Google Cloud Platform offers two types of Cloud VPN gateways, HA VPN and Classic VPN.
For information on moving to HA VPN, see Moving to HA VPN from Classic VPN.
HA VPN is a high-availability (HA) Cloud VPN solution that lets you securely connect your on-premises network to your GCP Virtual Private Cloud network through an IPsec VPN connection in a single region. HA VPN provides an SLA of 99.99% service availability (at GA).
When you create an HA VPN gateway, GCP automatically chooses two public IP addresses, one for each of its two interfaces (the number of interfaces is fixed). Each IP address is automatically chosen from a unique address pool to support high availability. Each of the HA VPN gateway interfaces supports multiple tunnels. You can also create multiple HA VPN gateways.
In addition, you don't need to create any forwarding rules for HA VPN gateways.
You can configure an HA VPN gateway with only one active interface and one public IP address; however, this configuration does not provide a 99.99% service availability SLA.
The following diagram shows the HA VPN concept. For more detailed HA VPN topologies (configuration scenarios), see the Cloud VPN Topologies page.
HA VPN gateways are referred to as VPN gateways, rather than target VPN gateways, in the API documentation and in gcloud commands.
HA VPN requirements
Your Cloud VPN configuration must meet the following requirements to achieve a service-level availability of 99.99% (at GA) for HA VPN:
- When you connect an HA VPN gateway to a non-GCP peer gateway, 99.99% availability (at GA) is guaranteed only on the GCP side of the connection. End-to-end availability is subject to proper configuration of the peer VPN gateway.
- If both sides are GCP gateways and are properly configured, end-to-end 99.99% availability is guaranteed.
- In order to achieve high availability when both VPN gateways are located in VPC networks, you must use two HA VPN gateways, and both of them must be located in the same region. Even though both gateways must be located in the same region, the routes to their subnets that they share with each other can be located in any region if your Virtual Private Cloud network uses global dynamic routing mode. If your VPC network uses regional dynamic routing mode, only routes to subnets in the same region are shared with the peer network, and learned routes are applied only to subnets in the same region as the VPN tunnel. For more information about the dynamic routing mode of a VPC network, refer to the VPC networks overview.
- HA VPN rejects GCP IP addresses when they are configured in an external VPN gateway resource. An example of this is using the external IP address of a VM instance as the public IP address for the external VPN gateway resource. The only supported HA VPN GCP-to-GCP topology is where HA VPN is used on both sides, as documented in Creating GCP to GCP HA VPN gateways.
- You must configure two VPN tunnels from the perspective of the Cloud VPN gateway:
  - If you have two peer VPN gateway devices, each of the tunnels from each interface on the Cloud VPN gateway must be connected to its own peer gateway.
  - If you have a single peer VPN gateway device with two interfaces, each of the tunnels from each interface on the Cloud VPN gateway must be connected to its own interface on the peer gateway.
  - If you have a single peer VPN gateway device with a single interface, both of the tunnels from each interface on the Cloud VPN gateway must be connected to the same interface on the peer gateway.
- A peer VPN device must be configured with adequate redundancy. The details of an adequately redundant configuration are specified by the device vendor, and may or may not include multiple hardware instances. Refer to the vendor documentation for the peer VPN device for details. If two peer devices are required, each peer device must be connected to a different HA VPN gateway interface. If the peer side is another cloud provider like AWS, VPN connections must be configured with adequate redundancy on the AWS side as well.
- Your peer VPN gateway device must support dynamic (BGP) routing.
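The tunnel requirements above can be checked mechanically before a configuration is deployed. The following Python sketch is an added example, not Google's code: the `Tunnel` fields, the `sla_findings` function and the peer labels are hypothetical, and it assumes one pair of tunnels toward one peer gateway resource.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tunnel:
    gw_interface: int    # HA VPN gateway interface the tunnel leaves from (0 or 1)
    peer_device: str     # label for the peer VPN device (constructed names)
    peer_interface: int  # interface index on that peer device
    routing: str         # "bgp" or "static"

def sla_findings(tunnels, peer_interfaces):
    """Return the requirements a tunnel pair violates; an empty list means none.

    peer_interfaces maps each peer device label to its interface count.
    """
    findings = []
    # HA VPN supports dynamic (BGP) routing only.
    if any(t.routing != "bgp" for t in tunnels):
        findings.append("routing: tunnels must use dynamic (BGP) routing")
    # Every tunnel must land on an interface that exists on the peer side.
    for t in tunnels:
        if t.peer_interface not in range(peer_interfaces.get(t.peer_device, 0)):
            findings.append(f"peer: {t.peer_device}[{t.peer_interface}] does not exist")
    # A single active gateway interface does not meet the availability requirement.
    if sorted(t.gw_interface for t in tunnels) != [0, 1]:
        findings.append("interfaces: need one tunnel on each gateway interface")
        return findings
    a, b = tunnels
    if len(peer_interfaces) == 2:
        # Two peer devices: each tunnel connects to its own device.
        if a.peer_device == b.peer_device:
            findings.append("peers: each tunnel must connect to its own peer device")
    elif peer_interfaces.get(a.peer_device) == 2 and a.peer_interface == b.peer_interface:
        # One peer device with two interfaces: each tunnel gets its own interface.
        findings.append("peers: each tunnel must connect to its own peer interface")
    # One peer device with one interface: both tunnels share it, which the
    # existence check above already enforces.
    return findings

# Constructed sample: one two-interface peer, both tunnels on peer interface 0.
SAMPLE = [Tunnel(0, "peer-a", 0, "bgp"), Tunnel(1, "peer-a", 0, "bgp")]

if __name__ == "__main__":
    for finding in sla_findings(SAMPLE, {"peer-a": 2}) or ["no findings"]:
        print(finding)
```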
In contrast, Classic VPN gateways have a single interface, a single external IP address, and support tunnels using dynamic (BGP) or static routing (route based or policy based). They provide an SLA of 99.9% service availability.
For supported Classic VPN topologies, see the Classic VPN topologies page.
Classic VPNs are referred to as target VPN gateways in the API documentation and in gcloud commands.
The following table compares HA VPN features with those for Classic VPN.
| | HA VPN | Classic VPN |
|---|---|---|
| SLA | Provides a 99.99% SLA when configured with two interfaces and two public IPs | Provides a 99.9% SLA |
| Creation of public IPs and forwarding rules | Public IPs created from a pool. No forwarding rules required | Public IPs and forwarding rules must be created |
| Routing options supported | Only Dynamic Routing (BGP) | Static Routing (policy based, route based) or Dynamic Routing using BGP |
| Two tunnels from one Cloud VPN gateway to the same peer gateway | Supported | Not supported |
| API resources | Known as the vpn-gateway resource | Known as the target-vpn-gateway resource |
Creating HA VPNs
Creating Classic VPNs
- See Advanced Configurations for information on high-availability, high-throughput scenarios, or multiple subnet scenarios.