Creating GCP to GCP HA VPN gateways

This page describes how to connect two Virtual Private Cloud networks together using an HA VPN gateway configuration. You can connect two existing VPC networks together as long as the primary and secondary subnet IP address ranges in each network don't overlap.

For a diagram of this topology, see the Topologies page.

For more information on how to choose a VPN type, see Choosing a VPN Option.

Requirements

Make sure that you meet the following requirements when creating this configuration to ensure that you receive a 99.99% SLA (at GA):

  • Place one HA VPN gateway in each VPC network.
  • Place both HA VPN gateways in the same Google Cloud Platform region.
  • Configure a tunnel on each interface of each gateway.
  • Match gateway interfaces as described in the statement below.

Although it is also possible to connect two VPC networks together using a single tunnel between HA VPN gateways or by using Classic VPN gateways, this type of configuration is not considered highly available and does not meet the HA SLA of 99.99% availability.
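The non-overlap rule above is the one precondition you can check entirely offline before creating anything. The script below is an added example (not part of the Cloud VPN documentation) that computes CIDR ranges with POSIX shell arithmetic and reports the first pair of blocks that overlap; the ranges at the bottom are this page's sample subnets (10.0.x.0/24 in network-a, 192.168.x.0/24 in network-b) plus a constructed /16 that would break the rule. Secondary ranges are checked the same way: pass them in the same list.

```shell
#!/bin/sh
# Added example, not Google's code: verify that no two subnet ranges overlap
# before connecting two VPC networks. Pure POSIX sh; no gcloud call is made.

# Dotted-quad IPv4 address -> 32-bit integer.
ip_to_int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# "a.b.c.d/len" -> "first last" as integers (network and broadcast address).
cidr_range() {
  ip=${1%/*}
  len=${1#*/}
  mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
  first=$(( $(ip_to_int "$ip") & mask ))
  echo "$first $(( first + (1 << (32 - len)) - 1 ))"
}

# True (exit 0) if the two CIDR blocks share at least one address.
cidrs_overlap() {
  set -- $(cidr_range "$1") $(cidr_range "$2")
  [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# True if no pair of blocks in the argument list overlaps; the first offending
# pair is reported on stderr. Primary and secondary ranges go in the same list.
all_disjoint() {
  i=0
  for x; do
    i=$((i + 1))
    j=0
    for y; do
      j=$((j + 1))
      [ "$j" -gt "$i" ] || continue        # visit each unordered pair once
      if cidrs_overlap "$x" "$y"; then
        echo "overlap: $x and $y" >&2
        return 1
      fi
    done
  done
  return 0
}

# Sample ranges from this page: the subnets of both networks are disjoint.
if all_disjoint 10.0.1.0/24 10.0.2.0/24 192.168.1.0/24 192.168.2.0/24; then
  echo "ranges are disjoint: the two networks can be connected"
fi
# Constructed counter-example: a /16 in network-b that swallows network-a's /24.
all_disjoint 10.0.1.0/24 10.0.2.0/24 10.0.0.0/16 || echo "fix the ranges before creating tunnels"
```

Run it with the output of `gcloud compute networks subnets list --format='value(ipCidrRange)'` for both networks (and any secondary ranges) as the argument list; a non-zero exit means the page's precondition is not met.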

Permissions requirements

Since HA VPN gateways don't always belong to you or your GCP organization, consider the following permissions requirements when you create an HA VPN gateway, or connect to one owned by someone else:

  • If you own the project where you create an HA VPN gateway, configure the recommended permissions on it.
  • If you want to connect to an HA VPN gateway that resides in a GCP organization or project that you don't own, you need to request the compute.vpnGateways.use permission from the owner.

Before you begin

  • Review information about how dynamic routing works in GCP.
  • Make sure your peer VPN gateway supports BGP.

Setting up the following items in GCP makes it easier to configure Cloud VPN:

  1. Sign in to your Google Account.

    If you don't already have one, sign up for a new account.

  2. Select or create a GCP project.

    Go to the Project selector page

  3. Make sure that billing is enabled for your Google Cloud Platform project.

    Learn how to enable billing

  4. Install and initialize the Cloud SDK.
  5. If you are using gcloud commands, set your project ID with the following command. The gcloud instructions on this page assume that you have set your project ID before issuing commands.

    gcloud config set project [PROJECT_ID]

You can also view a project ID that has already been set:

  gcloud config list --format='text(core.project)'

Additional set-up for using Beta gcloud commands

To enable the use of HA VPN gcloud commands during Beta, perform the following steps:

  1. Make sure you're logged in to gcloud (not required when using Cloud Shell).
    $ gcloud auth login
  2. Install the beta component if not already installed (not required when using Cloud Shell).
    $ gcloud components install beta
  3. Add the following repository once to install gcloud components related to HA VPN.
    $ gcloud components repositories add https://storage.googleapis.com/ha-vpn-gcloud-tt/components-2.json
  4. Update gcloud to pick up the new components.
    $ gcloud components update

Creating two HA VPN gateways that connect to each other

Create two custom Virtual Private Cloud networks

  1. If you haven't already, create two VPC networks. These example instructions create two custom mode VPC networks with one subnet in one region and another subnet in another region.

    These networks use global dynamic routing mode so that all instances of Cloud Router apply the "to on premises" routes they learn to all subnets of the VPC network. In Global Routing mode, routes to all subnets in the VPC networks are shared with on-premises routers.

    In the following commands, replace the options as noted below:

    • [NETWORK_1] and [NETWORK_2] assign a network name to each network.
    • [SUBNET_MODE] set as custom.
    • [BGP_ROUTING_MODE] set as global.
      gcloud compute networks create [NETWORK_1] \
        --subnet-mode [SUBNET_MODE] \
        --bgp-routing-mode [BGP_ROUTING_MODE]
      gcloud compute networks create [NETWORK_2] \
        --subnet-mode [SUBNET_MODE] \
        --bgp-routing-mode [BGP_ROUTING_MODE]
    

    The command output should look similar to the following example:

      Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/network-a].
      NAME      SUBNET_MODE  BGP_ROUTING_MODE  IPV4_RANGE  GATEWAY_IPV4
      network-a  CUSTOM      GLOBAL
      Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/network-b].
      NAME      SUBNET_MODE  BGP_ROUTING_MODE  IPV4_RANGE  GATEWAY_IPV4
      network-b  CUSTOM      GLOBAL
    

Create subnets in both networks

  1. Create two subnets in [NETWORK_1] as follows:

    • A subnet named [SUBNET_NAME_1] in [REGION_1] that uses the IP range [RANGE_1]
    • A subnet named [SUBNET_NAME_2] in [REGION_2] that uses the IP range [RANGE_2].
      gcloud compute networks subnets create [SUBNET_NAME_1]  \
        --network  [NETWORK_1] \
        --region [REGION_1] \
        --range [RANGE_1]
    
      gcloud compute networks subnets create [SUBNET_NAME_2] \
        --network [NETWORK_1] \
        --region [REGION_2] \
        --range [RANGE_2]
    

    The command output should look similar to the following example:

      Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/subnetworks/subnet-a-central].
      NAME              REGION       NETWORK    RANGE
      subnet-a-central  us-central1  network-a  10.0.1.0/24
      Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-west1/subnetworks/subnet-a-west].
      NAME           REGION     NETWORK    RANGE
      subnet-a-west  us-west1   network-a  10.0.2.0/24
    

  2. Create two subnets in [NETWORK_2] as follows:

    • A subnet named [SUBNET_NAME_3] in [REGION_1] that uses the IP range [RANGE_3]
    • A subnet named [SUBNET_NAME_4] in [REGION_3] that uses the IP range [RANGE_4].
      gcloud compute networks subnets create [SUBNET_NAME_3]  \
        --network  [NETWORK_2] \
        --region [REGION_1] \
        --range [RANGE_3]
    
      gcloud compute networks subnets create [SUBNET_NAME_4] \
        --network [NETWORK_2] \
        --region [REGION_3] \
        --range [RANGE_4]
    

    The command output should look similar to the following example:

      Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/subnetworks/subnet-b-central].
      NAME              REGION       NETWORK    RANGE
      subnet-b-central  us-central1  network-b  192.168.1.0/24
      Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-east1/subnetworks/subnet-b-east].
      NAME              REGION       NETWORK    RANGE
      subnet-b-east     us-east1     network-b  192.168.2.0/24
    

Create the HA VPN gateways

Complete the following command sequence to create two HA VPN gateways:

  1. Create an HA VPN gateway in each network in [REGION_1]. When each gateway is created, two external IP addresses are automatically allocated, one for each gateway interface. Take note of these IP addresses to use later on in the configuration steps.

    In the following commands, replace the options as noted below:

    • Replace [GW_NAME_1] and [GW_NAME_2] with the name of each gateway.
    • Replace all other options with the values you used previously.

    Create the first gateway

      gcloud beta compute vpn-gateways create [GW_NAME_1] \
        --network [NETWORK_1] \
        --region [REGION_1]
    

    The gateway you create should look similar to the following example output. Note that a public IP address has been automatically assigned to each gateway interface:

      Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnGateways/ha-vpn-gw-a].
      NAME        INTERFACE0    INTERFACE1     NETWORK    REGION
      ha-vpn-gw-a 203.0.113.16  203.0.113.23   network-a  us-central1
    

    Create the second gateway

      gcloud beta compute vpn-gateways create [GW_NAME_2] \
        --network [NETWORK_2] \
        --region [REGION_1]
    
      Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnGateways/ha-vpn-gw-b].
      NAME        INTERFACE0   INTERFACE1    NETWORK    REGION
      ha-vpn-gw-b 203.0.114.18 203.0.114.25  network-b  us-central1
    

Create each Cloud Router

  1. Complete the following command sequence to create a Cloud Router in each network. In the following commands, replace the options as noted below:

    • Replace [ASN_1] and [ASN_2] with any private ASN (64512 - 65534, 4200000000 - 4294967294) that you are not already using. This example uses ASN 65001 for both interfaces of [ROUTER_NAME_1] and ASN 65002 for both interfaces of [ROUTER_NAME_2].
    • Replace all other options with the values you used previously.

    Create the first router

      gcloud compute routers create [ROUTER_NAME_1] \
        --region [REGION_1] \
        --network [NETWORK_1] \
        --asn [ASN_1]
    

    The router you create should look similar to the following example output:

      Created [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/us-central1/routers/router-a].
      NAME     REGION      NETWORK
      router-a us-central1 network-a
    

    Create the second router

      gcloud compute routers create [ROUTER_NAME_2] \
        --region [REGION_1] \
        --network [NETWORK_2] \
        --asn [ASN_2]
    

    The router you create should look similar to the following example output:

      Created [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/us-central1/routers/router-b].
      NAME     REGION      NETWORK
      router-b us-central1 network-b
    

Create VPN tunnels

  1. Complete the following command sequence to create two VPN tunnels on each HA VPN gateway.

    • The tunnel you create from interface 0 of [GW_NAME_1] must connect to the public IP address associated with interface 0 of [GW_NAME_2] in [NETWORK_2], and
    • The tunnel from interface 1 of [GW_NAME_1] must connect to the public IP address associated with interface 1 of [GW_NAME_2].
    • When you create VPN tunnels on [GW_NAME_1] in [NETWORK_1], you must specify the information for [GW_NAME_2] in [NETWORK_2]. Google automatically connects the tunnel from interface 0 of [GW_NAME_1] to interface 0 of [GW_NAME_2], and interface 1 of [GW_NAME_1] to interface 1 of [GW_NAME_2].

    Create two tunnels on [GW_NAME_1]

    1. Create two VPN tunnels, one on each interface, of [GW_NAME_1] in [NETWORK_1]. In the following commands, replace the options as noted below:

      • Replace [TUNNEL_NAME_GW1_IF0] and [TUNNEL_NAME_GW1_IF1] with a name for each tunnel originating from [GW_NAME_1]. Naming the tunnels by including the gateway interface name can help identify the tunnels later.
      • Use [GW_NAME_2] for the value of --peer-gcp-gateway.
      • Replace [REGION_1] with the region where [GW_NAME_1] is located.
      • (Optional) The --vpn-gateway-region is the region of the HA VPN gateway to operate on. Its value should be the same as --region. If not specified, this option is automatically set. This option overrides the default compute/region property value for this command invocation.
      • Replace [IKE_VERS] with 2 for IKEv2. Since both tunnels connect to another HA VPN gateway, using IKEv2 is recommended.
      • Replace [SHARED_SECRET] with your shared secret, which must be the same shared secret that you use for the corresponding tunnel created from [GW_NAME_2] on interface 0 and on interface 1. See Generating a strong pre-shared key for recommendations.
      • Replace [INT_NUM_0] with the number 0 for the first interface on [GW_NAME_1].
      • Replace [INT_NUM_1] with the number 1 for the second interface on [GW_NAME_1].
      • If the peer-gcp-gateway is in a different project than the VPN tunnel and local VPN gateway, to specify the project, use the --peer-gcp-gateway option as a full URI or as a relative name. The following sample option is a relative name: --peer-gcp-gateway projects/other-project/regions/us-central1/vpnGateways/ha-vpn-gw-b.
      • The --peer-gcp-gateway-region, which is the region of the peer-side HA VPN gateway to which the VPN tunnel is connected, must be in the same region as the VPN tunnel. If not specified, the region is automatically set.

      Create the first tunnel on [GW_NAME_1] [INT_NUM_0]

        gcloud beta compute vpn-tunnels create [TUNNEL_NAME_GW1_IF0] \
          --peer-gcp-gateway [GW_NAME_2] \
          --region [REGION_1] \
          --ike-version [IKE_VERS] \
          --shared-secret [SHARED_SECRET] \
          --router [ROUTER_NAME_1] \
          --vpn-gateway [GW_NAME_1] \
          --interface [INT_NUM_0]
      

      Create the second tunnel on [GW_NAME_1] [INT_NUM_1]

        gcloud beta compute vpn-tunnels create [TUNNEL_NAME_GW1_IF1] \
          --peer-gcp-gateway [GW_NAME_2] \
          --region [REGION_1] \
          --ike-version [IKE_VERS] \
          --shared-secret [SHARED_SECRET] \
          --router [ROUTER_NAME_1] \
          --vpn-gateway [GW_NAME_1] \
          --interface [INT_NUM_1]
      

      The command output should look similar to the following example:
        Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-b-if-0].
        NAME               REGION       VPN_GATEWAY     INTERFACE  PEER_GCP_GATEWAY
        tunnel-a-to-b-if-0 us-central1  ha-vpn-gw-a     0          ha-vpn-gw-b
        Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-b-if-1].
        NAME               REGION       VPN_GATEWAY     INTERFACE  PEER_GCP_GATEWAY
        tunnel-a-to-b-if-1 us-central1  ha-vpn-gw-a     1          ha-vpn-gw-b
      

    Create two tunnels on [GW_NAME_2]

    1. Create two VPN tunnels, one on each interface, of [GW_NAME_2] in [NETWORK_2].

      • The tunnel you create from interface 0 of [GW_NAME_2] must connect to the public IP address associated with interface 0 of [GW_NAME_1] in [NETWORK_1], and
      • The tunnel from interface 1 of [GW_NAME_2] must connect to the public IP address associated with interface 1 of [GW_NAME_1].

      In the following commands, replace the options as noted below:

      • Replace [TUNNEL_NAME_GW2_IF0] and [TUNNEL_NAME_GW2_IF1] with a name for each tunnel originating from [GW_NAME_2]. Naming the tunnels by including the gateway interface name can help identify the tunnels later.
      • Use [GW_NAME_1] for the value of --peer-gcp-gateway.
      • Replace [REGION_1] with the region where [GW_NAME_2] is located.
      • (Optional) The --vpn-gateway-region is the region of the VPN gateway to operate on. Its value should be the same as --region. If not specified, this option is automatically set. This option overrides the default compute/region property value for this command invocation.
      • The --peer-gcp-gateway-region, which is the region of the peer-side HA VPN gateway to which the VPN tunnel is connected, must be in the same region as the VPN tunnel. If not specified, the value is set automatically. For this example, the region is [REGION_1].
      • Replace [IKE_VERS] with 2 for IKEv2. Because these tunnels connect to the two tunnels created in the previous step, they must use the same IKE version (IKEv2 is recommended).
      • Replace [SHARED_SECRET] with your shared secret, which must correspond with the shared secret for the partner tunnel you created on each interface of [GW_NAME_1]. See Generating a strong pre-shared key for recommendations.
      • Replace [GW_NAME_2] with the name of the second gateway you configured in the Gateway configuration step.
      • Replace [INT_NUM_0] with the number 0 for the first interface on [GW_NAME_2].
      • Replace [INT_NUM_1] with the number 1 for the second interface on [GW_NAME_2].
      • If the peer-gcp-gateway is in a different project than the VPN tunnel and local VPN gateway, to specify the project, use the --peer-gcp-gateway option as a full URI or as a relative name. The following sample option is a relative name: --peer-gcp-gateway projects/other-project/regions/us-central1/vpnGateways/ha-vpn-gw-a.

    Create the first tunnel on [GW_NAME_2] [INT_NUM_0]

      gcloud beta compute vpn-tunnels create [TUNNEL_NAME_GW2_IF0] \
        --peer-gcp-gateway [GW_NAME_1] \
        --region [REGION_1] \
        --ike-version [IKE_VERS] \
        --shared-secret [SHARED_SECRET] \
        --router [ROUTER_NAME_2] \
        --vpn-gateway [GW_NAME_2] \
        --interface [INT_NUM_0]
    

    Create the second tunnel on [GW_NAME_2] [INT_NUM_1]

      gcloud beta compute vpn-tunnels create [TUNNEL_NAME_GW2_IF1] \
        --peer-gcp-gateway [GW_NAME_1] \
        --region [REGION_1] \
        --ike-version [IKE_VERS] \
        --shared-secret [SHARED_SECRET] \
        --router [ROUTER_NAME_2] \
        --vpn-gateway [GW_NAME_2] \
        --interface [INT_NUM_1]
    

    The command output should look similar to the following example:
      Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-b-to-a-if-0].
      NAME                REGION       VPN_GATEWAY     INTERFACE  PEER_GCP_GATEWAY
      tunnel-b-to-a-if-0  us-central1  ha-vpn-gw-b     0          ha-vpn-gw-a
      Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-b-to-a-if-1].
      NAME                REGION       VPN_GATEWAY     INTERFACE  PEER_GCP_GATEWAY
      tunnel-b-to-a-if-1  us-central1  ha-vpn-gw-b     1          ha-vpn-gw-a
    

    After this step, wait a few minutes, then check the status of each VPN tunnel.

    A VPN tunnel's state changes to Established only when the corresponding partner tunnel is also available and properly configured. A valid IKE and Child Security Association (SA) must also be negotiated between them.

    For example, tunnel-a-to-b-if-0 on ha-vpn-gw-a can only be established if tunnel-b-to-a-if-0 on ha-vpn-gw-b is configured and available.
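Checking "both halves of each pair" by eye across four tunnels is error-prone, so here is an added example (not from the Cloud VPN documentation) that does it from describe-style output. The YAML samples are constructed to mimic the shape of `gcloud beta compute vpn-tunnels describe`, using only its `status` and `detailedStatus` fields; the status values shown (ESTABLISHED, FIRST_HANDSHAKE, WAITING_FOR_FULL_CONFIG) are real tunnel states, but the combination is invented for the example.

```shell
#!/bin/sh
# Added example, not Google's code: decide whether an HA VPN tunnel pair is up.
# Input is describe-style YAML text; the samples below are CONSTRUCTED.

# Print the value of one top-level "key: value" line from YAML on stdin.
yaml_field() {
  awk -v key="$1:" '$1 == key { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Status and detailedStatus of a tunnel, given its describe output in $1.
tunnel_status() { printf '%s\n' "$1" | yaml_field status; }
tunnel_detail() { printf '%s\n' "$1" | yaml_field detailedStatus; }

# A pair is healthy only when BOTH directions report ESTABLISHED: as the page
# says, one side cannot establish unless its partner is configured and available.
pair_established() {
  [ "$(tunnel_status "$1")" = "ESTABLISHED" ] &&
  [ "$(tunnel_status "$2")" = "ESTABLISHED" ]
}

# Constructed samples: the interface-0 pair is up, the interface-1 pair is not
# because tunnel-b-to-a-if-1 has not been configured yet.
SAMPLE_A_IF0='name: tunnel-a-to-b-if-0
region: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1
status: ESTABLISHED
detailedStatus: Tunnel is up and running.'

SAMPLE_B_IF0='name: tunnel-b-to-a-if-0
status: ESTABLISHED
detailedStatus: Tunnel is up and running.'

SAMPLE_A_IF1='name: tunnel-a-to-b-if-1
status: FIRST_HANDSHAKE
detailedStatus: Handshake in progress.'

SAMPLE_B_IF1='name: tunnel-b-to-a-if-1
status: WAITING_FOR_FULL_CONFIG
detailedStatus: Waiting for the peer side to be configured.'

for t in "$SAMPLE_A_IF0" "$SAMPLE_B_IF0" "$SAMPLE_A_IF1" "$SAMPLE_B_IF1"; do
  echo "$(printf '%s\n' "$t" | yaml_field name): $(tunnel_status "$t")"
done
if pair_established "$SAMPLE_A_IF0" "$SAMPLE_B_IF0"; then
  echo "interface-0 pair is up"
fi
pair_established "$SAMPLE_A_IF1" "$SAMPLE_B_IF1" ||
  echo "interface-1 pair not ready: $(tunnel_detail "$SAMPLE_B_IF1")"
```

Against a real project, feed the functions the output of `gcloud beta compute vpn-tunnels describe [TUNNEL_NAME] --region [REGION_1]` for each tunnel (or ask for the single field directly with `--format='value(status)'`). The 99.99% SLA depends on both pairs being established, so treat a single healthy pair as degraded, not as done.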

Create Cloud Router interfaces and BGP peers

  1. Create a BGP interface and BGP peer on [ROUTER_NAME_1] for the tunnel [TUNNEL_NAME_GW1_IF0]. This BGP interface connects [TUNNEL_NAME_GW1_IF0] on interface 0 of [GW_NAME_1] to interface 0 of [GW_NAME_2] using two BGP IP addresses. In the following commands, replace the options as noted below:

    • Replace [ROUTER_1_INTERFACE_NAME_0] with a name for the Cloud Router BGP interface. Using a name related to [TUNNEL_NAME_GW1_IF0] can be helpful.
    • Replace [IP_ADDRESS] with a BGP IP address from the 169.254.0.0/16 block that's not already in use. This example uses 169.254.0.1.
    • Use a [MASK_LENGTH] of 30.
    • Replace [PEER_NAME] with a name describing the BGP peer. Using a name related to [TUNNEL_NAME_GW1_IF0] can be helpful.
    • Replace [PEER_IP_ADDRESS] with a BGP IP address from the 169.254.0.0/16 block that's not already in use. This example uses 169.254.0.2.
    • Replace the [PEER_ASN] with the ASN number used for all interfaces on the other Cloud Router, [ROUTER_NAME_2]. This example uses ASN number 65002.

      1. To create a BGP interface for [TUNNEL_NAME_GW1_IF0], enter the following command:

        gcloud compute routers add-interface [ROUTER_NAME_1] \
           --interface-name [ROUTER_1_INTERFACE_NAME_0] \
           --ip-address [IP_ADDRESS] \
           --mask-length [MASK_LENGTH] \
           --vpn-tunnel [TUNNEL_NAME_GW1_IF0] \
           --region [REGION_1]
        
      2. To create a BGP peer for [TUNNEL_NAME_GW1_IF0], enter the following command:

        gcloud compute routers add-bgp-peer [ROUTER_NAME_1] \
           --peer-name [PEER_NAME] \
           --interface [ROUTER_1_INTERFACE_NAME_0] \
           --peer-ip-address [PEER_IP_ADDRESS] \
           --peer-asn [PEER_ASN] \
           --region [REGION_1]
        

        The command output should look similar to the following example:

         Updated [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/us-central1/routers/router-a].
        
  2. Create a BGP interface and BGP peer on [ROUTER_NAME_1] for the tunnel [TUNNEL_NAME_GW1_IF1]. This BGP interface connects [TUNNEL_NAME_GW1_IF1] on interface 1 of [GW_NAME_1] to interface 1 of [GW_NAME_2] using two BGP IP addresses. In the following commands, replace the options as noted below:

    • Replace [ROUTER_1_INTERFACE_NAME_1] with a Cloud Router BGP interface name. Using a name related to [TUNNEL_NAME_GW1_IF1] can be helpful.
    • Replace [IP_ADDRESS] with a BGP IP address from the 169.254.0.0/16 block that's not already in use. This example uses 169.254.1.1.
    • Use a [MASK_LENGTH] of 30.
    • Replace [PEER_NAME] with a name describing the BGP peer. Using a name related to [TUNNEL_NAME_GW1_IF1] can be helpful.
    • Replace [PEER_IP_ADDRESS] with a BGP IP address from the 169.254.0.0/16 block that's not already in use. This example uses 169.254.1.2.
    • Replace the [PEER_ASN] with the ASN number used for all interfaces on the other Cloud Router, [ROUTER_NAME_2]. This example uses ASN number 65002.

      1. To create a BGP interface for [TUNNEL_NAME_GW1_IF1], enter the following command:

        gcloud compute routers add-interface [ROUTER_NAME_1] \
           --interface-name [ROUTER_1_INTERFACE_NAME_1] \
           --ip-address [IP_ADDRESS] \
           --mask-length [MASK_LENGTH] \
           --vpn-tunnel [TUNNEL_NAME_GW1_IF1] \
           --region [REGION_1]
        
      2. To create a BGP peer for [TUNNEL_NAME_GW1_IF1], enter the following command:

        gcloud compute routers add-bgp-peer [ROUTER_NAME_1]  \
           --peer-name [PEER_NAME] \
           --interface [ROUTER_1_INTERFACE_NAME_1] \
           --peer-ip-address [PEER_IP_ADDRESS] \
           --peer-asn [PEER_ASN] \
           --region [REGION_1]
        

        The command output should look similar to the following example:

         Updated [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/us-central1/routers/router-a].
        
  3. Verify the settings for [ROUTER_NAME_1] by entering the following command:

    gcloud compute routers describe [ROUTER_NAME_1] \
        --region [REGION_1]
    

    The command output should look similar to the following example:

     bgp:
       advertiseMode: DEFAULT
       asn: 65001
     bgpPeers:
     - interfaceName: if-tunnel-a-to-b-if-0
       ipAddress: 169.254.0.1
       name: bgp-peer-tunnel-a-to-b-if-0
       peerAsn: 65002
       peerIpAddress: 169.254.0.2
     - interfaceName: if-tunnel-a-to-b-if-1
       ipAddress: 169.254.1.1
       name: bgp-peer-tunnel-a-to-b-if-1
       peerAsn: 65002
       peerIpAddress: 169.254.1.2
     creationTimestamp: '2015-10-19T14:31:52.639-07:00'
     id: '4047683710114914215'
     interfaces:
     - ipRange: 169.254.0.1/30
       linkedVpnTunnel: https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/us-central1/vpnTunnels/tunnel-a-to-b-if-0
       name: if-tunnel-a-to-b-if-0
     - ipRange: 169.254.1.1/30
       linkedVpnTunnel: https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/us-central1/vpnTunnels/tunnel-a-to-b-if-1
       name: if-tunnel-a-to-b-if-1
     kind: compute#router
     name: router-a
     network: https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/networks/network-a
     region: https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/us-central1
     selfLink: https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/us-central1/routers/router-a
    
  4. Create a BGP interface and BGP peer on [ROUTER_NAME_2] for the tunnel [TUNNEL_NAME_GW2_IF0]. This BGP interface connects [TUNNEL_NAME_GW2_IF0] on interface 0 of [GW_NAME_2] to interface 0 of [GW_NAME_1] using two BGP IP addresses. In the following commands, replace the options as noted below:

    • Replace [ROUTER_2_INTERFACE_NAME_0] with a Cloud Router BGP interface name. Using a name related to [TUNNEL_NAME_GW2_IF0] can be helpful.
    • Replace [IP_ADDRESS] with the BGP IP address used previously for this gateway and interface. This example uses 169.254.0.2.
    • Use a [MASK_LENGTH] of 30.
    • Replace [PEER_NAME] with a name describing the BGP peer. Using a name related to [TUNNEL_NAME_GW2_IF0] can be helpful.
    • Replace [PEER_IP_ADDRESS] with the IP address used previously for the peer gateway and interface. This example uses 169.254.0.1.
    • Replace the [PEER_ASN] with the ASN number used for all interfaces on [ROUTER_NAME_1] and that was set previously. This example uses ASN number 65001.
    1. To create a BGP interface for [TUNNEL_NAME_GW2_IF0], enter the following command.

      gcloud compute routers add-interface [ROUTER_NAME_2] \
         --interface-name [ROUTER_2_INTERFACE_NAME_0] \
         --ip-address [IP_ADDRESS] \
         --mask-length [MASK_LENGTH] \
         --vpn-tunnel [TUNNEL_NAME_GW2_IF0] \
         --region [REGION_1]
      

      The command output should look similar to the following example:

       Updated [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/us-central1/routers/router-b].
      
    2. To create a BGP peer for [TUNNEL_NAME_GW2_IF0], enter the following command:

       gcloud compute routers add-bgp-peer [ROUTER_NAME_2] \
         --peer-name [PEER_NAME] \
         --interface [ROUTER_2_INTERFACE_NAME_0] \
         --peer-ip-address [PEER_IP_ADDRESS] \
         --peer-asn [PEER_ASN] \
         --region [REGION_1]
      

      The command output should look similar to the following example:

       Updated [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/us-central1/routers/router-b].
      
  5. Create a BGP interface and BGP peer on [ROUTER_NAME_2] for the tunnel [TUNNEL_NAME_GW2_IF1]. This BGP interface connects [TUNNEL_NAME_GW2_IF1] on interface 1 of [GW_NAME_2] to interface 1 of [GW_NAME_1] using two BGP IP addresses. In the following commands, replace the options as noted below:

    • Replace [ROUTER_2_INTERFACE_NAME_1] with a Cloud Router BGP interface name. Using a name related to [TUNNEL_NAME_GW2_IF1] can be helpful.
    • Replace [IP_ADDRESS] with the BGP IP address used previously for this gateway and interface. This example uses 169.254.1.2.
    • Use a [MASK_LENGTH] of 30.
    • Replace [PEER_NAME] with a name describing the BGP peer. Using a name related to [TUNNEL_NAME_GW2_IF1] can be helpful.
    • Replace [PEER_IP_ADDRESS] with a BGP IP address from the 169.254.0.0/16 block that's not already in use. This example uses 169.254.1.1.
    • Replace the [PEER_ASN] with the ASN number used for all interfaces on [ROUTER_NAME_1] and that was set previously. This example uses ASN number 65001.
    1. To create a BGP interface for [TUNNEL_NAME_GW2_IF1], enter the following command:

      gcloud compute routers add-interface [ROUTER_NAME_2] \
         --interface-name [ROUTER_2_INTERFACE_NAME_1] \
         --ip-address [IP_ADDRESS] \
         --mask-length [MASK_LENGTH] \
         --vpn-tunnel [TUNNEL_NAME_GW2_IF1] \
         --region [REGION_1]
      

      The command output should look similar to the following example:

      Updated [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/us-central1/routers/router-b].
      
    2. To create a BGP peer for [TUNNEL_NAME_GW2_IF1], enter the following command:

      gcloud compute routers add-bgp-peer [ROUTER_NAME_2]  \
         --peer-name [PEER_NAME] \
         --interface [ROUTER_2_INTERFACE_NAME_1] \
         --peer-ip-address [PEER_IP_ADDRESS] \
         --peer-asn [PEER_ASN] \
         --region [REGION_1]
      

      The command output should look similar to the following example:

       Updated [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/us-central1/routers/router-b].
      
  6. Verify the settings for [ROUTER_NAME_2] by entering the following command:

    gcloud compute routers describe [ROUTER_NAME_2] \
       --region [REGION_1]
    

    The command output should look similar to the following example:

     bgp:
       advertiseMode: DEFAULT
       asn: 65002
     bgpPeers:
     - interfaceName: if-tunnel-b-to-a-if-0
       ipAddress: 169.254.0.2
       name: bgp-peer-tunnel-b-to-a-if-0
       peerAsn: 65001
       peerIpAddress: 169.254.0.1
     - interfaceName: if-tunnel-b-to-a-if-1
       ipAddress: 169.254.1.2
       name: bgp-peer-tunnel-b-to-a-if-1
       peerAsn: 65001
       peerIpAddress: 169.254.1.1
     creationTimestamp: '2015-10-19T14:31:52.639-07:00'
     id: '4047683710114914215'
     interfaces:
     - ipRange: 169.254.0.2/30
       linkedVpnTunnel: https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/us-central1/vpnTunnels/tunnel-b-to-a-if-0
       name: if-tunnel-b-to-a-if-0
     - ipRange: 169.254.1.2/30
       linkedVpnTunnel: https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/us-central1/vpnTunnels/tunnel-b-to-a-if-1
       name: if-tunnel-b-to-a-if-1
     kind: compute#router
     name: router-b
     network: https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/networks/network-b
     region: https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/us-central1
     selfLink: https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/us-central1/routers/router-b
    
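Most mistakes in this procedure are asymmetry mistakes: a secret or IKE version that differs between the two sides, a tunnel on interface 1 pointed at the peer's interface 0, or a BGP peer address that is not the mirror of the other router's interface address. The script below is an added example (not Google's code) that drives the page's gcloud sequence for both gateways from one set of variables, so each side is produced by the same function with its arguments swapped and the mirrored settings cannot drift apart. Names are this page's sample names (network-a/b, ha-vpn-gw-a/b, router-a/b, ASN 65001/65002, the 169.254.N.1/2 link-local pairs); the DRY_RUN wrapper and the PLACEHOLDER_SECRET default are assumptions of the example, and the networks and subnets are expected to exist already.

```shell
#!/bin/sh
# Added example, not Google's code: build both sides of a GCP-to-GCP HA VPN
# from one set of variables. DRY_RUN=1 (default here) prints each gcloud
# command instead of running it; set DRY_RUN=0 to apply against a project.
DRY_RUN=${DRY_RUN:-1}
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

REGION=us-central1                 # both gateways must be in the same region
NETWORK_1=network-a; NETWORK_2=network-b
GW_1=ha-vpn-gw-a;    GW_2=ha-vpn-gw-b
ROUTER_1=router-a;   ROUTER_2=router-b
ASN_1=65001;         ASN_2=65002   # private ASNs, one per Cloud Router
IKE_VERS=2                         # IKEv2, as the page recommends for GCP-to-GCP
# One secret for the whole pair; supply it from the environment, never hard-code it.
SHARED_SECRET=${SHARED_SECRET:-PLACEHOLDER_SECRET}

create_gateway() {  # $1 gateway name, $2 network
  run gcloud beta compute vpn-gateways create "$1" --network "$2" --region "$REGION"
}
create_router() {   # $1 router name, $2 network, $3 ASN
  run gcloud compute routers create "$1" --region "$REGION" --network "$2" --asn "$3"
}
create_tunnel() {   # $1 tunnel name, $2 local gateway, $3 peer gateway, $4 router, $5 interface
  run gcloud beta compute vpn-tunnels create "$1" --peer-gcp-gateway "$3" \
    --region "$REGION" --ike-version "$IKE_VERS" --shared-secret "$SHARED_SECRET" \
    --router "$4" --vpn-gateway "$2" --interface "$5"
}
add_bgp() {         # $1 router, $2 tunnel, $3 local BGP IP, $4 peer BGP IP, $5 peer ASN
  run gcloud compute routers add-interface "$1" --interface-name "if-$2" \
    --ip-address "$3" --mask-length 30 --vpn-tunnel "$2" --region "$REGION"
  run gcloud compute routers add-bgp-peer "$1" --peer-name "bgp-peer-$2" \
    --interface "if-$2" --peer-ip-address "$4" --peer-asn "$5" --region "$REGION"
}

# One side of the link. Interface i of the local gateway always pairs with
# interface i of the peer, and the BGP addresses are 169.254.<i>.<host> with
# host 1 on side A and host 2 on side B, so the peer address is simply 3 - host.
configure_side() {  # $1 gateway, $2 peer gateway, $3 router, $4 peer ASN, $5 tag, $6 host (1|2)
  peer_host=$(( 3 - $6 ))
  for i in 0 1; do
    tunnel="tunnel-$5-if-$i"
    create_tunnel "$tunnel" "$1" "$2" "$3" "$i"
    add_bgp "$3" "$tunnel" "169.254.$i.$6" "169.254.$i.$peer_host" "$4"
  done
}

build_all() {
  create_gateway "$GW_1" "$NETWORK_1"
  create_gateway "$GW_2" "$NETWORK_2"
  create_router "$ROUTER_1" "$NETWORK_1" "$ASN_1"
  create_router "$ROUTER_2" "$NETWORK_2" "$ASN_2"
  configure_side "$GW_1" "$GW_2" "$ROUTER_1" "$ASN_2" a-to-b 1
  configure_side "$GW_2" "$GW_1" "$ROUTER_2" "$ASN_1" b-to-a 2
}

build_all
```

Review the dry-run output before switching DRY_RUN off: every `vpn-tunnels create` line should carry the same `--ike-version` and `--shared-secret`, and the `--interface` number must match between the a-to-b and b-to-a tunnel with the same suffix. Firewall rules (the next section) are not part of this script.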

Continue on to complete the configuration

Completing the configuration

You must complete the following steps before you can use a new Cloud VPN gateway and its associated VPN tunnels:

  1. Set up the peer VPN gateway and configure the corresponding tunnel or tunnels there. Refer to these pages:
  2. Configure firewall rules in GCP and your peer network as required. See the firewall rules page for suggestions.
  3. Check the status of your VPN tunnels and check the configuration of your HA VPN gateway for high availability.

What's next
