With route based VPN, you specify only the remote traffic selector. If you need to specify a local traffic selector, create a Cloud VPN tunnel that uses policy based routing instead.
Routing option differences
Policy based routing should be considered when a peer VPN gateway cannot use Border Gateway Protocol (BGP) to dynamically exchange routes. With this option, local IP ranges (left side) and remote IP ranges (right side) are defined. These local and remote IP are the traffic selectors for the tunnel.
Policy based routing uses local and a remote traffic selectors.
Route based VPN tunnels are similar to tunnels that use policy based routing,
except that only the remote IP ranges (right side) are specified. The list of
local IP ranges is assumed to be any network (
0.0.0.0/0), so you only specify
the remote traffic selector.
As with policy based routing, Google Cloud automatically creates a static route for each remote IP address range.
Review the following documentation for background information before setting up either type of static routing option:
- Information about traffic selectors
- How Cloud VPN handles multiple IP ranges in traffic selectors.
- See the Classic VPN Topologies page for sample topologies.
For even more details see the entire Networks and tunnel routing page.
Before you begin
Setting up the following items in Google Cloud makes it easier to configure Cloud VPN:
Faça login na sua Conta do Google.
Se você ainda não tiver uma, inscreva-se.
Selecione ou crie um projeto do Google Cloud Platform.
Verifique se o faturamento foi ativado no projeto do Google Cloud Platform.
- Instale e inicialize o SDK do Cloud.
- If you are using
gcloudcommands, set your project ID with the following command. The gcloud instructions on this page assume that you have set your project ID before issuing commands.
gcloud config set project [PROJECT_ID]
You can also view a project ID that has already been set:
gcloud config list --format='text(core.project)'
Permissions required for this task
To perform this task, you must have been granted the following permissions OR the following IAM roles.
Creating a custom Virtual Private Cloud network and subnet
Before creating an Classic VPN gateway and tunnel, you must create a Virtual Private Cloud network and at least one subnet in the region where the Classic VPN gateway will reside.
- To create a custom mode (recommended) VPC network, see Creating a custom mode network.
- To create subnets, see Working with subnets.
Creating a gateway and tunnel
The VPN setup wizard is the only console option for creating a Classic VPN gateway. The wizard includes all required configuration steps for creating a Classic VPN gateway, tunnels, BGP sessions, and an external VPN gateway resource. However, you can complete certain steps later. For example, configuring BGP sessions.
The Create a VPN button only supports creating HA VPN gateways.
Configure the Gateway
- Go to the VPN page in the Google Cloud Console.
Go to the VPN page
- Click VPN setup wizard.
- On the Create a VPN page, specify Classic VPN.
- Click Continue.
- On the Create a VPN connection page, specify the following gateway
- Name — The name of the VPN gateway. The name cannot be changed later.
- Description — Optionally, add a description.
- Network — Specify an existing VPC network in which to create the VPN gateway and tunnel.
- Region — Cloud VPN gateways and tunnels are regional objects. Choose a Google Cloud region where the gateway will be located. Instances and other resources in different regions can use the tunnel for egress traffic subject to the order of routes. For best performance, locate the gateway and tunnel in the same region as relevant Google Cloud resources.
- IP address — Create or choose an existing regional external
Specify the following settings in the Tunnels section for the new tunnel:
- Name — The name of the VPN tunnel. The name cannot be changed later.
- Description — Optionally, type a description.
- Remote peer IP address — Specify the public IP address of the peer VPN gateway.
- IKE version — Choose the appropriate IKE version supported by the peer VPN gateway. IKEv2 is preferred if it's supported by the peer device.
- Shared secret — Provide a pre-shared key used for authentication. The shared secret for the Cloud VPN tunnel must match the one used when you configure the counterpart tunnel on the peer VPN gateway. You can follow these directions to generate a cryptographically strong shared secret.
For Policy based tunnels
- Under Routing options, select Policy-based.
- Under Remote network IP ranges, provide a space-separated list of the IP ranges used by the peer network. This is the remote traffic selector: the "right side" from the perspective of Cloud VPN.
- Under Local IP ranges, select one of the following methods:
- Use the Local subnetworks menu to choose an existing local IP range, or
- Use the Local IP ranges field to enter a list of space-separated IP ranges used in your VPC network. Refer to traffic selectors for important considerations.
For Route based tunnels
- Routing options — Select Route-based.
- Remote network IP ranges — Provide a space-separated list of the IP ranges used by the peer network. These ranges are used to create custom static routes whose next hop is this VPN tunnel.
If you need to create more tunnels on the same gateway, click Add tunnel and repeat the previous step. You can also add more tunnels later.
In the following commands, replace:
- project-id with the ID of your project.
- network with the name of your Google Cloud network.
- region with the Google Cloud region where you need to create the gateway and tunnel.
- (Optional) The
--target-vpn-gateway-regionis the region of the Classic VPN gateway to operate on. Its value should be the same as
--region. If not specified, this option is automatically set. This option overrides the default compute/region property value for this command invocation.
- gw-name with the name of the gateway.
- gw-ip-name with a name for the external IP used by the gateway.
Complete the following command sequence to create a Google Cloud gateway:
Create the resources for the Cloud VPN gateway:
Create the target VPN gateway object.
gcloud compute target-vpn-gateways create gw-name \ --network network \ --region region \ --project project-id
Reserve a regional external (static) IP address:
gcloud compute addresses create gw-ip-name \ --region region \ --project project-id
Note the IP address (so you can use it when you configure your peer VPN gateway):
gcloud compute addresses describe gw-ip-name \ --region region \ --project project-id \ --format='flattened(address)'
Create three forwarding rules. These rules instruct Google Cloud to send ESP (IPsec), UDP 500, and UDP 4500 traffic to the gateway.
gcloud compute forwarding-rules create fr-gw-name-esp \ --ip-protocol ESP \ --address gw-ip-name \ --target-vpn-gateway gw-name \ --region region \ --project project-id
gcloud compute forwarding-rules create fr-gw-name-udp500 \ --ip-protocol UDP \ --ports 500 \ --address gw-ip-name \ --target-vpn-gateway gw-name \ --region region \ --project project-id
gcloud compute forwarding-rules create fr-gw-name-udp4500 \ --ip-protocol UDP \ --ports 4500 \ --address gw-ip-name \ --target-vpn-gateway gw-name \ --region region \ --project project-id
Create the Cloud VPN tunnel with the following details:
- Replace tunnel-name with a name for the tunnel.
- Replace on-prem-ip with the external IP address of the peer VPN gateway.
- Replace ike-vers with
1for IKEv1 or
- Replace shared-secret with your shared secret. The shared secret for the Cloud VPN tunnel must match the one used when you configure the counterpart tunnel on the peer VPN gateway. You can follow these directions to generate a cryptographically strong shared secret.
For Policy based VPN:
- Replace local-ip-ranges with a comma-delimited list of the Google Cloud IP ranges. For example, you can supply the CIDR block for each subnet in a VPC network. This is the "left side" from the perspective of Cloud VPN.
- Replace remote-ip-ranges with a comma-delimited list of the peer network IP ranges. This is the "right side" from the perspective of Cloud VPN.
Policy based VPN command:
gcloud compute vpn-tunnels create tunnel-name \ --peer-address on-prem-ip \ --ike-version ike-vers \ --shared-secret shared-secret \ --local-traffic-selector=local-ip-ranges \ --remote-traffic-selector=remote-ip-ranges \ --target-vpn-gateway gw-name \ --region region \ --project project-id
For Route based VPN:
- For Route based VPN, both the local and remote traffic selectors are
0.0.0.0/0as defined in routing options and traffic selectors.
gcloud compute vpn-tunnels create tunnel-name \ --peer-address on-prem-ip \ --ike-version ike-vers \ --shared-secret shared-secret \ --local-traffic-selector=0.0.0.0/0 \ --remote-traffic-selector=0.0.0.0/0 \ --target-vpn-gateway gw-name \ --region region \ --project project-id
Create a static route for each remote IP range you specified in the
--remote-traffic-selectoroption in the previous step. Repeat this command for each remote IP range, replacing route-name with a unique name for the route and
[REMOTE_IP_RANGE]with the appropriate remote IP range.
gcloud compute routes create route-name \ --destination-range remote-ip-range \ --next-hop-vpn-tunnel tunnel-name \ --network network \ --next-hop-vpn-tunnel-region region \ --project project-id
You must complete the following steps before you can use a new Cloud VPN gateway and tunnel:
- Set up the peer VPN gateway and configure the corresponding tunnel there. Refer to these pages:
- Configure firewall rules in Google Cloud and your peer network as required. Refer to the Firewall Rules page for suggestions.
- Check the status of your tunnel, including forwarding rules.
- You can view your VPN routes by visiting the project routing table
and filtering for 'Next hop type:VPN tunnel'.