This page describes concepts related to Google Cloud VPN.
To create a virtual private network (VPN), see Choosing a VPN Routing Option.
Cloud VPN securely connects your on-premises network to your Google Cloud Platform (GCP) Virtual Private Cloud (VPC) network through an IPsec VPN connection. Traffic traveling between the two networks is encrypted by one VPN gateway, then decrypted by the other VPN gateway. This protects your data as it travels over the Internet.
Cloud VPN includes the following features:
- Provides an SLA of 99.9% service availability.
- Supports site-to-site VPN as a simple topology or with redundancy.
- Supports both dynamic routes that use Cloud Router , and static routes, to manage traffic between your Compute Engine Virtual Machine (VM) instances and your existing infrastructure.
- Supports both IKEv1 and IKEv2 using a shared secret (IKE pre-shared key). Supports these IKE ciphers.
- Uses ESP in Tunnel mode with authentication. Cloud VPN does not support AH or ESP in Transport mode. Note that Cloud VPN does not perform policy-related filtering on incoming authentication packets. Outgoing packets are filtered based on the IP range configured on the Cloud VPN gateway.
This diagram shows a simple VPN connection between your Cloud VPN gateway and your on-premises VPN gateway.
With Cloud VPN, your on-premises hosts communicate through one or more IPsec VPN tunnels to Compute Engine Virtual Machine (VM) instances in your project's VPC networks.
Choosing VPN for hybrid networking
See How to choose an Interconnect type to determine whether to use Cloud VPN, Cloud Interconnect – Dedicated or Cloud Interconnect – Partner as your hybrid networking connection to GCP. This page also covers what type of VPN scenarios Cloud VPN supports.
The following terms are used throughout the VPN documentation:
- Project ID
- The ID of your GCP project. This is not the project name, which is the user-created friendly name of your project. To find the ID, see the Project ID column in the GCP Console. For more information, see Identifying Projects.
- Internet Key Exchange (IKE)
- IKE is the protocol used for authentication and to negotiate a session key for encrypting traffic.
- Cloud VPN gateway
- A virtual VPN gateway running in GCP managed by Google, using a configuration you specify in your project. Each Cloud VPN gateway is a regional resource using a regional external IP address. A Cloud VPN gateway can connect to an on-premises VPN gateway or another Cloud VPN gateway.
- On-premises VPN gateway
- The VPN gateway not in GCP, connected to a Cloud VPN gateway, can be a physical device in your data center or a physical or software-based VPN offering in another cloud provider's network. Cloud VPN instructions are written from the point of view of your VPC network, so the “on-premises gateway” is the gateway connecting to Cloud VPN.
- VPN tunnel
- A VPN tunnel connects two VPN gateways and serves as a virtual medium through which encrypted traffic is passed. Two VPN tunnels must be established to create a connection between two VPN gateways: Each tunnel defines the connection from the perspective of its gateway, and traffic can only pass once the pair of tunnels is established. A Cloud VPN tunnel is always associated with a specific Cloud VPN gateway resource.
Tunnel routing options
Cloud VPN offers three different routing methods for VPN tunnels:
- Dynamic (BGP) routing
- A Cloud Router can manage routes for a Cloud VPN tunnel using Border Gateway Protocol (BGP) if the corresponding or on-premises VPN gateway supports it. This routing method allows for routes to be updated and exchanged without changing the tunnel configuration. Routes to GCP subnets are exported to the on-premises VPN gateway, and routes to on-premises subnets learned from the on-premises VPN gateway are applied to your VPC network, both according to the dynamic routing option of the network. Dynamic routing is recommended because it does not require that tunnels be re-created when routes change.
- Policy based routing
- With this routing option, you specify remote network IP ranges and local subnets when creating the Cloud VPN tunnel. From the perspective of Cloud VPN, the remote network IP ranges are the “right side,” and the local subnets are the “left side” of the VPN tunnel. GCP automatically creates static routes for each of the remote network ranges when the tunnel is created. When creating the corresponding tunnel at the on-premises VPN gateway, the right and left side ranges are reversed.
- Route based VPN
- With this routing option, you only specify the remote network IP ranges (right side). All incoming traffic is accepted through the tunnel, subject to routes you create manually.
For more details about network types and routing options, see the Choosing a VPC Network Type and Routing Option page.
It is technically possible to create a hub-and-spoke configuration that links two or more on-premises locations to each other via VPNs and a GCP network, but such a setup is a violation of the Terms of Service. You can create a hub-and-spoke linking of GCP networks as long as no more than one on-premises location is involved.
Cloud VPN has the following specifications:
- If IP address ranges for on-premise subnets overlap with IP addresses used by subnets in your VPC network, refer to Order of routes to determine how routing conflicts are resolved.
Cloud VPN can be used in conjunction with Private Google Access for on-premises hosts so that on-premises hosts can use internal IP addresses rather than external IP addresses to reach Google APIs and services. For more information, see Private Access Options in the VPC documentation.
Each Cloud VPN gateway must be connected to another Cloud VPN gateway or an on-premises VPN gateway.
The on-premises VPN gateway must have a static external IP address. You'll need to know its IP address in order to configure Cloud VPN.
- If your on-premises VPN gateway is behind a firewall, you must configure the firewall to pass ESP (IPSec) protocol and IKE (UDP 500 and UDP 4500) traffic to it. If the firewall provides Network Address Translation (NAT), refer to UDP encapsulation and NAT-T.
Cloud VPN only supports a pre-shared key (shared secret) for authentication. You must specify a shared secret when you create the Cloud VPN tunnel. This same secret must be specified when creating the tunnel at the on-premises gateway. Refer to these guidelines for creating a strong shared secret.
Cloud VPN uses a Maximum Transmission Unit (MTU) of 1460 bytes. On-premises VPN gateways must be configured to use a MTU of no greater than 1460 bytes.
- To account for ESP overhead, you may need to set the MTU values for systems sending traffic through the tunnel to lower values. Refer to MTU Considerations for a detailed discussion and recommendations.
Cloud VPN requires that the on-premises VPN gateway be configured to support prefragmentation. Packets must be fragmented before being encapsulated.
Cloud VPN uses replay detection with a window of 4096 packets. You cannot turn this off.
Refer to Supported IKE Ciphers for ciphers and configuration parameters supported by Cloud VPN.
Maintenance and availability
Cloud VPN undergoes periodic maintenance. During maintenance, Cloud VPN tunnels are taken offline, resulting in brief drops in network traffic. When maintenance completes, Cloud VPN tunnels are automatically re-established.
Maintenance for Cloud VPN is a normal, operational task that may happen at any time without prior notice. Maintenance periods are designed to be short enough so that the Cloud VPN SLA is not impacted.
You can design highly available VPN configurations by using multiple tunnels. Some strategies for doing this are discussed on the Redundant and High-throughput VPNs page.
UDP encapsulation and NAT-T
Cloud VPN only supports one-to-one NAT via UDP encapsulation for NAT-Traversal (NAT-T). One-to-many NAT and port-based address translation are not supported. In other words, Cloud VPN cannot connect to multiple on-premises or peer VPN gateways that share a single public IP address.
When using one-to-one NAT, an on-premises VPN gateway must be configured to identify itself using a public IP address, not its internal (private) address. When you configure a Cloud VPN tunnel to connect to an on-premises VPN gateway, you specify an external IP address. Cloud VPN expects an on-premises VPN gateway to use its external IP address for its identity.
For more details about VPN gateways behind one-to-one NAT, refer to the troubleshooting page.
Use these best practices to build your Cloud VPN in the most effective way.