Creating an HA VPN gateway to a Peer VPN gateway

This page describes how to create a highly available VPN gateway that connects to a peer VPN gateway.

HA VPN gateways use the HA VPN API and provide a 99.99% SLA. This configuration uses a tunnel pair, with one tunnel on each HA VPN gateway interface.

There are two gateway components to configure for HA VPN:

  • An HA VPN gateway in Google Cloud.
  • Your peer VPN gateway or gateways—one or more physical VPN gateway devices or software applications in the peer network to which the HA VPN gateway connects. The peer gateway can be either an on-premises VPN gateway or one hosted by another cloud provider. You need to create an external VPN gateway resource in Google Cloud for each peer gateway device or service.

For diagrams of this topology, see the Topologies page.

For more information on how to choose a VPN type, see Choosing a VPN Option.

Before you begin

  • Review information about how dynamic routing works in Google Cloud.
  • Make sure your peer VPN gateway supports BGP.

Setting up the following items in Google Cloud makes it easier to configure Cloud VPN:

  1. Sign in to your Google Account.

    If you don't already have one, sign up for a new account.

  2. In the Cloud Console, on the project selector page, select or create a Google Cloud project.

    Go to the project selector page

  3. Make sure that billing is enabled for your Google Cloud project. Learn how to confirm billing is enabled for your project.

  4. Install and initialize the Cloud SDK.
  5. If you are using gcloud commands, set your project ID with the following command. The gcloud instructions on this page assume that you have set your project ID before issuing commands.

    gcloud config set project project-id

  6. You can also view a project ID that has already been set:

    gcloud config list --format='text(core.project)'

Redundancy types

The HA VPN API contains an option for REDUNDANCY_TYPE, which represents the number of interfaces you configure for the external VPN gateway resource.

gcloud commands automatically infer the following values of REDUNDANCY_TYPE from the number of interface IDs you provide when you configure an external VPN gateway resource:

  • One external VPN interface is SINGLE_IP_INTERNALLY_REDUNDANT
  • Two external VPN interfaces are TWO_IPS_REDUNDANCY
  • Four external VPN interfaces are FOUR_IPS_REDUNDANCY

When configuring external VPN gateways, you must use the following interface identification numbers for the stated number of external VPN interfaces:

  • For one external VPN interface, use a value of 0.
  • For two external VPN interfaces, use values 0 and 1.
  • For four external VPN interfaces, use values 0,1,2, and 3.

When configuring an HA VPN external VPN gateway to Amazon Web Services (AWS), the supported topology requires two AWS Virtual Private Gateways, A and B, each with two public IP addresses. This topology yields four public IP addresses total in AWS: A1, A2, B1, and B2.

  1. Configure the four AWS IP addresses as a single external HA VPN gateway with FOUR_IPS_REDUNDANCY, where:
    • AWS IP 0=A1
    • AWS IP 1=A2
    • AWS IP 2=B1
    • AWS IP 3=B2
  2. Create four tunnels on the HA VPN gateway to meet the 99.99% SLA, using the following configuration:
    • HA VPN interface 0 to AWS interface 0
    • HA VPN interface 0 to AWS interface 1
    • HA VPN interface 1 to AWS interface 2
    • HA VPN interface 1 to AWS interface 3

Overview of the high-level configuration steps to set up HA VPN with Amazon Web Services (AWS):

  1. Create the HA VPN gateway and a Cloud Router. This creates 2 public IP addresses on the GCP side.
  2. Create two AWS Virtual Private Gateways. This creates 4 public addresses on the AWS side.
  3. Create two AWS Site-to-Site VPN connections and customer gateways, one for each AWS Virtual Private Gateway. Specify a non-overlapping link-local Tunnel IP Range for each tunnel, 4 total. For example, 169.254.1.4/30.
  4. Download the AWS configuration files for the generic device type.
  5. Create four VPN tunnels on the HA VPN gateway.
  6. Configure BGP sessions on the Cloud Router using the BGP IP addresses from the downloaded AWS configuration files.
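The interface rules above (REDUNDANCY_TYPE from the interface count, interface IDs 0 to 3, and the AWS four-address tunnel layout) as a dry-run planner that prints the matching gcloud commands without running them. This is an added example, not Google's documentation or tooling; gw-name, router-name, region, shared-secret and the RFC 5737 sample addresses are placeholders.

```shell
#!/bin/sh
# Added example, not part of the Cloud VPN documentation: derive the
# REDUNDANCY_TYPE and the tunnel-to-interface plan from the number of
# peer interfaces, then print the matching gcloud commands as a dry run.
# gw-name, router-name, region, shared-secret and the sample IPs are placeholders.

# REDUNDANCY_TYPE that gcloud infers from the number of peer interfaces.
redundancy_type() {
  case "$1" in
    1) echo SINGLE_IP_INTERNALLY_REDUNDANT ;;
    2) echo TWO_IPS_REDUNDANCY ;;
    4) echo FOUR_IPS_REDUNDANCY ;;
    *) echo "unsupported interface count: $1" >&2; return 1 ;;
  esac
}

# Tunnels needed for the 99.99% SLA: two for one or two peer interfaces,
# four when the peer exposes four addresses (the AWS topology above).
tunnel_count() {
  case "$1" in
    1|2) echo 2 ;;
    4) echo 4 ;;
    *) return 1 ;;
  esac
}

# HA VPN gateway interface (0 or 1) used by tunnel $2 when the peer has $1
# interfaces. Tunnels are split evenly so that losing one gateway interface
# still leaves a tunnel to every peer device.
ha_interface_for() {
  case "$1" in
    1|2) echo "$2" ;;
    4) echo $(( $2 / 2 )) ;;
    *) return 1 ;;
  esac
}

# External VPN gateway interface that tunnel $2 terminates on. With a single
# peer address both tunnels use peer interface 0.
peer_interface_for() {
  case "$1" in
    1) echo 0 ;;
    2|4) echo "$2" ;;
    *) return 1 ;;
  esac
}

# Build the --interfaces value "0=ip,1=ip,..." from the peer IP list.
interfaces_arg() {
  i=0; out=""
  for ip in "$@"; do
    out="${out}${out:+,}${i}=${ip}"
    i=$(( i + 1 ))
  done
  echo "$out"
}

# Print (without running) the external gateway and tunnel commands.
# $1 is the external VPN gateway name; the remaining arguments are peer IPs.
plan_commands() {
  peer_gw=$1; shift
  n=$#
  redundancy_type "$n" >/dev/null || return 1
  echo "gcloud compute external-vpn-gateways create $peer_gw \\"
  echo "    --interfaces $(interfaces_arg "$@")"
  t=0
  while [ "$t" -lt "$(tunnel_count "$n")" ]; do
    hi=$(ha_interface_for "$n" "$t"); pi=$(peer_interface_for "$n" "$t")
    echo "gcloud compute vpn-tunnels create tunnel-if${hi}-peer${pi} \\"
    echo "    --peer-external-gateway $peer_gw \\"
    echo "    --peer-external-gateway-interface $pi \\"
    echo "    --region region --ike-version 2 --shared-secret shared-secret \\"
    echo "    --router router-name --vpn-gateway gw-name \\"
    echo "    --interface $hi"
    t=$(( t + 1 ))
  done
}

# Constructed sample: the AWS topology with A1, A2, B1, B2 (RFC 5737 addresses).
plan_commands peer-gw-aws 198.51.100.1 198.51.100.2 198.51.100.3 198.51.100.4
```

Passing one or two addresses to plan_commands produces the two-tunnel layouts from the Option 1 and Option 2 tunnel sections later on this page.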

Creating a custom Virtual Private Cloud network and subnet

Before creating an HA VPN gateway and tunnel pair, you must create a Virtual Private Cloud network and at least one subnet in the region where the HA VPN gateway will reside.

The examples in this document also use VPC global dynamic routing mode so that all instances of Cloud Router apply the on-premises routes that they learn to all subnets of the VPC network. In global routing mode, routes to all subnets in the VPC network are shared with on-premises routers.

Creating only an HA VPN gateway

You can create an HA VPN gateway without the following resources and configure them later.

  • VPN tunnels
  • A peer VPN gateway resource
  • BGP sessions

You must create these resources before your gateway can become operational.

Console

  1. Go to the VPN page in the Google Cloud Console.
    Go to the VPN page
    1. If you are creating a gateway for the first time, select the Create VPN connection button.
    2. If you already have VPN gateways, select the gray Create VPN gateways button.
  2. Specify a VPN gateway name.
  3. Select a VPC network for your gateway.
  4. Select a region for your gateway.
  5. Click Create.
  6. On the VPN status screen, you can view the details for your new gateway.

gcloud

  1. Create an HA VPN gateway. When the gateway is created, two external IP addresses are automatically allocated, one for each gateway interface.

    In the following commands, replace the options as noted below:

    • Replace network with the name of your Google Cloud network.
    • Replace region with the Google Cloud region where you need to create the gateway and tunnel.
    • Replace gw-name with the name of the gateway.
     gcloud compute vpn-gateways create gw-name \
       --network network \
       --region region
    

    The gateway you create should look similar to the following example output. A public IP address has been automatically assigned to each gateway interface:

     Created [https://www.googleapis.com/compute/v1/projects/project-id/regions/us-central1/vpnGateways/ha-vpn-gw-a].
     NAME        INTERFACE0    INTERFACE1   NETWORK   REGION
     ha-vpn-gw-a 203.0.113.16  203.0.113.23 network-a us-central1
    

API

To create an HA VPN gateway, make a POST request to the vpnGateways.insert method, as in the following example. The type of VPC network can be global or regional, depending on how the network is configured.

 POST https://www.googleapis.com/compute/v1/projects/project-id/regions/region/vpnGateways
 {
   "name": "ha-vpn-gw-a",
   "region": "us-central1",
   "network": "https://www.googleapis.com/compute/v1/projects/project-id/global/networks/network-a"
 }

Creating an HA VPN gateway and tunnel pair to a peer VPN

Follow the instructions in this section to create an HA VPN gateway, a pair of tunnels, a peer VPN gateway resource, and BGP sessions.

Console

The VPN setup wizard includes all required configuration steps for creating an HA VPN gateway, tunnels, a peer VPN gateway resource, and BGP sessions.

Create a Cloud VPN gateway

  1. Go to the VPN page in the Google Cloud Console.
    Go to the VPN page
    1. If you are creating a gateway for the first time, select the Create VPN connection button.
    2. Select the VPN setup wizard.
  2. Select the radio button for an HA VPN gateway.
  3. Click Continue.
  4. Specify a VPN gateway name.
  5. Under VPC network, select an existing network or the default network.
  6. Select a Region.
  7. Click Create and Continue.
  8. The console screen refreshes and displays your gateway information. Two public IP addresses are automatically allocated, one for each of your gateway interfaces. For future configuration steps, make note of the details of your gateway configuration.

Create a Peer VPN gateway resource

The peer VPN gateway resource represents your non-Google Cloud gateway in Google Cloud.

  1. On the Create a VPN screen, under Peer VPN gateway, select On-prem or Non-Google Cloud.
  2. Under Peer VPN gateway name, choose an existing peer gateway, or click Create a new peer VPN gateway. If you choose an existing gateway, Cloud Console selects the number of tunnels to configure based on the number of peer interfaces you configured on the existing peer gateway. To create a new peer gateway, complete the following steps:
    1. Specify a Name for the peer VPN gateway.
    2. Under Peer VPN gateway interfaces, select one, two, or four interfaces, depending on the type of interfaces your peer gateway has. See the Topologies page for examples of each type.
    3. In the field for each peer VPN interface, specify the public IP address used for that interface. For more information, refer to Configuring the peer VPN gateway.
    4. Click Create.

Create VPN tunnels

  • If you configured your peer VPN gateway resource with one interface, you configure your single tunnel in the single VPN tunnel dialog box on the Create VPN screen. You must create a second tunnel for a 99.99% SLA.
  • If you configured your peer VPN gateway resource with two or four interfaces, you must configure the associated dialog boxes that appear at the bottom of the Create VPN screen.
  1. Under Cloud Router, if you haven't already, create a Cloud Router with the following options. You can use an existing Cloud Router if the router does not already manage a BGP session for an interconnect attachment associated with a Partner Interconnect.
    1. To create a new Cloud Router, specify a Name, an optional Description, and Google ASN for the new router. You can use any private ASN (64512 through 65534, 4200000000 through 4294967294) that you are not using elsewhere in your network. The Google ASN is used for all BGP sessions on the same Cloud Router and you cannot change the ASN later.
    2. Click Create to create the new router.
  2. If applicable, under Associated Cloud VPN gateway interface, select the HA VPN interface and IP address combination that you want to associate with your peer VPN gateway interface for this tunnel.
  3. Under Associated peer VPN gateway interface, select the peer VPN gateway interface and IP address combination that you want to associate with this tunnel and with the HA VPN interface. This interface must match the interface on your actual peer router.
    1. Specify a Name for the tunnel.
    2. Specify an optional Description.
    3. Specify the IKE version. IKE v2, the default setting, is recommended if your peer router supports it.
    4. Specify an IKE pre-shared key using your shared secret, which must correspond with the shared secret for the partner tunnel that you create on your peer gateway. If you haven't configured a shared secret on your peer VPN gateway and want to generate one, click the Generate and copy button. Make sure that you record the pre-shared key in a secure location, because it cannot be retrieved after you create your VPN tunnels.
    5. Click Done.
    6. Repeat the tunnel creation steps for any remaining tunnel dialog boxes on the Create VPN screen.
  4. When you have configured all tunnels, click Create and continue.

Create BGP sessions

  1. If you don't want to configure BGP sessions now, click the Configure BGP sessions later button, which opens the Summary and Reminder screen.
  2. If you want to configure BGP sessions now, click the Configure button for the first VPN tunnel.
  3. On the Create BGP session screen, use the following steps:
    1. Specify a Name for the BGP session.
    2. Specify the Peer ASN configured for the peer VPN gateway.
    3. (Optional) Specify the Advertised Route Priority.
    4. Specify the Cloud Router BGP IP address and the BGP Peer IP address. Each of these addresses must use a link-local address from the 169.254.0.0/16 CIDR block in the same /30 subnet. Make sure that these addresses aren't the network or broadcast address of the subnet.
    5. (Optional) Click the Advertised routes drop-down menu and create custom routes.
    6. Click Save and continue.
  4. Repeat the previous steps for the rest of the tunnels configured on the gateway, using a different Cloud Router BGP IP address and BGP Peer IP address for each tunnel.
  5. When you have configured all BGP sessions, click Save BGP configuration.

Summary and reminder

  1. The Summary section of this screen lists information for the HA VPN gateway and the peer VPN gateway profile.
  2. For each VPN tunnel, you can view the VPN tunnel status, the BGP session name, the BGP session status, and the MED value (advertised route priority).
  3. The Reminder section of this screen lists the steps that you must complete to have a fully operational VPN connection between Cloud VPN and your peer VPN.
  4. Click Ok after reviewing the information on this screen.

Create an additional tunnel on a single-tunnel gateway

Follow the steps in this section to configure a second tunnel on the second interface of an HA VPN gateway. Do this in the following circumstances:

  • When you've configured an HA VPN gateway to a peer VPN gateway that has a single peer VPN interface.
  • If you previously set up a single tunnel on an HA VPN gateway for a peer VPN gateway with any number of interfaces, but now want a 99.99% uptime SLA for your HA VPN gateway.

    1. Go to the VPN page in the Google Cloud Console.
      Go to the VPN page
    2. Click the Create VPN tunnel button.
    3. From the drop-down menu, select the gateway that requires the second tunnel.
    4. Click Continue.
    5. Choose a Cloud Router. If you haven't configured a Cloud Router, follow the steps for creating one in the Create VPN tunnels procedure.
    6. For Peer VPN gateway, select On-prem or Non Google Cloud.
    7. For Peer VPN gateway name, choose the existing peer VPN gateway resource that the new tunnel will use. You can check existing peer VPN gateway names for this Cloud VPN gateway by clicking the View all existing tunnels link under VPN gateway name near the top of the screen.
    8. You might receive a warning that a tunnel with the same peer VPN gateway interface is already associated with the same local Cloud VPN gateway interface. To fix this issue, under Associated Cloud VPN gateway interface, select the other HA VPN interface.
    9. Configure the remainder of the steps as listed in the Create VPN tunnels procedure to finish configuring the tunnel.

gcloud

Create the HA VPN gateway

Complete the following command sequence to create the HA VPN gateway:

  1. Create an HA VPN gateway. When the gateway is created, two external IP addresses are automatically allocated, one for each gateway interface.

    In the following commands, replace the following options:

    • Replace network with the name of your Google Cloud network.
    • Replace region with the Google Cloud region where you need to create the gateway and tunnel.
    • Replace gw-name with the name of the gateway.
      gcloud compute vpn-gateways create gw-name \
        --network network \
        --region region
    

    The gateway you create should look similar to the following example output. A public IP address has been automatically assigned to each gateway interface:

      Created [https://www.googleapis.com/compute/v1/projects/project-id/regions/us-central1/vpnGateways/ha-vpn-gw-a].
      NAME        INTERFACE0    INTERFACE1   NETWORK   REGION
      ha-vpn-gw-a 203.0.113.16  203.0.113.23 network-a us-central1
    

Create Cloud Router

  1. Complete the following command sequence to create a Cloud Router. In the following commands, replace the following options:

    • Replace router-name with the name of the Cloud Router in the same region as the Cloud VPN gateway.
    • Replace google-asn with any private ASN (64512 through 65534, 4200000000 through 4294967294) that you are not already using in the peer network. The Google ASN is used for all BGP sessions on the same Cloud Router and it cannot be changed later.
      gcloud compute routers create router-name \
        --region region \
        --network network \
        --asn google-asn
    

    The router you create should look similar to the following example output:

      Created [https://www.googleapis.com/compute/v1/projects/project-id/regions/us-central1/routers/router-a].
      NAME      REGION      NETWORK
      router-a us-central1 network-a
    

Create an External VPN Gateway resource

Create an external VPN gateway resource that provides information to Google Cloud about your peer VPN gateway or gateways. Depending on the HA recommendations for your peer VPN gateway, you can create external VPN gateway resource for the following different types of on-premises VPN gateways:

  • Two separate peer VPN gateway devices where the two devices are redundant with each other and each device has its own public IP address.
  • A single peer VPN gateway that uses two separate interfaces, each with its own public IP address. For this kind of peer gateway, you can create a single external VPN gateway with two interfaces.
  • A single peer VPN gateway with a single public IP address.

Option 1: Create an External VPN Gateway resource for two separate peer VPN gateway devices

  1. For this type of peer gateway, each interface of the external VPN gateway has one public IP address, and each address is from one of the peer VPN gateway devices. In the following gcloud command, replace the following options:

    • Replace peer-gw-name with a name representing the peer gateway.
    • Replace peer-gw-ip-0 with the public IP address of one peer gateway device.
    • Replace peer-gw-ip-1 with the public IP address of the other peer gateway device.
      gcloud compute external-vpn-gateways create peer-gw-name \
        --interfaces 0=peer-gw-ip-0,1=peer-gw-ip-1
    

    The External VPN Gateway resource created should look like the following example where peer-gw-ip-0 and peer-gw-ip-1 show the actual public addresses of the peer gateway interfaces:

      Created [https://www.googleapis.com/compute/v1/projects/project-id/global/externalVpnGateways/peer-gw].
      NAME      INTERFACE0      INTERFACE1
      peer-gw   peer-gw-ip-0    peer-gw-ip-1
    

Option 2: Create an External VPN Gateway resource for a single peer VPN gateway with two separate interfaces

  1. For this type of peer gateway, create a single external VPN gateway with two interfaces. In the following gcloud command, replace the following options:

    • Replace peer-gw-name with a name representing the peer gateway.
    • Replace peer-gw-ip-0 with the public IP address for one interface from the peer gateway.
    • Replace peer-gw-ip-1 with the public IP address for another interface from the peer gateway.

      gcloud compute external-vpn-gateways create peer-gw-name \
        --interfaces 0=peer-gw-ip-0,1=peer-gw-ip-1
    

    The External VPN Gateway resource created should look like the following example, where peer-gw-ip-0 and peer-gw-ip-1 show the actual public addresses of the peer gateway interfaces:

      Created [https://www.googleapis.com/compute/v1/projects/project-id/global/externalVpnGateways/peer-gw].
      NAME      INTERFACE0      INTERFACE1
      peer-gw   peer-gw-ip-0    peer-gw-ip-1
      

Option 3: Create an External VPN Gateway resource for a single peer VPN gateway with a single public IP address

  1. For this type of peer gateway, create an external VPN gateway with one interface. In the following gcloud command, replace the following options:

    • Replace peer-gw-name with a name representing the peer gateway.
    • Replace peer-gw-ip-0 with the public IP address for the interface from the peer gateway.
      gcloud compute external-vpn-gateways create peer-gw-name \
        --interfaces 0=peer-gw-ip-0
    

    The External VPN Gateway resource you created should look like the following example, where peer-gw-ip-0 shows the actual public address of the peer gateway interface:

      Created [https://www.googleapis.com/compute/v1/projects/project-id/global/externalVpnGateways/peer-gw].
      NAME      INTERFACE0
      peer-gw   peer-gw-ip-0
    

Create two VPN tunnels, one for each interface on the HA VPN gateway

When creating VPN tunnels, specify the peer side of the VPN tunnels as the external VPN gateway you created earlier. Depending on the redundancy type of the external VPN gateway, configure the tunnels using one of the following two options.

Option 1: If the external VPN gateway is two separate peer VPN gateway devices or a single device with two IP addresses

  1. In this case, one VPN tunnel needs to connect to interface 0 of the external VPN gateway, and the other VPN tunnel needs to connect to interface 1 of the external VPN gateway.

    In the following commands to create each tunnel, replace the following options:

    • Replace tunnel-name-if0 and tunnel-name-if1 with a name for the tunnel. Naming the tunnels by including the gateway interface name can help identify the tunnels later.
    • Replace gw-name with the name of the HA VPN gateway.
    • (Optional) The --vpn-gateway-region is the region of the HA VPN gateway to operate on. Its value should be the same as --region. If not specified, this option is automatically set. This option overrides the default compute/region property value for this command invocation.
    • Replace peer-gw-name with a name of the external peer gateway created earlier.
    • Replace peer-ext-gw-if0 and peer-ext-gw-if1 with the interface number configured earlier on the external peer gateway.
    • Replace ike-vers with 1 for IKEv1 or 2 for IKEv2. If possible, use IKEv2 for the IKE version. If your peer gateway requires IKEv1, replace --ike-version 2 with --ike-version 1.
    • Replace shared-secret with your shared secret, which must correspond with the shared secret for the partner tunnel you create on your peer gateway. See Generating a strong pre-shared key for recommendations.
    • Replace int-num-0 with the number 0 for the first interface on the HA VPN gateway you created earlier.
    • Replace int-num-1 with the number 1 for the second interface on the HA VPN gateway you created earlier.

        gcloud compute vpn-tunnels create tunnel-name-if0 \
          --peer-external-gateway peer-gw-name \
          --peer-external-gateway-interface peer-ext-gw-if0  \
          --region region \
          --ike-version ike-vers \
          --shared-secret shared-secret \
          --router router-name \
          --vpn-gateway gw-name \
          --interface int-num-0
      
        gcloud compute vpn-tunnels create tunnel-name-if1 \
          --peer-external-gateway peer-gw-name \
          --peer-external-gateway-interface peer-ext-gw-if1 \
          --region region \
          --ike-version ike-vers \
          --shared-secret shared-secret \
          --router router-name \
          --vpn-gateway gw-name \
          --interface int-num-1
      

      The command output should look similar to the following example:

        Created [https://www.googleapis.com/compute/v1/projects/project-id/regions/us-central1/vpnTunnels/tunnel-a-to-on-prem-if-0].
        NAME                      REGION       GATEWAY        VPN_INTERFACE   PEER_GATEWAY   PEER_INTERFACE
        tunnel-a-to-on-prem-if-0  us-central1  ha-vpn-gw-a    0               peer-gw        0
        Created [https://www.googleapis.com/compute/v1/projects/project-id/regions/us-central1/vpnTunnels/tunnel-a-to-on-prem-if-1].
        NAME                      REGION       GATEWAY        VPN_INTERFACE   PEER_GATEWAY   PEER_INTERFACE
        tunnel-a-to-on-prem-if-1  us-central1  ha-vpn-gw-a    1               peer-gw        1
      

Option 2: If the external VPN gateway is a single peer VPN gateway with a single public IP address

  1. In this case, both VPN tunnels need to connect to interface 0 of the external VPN gateway.

    In the following commands to create each tunnel, replace the following options:

    • Replace tunnel-name-if0 and tunnel-name-if1 with a name for the tunnel. Naming the tunnels by including the gateway interface name can help identify the tunnels later.
    • Replace peer-gw-name with the name of the external peer gateway created earlier.
    • Replace peer-ext-gw-if0 with the interface number configured earlier on the external peer gateway.
    • (Optional) The --vpn-gateway-region is the region of the HA VPN gateway to operate on. Its value should be the same as --region. If not specified, this option is automatically set. This option overrides the default compute/region property value for this command invocation.
    • Replace ike-vers with 1 for IKEv1 or 2 for IKEv2. If possible, use IKEv2 for the IKE version. If your peer gateway requires IKEv1, replace --ike-version 2 with --ike-version 1.
    • Replace shared-secret with your shared secret, which must correspond with the shared secret for the partner tunnel you create on your peer gateway. See Generating a strong pre-shared key for recommendations.
    • Replace int-num-0 with the number 0 for the first interface on the HA VPN gateway you created earlier.
    • Replace int-num-1 with the number 1 for the second interface on the HA VPN gateway you created earlier.
      gcloud compute vpn-tunnels create tunnel-name-if0 \
        --peer-external-gateway peer-gw-name \
        --peer-external-gateway-interface peer-ext-gw-if0  \
        --region region \
        --ike-version ike-vers \
        --shared-secret shared-secret \
        --router router-name \
        --vpn-gateway gw-name \
        --interface int-num-0
    
      gcloud compute vpn-tunnels create tunnel-name-if1 \
        --peer-external-gateway peer-gw-name \
        --peer-external-gateway-interface peer-ext-gw-if0 \
        --region region \
        --ike-version ike-vers \
        --shared-secret shared-secret \
        --router router-name \
        --vpn-gateway gw-name \
        --interface int-num-1
    

    The command output should look similar to the following example:

      Created [https://www.googleapis.com/compute/v1/projects/project-id/regions/us-central1/vpnTunnels/tunnel-a-to-on-prem-if-0].
      NAME                      REGION       GATEWAY        VPN_INTERFACE   PEER_GATEWAY   PEER_INTERFACE
      tunnel-a-to-on-prem-if-0  us-central1  ha-vpn-gw-a    0               peer-gw        0
      Created [https://www.googleapis.com/compute/v1/projects/project-id/regions/us-central1/vpnTunnels/tunnel-a-to-on-prem-if-1].
      NAME                      REGION       GATEWAY        VPN_INTERFACE   PEER_GATEWAY   PEER_INTERFACE
      tunnel-a-to-on-prem-if-1  us-central1  ha-vpn-gw-a    1               peer-gw        0
    

Create Cloud Router interfaces and BGP peers

  1. Create a Cloud Router BGP interface and BGP peer for each tunnel you previously configured on the HA VPN gateway interfaces.
    In the following commands, replace the following options:

    • Replace router-interface-name-0 and router-interface-name-1 with a name for the Cloud Router BGP interface. It can be helpful to use names related to the tunnel names configured previously.
    • If you use the manual configuration method, replace ip-address-0 and ip-address-1 with the BGP IP address for the HA VPN gateway interface you configure. Each tunnel uses a different gateway interface.
    • Use a mask-length of 30.
    • Replace tunnel-name-0 and tunnel-name-1 with the tunnel associated with the HA VPN gateway interface you configured.

    Choose the automatic or manual configuration method of configuring BGP interfaces and BGP peers:

    Automatic

    To let Google Cloud automatically choose the link-local BGP IP addresses, use the following steps.

    For the first VPN tunnel

    1. Add a BGP interface to the Cloud Router.

      gcloud compute routers add-interface router-name \
          --interface-name router-interface-name-0 \
          --mask-length mask-length \
          --vpn-tunnel tunnel-name-0 \
          --region region
      

      The command output should look similar to the following example:

      Updated [https://www.googleapis.com/compute/v1/projects/project-id/regions/us-central1/routers/router-a].
      
    2. Add a BGP peer to the interface for the first tunnel. Replace peer-name with a name for the peer VPN interface, and peer-asn with the ASN configured for the peer VPN gateway.

      gcloud compute routers add-bgp-peer router-name \
          --peer-name peer-name \
          --peer-asn peer-asn \
          --interface router-interface-name-0 \
          --region region
      

      The command output should look similar to the following example:

      Creating peer [bgp-peer-tunnel-a-to-on-prem-if-0] in router [router-a]...done.
      

    For the second VPN tunnel

    1. Add a BGP interface to the Cloud Router.

      gcloud compute routers add-interface router-name \
          --interface-name router-interface-name-1 \
          --mask-length mask-length \
          --vpn-tunnel tunnel-name-1 \
          --region region
      
    2. Add a BGP peer to the interface for the second tunnel. Replace peer-name with a name for the peer VPN interface, and peer-asn with the ASN configured for the peer VPN gateway.

      gcloud compute routers add-bgp-peer router-name \
          --peer-name peer-name \
          --peer-asn peer-asn \
          --interface router-interface-name-1 \
          --region region
      

    Manual

    To manually assign the BGP IP addresses associated with the Google Cloud BGP interface and peer, use the following steps:

    1. For each VPN tunnel, decide on a pair of link-local BGP IP addresses in a /30 block from the 169.254.0.0/16 range (four addresses total). For each tunnel, assign one of these BGP IP addresses to the Cloud Router, and the other BGP IP address to your peer VPN gateway. You must also configure your peer VPN device to use the peer BGP IP address. Use the following options in the commands below:
      • google-bgp-ip-0 represents the BGP IP of the Cloud Router's interface for the tunnel on Cloud VPN gateway Interface 0. on-prem-bgp-ip-0 represents the BGP IP of its peer.
      • google-bgp-ip-1 represents the BGP IP of the Cloud Router's interface for the tunnel on Cloud VPN gateway Interface 1. on-prem-bgp-ip-1 represents the BGP IP of its peer.

    For the first VPN tunnel

    1. Add a BGP interface to the Cloud Router. Supply a name for the interface by replacing router-interface-name-0.

      gcloud compute routers add-interface router-name \
          --interface-name router-interface-name-0 \
          --vpn-tunnel tunnel-name-0 \
          --ip-address google-bgp-ip-0 \
          --mask-length 30 \
          --region region
      

      The command output should look similar to the following example:

      Updated [https://www.googleapis.com/compute/v1/projects/project-id/regions/us-central1/routers/router-a].
      
    2. Add a BGP peer to the interface. Replace peer-name with a name for the peer, and peer-asn with the ASN configured for the peer VPN gateway.

      gcloud compute routers add-bgp-peer router-name \
          --peer-name peer-name \
          --peer-asn peer-asn \
          --interface router-interface-name-0 \
          --peer-ip-address on-prem-bgp-ip-0 \
          --region region
      

      The command output should look similar to the following example:

      Creating peer [bgp-peer-tunnel-a-to-on-prem-if-0] in router [router-a]...done.
      

    For the second VPN tunnel

    1. Add a BGP interface to the Cloud Router. Specify a name for the interface by replacing router-interface-name-1.

      gcloud compute routers add-interface router-name \
          --interface-name router-interface-name-1 \
          --vpn-tunnel tunnel-name-1 \
          --ip-address google-bgp-ip-1 \
          --mask-length 30 \
          --region region
      
    2. Add a BGP peer to the interface. Replace peer-name with a name for the peer, and peer-asn with the ASN configured for the peer VPN gateway.

      gcloud compute routers add-bgp-peer router-name \
          --peer-name peer-name \
          --peer-asn peer-asn \
          --interface router-interface-name-1 \
          --peer-ip-address on-prem-bgp-ip-1 \
          --region region

Verify the Cloud Router configuration

  1. List the BGP IP addresses chosen by Cloud Router. If you added a new interface to an existing Cloud Router, the BGP IP addresses for the new interface should be listed with the highest index number. The Peer IP Address is the BGP IP address you should use to configure your peer VPN gateway.

     gcloud compute routers get-status router-name \
         --region region \
         --format='flattened(result.bgpPeerStatus[].name,
           result.bgpPeerStatus[].ipAddress, result.bgpPeerStatus[].peerIpAddress)'
    

    Expected output for a Cloud Router managing two Cloud VPN tunnels (index 0 and index 1) looks like the following example, where:

    • google-bgp-ip-0 represents the BGP IP of the Cloud Router's interface for the tunnel on Cloud VPN gateway Interface 0, and on-prem-bgp-ip-0 represents the BGP IP of its peer.
    • google-bgp-ip-1 represents the BGP IP of the Cloud Router's interface for the tunnel on Cloud VPN gateway Interface 1, and on-prem-bgp-ip-1 represents the BGP IP of its peer.

    result.bgpPeerStatus[0].ipAddress:     169.254.0.1 [GOOGLE_BGP_IP_0]
    result.bgpPeerStatus[0].name:          bgp-peer-tunnel-a-to-on-prem-if-0
    result.bgpPeerStatus[0].peerIpAddress: 169.254.0.2 [ON_PREM_BGP_IP_0]
    result.bgpPeerStatus[1].ipAddress:     169.254.1.1 [GOOGLE_BGP_IP_1]
    result.bgpPeerStatus[1].name:          bgp-peer-tunnel-a-to-on-prem-if-1
    result.bgpPeerStatus[1].peerIpAddress: 169.254.1.2 [ON_PREM_BGP_IP_1]
    

    You can also use the following command to get a full listing of the Cloud Router configuration:

    gcloud compute routers describe router-name \
        --region region
    

    The full listing should look like the following example:

    bgp:
      advertiseMode: DEFAULT
      asn: 65001
    bgpPeers:
    - interfaceName: if-tunnel-a-to-on-prem-if-0
      ipAddress: 169.254.0.1
      name: bgp-peer-tunnel-a-to-on-prem-if-0
      peerAsn: 65002
      peerIpAddress: 169.254.0.2
    - interfaceName: if-tunnel-a-to-on-prem-if-1
      ipAddress: 169.254.1.1
      name: bgp-peer-tunnel-a-to-on-prem-if-1
      peerAsn: 65004
      peerIpAddress: 169.254.1.2
    creationTimestamp: '2018-10-18T11:58:41.704-07:00'
    id: '4726715617198303502'
    interfaces:
    - ipRange: 169.254.0.1/30
      linkedVpnTunnel: https://www.googleapis.com/compute/v1/projects/project-id/regions/us-central1/vpnTunnels/tunnel-a-to-on-prem-if-0
      name: if-tunnel-a-to-on-prem-if-0
    - ipRange: 169.254.1.1/30
      linkedVpnTunnel: https://www.googleapis.com/compute/v1/projects/project-id/regions/us-central1/vpnTunnels/tunnel-a-to-on-prem-if-1
      name: if-tunnel-a-to-on-prem-if-1
    kind: compute#router
    name: router-a
    network: https://www.googleapis.com/compute/v1/projects/project-id/global/networks/network-a
    region: https://www.googleapis.com/compute/v1/projects/project-id/regions/us-central1
    selfLink: https://www.googleapis.com/compute/v1/projects/project-id/regions/us-central1/routers/router-a
    
  2. To complete the gateway configuration, continue to Completing the configuration.
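
As an added check that is not part of the original page or of the gcloud tooling: the following Python script parses the flattened get-status output shown above and confirms that each BGP session is internally consistent: both addresses are link-local, the peer address is the other usable host of the Cloud Router's /30, and no /30 is shared between tunnels. The SAMPLE_STATUS text is constructed from the example above; the bracketed [GOOGLE_BGP_IP_0] style labels are dropped because gcloud does not print them. Function names are this example's own.

```python
import ipaddress
import re
from collections import defaultdict

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

# Constructed sample in the shape of the flattened get-status output above.
SAMPLE_STATUS = """\
result.bgpPeerStatus[0].ipAddress:     169.254.0.1
result.bgpPeerStatus[0].name:          bgp-peer-tunnel-a-to-on-prem-if-0
result.bgpPeerStatus[0].peerIpAddress: 169.254.0.2
result.bgpPeerStatus[1].ipAddress:     169.254.1.1
result.bgpPeerStatus[1].name:          bgp-peer-tunnel-a-to-on-prem-if-1
result.bgpPeerStatus[1].peerIpAddress: 169.254.1.2
"""

# result.bgpPeerStatus[<index>].<field>: <value>
STATUS_LINE = re.compile(r"^result\.bgpPeerStatus\[(\d+)\]\.(\w+):\s*(\S+)$")


def parse_status(text):
    """Group the flattened key/value lines by BGP peer index, in index order."""
    peers = defaultdict(dict)
    for line in text.splitlines():
        m = STATUS_LINE.match(line.strip())
        if m:
            peers[int(m.group(1))][m.group(2)] = m.group(3)
    return [peers[i] for i in sorted(peers)]


def check_bgp_sessions(peers):
    """Return a list of findings; an empty list means the sessions look consistent."""
    findings = []
    owner_of_link = {}  # /30 -> name of the first peer that uses it
    for p in peers:
        name = p.get("name", "<unnamed>")
        try:
            local = ipaddress.ip_address(p["ipAddress"])
            remote = ipaddress.ip_address(p["peerIpAddress"])
        except (KeyError, ValueError) as exc:
            findings.append(f"{name}: missing or malformed address ({exc})")
            continue
        # The Cloud Router address defines the /30; the peer must be its other host.
        link = ipaddress.ip_network(f"{local}/30", strict=False)
        if local not in LINK_LOCAL or remote not in LINK_LOCAL:
            findings.append(f"{name}: BGP addresses must come from {LINK_LOCAL}")
        if remote == local or remote not in list(link.hosts()):
            findings.append(f"{name}: peer {remote} is not the other usable host of {link}")
        if link in owner_of_link:
            findings.append(f"{name}: /30 {link} is already used by {owner_of_link[link]}")
        owner_of_link.setdefault(link, name)
    return findings


if __name__ == "__main__":
    problems = check_bgp_sessions(parse_status(SAMPLE_STATUS))
    print("\n".join(problems) if problems else "BGP sessions are consistent")
```

To run it against a live router, pipe the output of the get-status command above into the script instead of SAMPLE_STATUS; a non-empty findings list is the cue to compare the Cloud Router side with what was configured on the peer device before troubleshooting the tunnel itself.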

API

To create the full configuration for an HA VPN gateway, use the following API commands.

STEP ONE: To create an HA VPN gateway, make a POST request with the vpnGateways.insert method:

 POST https://www.googleapis.com/compute/v1/projects/project-id/regions/region/vpnGateways
 {
   "name": "ha-vpn-gw-a",
   "network": "https://www.googleapis.com/compute/v1/projects/project-id/global/networks/network-a"
 }

STEP TWO: To create Cloud Router, make a POST request with the routers.insert method:

 POST https://www.googleapis.com/compute/v1/projects/project-id/regions/region/routers
 {
   "name": "router-a",
   "network": "https://www.googleapis.com/compute/v1/projects/project-id/global/networks/network-a"
 }

You can use an existing Cloud Router as long as the router does not already manage a BGP session for an interconnect attachment associated with a Partner Interconnect. Otherwise, create another Cloud Router.

STEP THREE: To create an External VPN Gateway resource, make a POST request with the externalVpnGateways.insert method.

  • For an external (peer) VPN gateway that has one interface, use the example below, but specify only one interface ID and one ipAddress, with a redundancyType of SINGLE_IP_INTERNALLY_REDUNDANT.
  • For an external VPN gateway with two interfaces, or two external VPN gateways with one interface each, use the TWO_IPS_REDUNDANCY example below.
  • For one or more external VPN gateways with four external VPN interfaces (for example, Amazon Web Services (AWS)), use the example below, but specify four instances of the interface ID and ipAddress and use a redundancyType of FOUR_IPS_REDUNDANCY.

 POST https://www.googleapis.com/compute/v1/projects/project-id/global/externalVpnGateways
 {
   "name": "my-peer-gateway",
   "interfaces": [
     {
       "id": 0,
       "ipAddress": "192.0.2.1"
     },
     {
       "id": 1,
       "ipAddress": "192.0.2.2"
     }
   ],
   "redundancyType": "TWO_IPS_REDUNDANCY"
 }

STEP FOUR: To create two VPN tunnels, one for each interface on the HA VPN gateway, make a POST request with the vpnTunnels.insert method.

Enter the following command to create the first tunnel:

 POST https://www.googleapis.com/compute/v1/projects/project-id/regions/region/vpnTunnels
 {
   "name": "ha-vpn-gw-a-tunnel-0",
   "ikeVersion": 2,
   "peerExternalGateway": "https://www.googleapis.com/compute/v1/projects/project-id/global/external-vpn-gateways/my-peer-gateway",
   "peerExternalGatewayInterface": 0,
   "peerIp": "192.0.2.1",
   "router": "https://www.googleapis.com/compute/v1/projects/project-id/regions/region/routers/router-a",
   "sharedSecret": "shared_secret",
   "vpnGateway": "https://www.googleapis.com/compute/v1/projects/project-id/regions/region/vpn-gateways/ha-vpn-gw-a",
   "vpnGatewayInterface": 0
 }

To create the second tunnel, repeat this command, but change the following parameters:

  • name
  • peerExternalGatewayInterface
  • peerIp
  • sharedSecret or sharedSecretHash (if needed)

Change the vpnGatewayInterface to the value of the other HA VPN gateway interface. In this example, you would change this value to 1.

STEP FIVE: To create a Cloud Router BGP interface, make either a PATCH or UPDATE request with the routers.patch method or the routers.update method. PATCH updates only the parameters you include. UPDATE updates all parameters for Cloud Router.

Create a BGP interface for each VPN tunnel on the first HA VPN gateway. For the second BGP interface, use a different name, a different linkedVpnTunnel name, and an ipRange from its own /30 block, distinct from the /30 used for the first tunnel (the example output above uses 169.254.0.1/30 and 169.254.1.1/30). Repeat this step and command for each VPN tunnel on the second HA VPN gateway.

 PATCH https://www.googleapis.com/compute/v1/projects/project-id/regions/region/routers/{resourceId}
 {
   "interfaces": [
     {
       "name": "if-tunnel-a-to-on-prem-if-0",
       "linkedVpnTunnel": "ha-vpn-gw-a-tunnel-0",
       "ipRange": "169.254.0.1/30"
     }
   ]
 }

STEP SIX: To add a BGP peer to Cloud Router for a VPN tunnel, make a POST request with the routers.insert method. Repeat this command for the other VPN tunnel, changing all options except name and peerAsn.

 POST https://www.googleapis.com/compute/v1/projects/project-id/regions/region/routers
 {
   "name": "router-a",
   "network": "network-a",
   "bgpPeers": [
     {
       "interfaceName": "if-tunnel-a-to-on-prem-if-0",
       "ipAddress": "169.254.0.1",
       "name": "bgp-peer-tunnel-a-to-on-prem-if-0",
       "peerAsn": "65002",
       "peerIpAddress": "169.254.0.2",
       "advertiseMode": "DEFAULT"
     }
   ]
 }

STEP SEVEN: Verify the Cloud Router configuration with the routers.getRouterStatus method. It is a GET request on the router resource itself (router-a in this example) and takes no request body:

 GET https://www.googleapis.com/compute/v1/projects/project-id/regions/region/routers/router-a/getRouterStatus
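
An added example, not from the Google Cloud documentation or from any Google client library: a Python helper that derives the request bodies for STEP THREE through STEP SIX, and the per-tunnel BGP /30 plan that the gcloud steps earlier on this page ask you to choose by hand, from one set of inputs. Values that must agree across requests (peer IPs, interface ids, tunnel names, the Cloud Router and peer ends of each /30) are therefore written once. The project, region and resource names are the page's placeholders; the function names, the tunnel-i naming scheme, and collecting both BGP peers in one bgpPeers list are this example's own choices. Resource URLs use the same collection names as the insert URLs above (vpnGateways, externalVpnGateways). Each tunnel gets a fresh random pre-shared key from the secrets module, and redact() masks it before a body is printed or logged; nothing is sent to the API.

```python
import ipaddress
import secrets

API = "https://www.googleapis.com/compute/v1"
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

# redundancyType is fixed by how many interfaces the peer side exposes.
REDUNDANCY_BY_INTERFACE_COUNT = {
    1: "SINGLE_IP_INTERNALLY_REDUNDANT",
    2: "TWO_IPS_REDUNDANCY",
    4: "FOUR_IPS_REDUNDANCY",
}


def external_gateway_body(name, peer_ips):
    """STEP THREE request body for a peer gateway with 1, 2 or 4 public IPs."""
    if len(peer_ips) not in REDUNDANCY_BY_INTERFACE_COUNT:
        raise ValueError("an external VPN gateway has 1, 2 or 4 interfaces")
    return {
        "name": name,
        "interfaces": [{"id": i, "ipAddress": ip} for i, ip in enumerate(peer_ips)],
        "redundancyType": REDUNDANCY_BY_INTERFACE_COUNT[len(peer_ips)],
    }


def bgp_link(block):
    """Split one /30 from 169.254.0.0/16 into (Cloud Router IP, peer IP)."""
    net = ipaddress.ip_network(block)  # strict: a block with host bits set is rejected
    if net.prefixlen != 30 or not net.subnet_of(LINK_LOCAL):
        raise ValueError(f"{block} is not a /30 inside {LINK_LOCAL}")
    google_ip, on_prem_ip = net.hosts()  # a /30 has exactly two usable hosts
    return str(google_ip), str(on_prem_ip)


def build_requests(project, region, gw, router, ext_gw, peer_ips, peer_asn, bgp_blocks):
    """Bodies for STEP FOUR (tunnels), FIVE (router interfaces) and SIX (BGP peers).

    Covers the topology on this page: two tunnels, HA VPN gateway interface i to
    peer gateway interface i, each tunnel with its own /30 for BGP.
    """
    if len(peer_ips) != 2 or len(bgp_blocks) != 2:
        raise ValueError("this example covers one tunnel per HA VPN gateway interface")
    if len(set(bgp_blocks)) != 2:
        raise ValueError("each tunnel needs its own /30 for BGP")
    region_path = f"{API}/projects/{project}/regions/{region}"
    tunnels, interfaces, peers = [], [], []
    for i, (peer_ip, block) in enumerate(zip(peer_ips, bgp_blocks)):
        tunnel = f"{gw}-tunnel-{i}"  # naming scheme is this example's own
        google_ip, on_prem_ip = bgp_link(block)
        tunnels.append({
            "name": tunnel,
            "ikeVersion": 2,
            "peerExternalGateway": f"{API}/projects/{project}/global/externalVpnGateways/{ext_gw}",
            "peerExternalGatewayInterface": i,
            "peerIp": peer_ip,
            "router": f"{region_path}/routers/{router}",
            # A fresh random pre-shared key per tunnel; never reuse one across tunnels.
            "sharedSecret": secrets.token_urlsafe(32),
            "vpnGateway": f"{region_path}/vpnGateways/{gw}",
            "vpnGatewayInterface": i,
        })
        interfaces.append({
            "name": f"if-{tunnel}",
            "linkedVpnTunnel": tunnel,
            "ipRange": f"{google_ip}/30",
        })
        peers.append({
            "interfaceName": f"if-{tunnel}",
            "ipAddress": google_ip,
            "name": f"bgp-peer-{tunnel}",
            "peerAsn": str(peer_asn),
            "peerIpAddress": on_prem_ip,
            "advertiseMode": "DEFAULT",
        })
    return {
        "tunnels": tunnels,
        "router_patch": {"interfaces": interfaces},
        "bgp_peers": {"bgpPeers": peers},
    }


def redact(body):
    """Copy of a request body that is safe to log: the pre-shared key is masked."""
    return {k: ("***" if k == "sharedSecret" else v) for k, v in body.items()}


if __name__ == "__main__":
    import json
    req = build_requests("project-id", "region", "ha-vpn-gw-a", "router-a",
                         "my-peer-gateway", ["192.0.2.1", "192.0.2.2"], 65002,
                         ["169.254.0.0/30", "169.254.1.0/30"])
    print(json.dumps(external_gateway_body("my-peer-gateway", ["192.0.2.1", "192.0.2.2"]), indent=2))
    print(json.dumps([redact(t) for t in req["tunnels"]], indent=2))
    print(json.dumps(req["router_patch"], indent=2))
    print(json.dumps(req["bgp_peers"], indent=2))
```

Keeping the pre-shared key out of printed bodies is the one deliberate security detail here: the same secret has to be entered on the peer device, so hand it over through a secrets store rather than through logs or console history, and only the redacted bodies should end up in change tickets.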

Completing the configuration

You must complete the following steps before you can use a new Cloud VPN gateway and its associated VPN tunnels:

  1. Set up the peer VPN gateway and configure the corresponding tunnel or tunnels there. Refer to these pages:
  2. Configure firewall rules in Google Cloud and your peer network as required. See the firewall rules page for suggestions.
  3. Check the status of your VPN tunnels.

What's next
