Redundant and High-throughput VPNs

Redundancy and failover

If a Cloud VPN tunnel goes down, it restarts automatically. If an entire virtual VPN device fails, Cloud VPN automatically instantiates a new one with the same configuration. The new gateway and tunnel connect automatically.

You can provide VPN redundancy and failover for Cloud VPN by adding a second on-premises VPN gateway. You can also increase throughput by load balancing across gateways using one of the three options described below, which combine Cloud VPN gateways and on-premises gateways in different ways.

Note that you cannot create two VPN tunnels from the same Cloud VPN gateway to the same peer VPN gateway; each additional tunnel on a gateway must point to a different peer gateway address, or come from a different Cloud VPN gateway.

Using a second on-premises gateway

If your on-premises side is hardware based, having a second on-premises-side gateway provides redundancy and failover on that side of the connection. A second physical gateway allows you to take one of them offline for software upgrades or other scheduled maintenance. It also protects you in case of an outright failure in one of the devices.

To configure a tunnel from your Cloud VPN gateway to a second on-premises-side VPN gateway, do the following:

  1. Configure a second on-premises VPN gateway and a tunnel on it.
  2. Set up a second tunnel on your Cloud VPN gateway pointing to the second on-premises gateway's public IP address.
  3. Forward the same routes for the second tunnel as you did for the first. If you want both tunnels to carry traffic, give their routes the same priority. If you want one tunnel to be primary, give the second tunnel's routes a lower priority, which in Google Cloud means a larger priority number (for example 1100 if the primary routes use 1000); the route with the lowest number wins.

If either tunnel fails because of network issues along the path or a problem with an on-premises gateway, the Cloud VPN gateway continues sending traffic over the healthy tunnel and automatically resumes using both tunnels once the failed tunnel recovers.

For details about configuring redundancy with dynamic routing, see the Cloud Router redundancy page.

Diagram: redundant on-premises VPN gateways.

Increasing VPN throughput and load balancing VPN gateways

Each Cloud VPN tunnel can support up to 3 Gbps when the traffic traverses a direct peering link, or 1.5 Gbps when it traverses the public Internet. Actual performance varies depending on the following factors:

  • Network capacity between the two VPN peers.
  • The capabilities of the on-premises device. See your device's documentation for more information.
  • Packet size. Because processing happens on a per-packet basis, having a significant percentage of smaller packets can reduce overall throughput.
  • High Round Trip Time (RTT) and packet loss rates, which can greatly reduce throughput for TCP.

When measuring TCP throughput, measure with several parallel streams rather than one: a single TCP stream is limited by its window size and the RTT, so it understates what the tunnel can carry. For instance, if you are measuring with the iperf tool, use the -P parameter to run multiple streams (for example, -P 8).

Also check the on-premises VPN gateway's rated IPsec throughput: the aggregate throughput you can achieve is bounded by the slower side of the connection, so make sure the on-premises gateway supports the level you are targeting.

There are three options for scaling a Cloud VPN configuration. Option 1 scales the on-premises side. If your on-premises VPN gateway can already handle more than a single tunnel provides and you want more throughput from the Cloud VPN side, add a second Cloud VPN gateway, as shown in Option 2. The two strategies can be combined, as in Option 3.

Option 1: Scale the on-premises VPN gateway

Set up a second on-premises VPN gateway device with a different public IP address. Create a second tunnel on your existing Cloud VPN gateway that forwards the same IP ranges but points at the second on-premises gateway's IP address. Because the routes for both tunnels have the same destinations and the same priority, the Cloud VPN gateway automatically load balances between them. You can add further tunnels the same way to increase aggregate VPN throughput.

Diagram: redundant on-premises VPN gateways.

Option 2: Scale the Cloud VPN gateway

Add a second Cloud VPN gateway in the same region, configured like the existing one. The second Cloud VPN gateway can have a tunnel that points to the same on-premises VPN gateway IP address as the tunnel on the first gateway, since the two tunnels belong to different Cloud VPN gateways. Once configured, traffic to the on-premises VPN gateway is automatically load balanced between the two Cloud VPN gateways and tunnels.

Diagram: redundant Cloud VPN gateways.

Option 3: Scale both the on-premises VPN gateway and the Cloud VPN gateway

Combine options 1 and 2 to scale throughput further. With two on-premises VPN gateways and two Cloud VPN gateways, each Cloud VPN gateway can have a tunnel to each on-premises VPN gateway's public IP address, giving you four load-balanced tunnels between the two sides and potentially four times the bandwidth of a single tunnel, provided the on-premises gateways can handle the aggregate.

Diagram: redundant Cloud VPN and on-premises VPN gateways.
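The procedures above, both the "second on-premises gateway" steps and Options 1 through 3, expressed as gcloud commands. This is an added example and not part of the Cloud VPN documentation. It assumes Classic VPN with static routing, which is what this page describes; the region, network, gateway and tunnel names, IP addresses, CIDR ranges and pre-shared key are placeholders, and the DRY_RUN wrapper is this script's own convention, not a gcloud feature.

```shell
#!/bin/sh
# Added example (not part of the Cloud VPN documentation): build the redundant,
# high-throughput topologies on this page with gcloud. build_option3 creates the
# Option 3 layout (two Cloud VPN gateways x two on-premises gateways = four tunnels
# with identical routes); calling create_tunnel once against an existing gateway is
# the "second on-premises gateway" procedure / Option 1, and create_gateway plus one
# tunnel is Option 2. Assumes Classic VPN with static routes. REGION, NETWORK, all
# names, IP addresses, CIDRs and the pre-shared key are placeholders.
#
# Every gcloud call goes through run(), which prints the command instead of running it
# unless DRY_RUN=0 is set, so the plan can be reviewed before anything is created.

REGION="${REGION:-us-central1}"
NETWORK="${NETWORK:-prod-vpc}"
PSK="${PSK:-change-me-before-applying}"   # supply via the environment, never in the script
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = "0" ]; then
    "$@"
    return
  fi
  # Dry run: echo the command with the pre-shared key redacted so it never reaches logs.
  line=""
  for arg in "$@"; do
    case "$arg" in --shared-secret=*) arg='--shared-secret=***' ;; esac
    line="$line $arg"
  done
  printf '%s\n' "${line# }"
}

# create_gateway NAME: reserve a static external IP, create the Classic VPN gateway,
# and add the three forwarding rules IKE/IPsec needs: ESP, UDP 500 (IKE), UDP 4500 (NAT-T).
create_gateway() {
  gw="$1"
  run gcloud compute addresses create "$gw-ip" --region="$REGION"
  run gcloud compute target-vpn-gateways create "$gw" --region="$REGION" --network="$NETWORK"
  run gcloud compute forwarding-rules create "$gw-esp" --region="$REGION" \
      --ip-protocol=ESP --address="$gw-ip" --target-vpn-gateway="$gw"
  run gcloud compute forwarding-rules create "$gw-udp500" --region="$REGION" \
      --ip-protocol=UDP --ports=500 --address="$gw-ip" --target-vpn-gateway="$gw"
  run gcloud compute forwarding-rules create "$gw-udp4500" --region="$REGION" \
      --ip-protocol=UDP --ports=4500 --address="$gw-ip" --target-vpn-gateway="$gw"
}

# create_tunnel GATEWAY TUNNEL PEER_IP PRIORITY CIDR...: one IKEv2 tunnel to PEER_IP plus
# one static route per on-premises CIDR. Routes with the same destination and the same
# priority on different tunnels are balanced with ECMP; a larger priority number makes
# that tunnel a standby (in Google Cloud the lower number wins).
create_tunnel() {
  gw="$1"; name="$2"; peer="$3"; prio="$4"; shift 4
  run gcloud compute vpn-tunnels create "$name" --region="$REGION" \
      --target-vpn-gateway="$gw" --peer-address="$peer" --ike-version=2 \
      --shared-secret="$PSK" \
      --local-traffic-selector=0.0.0.0/0 --remote-traffic-selector=0.0.0.0/0
  n=0
  for cidr in "$@"; do
    n=$((n + 1))
    run gcloud compute routes create "$name-route-$n" --network="$NETWORK" \
        --destination-range="$cidr" --priority="$prio" \
        --next-hop-vpn-tunnel="$name" --next-hop-vpn-tunnel-region="$REGION"
  done
}

# Placeholder on-premises prefixes and gateway public addresses (documentation ranges).
ONPREM_RANGES="10.1.0.0/16 10.2.0.0/16"
ONPREM_A=198.51.100.10
ONPREM_B=203.0.113.20

# Option 3: each Cloud VPN gateway gets one tunnel to each on-premises gateway. No gateway
# has two tunnels to the same peer, which Cloud VPN does not allow, and every route is
# installed four times at equal priority, so traffic is spread over all four tunnels.
build_option3() {
  for gw in vpn-gw-1 vpn-gw-2; do
    create_gateway "$gw"
    # $ONPREM_RANGES is deliberately unquoted so each CIDR becomes its own argument.
    create_tunnel "$gw" "$gw-to-a" "$ONPREM_A" 1000 $ONPREM_RANGES
    create_tunnel "$gw" "$gw-to-b" "$ONPREM_B" 1000 $ONPREM_RANGES
  done
}

build_option3
```

Run the script once as-is to review the printed plan, then with DRY_RUN=0 and PSK set in the environment to apply it; the on-premises side needs a matching tunnel for each Cloud VPN gateway address. Two caveats for the real run: the --shared-secret value is passed on the command line, so it is visible in the process table (and in shell history if typed interactively) for the duration of the call; and for a standby tunnel rather than ECMP, pass a larger priority number as the fourth argument (for example 1100 against the primary's 1000).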

For more information, see Building High-throughput VPNs. You can add tunnels up to your project's quota; traffic is balanced across tunnels with ECMP.
