peer-asn with the ASN configured for the peer VPN gateway.
```
gcloud compute routers add-bgp-peer router-name \
    --peer-name peer-name \
    --peer-asn peer-asn \
    --interface router-interface-name-0 \
    --region region \
```
  The command output should look similar to the following example:
```
Creating peer [bgp-peer-tunnel-a-to-on-prem-if-0] in router [router-a]...done.
```
For the second VPN tunnel
1. Add a BGP interface to the Cloud Router.
```
gcloud compute routers add-interface router-name \
    --interface-name router-interface-name-1 \
    --mask-length mask-length \
    --vpn-tunnel tunnel-name-1 \
    --region region
```
2. Add a BGP peer to the interface for the second tunnel . Replace peer-name with a name for the peer VPN interface, and peer-asn with the ASN configured for the peer VPN gateway.
```
gcloud compute routers add-bgp-peer router-name \
    --peer-name peer-name \
    --peer-asn peer-asn \
    --interface router-interface-name-1 \
    --region region \
```
Manual
To manually assign the BGP IP addresses associated with the Google Cloud BGP interface and peer, use the following steps:
1. For each VPN tunnel, decide on a pair of link-local BGP IP addresses in a /30 block from the 169.254.0.0/16 range (four addresses total). For each tunnel, assign one of these BGP IP addresses to the Cloud Router, and the other BGP IP address to your peer VPN gateway. You must also configure your peer VPN device to use the peer BGP IP address. Use the following options in the commands below:
  - google-bgp-ip-0 represents the BGP IP of the Cloud Router's interface for the tunnel on Cloud VPN gateway Interface 0. on-prem-bgp-ip-0 represents the BGP IP of its peer.
  - google-bgp-ip-1 represents the BGP IP of the Cloud Router's interface for the tunnel on Cloud VPN gateway Interface 1. on-prem-bgp-ip-1 represents the BGP IP of its peer.
For the first VPN tunnel
1. Add a BGP interface to the Cloud Router. Supply a name for the interface by replacing router-interface-name-0.
```
gcloud compute routers add-interface router-name \
    --interface-name router-interface-name-0 \
    --vpn-tunnel tunnel-name-0 \
    --ip-address google-bgp-ip-0 \
    --mask-length 30 \
    --region region \
```
  The command output should look similar to the following example:
```
Updated [https://www.googleapis.com/compute/v1/projects/project-id/regions/us-central1/routers/router-a].
```
2. Add a BGP peer to the interface. Replace peer-name with a name for the peer, and [PEER_ASN] with the ASN configured for the peer VPN gateway.
```
gcloud compute routers add-bgp-peer router-name \
    --peer-name peer-name \
    --peer-asn peer-asn \
    --interface router-interface_name-0 \
    --peer-ip-address on-prem-bgp-ip-0 \
    --region region \
```
  The command output should look similar to the following example:
```
Creating peer [bgp-peer-tunnel-a-to-on-prem-if-0] in router [router-a]...done.
```
For the second VPN tunnel
1. Add a BGP interface to the Cloud Router. Specify a name for the interface by replacing router-interface-name-1.
```
gcloud compute routers add-interface router-name \
    --interface-name router-interface-name-1 \
    --vpn-tunnel tunnel-name-1 \
    --ip-address google-bgp-ip-1 \
    --mask-length 30 \
    --region region \
```
2. Add a BGP peer to the interface. Replace peer-name with a name for the peer, and peer-asn with the ASN configured for the peer VPN gateway.
```
gcloud compute routers add-bgp-peer router-name \
    --peer-name peer-name \
    --peer-asn peer-asn \
    --interface router-interface-name-1 \
    --peer-ip-address on-prem-bgp-ip-1 \
    --region region \
```

Verify the Cloud Router configuration

List the BGP IP addresses chosen by Cloud Router. If you added a new interface to an existing Cloud Router, the BGP IP addresses for the new interface should be listed with the highest index number. The Peer IP Address is the BGP IP address you should use to configure your peer VPN gateway.

 gcloud compute routers get-status router-name \
     --region region \
     --format='flattened(result.bgpPeerStatus[].name,
       result.bgpPeerStatus[].ipAddress, result.bgpPeerStatus[].peerIpAddress)'

Expected output for a Cloud Router managing a two Cloud VPN tunnels (index 0) and (index 1) looks like the following example, where:

google-bgp-ip-0 represents the BGP IP of Cloud Router's interface for the tunnel on Cloud VPN gateway Interface 0 and on-prem-bgp-ip-0 represents the BGP IP of its peer.
google-bgp-ip-1 represents the BGP IP of Cloud Router's interface for the tunnel on Cloud VPN gateway Interface 1 and on-prem-bgp-ip-1 represents the BGP IP of its peer.

result.bgpPeerStatus[0].ipAddress:     169.254.0.1 [GOOGLE_BGP_IP_0]
result.bgpPeerStatus[0].name:          bgp-peer-tunnel-a-to-on-prem-if-0
result.bgpPeerStatus[0].peerIpAddress: 169.254.0.2 [ON_PREM_BGP_IP_0]
result.bgpPeerStatus[1].ipAddress:     169.254.1.1 [GOOGLE_BGP_IP_1]
result.bgpPeerStatus[1].name:          bgp-peer-tunnel-a-to-on-prem-if-1
result.bgpPeerStatus[1].peerIpAddress: 169.254.1.2 [ON_PREM_BGP_IP_1]

You can also use the following command to get a full listing of the Cloud Router configuration:

gcloud compute routers describe router-name \
    --region region

The full listing should look like the following example:

bgp:
  advertiseMode: DEFAULT
  asn: 65001
bgpPeers:
- interfaceName: if-tunnel-a-to-on-prem-if-0
  ipAddress: 169.254.0.1
  name: bgp-peer-tunnel-a-to-on-prem-if-0
  peerAsn: 65002
  peerIpAddress: 169.254.0.2
- interfaceName: if-tunnel-a-to-on-prem-if-1
  ipAddress: 169.254.1.1
  name: bgp-peer-tunnel-a-to-on-prem-if-1
  peerAsn: 65004
  peerIpAddress: 169.254.1.2
creationTimestamp: '2018-10-18T11:58:41.704-07:00'
id: '4726715617198303502'
interfaces:
- ipRange: 169.254.0.1/30
  linkedVpnTunnel: https://www.googleapis.com/compute/v1/projects/project-id/regions/us-central1/vpnTunnels/tunnel-a-to-on-prem-if-0
  name: if-tunnel-a-to-on-prem-if-0
- ipRange: 169.254.1.1/30
  linkedVpnTunnel: https://www.googleapis.com/compute/v1/projects/project-id/regions/us-central1/vpnTunnels/tunnel-a-to-on-prem-if-1
  name: if-tunnel-a-to-on-prem-if-1
  kind: compute#router
  name: router-a
  network: https://www.googleapis.com/compute/v1/projects/project-id/global/networks/network-a
  region: https://www.googleapis.com/compute/v1/projects/project-id/regions/us-central1
  selfLink: https://www.googleapis.com/compute/v1/projects/project-id/regions/us-central1/routers/router-a

To complete the gateway configuration, continue to Completing the configuration.

API

To create the full configuration for an HA VPN gateway. use the following API commands.

STEP ONE: To create an HA VPN gateway, make a POST request with the vpnGateways.insert method:

 POST https://www.googleapis.com/compute/v1/projects/project-id/regions/region/vpnGateways
 {
   "name": "ha-vpn-gw-a",
   "network": "https://www.googleapis.com/compute/v1/projects/project-id/global/networks/network-a"
 }

STEP TWO: To create Cloud Router, make a POST request with the routers.insert method:

 POST https://www.googleapis.com/compute/v1/projects/project-id/regions/region/routers
 {
   "name": "router-a",
   "network": "https://www.googleapis.com/compute/v1/projects/project-id/global/networks/network-a"
 }

You can use an existing Cloud Router as long as the router does not already manage a BGP session for an interconnect attachment associated with a Partner Interconnect. Otherwise, create another Cloud Router.

STEP THREE: To create an External VPN Gateway resource, make a POST request with the externalVpnGateways.insert method.

For an external (peer) VPN gateway that has one interface, use the example below, but specify only one interface ID and one ipAddress, with a redundancyType of SINGLE_IP_INTERNALLY_REDUNDANT.
For an external VPN gateway with two interfaces, or two external VPN gateways with one interface each, use the TWO_IPS_REDUNDANCY example below.
For one or more external VPN gateways with four external VPN interfaces; for example, Amazon Web Services (AWS), use the example below, but specify four instances of the interface ID and ipAddress and use a redundancyType of FOUR_IPS_REDUNDANCY.

 POST https://www.googleapis.com/compute/v1/projects/project-id/global/externalVpnGateways
 {
   "name": "my-peer-gateway",
   "interfaces": [
     {
       "id": 0,
       "ipAddress": "192.0.2.1"
     },
     {
       "id": 1,
       "ipAddress": "192.0.2.2"
     }
   ],
   "redundancyType": "TWO_IPS_REDUNDANCY"
 }

STEP FOUR: To create two VPN tunnels, one for each interface on the HA VPN gateway, make a POST request with the vpnTunnels.insert method.

Enter the following command to create the first tunnel:

 POST https://www.googleapis.com/compute/v1/projects/project-id/regions/region/vpnTunnels
 {
   "name": "ha-vpn-gw-a-tunnel-0",
   "ikeVersion": 2,
   "peerExternalGateway": "https://www.googleapis.com/compute/v1/projects/project-id/global/external-vpn-gateways/my-peer-gateway",
   "peerExternalGatewayInterface": 0,
   "peerIp": "192.0.2.1",
   "router": "https://www.googleapis.com/compute/v1/projects/project-id/regions/region/routers/router-a",
   "sharedSecret": "shared_secret",
   "vpnGateway": "https://www.googleapis.com/compute/v1/projects/project-id/regions/region/vpn-gateways/ha-vpn-gw-a",
   "vpnGatewayInterface": 0
 }

To create the second tunnel, repeat this command, but change the following parameters:

name
peerExternalGatewayInterface
peerIp
sharedSecret or sharedSecretHash(if needed)

Change thevpnGatewayInterface to the value of the other HA VPN gateway interface. In this example, you would change this value to 1.

STEP FIVE: To create a Cloud Router BGP interface, make either a PATCH or UPDATE request with the routers.patch method or the routers.update method. PATCH updates only the parameters you include. UPDATE updates all parameters for Cloud Router.

Create a BGP interface for each VPN tunnel on the first HA VPN gateway. For the second BGP interface, use a different name, linkedVpnTunnel name, and ipRange from the same /30 subnet as the ipRange for the first tunnel. Repeat this step and command for each VPN tunnel on the second HA VPN gateway.

 PATCH https://www.googleapis.com/compute/v1/projects/project-id/regions/region/routers/{resourceId}
 {
   "interfaces": [
     {
       "name": "if-tunnel-a-to-on-prem-if-0",
       "linkedVpnTunnel": "ha-vpn-gw-a-tunnel-0",
       "ipRange": "169.254.0.1/30"
      }
    ]
 }

Note on setting the advertised base route priority:
The example below creates BGP sessions on instances of Cloud Router. These BGP sessions allow each Cloud Router to advertise routes to peer networks. The advertisements use unmodified base priorities.

Use the configuration documented in this section for active/active routing configurations where the route priorities of the two VPN tunnels from the Google Cloud side and peer side match. Omit the advertised base route priority on the Google Cloud side to configure the same advertised priorities from Google Cloud to both BGP peers.

To create an active/passive configuration, you must configure unequal advertised base route priorities for the two HA VPN tunnels. One route priority must be higher than the other. For example:

BGP session1/tunnel1, route priority = 10
BGP session2/tunnel2, route priority = 20

For more information about advertised base route priority, refer to Route metrics.

You can also specify which routes that are advertised using custom advertisements, by adding the advertiseMode: custom flag and specifying IP address ranges with the advertisedIpRanges flag.

STEP SIX: To add a BGP peer to Cloud Router for a VPN tunnel, make a POST request with the routers.insert method. Repeat this command for the other VPN tunnel, changing all options except nameand peerAsn.

 POST https://www.googleapis.com/compute/v1/projects/project-id/regions/region/routers
 {
   "name": "router-a",
   "network": "network-a",
   "bgpPeers": [
   {
     "interfaceName": "if-tunnel-a-to-on-prem-if-0",
     "ipAddress": "169.254.0.1",
     "name": "bgp-peer-tunnel-a-to-on-prem-if-0",
     "peerAsn": "65002",
     "peerIpAddress": "169.254.0.2",
     "advertiseMode": "DEFAULT"
    }
  ]
 }

STEP SEVEN: Verify the Cloud Router configuration with the routers.getRouterStatus method, using an empty request body:

POST https://www.googleapis.com/compute/v1/projects/project-id/regions/region/routers

Completing the configuration

You must complete the following steps before you can use a new Cloud VPN gateway and its associated VPN tunnels:

Set up the peer VPN gateway and configure the corresponding tunnel or tunnels there. Refer to these pages:
- For specific configuration guidance for certain peer VPN devices, see the VPN Interoperability Guides.
- For supported peer topologies, see the Topologies page.
- For general configuration parameters, see Configuring the Peer VPN Gateway.
Configure firewall rules in Google Cloud and your peer network as required. See the firewall rules page for suggestions.
Check the status of your VPN tunnels.
Note: This step includes checking the high-availability configuration of your HA VPN gateway.

Applying a VPN organization policy

Applying an organization policy constraint that restricts the IP addresses of peer VPN gateways

You can create a Google Cloud organization policy constraint that defines a set of IP addresses that are allowed or denied to peer VPN gateways through Classic VPN or HA VPN tunnels. This constraint contains an allow list or a deny list of these peer IP addresses, which goes into effect for Cloud VPN tunnels created after you apply the constraint. For details, see the Cloud VPN overview.

Required permissions

To set a peer IP constraint at the organization or project level, you must first be granted the Organization Policy Administrator (orgpolicy.policyAdmin) role for your organization.

How to set constraints

To create an organization policy and associate it with an organization, a folder, or a project, use the examples listed in the next sections and follow the steps in Using constraints.

Constraining connectivity from specific peer IP addresses through a Cloud VPN tunnel

To only allow specific peer IP addresses, perform the following steps:

Find your organization ID by entering the following command:
```
gcloud organizations list
```
The command output should look like the following example.
```
      DISPLAY NAME             ID
      example-organization     29252605212
    
```

Create a JSON file that defines your policy. You must provide a policy as a JSON file, as in the following example:

     {
       "constraint": "constraints/compute.restrictVpnPeersIPs",
       "listPolicy": {
         "allowedValues": [
           "100.1.1.1",
         ],
       }
     }

Use the gcloud Resource Manager set-policy command to set the organization policy, passing in the JSON file and using the organization-id that you found in the previous step.

Constraining connectivity from any peer IPs through a Cloud VPN tunnel

To prohibit the creation of any new Cloud VPN tunnel, follow the steps in this example constraint.

Find your organization ID or the ID for the node in your resource hierarchy where you want to set a policy.

Create a JSON file like the following example.

    {
      "constraint": "constraints/compute.restrictVpnPeersIPs",
      "listPolicy": {
        "allValues": "DENY"
      }
    }

Pass in the JSON file by entering the same command that you would use for restricting specific peer IP addresses.

Creating Google Cloud to Google Cloud HA VPN gateways