Creating an HA VPN gateway to a Peer VPN gateway

This page describes how to create a highly-available VPN gateway that connects to a peer VPN gateway.

HA VPN gateways use the HA VPN API and provide a 99.99% SLA (at GA). This configuration uses a tunnel pair, with one tunnel on each HA VPN gateway interface.

There are two gateway components to configure for HA VPN:

  • An HA VPN gateway in Google Cloud Platform.
  • Your peer VPN gateway or gateways—one or more physical VPN gateway devices or software applications in the peer network to which the HA VPN gateway connects. The peer gateway can be either an on-premises VPN gateway or one hosted by another cloud provider. You'll need to create an external VPN gateway resource in GCP for each peer gateway device or service.

For diagrams of this topology, see the Topologies page.

For more information about how to choose a VPN type, see Choosing a VPN option.

Before you begin

  • Review information about how dynamic routing works in GCP.
  • Make sure your peer VPN gateway supports BGP.

Setting up the following items in GCP makes it easier to configure Cloud VPN:

  1. Sign in to your Google Account.

    If you don't already have one, sign up for a new account.

  2. Select or create a GCP project.

    Go to the Project selector page

  3. Make sure that billing is enabled for your Google Cloud Platform project.

    Learn how to enable billing

  4. Install and initialize the Cloud SDK.
  5. If you are using gcloud commands, set your project ID with the following command. The gcloud instructions on this page assume that you have set your project ID before issuing commands.

    gcloud config set project [PROJECT_ID]

  6. You can also view a project ID that has already been set:

    gcloud config list --format='text(core.project)'


Additional set-up for using Beta gcloud commands

To enable the use of HA VPN gcloud commands during Beta, perform the following steps:

  1. Make sure you're logged in to gcloud (not required when using Cloud Shell).
    $ gcloud auth login
  2. Install the beta component if not already installed (not required when using Cloud Shell).
    $ gcloud components install beta
  3. Add the following repository once to install gcloud components related to HA VPN.
    $ gcloud components repositories add https://storage.googleapis.com/ha-vpn-gcloud-tt/components-2.json
  4. Update gcloud to pick up the new components.
    $ gcloud components update

Redundancy types

The HA VPN API contains an option for REDUNDANCY_TYPE, which represents the number of interfaces you configure for the external VPN gateway resource.

gcloud commands automatically infer the following values of REDUNDANCY_TYPE from the number of interfaces you provide in the interface ID when you configure an external VPN gateway resource:

  • One external VPN interface is SINGLE_IP_INTERNALLY_REDUNDANT
  • Two external VPN interfaces are TWO_IPS_REDUNDANCY
  • Four external VPN interfaces are FOUR_IPS_REDUNDANCY

When configuring external VPN gateways, you must use the following interface identification numbers for the stated number of external VPN interfaces:

  • For one external VPN interface, use a value of 0.
  • For two external VPN interfaces, use values 0 and 1.
  • For four external VPN interfaces, use values 0,1,2, and 3.

When configuring an HA VPN external VPN gateway to Amazon Web Services (AWS), the supported topology requires two AWS Virtual Private Gateways, A and B, each with two public IP addresses. This topology yields four public IP addresses total in AWS: A1, A2, B1, and B2.

  1. Configure the four AWS IP addresses as a single external HA VPN gateway with FOUR_IPS_REDUNDANCY, where:
    • AWS IP 0=A1
    • AWS IP 1=A2
    • AWS IP 2=B1
    • AWS IP 3=B2
  2. Create four tunnels on the HA VPN gateway to meet the 99.99% SLA, using the following configuration:
    • HA VPN interface 0 to AWS interface 0
    • HA VPN interface 0 to AWS interface 1
    • HA VPN interface 1 to AWS interface 2
    • HA VPN interface 1 to AWS interface 3
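As an added example that is not part of this documentation, the following POSIX shell functions encode the interface numbering rules above: they infer the REDUNDANCY_TYPE from a list of peer public IP addresses, build the --interfaces value with identification numbers 0 to N-1, and print the HA VPN interface to peer interface pairing for one, two or four peer addresses (the four-address case is the AWS topology just described; the one- and two-address cases are the tunnel options described later on this page). The sample addresses are constructed from the 203.0.113.0/24 documentation range, and the script never calls gcloud itself.

```shell
#!/bin/sh
# Added example, not from the Cloud VPN documentation. Assumes only a POSIX
# shell plus grep -E; it prepares values for gcloud but does not run it.

# redundancy_type N : the REDUNDANCY_TYPE gcloud infers from N peer interfaces.
redundancy_type() {
  case "$1" in
    1) echo SINGLE_IP_INTERNALLY_REDUNDANT ;;
    2) echo TWO_IPS_REDUNDANCY ;;
    4) echo FOUR_IPS_REDUNDANCY ;;
    *) echo "unsupported interface count: $1" >&2; return 1 ;;
  esac
}

# is_ipv4 ADDR : dotted-quad check, so an unreplaced placeholder such as
# [PEER_GW_IP_0] is caught before it reaches gcloud.
is_ipv4() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
}

# interfaces_arg IP... : the value for --interfaces, numbered 0..N-1 as the
# page requires; only 1, 2 or 4 addresses are accepted.
interfaces_arg() {
  [ $# -eq 1 ] || [ $# -eq 2 ] || [ $# -eq 4 ] || return 1
  idx=0; out=""
  for ip in "$@"; do
    is_ipv4 "$ip" || return 1
    out="${out}${out:+,}${idx}=${ip}"
    idx=$((idx + 1))
  done
  printf '%s\n' "$out"
}

# tunnel_plan N : one "HA_IF PEER_IF" line per tunnel. Both HA VPN gateway
# interfaces (0 and 1) are always used, so the loss of either gateway
# interface or of one peer address still leaves a tunnel up.
tunnel_plan() {
  case "$1" in
    1) printf '0 0\n1 0\n' ;;           # single peer IP: both tunnels to peer interface 0
    2) printf '0 0\n1 1\n' ;;           # two peer IPs: interface 0 to 0, 1 to 1
    4) printf '0 0\n0 1\n1 2\n1 3\n' ;; # AWS: A1 A2 via HA interface 0, B1 B2 via interface 1
    *) return 1 ;;
  esac
}

# Constructed sample: the AWS topology from this page, A1 A2 B1 B2, using
# documentation addresses from 203.0.113.0/24 rather than real gateways.
set -- 203.0.113.11 203.0.113.12 203.0.113.21 203.0.113.22
echo "REDUNDANCY_TYPE: $(redundancy_type $#)"
echo "--interfaces $(interfaces_arg "$@")"
tunnel_plan $# | while read -r ha_if peer_if; do
  echo "tunnel: HA VPN interface $ha_if -> peer interface $peer_if"
done
```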

Overview of the high-level configuration steps to set up HA VPN with Amazon Web Services (AWS):

  1. Create the HA VPN gateway and a Cloud Router. This creates 2 public IP addresses on the GCP side.
  2. Create two AWS Virtual Private Gateways. This creates 4 public addresses on the AWS side.
  3. Create two AWS Site-to-Site VPN connections and customer gateways, one for each AWS Virtual Private Gateway. Specify a non-overlapping link-local Tunnel IP Range for each tunnel, 4 total. For example, 169.254.1.4/30.
  4. Download the AWS configuration files for the generic device type.
  5. Create four VPN tunnels on the HA VPN gateway.
  6. Configure BGP sessions on the Cloud Router using the BGP IP addresses from the downloaded AWS configuration files.

Creating an HA VPN gateway and tunnel pair to a peer VPN gateway

Create a custom Virtual Private Cloud network

  1. If you haven't already, create a VPC network. These example instructions create a custom mode VPC network with one subnet in one region and another subnet in another region.

    This network uses global dynamic routing mode so that all instances of Cloud Router apply the "to on premises" routes they learn to all subnets of the VPC network. In Global Routing mode, routes to all subnets in the VPC network are shared with on-premises routers.

    In the following commands, replace the options as noted below:

    • [NETWORK] assign a network name.
    • [SUBNET_MODE] set as custom.
    • [BGP_ROUTING_MODE] set as global.
      gcloud compute networks create [NETWORK] \
        --subnet-mode [SUBNET_MODE]  \
        --bgp-routing-mode [BGP_ROUTING_MODE]
    
    The command output should look similar to the following example:

      Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/network-a].
      NAME       SUBNET_MODE  BGP_ROUTING_MODE  IPV4_RANGE  GATEWAY_IPV4
      network-a  CUSTOM       GLOBAL
    

Create subnets

  1. Create two subnets in [NETWORK] as follows:

    • A subnet named [SUBNET_NAME_1] in [REGION_1] that uses the IP range [RANGE_1]
    • A subnet named [SUBNET_NAME_2] in [REGION_2] that uses the IP range [RANGE_2].

    In the following commands, replace the options as noted below:

    • [NETWORK] is the network name for the network created in the previous step.
    • [SUBNET_NAME_1] and [SUBNET_NAME_2] are the names for each subnet.
    • [REGION_1] and [REGION_2] are the two different regions used in this example.
    • [RANGE_1] and [RANGE_2] are the two different subnet IP ranges used in this example.
      gcloud compute networks subnets create [SUBNET_NAME_1]  \
        --network  [NETWORK] \
        --region [REGION_1] \
        --range [RANGE_1]
    
      gcloud compute networks subnets create [SUBNET_NAME_2] \
        --network [NETWORK] \
        --region [REGION_2] \
        --range [RANGE_2]
    

    The command output should look similar to the following example:

      Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/subnetworks/subnet-a-central].
      NAME              REGION       NETWORK    RANGE
      subnet-a-central  us-central1  network-a  10.0.1.0/24
      Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-west1/subnetworks/subnet-a-west].
      NAME              REGION       NETWORK    RANGE
      subnet-a-west     us-west1     network-a  10.0.2.0/24
    

Create the HA VPN gateway

Complete the following command sequence to create the HA VPN gateway:

  1. Create an HA VPN gateway. When the gateway is created, two external IP addresses are automatically allocated, one for each gateway interface.

    In the following commands, replace the options as noted below:

    • Replace [NETWORK] with the name of your GCP network.
    • Replace [REGION] with the GCP region where you need to create the gateway and tunnel.
    • Replace [GW_NAME] with the name of the gateway.
      gcloud beta compute vpn-gateways create [GW_NAME] \
        --network [NETWORK] \
        --region [REGION]
    

    The gateway you create should look similar to the following example output. Note that a public IP address has been automatically assigned to each gateway interface:

      Created [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/us-central1/vpnGateways/ha-vpn-gw-a].
      NAME        INTERFACE0    INTERFACE1   NETWORK   REGION
      ha-vpn-gw-a 203.0.113.16  203.0.113.23 network-a us-central1
    

Create Cloud Router

  1. Complete the following command sequence to create a Cloud Router. In the following commands, replace the options as noted below:

    • Replace [ROUTER_NAME] with the name of the Cloud Router in the same region as the Cloud VPN gateway.
    • Replace [GOOGLE_ASN] with any private ASN (64512 - 65534, 4200000000 - 4294967294) that you are not already using in the peer network. The Google ASN is used for all BGP sessions on the same Cloud Router and it cannot be changed later.
      gcloud compute routers create [ROUTER_NAME] \
        --region [REGION] \
        --network [NETWORK] \
        --asn [GOOGLE_ASN]
    

    The router you create should look similar to the following example output:

      Created [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/us-central1/routers/router-a].
      NAME      REGION      NETWORK
      router-a us-central1 network-a
    

Create an External VPN Gateway resource

Create an external VPN gateway resource that provides information to GCP about your peer VPN gateway or gateways. Depending on the HA recommendations for your peer VPN gateway, you can create an external VPN gateway resource for the following types of on-premises VPN gateway:

  • Two separate peer VPN gateway devices where the two devices are redundant with each other and each device has its own public IP address.
  • A single peer VPN gateway that uses two separate interfaces, each with its own public IP address. For this kind of peer gateway, you can create a single external VPN gateway with two interfaces.
  • A single peer VPN gateway with a single public IP address.

Option 1: Create an External VPN Gateway resource for two separate peer VPN gateway devices

  1. For this type of peer gateway, each interface of the external VPN gateway has one public IP address, and each address is from one of the peer VPN gateway devices. In the following gcloud command, replace the options as noted below:

    • Replace [PEER_GW_NAME] with a name representing the peer gateway.
    • Replace [PEER_GW_IP_0] with the public IP address of one peer gateway device.
    • Replace [PEER_GW_IP_1] with the public IP address of the other peer gateway device.
      gcloud beta compute external-vpn-gateways create [PEER_GW_NAME] \
        --interfaces 0=[PEER_GW_IP_0],1=[PEER_GW_IP_1]
    

    The External VPN Gateway resource created should look like the following example where [PEER_GW_IP_0] and [PEER_GW_IP_1] show the actual public addresses of the peer gateway interfaces:

      Created [https://www.googleapis.com/compute/beta/projects/PROJECT_ID/global/externalVpnGateways/peer-gw].
      NAME      INTERFACE0      INTERFACE1
      peer-gw   PEER_GW_IP_0    PEER_GW_IP_1
    

Option 2: Create an External VPN Gateway resource for a single peer VPN gateway with two separate interfaces

  1. For this type of peer gateway, create a single external VPN gateway with two interfaces. In the following gcloud command, replace the options as noted below:

    • Replace [PEER_GW_NAME] with a name representing the peer gateway.
    • Replace [PEER_GW_IP_0] with the public IP address for one interface from the peer gateway.
    • Replace [PEER_GW_IP_1] with the public IP address for another interface from the peer gateway.
      gcloud beta compute external-vpn-gateways create [PEER_GW_NAME] \
        --interfaces 0=[PEER_GW_IP_0],1=[PEER_GW_IP_1]
    

    The External VPN Gateway resource created should look like the following example where [PEER_GW_IP_0] and [PEER_GW_IP_1] show the actual public addresses of the peer gateway interfaces:

      Created [https://www.googleapis.com/compute/beta/projects/PROJECT_ID/global/externalVpnGateways/peer-gw].
      NAME      INTERFACE0      INTERFACE1
      peer-gw   PEER_GW_IP_0    PEER_GW_IP_1
    

Option 3: Create an External VPN Gateway resource for a single peer VPN gateway with a single public IP address

  1. For this type of peer gateway, create an external VPN gateway with one interface. In the following gcloud command, replace the options as noted below:

    • Replace [PEER_GW_NAME] with a name representing the peer gateway.
    • Replace [PEER_GW_IP_0] with the public IP address for the interface from the peer gateway.
      gcloud beta compute external-vpn-gateways create [PEER_GW_NAME] \
        --interfaces 0=[PEER_GW_IP_0]
    

    The External VPN Gateway resource you created should look like the following example where [PEER_GW_IP_0] shows the actual public address of the peer gateway interface:

      Created [https://www.googleapis.com/compute/beta/projects/PROJECT_ID/global/externalVpnGateways/peer-gw].
      NAME      INTERFACE0
      peer-gw   PEER_GW_IP_0
    

Create two VPN tunnels, one for each interface on the HA VPN gateway

When creating VPN tunnels, specify the peer side of the VPN tunnels as the external VPN gateway you created earlier. Depending on the redundancy type of the external VPN gateway, configure the tunnels using one of the following two options.

Option 1: If the external VPN gateway is two separate peer VPN gateway devices or a single device with two IP addresses

  1. In this case, one VPN tunnel needs to connect to interface 0 of the external VPN gateway, and the other VPN tunnel needs to connect to interface 1 of the external VPN gateway.

    In the following commands to create each tunnel, replace the options as noted below:

    • Replace [TUNNEL_NAME_IF0] and [TUNNEL_NAME_IF1] with a name for each tunnel. Including the gateway interface number in the tunnel name makes the tunnels easier to identify later.
    • Replace [GW_NAME] with the name of the HA VPN gateway.
    • (Optional) --vpn-gateway-region is the region of the HA VPN gateway to operate on. Its value should be the same as --region. If not specified, this option is set automatically. This option overrides the default compute/region property value for this command invocation.
    • Replace [PEER_GW_NAME] with a name of the external peer gateway created earlier.
    • Replace [PEER_EXT_GW_IF0] and [PEER_EXT_GW_IF1] with the interface number configured earlier on the external peer gateway.
    • Replace [IKE_VERS] with 1 for IKEv1 or 2 for IKEv2. If possible, use IKEv2 for the IKE version. If your peer gateway requires IKEv1, replace --ike-version 2 with --ike-version 1.
    • Replace [SHARED_SECRET] with your shared secret, which must correspond with the shared secret for the partner tunnel you create on your peer gateway. See Generating a strong pre-shared key for recommendations.
    • Replace [INT_NUM_0] with the number 0 for the first interface on the HA VPN gateway you created earlier.
    • Replace [INT_NUM_1] with the number 1 for the second interface on the HA VPN gateway you created earlier.

        gcloud beta compute vpn-tunnels create [TUNNEL_NAME_IF0] \
          --peer-external-gateway [PEER_GW_NAME] \
          --peer-external-gateway-interface [PEER_EXT_GW_IF0] \
          --region [REGION] \
          --ike-version [IKE_VERS] \
          --shared-secret [SHARED_SECRET] \
          --router [ROUTER_NAME] \
          --vpn-gateway [GW_NAME] \
          --interface [INT_NUM_0]
      
        gcloud beta compute vpn-tunnels create [TUNNEL_NAME_IF1] \
          --peer-external-gateway [PEER_GW_NAME] \
          --peer-external-gateway-interface [PEER_EXT_GW_IF1] \
          --region [REGION] \
          --ike-version [IKE_VERS] \
          --shared-secret [SHARED_SECRET] \
          --router [ROUTER_NAME] \
          --vpn-gateway [GW_NAME] \
          --interface [INT_NUM_1]
      

      The command output should look similar to the following example:

        Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-on-prem-if-0].
        NAME                      REGION       GATEWAY        VPN_INTERFACE   PEER_GATEWAY   PEER_INTERFACE
        tunnel-a-to-on-prem-if-0  us-central1  ha-vpn-gw-a    0               peer-gw        0
        Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-on-prem-if-1].
        NAME                      REGION       GATEWAY        VPN_INTERFACE   PEER_GATEWAY   PEER_INTERFACE
        tunnel-a-to-on-prem-if-1  us-central1  ha-vpn-gw-a    1               peer-gw        1
      

Option 2: If the external VPN gateway is a single peer VPN gateway with a single public IP address

  1. In this case, both VPN tunnels need to connect to interface 0 of the external VPN gateway.

    In the following commands to create each tunnel, replace the options as noted below:

    • Replace [TUNNEL_NAME_IF0] and [TUNNEL_NAME_IF1] with a name for each tunnel. Including the gateway interface number in the tunnel name makes the tunnels easier to identify later.
    • Replace [PEER_GW_NAME] with the name of the external peer gateway created earlier.
    • Replace [PEER_EXT_GW_IF0] with the interface number configured earlier on the external peer gateway.
    • (Optional) The --vpn-gateway-region is the region of the HA VPN gateway to operate on. Its value should be the same as --region. If not specified, this option is automatically set. This option overrides the default compute/region property value for this command invocation.
    • Replace [IKE_VERS] with 1 for IKEv1 or 2 for IKEv2. If possible, use IKEv2 for the IKE version. If your peer gateway requires IKEv1, replace --ike-version 2 with --ike-version 1.
    • Replace [SHARED_SECRET] with your shared secret, which must correspond with the shared secret for the partner tunnel you create on your peer gateway. See Generating a strong pre-shared key for recommendations.
    • Replace [INT_NUM_0] with the number 0 for the first interface on the HA VPN gateway you created earlier.
    • Replace [INT_NUM_1] with the number 1 for the second interface on the HA VPN gateway you created earlier.
      gcloud beta compute vpn-tunnels create [TUNNEL_NAME_IF0] \
        --peer-external-gateway [PEER_GW_NAME] \
        --peer-external-gateway-interface [PEER_EXT_GW_IF0]  \
        --region [REGION] \
        --ike-version [IKE_VERS] \
        --shared-secret [SHARED_SECRET] \
        --router [ROUTER_NAME] \
        --vpn-gateway [GW_NAME] \
        --interface [INT_NUM_0]
    
      gcloud beta compute vpn-tunnels create [TUNNEL_NAME_IF1] \
        --peer-external-gateway [PEER_GW_NAME] \
        --peer-external-gateway-interface [PEER_EXT_GW_IF0] \
        --region [REGION] \
        --ike-version [IKE_VERS] \
        --shared-secret [SHARED_SECRET] \
        --router [ROUTER_NAME] \
        --vpn-gateway [GW_NAME] \
        --interface [INT_NUM_1]
    

    The command output should look similar to the following example:

      Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-on-prem-if-0].
      NAME                      REGION       GATEWAY        VPN_INTERFACE   PEER_GATEWAY   PEER_INTERFACE
      tunnel-a-to-on-prem-if-0  us-central1  ha-vpn-gw-a    0               peer-gw        0
      Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-on-prem-if-1].
      NAME                      REGION       GATEWAY        VPN_INTERFACE   PEER_GATEWAY   PEER_INTERFACE
      tunnel-a-to-on-prem-if-1  us-central1  ha-vpn-gw-a    1               peer-gw        0
    

Create Cloud Router interfaces and BGP peers

  1. Create a Cloud Router BGP interface and BGP peer for each tunnel you previously configured on the HA VPN gateway interfaces.
    In the following commands, replace the options as noted below:

    • Replace [ROUTER_INTERFACE_NAME_0] and [ROUTER_INTERFACE_NAME_1] with a name for each Cloud Router BGP interface. It can be helpful to use names related to the tunnel names configured previously.
    • If you use the manual configuration method, replace [IP_ADDRESS_0] and [IP_ADDRESS_1] with the BGP IP address for the HA VPN gateway interface you configure. Note that each tunnel uses a different gateway interface.
    • Use a [MASK_LENGTH] of 30.
    • Replace [TUNNEL_NAME_0] and [TUNNEL_NAME_1] with the tunnel associated with the HA VPN gateway interface you configured.

    Choose the automatic or manual configuration method of configuring BGP interfaces and BGP peers:

    Automatic

    To let GCP automatically choose the link-local BGP IP addresses:

    For the first VPN tunnel

    1. Add a new BGP interface to the Cloud Router.

      gcloud compute routers add-interface [ROUTER_NAME] \
          --interface-name [ROUTER_INTERFACE_NAME_0] \
          --mask-length [MASK_LENGTH] \
          --vpn-tunnel [TUNNEL_NAME_0] \
          --region [REGION]
      

      The command output should look similar to the following example:

      Updated [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/us-central1/routers/router-a].
      
    2. Add a BGP peer to the interface for the first tunnel. Replace [PEER_NAME] with a name for the peer VPN interface, and [PEER_ASN] with the ASN configured for the peer VPN gateway.

      gcloud compute routers add-bgp-peer [ROUTER_NAME] \
          --peer-name [PEER_NAME] \
          --peer-asn [PEER_ASN] \
          --interface [ROUTER_INTERFACE_NAME_0] \
          --region [REGION]
      

      The command output should look similar to the following example:

      Creating peer [bgp-peer-tunnel-a-to-on-prem-if-0] in router [router-a]...done.
      

    For the second VPN tunnel

    1. Add a new BGP interface to the Cloud Router.

      gcloud compute routers add-interface [ROUTER_NAME] \
          --interface-name [ROUTER_INTERFACE_NAME_1] \
          --mask-length [MASK_LENGTH] \
          --vpn-tunnel [TUNNEL_NAME_1] \
          --region [REGION]
      
    2. Add a BGP peer to the interface for the second tunnel. Replace [PEER_NAME] with a name for the peer VPN interface, and [PEER_ASN] with the ASN configured for the peer VPN gateway.

      gcloud compute routers add-bgp-peer [ROUTER_NAME] \
          --peer-name [PEER_NAME] \
          --peer-asn [PEER_ASN] \
          --interface [ROUTER_INTERFACE_NAME_1] \
          --region [REGION]
      

    Manual

    To manually assign the BGP IP addresses associated with the GCP BGP interface and peer:

    1. For each VPN tunnel, decide on a pair of link-local BGP IP addresses in a /30 block from the 169.254.0.0/16 range (four addresses total). For each tunnel, assign one of these BGP IP addresses to the Cloud Router, and the other BGP IP address to your peer VPN gateway. You must also configure your peer VPN device to use the peer BGP IP address. Use the following options in the commands below:
      • [GOOGLE_BGP_IP_0] represents the BGP IP of the Cloud Router's interface for the tunnel on Cloud VPN gateway Interface 0. [ON_PREM_BGP_IP_0] represents the BGP IP of its peer.
      • [GOOGLE_BGP_IP_1] represents the BGP IP of the Cloud Router's interface for the tunnel on Cloud VPN gateway Interface 1. [ON_PREM_BGP_IP_1] represents the BGP IP of its peer.

    For the first VPN tunnel

    1. Add a new BGP interface to the Cloud Router. Supply a name for the interface by replacing [ROUTER_INTERFACE_NAME_0].

      gcloud compute routers add-interface [ROUTER_NAME] \
          --interface-name [ROUTER_INTERFACE_NAME_0] \
          --vpn-tunnel [TUNNEL_NAME_0] \
          --ip-address [GOOGLE_BGP_IP_0] \
          --mask-length 30 \
          --region [REGION]
      

      The command output should look similar to the following example:

      Updated [https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/us-central1/routers/router-a].
      
    2. Add a BGP peer to the interface. Replace [PEER_NAME] with a name for the peer, and [PEER_ASN] with the ASN configured for the peer VPN gateway.

      gcloud compute routers add-bgp-peer [ROUTER_NAME] \
          --peer-name [PEER_NAME] \
          --peer-asn [PEER_ASN] \
          --interface [ROUTER_INTERFACE_NAME_0] \
          --peer-ip-address [ON_PREM_BGP_IP_0] \
          --region [REGION]
      

      The command output should look similar to the following example:

      Creating peer [bgp-peer-tunnel-a-to-on-prem-if-0] in router [router-a]...done.
      

    For the second VPN tunnel

    1. Add a new BGP interface to the Cloud Router. Specify a name for the interface by replacing [ROUTER_INTERFACE_NAME_1].

      gcloud compute routers add-interface [ROUTER_NAME] \
          --interface-name [ROUTER_INTERFACE_NAME_1] \
          --vpn-tunnel [TUNNEL_NAME_1] \
          --ip-address [GOOGLE_BGP_IP_1] \
          --mask-length 30 \
          --region [REGION]
      
    2. Add a BGP peer to the interface. Replace [PEER_NAME] with a name for the peer, and [PEER_ASN] with the ASN configured for the peer VPN gateway.

      gcloud compute routers add-bgp-peer [ROUTER_NAME] \
          --peer-name [PEER_NAME] \
          --peer-asn [PEER_ASN] \
          --interface [ROUTER_INTERFACE_NAME_1] \
          --peer-ip-address [ON_PREM_BGP_IP_1] \
          --region [REGION]
      

Verify the Cloud Router configuration

  1. List the BGP IP addresses chosen by Cloud Router. If you added a new interface to an existing Cloud Router, the BGP IP addresses for the new interface should be listed with the highest index number. The Peer IP Address is the BGP IP address you should use to configure your peer VPN gateway.

     gcloud compute routers get-status [ROUTER_NAME] \
         --region [REGION] \
         --format='flattened(result.bgpPeerStatus[].name,
           result.bgpPeerStatus[].ipAddress, result.bgpPeerStatus[].peerIpAddress)'
    

    Expected output for a Cloud Router managing two Cloud VPN tunnels (index 0 and index 1) looks like the following example, where:

    • [GOOGLE_BGP_IP_0] represents the BGP IP of Cloud Router's interface for the tunnel on Cloud VPN gateway Interface 0 and [ON_PREM_BGP_IP_0] represents the BGP IP of its peer.
    • [GOOGLE_BGP_IP_1] represents the BGP IP of Cloud Router's interface for the tunnel on Cloud VPN gateway Interface 1 and [ON_PREM_BGP_IP_1] represents the BGP IP of its peer.
    result.bgpPeerStatus[0].ipAddress:     169.254.0.1 [GOOGLE_BGP_IP_0]
    result.bgpPeerStatus[0].name:          bgp-peer-tunnel-a-to-on-prem-if-0
    result.bgpPeerStatus[0].peerIpAddress: 169.254.0.2 [ON_PREM_BGP_IP_0]
    result.bgpPeerStatus[1].ipAddress:     169.254.1.1 [GOOGLE_BGP_IP_1]
    result.bgpPeerStatus[1].name:          bgp-peer-tunnel-a-to-on-prem-if-1
    result.bgpPeerStatus[1].peerIpAddress: 169.254.1.2 [ON_PREM_BGP_IP_1]
    

    You can also use the following command to get a full listing of the Cloud Router configuration:

    gcloud compute routers describe [ROUTER_NAME] \
        --region [REGION]
    

    The full listing should look like the following example:

    bgp:
      advertiseMode: DEFAULT
      asn: 65001
    bgpPeers:
    - interfaceName: if-tunnel-a-to-on-prem-if-0
      ipAddress: 169.254.0.1
      name: bgp-peer-tunnel-a-to-on-prem-if-0
      peerAsn: 65002
      peerIpAddress: 169.254.0.2
    - interfaceName: if-tunnel-a-to-on-prem-if-1
      ipAddress: 169.254.1.1
      name: bgp-peer-tunnel-a-to-on-prem-if-1
      peerAsn: 65004
      peerIpAddress: 169.254.1.2
    creationTimestamp: '2018-10-18T11:58:41.704-07:00'
    id: '4726715617198303502'
    interfaces:
    - ipRange: 169.254.0.1/30
      linkedVpnTunnel: https://www.googleapis.com/compute/projects/[PROJECT_ID]/regions/us-central1/vpnTunnels/tunnel-a-to-on-prem-if-0
      name: if-tunnel-a-to-on-prem-if-0
    - ipRange: 169.254.1.1/30
      linkedVpnTunnel: https://www.googleapis.com/compute/projects/[PROJECT_ID]/regions/us-central1/vpnTunnels/tunnel-a-to-on-prem-if-1
      name: if-tunnel-a-to-on-prem-if-1
    kind: compute#router
    name: router-a
    network: https://www.googleapis.com/compute/projects/[PROJECT_ID]/global/networks/network-a
    region: https://www.googleapis.com/compute//projects/[PROJECT_ID]/regions/us-central1
    selfLink: https://www.googleapis.com/compute/projects/[PROJECT_ID]/regions/us-central1/routers/router-a
    
  2. Continue to the Completing the configuration section to complete the gateway configuration.
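As an added example that is not part of this documentation, the following POSIX shell functions serve both the Manual BGP method and the verification step above: bgp_peer_of derives the peer VPN gateway's address as the other usable host of the Cloud Router's /30 inside 169.254.0.0/16, and check_bgp_status reads flattened "routers get-status" output and confirms that each peerIpAddress matches its ipAddress's /30 and that the two tunnels do not share a block. The sample status text is constructed from the example output on this page (the bracketed placeholders shown after each address are omitted, as they do not appear in real output); the script never calls gcloud itself.

```shell
#!/bin/sh
# Added example, not from the Cloud VPN documentation. Assumes only a POSIX
# shell with 64-bit arithmetic and sed; it does not run gcloud.

ip_to_int() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

int_to_ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# bgp_peer_of GOOGLE_BGP_IP : the address to configure on the peer VPN gateway,
# i.e. the other usable host of the same /30. Fails when the input is outside
# 169.254.0.0/16 or is the .0 (network) or .3 (broadcast) address of its /30.
bgp_peer_of() {
  n=$(ip_to_int "$1")
  [ $(( n >> 16 )) -eq $(( (169 << 8) + 254 )) ] || return 1
  base=$(( n & ~3 ))
  case $(( n - base )) in
    1) int_to_ip $(( base + 2 )) ;;
    2) int_to_ip $(( base + 1 )) ;;
    *) return 1 ;;
  esac
}

# check_bgp_status : read flattened get-status output on stdin and verify, per
# bgpPeerStatus index, that peerIpAddress equals bgp_peer_of(ipAddress) and
# that no two tunnels share a /30 block. Prints "ok N" for N tunnels checked.
check_bgp_status() {
  blocks=""; count=0
  while IFS= read -r line; do
    key=${line%%:*}
    case "$key" in *.ipAddress|*.peerIpAddress) ;; *) continue ;; esac
    value=$(printf '%s' "$line" | sed 's/^[^:]*:[[:space:]]*//; s/[[:space:]].*//')
    idx=$(printf '%s' "$key" | sed 's/.*\[\([0-9][0-9]*\)].*/\1/')
    case "$idx" in ''|*[!0-9]*) echo "unparsable key: $key" >&2; return 1 ;; esac
    if [ "${key%.ipAddress}" != "$key" ]; then
      eval "google_$idx=\$value"      # remember the Cloud Router side for this index
      continue
    fi
    eval "g=\$google_$idx"
    [ -n "$g" ] || { echo "index $idx: peerIpAddress listed before ipAddress" >&2; return 1; }
    expected=$(bgp_peer_of "$g") || { echo "index $idx: $g is not a usable link-local host" >&2; return 1; }
    [ "$value" = "$expected" ] || { echo "index $idx: peer $value is not in the /30 of $g" >&2; return 1; }
    block=$(( $(ip_to_int "$g") & ~3 ))
    case " $blocks " in
      *" $block "*) echo "index $idx: /30 $(int_to_ip $block) already used by another tunnel" >&2; return 1 ;;
    esac
    blocks="$blocks $block"; count=$((count + 1))
  done
  echo "ok $count"
}

# Constructed sample, modelled on the get-status example output on this page.
SAMPLE_STATUS='result.bgpPeerStatus[0].ipAddress:     169.254.0.1
result.bgpPeerStatus[0].name:          bgp-peer-tunnel-a-to-on-prem-if-0
result.bgpPeerStatus[0].peerIpAddress: 169.254.0.2
result.bgpPeerStatus[1].ipAddress:     169.254.1.1
result.bgpPeerStatus[1].name:          bgp-peer-tunnel-a-to-on-prem-if-1
result.bgpPeerStatus[1].peerIpAddress: 169.254.1.2'

echo "peer side for 169.254.0.1: $(bgp_peer_of 169.254.0.1)"
printf '%s\n' "$SAMPLE_STATUS" | check_bgp_status
```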

Completing the configuration

You must complete the following steps before you can use a new Cloud VPN gateway and its associated VPN tunnels:

  1. Set up the peer VPN gateway and configure the corresponding tunnel or tunnels there. Refer to these pages:
  2. Configure firewall rules in GCP and your peer network as required. See the firewall rules page for suggestions.
  3. Check the status of your VPN tunnels.

What's next
