Migrate from an IPv4 HA VPN gateway to an IPv6 HA VPN gateway

This page describes how to migrate your workloads from an HA VPN with IPv4 interfaces to an HA VPN with IPv6 interfaces.

  • To support both IPv4 and IPv6 workloads, you can use dual-stack HA VPN with external IPv6 interfaces.
  • To support only IPv6 workloads, you can use an IPv6-only HA VPN.

This page describes how to migrate a single HA VPN gateway with two tunnels. If you have more HA VPN gateways and tunnels, you can migrate them one after the other.

Before you begin

  • Analyze your existing tunnel load and plan the creation or deletion of tunnels while making sure that you don't overload any tunnel, which can result in packet loss.
  • Use non-critical workloads to test the workflow to avoid unplanned downtime on production servers due to misconfiguration.
  • If you use tunnels that allow only IPv6 workloads, IPv4 packets are dropped.
  • Verify that your organization policies allow IPv6 peer IP addresses and other hybrid features that you plan to use.
  • Note that the traffic through any individual tunnel must not exceed the 250,000 packets per second for the sum of inbound and outbound traffic. Depending on average packet size in the tunnel, 250,000 packets per second is equivalent to between 1 Gbps and 3 Gbps of bandwidth.

Set up and migrate to IPv6 HA VPN gateway

  1. Create the external IPv6 HA VPN gateways.

    • Plan for your workloads
      • If you plan to use IPv4 workloads, use the IPV4_IPV6 stack type while creating the VPN gateway.
      • If you plan to use both IPv4 and IPv6 workloads, use the multiprotocol BGP sessions.
    • Plan your BGP sessions
      • If you want to use IPv4-based BGP sessions, use the IPV4_IPV6 stack type while creating the VPN gateway.
      • If you plan to use IPv6-based BGP sessions, use the IPV4_IPV6 or IPV6_ONLY stack types while creating the VPN gateway.

    Follow the steps in Create HA VPN gateways to connect VPC networks.

  2. Make a note of the existing dynamic routes associated with the tunnels that you plan to replace.

    1. In the Google Cloud console, go to the Routes page.

      Go to Routes

    2. On the Effective routes tab, do the following:

      • Choose a VPC network.
      • Choose a region.

    3. Click View.

    4. In the Next hop column, look for the name of your tunnel. Copy the destination ranges associated with the routes.

    For more information, see Dynamic (BGP) routing.

  3. Create a new Cloud Router for the IPv6 tunnels. You can also use an existing Cloud Router.

  4. Create VPN tunnels between the HA VPN gateways and the peer gateways.

  5. Create BGP sessions.

    • Make sure the VPN tunnel and BGP session are established, and verify that the dynamic routes from step 2 are installed for the new external IPv6 tunnel.
    • Optional: If you have small workloads, consider using a higher base priority route to test that outbound traffic actually uses the IPv6 tunnels. Make sure that your throughput limit can accommodate all traffic to the advertised routes. After verifying that the new tunnels support traffic successfully, update their base priority to the same as the other tunnels.

  6. Delete the IPv4 infrastructure: BGP sessions, VPN tunnels, VPN gateways, and Cloud Routers if you created new instances.