This page describes how to create a Classic VPN gateway and one tunnel that uses static routing. The tunnel can be either policy-based or route-based.
With a route-based VPN, you specify only the remote traffic selector. If you need to specify a local traffic selector, create a Cloud VPN tunnel that uses policy-based routing instead.
For best practices to consider before setting up Cloud VPN, see Best practices for Cloud VPN.
Routing option differences
When you create a policy-based tunnel using the Google Cloud Console, Classic VPN performs all of the following tasks:
- Sets the tunnel's local traffic selector to the IP range that you specify
- Sets the tunnel's remote traffic selector to the IP ranges that you specify in Remote network IP ranges
- For each range in Remote network IP ranges, creates a custom static route whose destination (prefix) is the range's CIDR and whose next hop is the tunnel
When you create a route-based tunnel using the Cloud Console, Classic VPN performs both of the following tasks:
- Sets the tunnel's local and remote traffic selectors to any IP address (0.0.0.0/0)
- For each range in Remote network IP ranges, creates a custom static route whose destination (prefix) is the range's CIDR and whose next hop is the tunnel
When you create either a policy-based or a route-based tunnel using the gcloud command-line tool, the traffic selectors for the tunnel are defined in the same way. However, because the custom static routes are created with separate commands, you have more control over those routes. For more information, see Networks and tunnel routing.
Specifying multiple CIDRs per traffic selector
The number of CIDRs that you can specify in a traffic selector depends on the IKE version. Carefully review Routing options and traffic selectors and Multiple CIDRs per traffic selector for additional, important background information.
Before you begin
Setting up the following items in Google Cloud makes it easier to configure Cloud VPN:
- Sign in to your Google Account. If you don't already have one, sign up for a new account.
- In the Google Cloud Console, on the project selector page, select or create a Google Cloud project.
- Make sure that billing is enabled for your Cloud project. Learn how to confirm that billing is enabled for your project.
- Install and initialize the Cloud SDK.
- If you are using gcloud commands, set your project ID with the following command. The gcloud instructions on this page assume that you have set your project ID before issuing commands.
  gcloud config set project PROJECT_ID
  You can also view a project ID that has already been set:
  gcloud config list --format='text(core.project)'
Creating a custom Virtual Private Cloud network and subnet
Before creating a Classic VPN gateway and tunnel, you must create a Virtual Private Cloud network and at least one subnet in the region where the Classic VPN gateway will reside.
- To create a custom mode (recommended) VPC network, see Creating a custom mode network.
- To create subnets, see Working with subnets.
Creating a gateway and tunnel
The VPN setup wizard is the only Console option for creating a Classic VPN gateway. The wizard includes all required configuration steps for creating a Classic VPN gateway, tunnels, BGP sessions, and an external VPN gateway resource. However, you can complete certain steps, such as configuring BGP sessions, later.
The Create VPN gateway button only supports creating HA VPN gateways.
VPN wizard
Configure the Gateway
- Go to the VPN page in the Google Cloud Console.
- If you are creating a gateway for the first time, select the Create VPN connection button.
- Select the VPN setup wizard.
- Select the radio button for Classic VPN.
- Click Continue.
- On the Create a VPN connection page, specify the following gateway settings:
- Name — The name of the VPN gateway. The name cannot be changed later.
- Description — Optionally, add a description.
- Network — Specify an existing VPC network in which to create the VPN gateway and tunnel.
- Region — Cloud VPN gateways and tunnels are regional objects. Choose a Google Cloud region where the gateway will be located. Instances and other resources in different regions can use the tunnel for egress traffic subject to the order of routes. For best performance, locate the gateway and tunnel in the same region as relevant Google Cloud resources.
- IP address — Create or choose an existing regional external IP address.
Configure Tunnels
Specify the following settings in the Tunnels section for the new tunnel:
- Name — The name of the VPN tunnel. The name cannot be changed later.
- Description — Optionally, type a description.
- Remote peer IP address — Specify the external IP address of the peer VPN gateway.
- IKE version — Choose the appropriate IKE version supported by the peer VPN gateway. IKEv2 is preferred if it's supported by the peer device.
- Shared secret — Provide a pre-shared key used for authentication. The shared secret for the Cloud VPN tunnel must match the one used when you configure the counterpart tunnel on the peer VPN gateway. You can follow these directions to generate a cryptographically strong shared secret.
For policy-based tunnels
- Under Routing options, select Policy-based.
- Under Remote network IP ranges, provide a space-separated list of the IP ranges used by the peer network. This is the remote traffic selector: the "right side" from the perspective of Cloud VPN.
- Under Local IP ranges, select one of the following methods:
- Use the Local subnetworks menu to choose an existing local IP range, or
- Use the Local IP ranges field to enter a list of space-separated IP ranges used in your VPC network. Refer to traffic selectors for important considerations.
For route-based tunnels
- Routing options — Select Route-based.
- Remote network IP ranges — Provide a space-separated list of the IP ranges used by the peer network. These ranges are used to create custom static routes whose next hop is this VPN tunnel.
If you need to create more tunnels on the same gateway, click Add tunnel and repeat the previous step. You can also add more tunnels later.
Click Create.
gcloud
In the following commands, replace:
- PROJECT_ID with the ID of your project.
- NETWORK with the name of your Google Cloud network.
- REGION with the Google Cloud region where you need to create the gateway and tunnel.
- (Optional) --target-vpn-gateway-region is the region of the Classic VPN gateway to operate on. Its value should be the same as --region. If not specified, this option is set automatically. This option overrides the default compute/region property value for this command invocation.
- GW_NAME with the name of the gateway.
- GW_IP_NAME with a name for the external IP address used by the gateway.
Complete the following command sequence to create the resources for the Cloud VPN gateway:
- Create the target VPN gateway object:
  gcloud compute target-vpn-gateways create GW_NAME \
      --network NETWORK \
      --region REGION \
      --project PROJECT_ID
- Reserve a regional external (static) IP address:
  gcloud compute addresses create GW_IP_NAME \
      --region REGION \
      --project PROJECT_ID
- Note the IP address, so that you can use it when you configure your peer VPN gateway:
  gcloud compute addresses describe GW_IP_NAME \
      --region REGION \
      --project PROJECT_ID \
      --format='flattened(address)'
- Create three forwarding rules. These rules instruct Google Cloud to send ESP (IPsec), UDP 500 (IKE), and UDP 4500 (IKE with NAT traversal) traffic to the gateway:
  gcloud compute forwarding-rules create fr-GW_NAME-esp \
      --ip-protocol ESP \
      --address GW_IP_NAME \
      --target-vpn-gateway GW_NAME \
      --region REGION \
      --project PROJECT_ID
  gcloud compute forwarding-rules create fr-GW_NAME-udp500 \
      --ip-protocol UDP \
      --ports 500 \
      --address GW_IP_NAME \
      --target-vpn-gateway GW_NAME \
      --region REGION \
      --project PROJECT_ID
  gcloud compute forwarding-rules create fr-GW_NAME-udp4500 \
      --ip-protocol UDP \
      --ports 4500 \
      --address GW_IP_NAME \
      --target-vpn-gateway GW_NAME \
      --region REGION \
      --project PROJECT_ID
Create the Cloud VPN tunnel with the following details:
- Replace TUNNEL_NAME with a name for the tunnel.
- Replace ON_PREM_IP with the external IP address of the peer VPN gateway.
- Replace IKE_VERS with 1 for IKEv1 or 2 for IKEv2.
- Replace SHARED_SECRET with your shared secret. The shared secret for the Cloud VPN tunnel must match the one used when you configure the counterpart tunnel on the peer VPN gateway. You can follow these directions to generate a cryptographically strong shared secret.
For a policy-based VPN:
- Replace LOCAL_IP_RANGES with a comma-delimited list of the Google Cloud IP ranges. For example, you can supply the CIDR block for each subnet in a VPC network. This is the "left side" from the perspective of Cloud VPN.
- Replace REMOTE_IP_RANGES with a comma-delimited list of the peer network IP ranges. This is the "right side" from the perspective of Cloud VPN.
Policy-based VPN command:
gcloud compute vpn-tunnels create TUNNEL_NAME \
    --peer-address ON_PREM_IP \
    --ike-version IKE_VERS \
    --shared-secret SHARED_SECRET \
    --local-traffic-selector=LOCAL_IP_RANGES \
    --remote-traffic-selector=REMOTE_IP_RANGES \
    --target-vpn-gateway GW_NAME \
    --region REGION \
    --project PROJECT_ID
For a route-based VPN:
- Both the local and remote traffic selectors are 0.0.0.0/0, as defined in routing options and traffic selectors.
Route-based VPN command:
gcloud compute vpn-tunnels create TUNNEL_NAME \
    --peer-address ON_PREM_IP \
    --ike-version IKE_VERS \
    --shared-secret SHARED_SECRET \
    --local-traffic-selector=0.0.0.0/0 \
    --remote-traffic-selector=0.0.0.0/0 \
    --target-vpn-gateway GW_NAME \
    --region REGION \
    --project PROJECT_ID
Create a static route for each remote IP range that the tunnel should carry. For a policy-based tunnel, these are the ranges that you specified in the --remote-traffic-selector option in the previous step; for a route-based tunnel, the remote traffic selector is 0.0.0.0/0, so the static routes alone decide which remote ranges are sent into the tunnel. In both cases, the traffic selectors only govern what IPsec negotiates; the static route is what directs egress traffic for a remote range into the tunnel. Repeat this command for each remote IP range, replacing ROUTE_NAME with a unique name for the route and REMOTE_IP_RANGE with the appropriate remote IP range.
gcloud compute routes create ROUTE_NAME \
    --destination-range REMOTE_IP_RANGE \
    --next-hop-vpn-tunnel TUNNEL_NAME \
    --network NETWORK \
    --next-hop-vpn-tunnel-region REGION \
    --project PROJECT_ID
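The whole gcloud sequence above for a route-based tunnel, collected into one script. This is an example added to this page, not Google's own tooling: it validates every remote CIDR before creating anything, reserves the address, creates the three forwarding rules, creates the tunnel with both selectors set to 0.0.0.0/0, and then creates one static route per remote range. By default it only prints the commands; DRY_RUN=0 executes them. The project, network, region, gateway and tunnel names, the peer address 203.0.113.10, and the remote ranges are placeholders that you override in the environment.

```shell
#!/bin/sh
# Route-based Classic VPN: gateway, forwarding rules, tunnel and static routes.
# Example added to this page, not Google's own tooling. Every default below is
# an assumed placeholder; override it in the environment.
# Dry run (prints each gcloud command) unless DRY_RUN=0.
set -eu

PROJECT_ID=${PROJECT_ID:-my-project}
NETWORK=${NETWORK:-my-vpc}
REGION=${REGION:-us-central1}
GW_NAME=${GW_NAME:-classic-gw-1}
GW_IP_NAME=${GW_IP_NAME:-classic-gw-1-ip}
TUNNEL_NAME=${TUNNEL_NAME:-tunnel-1}
ON_PREM_IP=${ON_PREM_IP:-203.0.113.10}          # peer gateway (documentation address)
IKE_VERS=${IKE_VERS:-2}                          # IKEv2 wherever the peer supports it
REMOTE_IP_RANGES=${REMOTE_IP_RANGES:-"192.168.0.0/16 172.16.0.0/12"}  # space-separated

# Print the command in a dry run; execute it otherwise.
run() { if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Accept only IPv4 CIDRs of the form a.b.c.d/n (0..255 per octet, 0..32 prefix).
valid_cidr() {
  _ip=${1%/*}; _len=${1#*/}
  [ "$_ip" != "$1" ] || return 1                   # no slash at all
  case $_len in ''|*[!0-9]*) return 1;; esac
  [ "$_len" -le 32 ] || return 1
  case $_ip in ''|*[!0-9.]*) return 1;; esac       # digits and dots only (also blocks globs)
  _oldifs=$IFS; IFS=.; set -- $_ip; IFS=$_oldifs
  [ $# -eq 4 ] || return 1
  for _o in "$@"; do
    [ -n "$_o" ] || return 1                       # empty octet, e.g. "10..0.0"
    [ "$_o" -le 255 ] || return 1
  done
  return 0
}

# 256-bit random pre-shared key as 64 hex characters (od is POSIX; no openssl needed).
gen_shared_secret() { od -An -tx1 -N32 /dev/urandom | tr -d ' \n'; }

create_gateway() {
  run gcloud compute target-vpn-gateways create "$GW_NAME" \
      --network "$NETWORK" --region "$REGION" --project "$PROJECT_ID"
  run gcloud compute addresses create "$GW_IP_NAME" \
      --region "$REGION" --project "$PROJECT_ID"
  # IKE (UDP 500), NAT traversal (UDP 4500) and ESP must all be forwarded to the gateway.
  run gcloud compute forwarding-rules create "fr-$GW_NAME-esp" --ip-protocol ESP \
      --address "$GW_IP_NAME" --target-vpn-gateway "$GW_NAME" --region "$REGION" --project "$PROJECT_ID"
  run gcloud compute forwarding-rules create "fr-$GW_NAME-udp500" --ip-protocol UDP --ports 500 \
      --address "$GW_IP_NAME" --target-vpn-gateway "$GW_NAME" --region "$REGION" --project "$PROJECT_ID"
  run gcloud compute forwarding-rules create "fr-$GW_NAME-udp4500" --ip-protocol UDP --ports 4500 \
      --address "$GW_IP_NAME" --target-vpn-gateway "$GW_NAME" --region "$REGION" --project "$PROJECT_ID"
}

# $1 = shared secret. Route-based, so both traffic selectors are 0.0.0.0/0.
create_tunnel() {
  run gcloud compute vpn-tunnels create "$TUNNEL_NAME" \
      --peer-address "$ON_PREM_IP" --ike-version "$IKE_VERS" --shared-secret "$1" \
      --local-traffic-selector=0.0.0.0/0 --remote-traffic-selector=0.0.0.0/0 \
      --target-vpn-gateway "$GW_NAME" --region "$REGION" --project "$PROJECT_ID"
}

# One custom static route per remote range; without these nothing is sent into the tunnel.
create_routes() {
  _i=0
  for _range in $REMOTE_IP_RANGES; do
    valid_cidr "$_range" || { echo "invalid CIDR: $_range" >&2; return 1; }
    _i=$((_i + 1))
    run gcloud compute routes create "$TUNNEL_NAME-route-$_i" \
        --destination-range "$_range" --next-hop-vpn-tunnel "$TUNNEL_NAME" \
        --next-hop-vpn-tunnel-region "$REGION" --network "$NETWORK" --project "$PROJECT_ID"
  done
}

main() {
  for _range in $REMOTE_IP_RANGES; do                # fail before creating anything
    valid_cidr "$_range" || { echo "invalid CIDR: $_range" >&2; exit 1; }
  done
  if [ "${DRY_RUN:-1}" = 1 ]; then
    _secret=SHARED_SECRET                           # never print a real key in a dry run
  else
    umask 077
    _secret=$(gen_shared_secret)
    printf '%s\n' "$_secret" > "$TUNNEL_NAME.psk"   # configure the peer from this, then delete it
  fi
  create_gateway
  create_tunnel "$_secret"
  create_routes
}
main
```

Run it as `sh classic-vpn.sh` to review the commands, then `DRY_RUN=0 sh classic-vpn.sh` to apply them. The key is written with mode 0600 to TUNNEL_NAME.psk because the peer side needs the same value; note that --shared-secret, here as in the page's own commands, passes it on the gcloud command line, where it is visible to process listings and shell history on the host you run from.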
Follow-up steps
You must complete the following steps before you can use a new Cloud VPN gateway and tunnel:
- Set up the peer VPN gateway and configure the corresponding tunnel there. Refer to these pages:
  - For specific configuration guidance for certain VPN devices, refer to the VPN Interoperability Guides.
  - For general configuration parameters, refer to Configuring the Peer VPN Gateway.
- Configure firewall rules in Google Cloud and your peer network as required. Refer to the Firewall Rules page for suggestions.
- Check the status of your tunnel, including forwarding rules.
- You can view your VPN routes by visiting the project routing table and filtering for 'Next hop type:VPN tunnel'.
Applying an organization policy constraint that restricts the IP addresses of peer VPN gateways
You can create a Google Cloud organization policy constraint that defines a set of IP addresses that are allowed or denied to peer VPN gateways through Classic VPN or HA VPN tunnels. This constraint contains an allow list or a deny list of these peer IP addresses, which goes into effect for Cloud VPN tunnels created after you apply the constraint. For details, see the Cloud VPN overview.
Required permissions
To set a peer IP constraint at the organization or project level, you must first be granted the Organization Policy Administrator (orgpolicy.policyAdmin) role for your organization.
How to set constraints
To create an organization policy and associate it with an organization, a folder, or a project, use the examples listed in the next sections and follow the steps in Using constraints.
Constraining connectivity from specific peer IP addresses through a Cloud VPN tunnel
To allow only specific peer IP addresses, perform the following steps:
- Find your organization ID by entering the following command:
  gcloud organizations list
  The command output should look like the following example.
  DISPLAY NAME          ID
  example-organization  29252605212
- Create a JSON file that defines your policy. You must provide the policy as a JSON file, as in the following example (note that JSON does not allow trailing commas after the last list element or object member):
  {
    "constraint": "constraints/compute.restrictVpnPeersIPs",
    "listPolicy": {
      "allowedValues": [
        "100.1.1.1"
      ]
    }
  }
- Use the gcloud Resource Manager set-policy command to set the organization policy, passing in the JSON file and using the ORGANIZATION_ID that you found in the previous step.
Constraining connectivity from any peer IPs through a Cloud VPN tunnel
To prohibit the creation of any new Cloud VPN tunnel (by denying every peer IP address), use the following constraint:
- Find your organization ID, or the ID of the node in your resource hierarchy where you want to set the policy.
- Create a JSON file like the following example.
  {
    "constraint": "constraints/compute.restrictVpnPeersIPs",
    "listPolicy": {
      "allValues": "DENY"
    }
  }
- Pass in the JSON file by entering the same command that you would use for restricting specific peer IP addresses.
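Both policy shapes above, the allow list of specific peer addresses and the deny-all form, generated and applied from one script. This is an example added to this page, not Google's own tooling. The organization ID 29252605212 and the peer addresses 100.1.1.1 and 198.51.100.7 are placeholders. Generating the JSON rather than editing it by hand avoids the trailing-comma mistake, and reading the policy back with --effective shows what a tunnel creation in a child project is actually checked against after inheritance.

```shell
#!/bin/sh
# Generate and apply a constraints/compute.restrictVpnPeersIPs organization policy.
# Example added to this page, not Google's own tooling. The organization ID and the
# peer addresses are placeholders. Prints the gcloud commands unless DRY_RUN=0.
set -eu

ORGANIZATION_ID=${ORGANIZATION_ID:-29252605212}   # placeholder; take yours from `gcloud organizations list`
CONSTRAINT=constraints/compute.restrictVpnPeersIPs

run() { if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Allow list of peer gateway addresses, emitted as valid JSON (no trailing comma,
# however many addresses are given). Usage: allow_policy IP [IP ...]
allow_policy() {
  [ $# -ge 1 ] || { echo "allow_policy: at least one peer IP is required" >&2; return 1; }
  printf '{\n  "constraint": "%s",\n  "listPolicy": {\n    "allowedValues": [\n' "$CONSTRAINT"
  _first=1
  for _ip in "$@"; do
    if [ "$_first" = 1 ]; then _first=0; else printf ',\n'; fi
    printf '      "%s"' "$_ip"
  done
  printf '\n    ]\n  }\n}\n'
}

# Deny every peer address: no new Cloud VPN tunnel can be created under this node.
# Existing tunnels are not affected; the constraint applies to tunnels created afterwards.
deny_all_policy() {
  printf '{\n  "constraint": "%s",\n  "listPolicy": {\n    "allValues": "DENY"\n  }\n}\n' "$CONSTRAINT"
}

# Apply a policy file at the organization node, then read back the effective policy.
apply_policy() {
  run gcloud resource-manager org-policies set-policy "$1" --organization="$ORGANIZATION_ID"
  run gcloud resource-manager org-policies describe "$CONSTRAINT" --organization="$ORGANIZATION_ID" --effective
}

main() {
  umask 077
  _file=${TMPDIR:-/tmp}/restrict-vpn-peers.json
  if [ "${MODE:-allow}" = deny ]; then
    deny_all_policy > "$_file"
  else
    allow_policy 100.1.1.1 198.51.100.7 > "$_file"   # placeholder peer addresses
  fi
  apply_policy "$_file"
}
main
```

`sh restrict-peers.sh` prints the allow-list commands; `MODE=deny sh restrict-peers.sh` prints the deny-all variant; add `DRY_RUN=0` to apply either. Use --folder or --project instead of --organization to set the policy lower in the hierarchy.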