Moving to HA VPN

This page describes the strategy to move from Classic VPN to HA VPN.


General requirements and guidelines

Consider the following as you plan a migration to HA VPN:

  • Your peer VPN device or service must support the Border Gateway routing Protocol (BGP). If it does not, you cannot use HA VPN.

  • The external IP address of your Cloud VPN gateway(s) cannot be preserved. Two new external IP addresses are created when you create an HA VPN gateway. Google Cloud selects these IP from two different pools as part of the HA design.

  • You cannot migrate an existing Cloud VPN tunnel or tunnels on a Classic VPN gateway to an HA VPN gateway. Instead, you need to create new tunnels and delete the old ones.

  • Migrating to HA VPN means that you can only use features supported on HA VPN connections. For example, you cannot connect a Classic VPN gateway to a HA VPN gateway.

Creating Cloud Routers

When configuring a new HA VPN gateway, you can create a new Cloud Router or you can use a Cloud Router that you are already using with existing Cloud VPN tunnels or VLAN attachments. However, the Cloud Router that you use must not already manage a BGP session for a VLAN attachment associated with a Partner Interconnect connection, because of the attachment's specific ASN requirements.

Migration procedure

To move from Classic VPN to HA VPN gateways and tunnels, perform the following steps:

  1. Create a new HA VPN gateway, Cloud Router, and VPN tunnels to connect your Virtual Private Cloud network to your peer network. Follow the directions in Creating an HA VPN gateway to a Peer VPN gateway. The new HA VPN gateway you create will have two new external IP addresses.
  2. Verify that the new tunnels are working and check the configuration of your HA VPN gateway for high availability
  3. Delete the tunnel or tunnels connected to the Classic VPN gateway. if the previous VPN tunnel or tunnels were policy based or route based, remove any leftover custom static routes.
  4. Delete the Classic VPN gateway and release any static external IP addresses it used.

What's next