This page describes advanced configuration details necessary for high-availability, high throughput, or multiple subnet VPN scenarios. The Cloud VPN overview describes the basic concepts of Cloud VPN.
Advanced settings and configurations
While you can configure the VPN types described in Choosing a VPN routing option using only the steps outlined in the set-up instructions, the more advanced configurations listed above require additional details.
Order of routes
It is possible to create a VPN tunnel that has the same IP range as another tunnel, a subset of the other tunnel's range, or a superset of the other tunnel's range.
For details, see Configuring VPN tunnels with overlapping IP ranges.
Configuring IKE, including multiple subnet support
You can view detailed information about how Cloud VPN supports multiple IKE ciphers at Supported IKE ciphers.
Cloud VPN only supports one-to-one NAT via UDP encapsulation for NAT-Traversal (NAT-T). One-to-many NAT and port-based address translation are not supported. In other words, Cloud VPN cannot connect to multiple peer VPN gateways that share a single public IP address.
When using one-to-one NAT, a peer VPN gateway must be configured to identify itself using a public IP address, not its internal (private) address. When you configure a Cloud VPN tunnel to connect to a peer VPN gateway, you specify an external IP address. Cloud VPN expects an on-premises VPN gateway to use its external IP address for its identity.
For more details about VPN gateways behind one-to-one NAT, refer to the troubleshooting page.
Maximum Transfer Unit (MTU) considerations
The Cloud VPN MTU size is 1460. See MTU Considerations for a description of how to configure your peer VPN gateway to support this MTU size, if required.
High availability, failover, and higher-throughput VPNs
HA VPN is the recommended method of implementing highly-available and higher-throughput VPNs. If your peer VPN gateway supports BGP, you can configure an HA VPN gateway with a 99.99% uptime SLA (at GA) using an active/active or active/passive tunnel configuration.
For Classic VPN gateways, you can provide VPN redundancy and failover by using these options. However, you receive a 99.9% availability SLA for this configuration.