Route-based Quickstart for GCP Console

This quickstart, which uses the Google Cloud Platform Console, illustrates Google Cloud VPN concepts by connecting two Virtual Private Cloud networks. This configuration simulates setting up a Cloud VPN gateway that connects to your on-premises VPN gateway using static routing.

For an introduction to Cloud VPN, see the VPN Overview.

Before you begin

Set up Google Cloud Platform

Before you get started, setting up the following items in GCP makes it easier to use this quickstart.

  1. Sign in to your Google Account.

    If you don't already have one, sign up for a new account.

  2. Select or create a Google Cloud Platform project.

    Go to the Manage resources page

  3. Make sure that billing is enabled for your Google Cloud Platform project.

    Learn how to enable billing

  4. Install and initialize the Cloud SDK.

Determine billing requirements

For detailed information about product billing, see the following product pricing pages:

Quickstart topology

For this quickstart, each VPN gateway you configure for your project is located on a different custom network and subnet in a different Google Cloud Platform region.

The VPN gateway configured in us-central1 acts as the Cloud VPN gateway on the Google Cloud Platform side, while the Cloud VPN gateway in europe-west1 simulates your on-premises gateway.

Figure: Route-based quickstart topology

Naming and addressing reference

For reference, this quickstart uses the following naming and IP addressing:

Google Cloud Platform side

  • Network name: cloud-vpn-network
  • Subnet name: subnet-us-central-10-0-1
  • Region: us-central1
  • Subnet range: 10.0.1.0/24
  • External IP address name: cloud-vpn-ip
  • VPN gateway name: vpn-us-central
  • VPN tunnel name: vpn-us-central-tunnel-1

"On-premises" side

  • Network name: on-prem-vpn-network
  • Subnet name: subnet-europe-west-10-0-2
  • Region: europe-west1
  • Subnet range: 10.0.2.0/24
  • External IP address name: on-prem-vpn-ip
  • VPN gateway name: vpn-europe-west
  • VPN tunnel name: vpn-europe-west-tunnel-1

Generating a strong pre-shared key (shared secret)

To create a cryptographically strong pre-shared key for Cloud VPN, see these guidelines.

Supported IKE ciphers

For supported IKEv1 and IKEv2 ciphers, see the IKE Ciphers reference page.

Create custom VPC networks and subnets

The networks and subnets on either side of the VPN connection must use IP ranges that do not overlap each other or any existing connected networks. For example, you cannot connect VPN gateways located on two auto mode networks because their IP ranges overlap. For this quickstart, you'll configure two custom mode networks, each with its own subnet.

To create two custom networks and their subnets:

  1. Go to the VPC Networks page in the Google Cloud Platform Console.
    Go to the VPC Networks page
  2. Click Create VPC network.
  3. Enter a Name of cloud-vpn-network.
  4. Under Subnets, Subnet creation mode, select the Custom tab.
    1. Enter a Name of subnet-us-central-10-0-1.
    2. Select a Region of us-central1.
    3. Enter an IP address range of 10.0.1.0/24.
    4. In the Subnets window, click Done.
  5. Click Create.
  6. You're returned to the VPC Networks screen, where it takes about a minute for this network and its subnet to appear.
  7. Repeat the above steps for the second, "on-premises" network, but with the following differences:
    1. Name: on-prem-vpn-network.
    2. Subnet Name: subnet-europe-west-10-0-2.
    3. Region: europe-west1.
    4. IP address range of 10.0.2.0/24.

Create external IP addresses

In this step, you create an external IP address for each VPN gateway:

  1. Go to the VPC Networks External IP address page in the Google Cloud Platform Console.
    Go to the External IP Address page
  2. Click Reserve Static Address.
  3. Populate the following fields for the Cloud VPN address:
    • Name — The name of the address. Use cloud-vpn-ip.
    • Region — The region where you want to locate the VPN gateway. Normally, this is the region that contains the instances you wish to reach. In this case, use us-central1.
  4. Click Reserve.
  5. Repeat the above steps to create a second external address for the "on-premises" VPN gateway, but populate the following fields differently:
    • Name — The name of the address. Use on-prem-vpn-ip.
    • Region — The region where you want to locate the VPN gateway. Normally, this is the region that contains the instances you wish to reach. In this case, use europe-west1.
  6. Make note of these IP addresses so that you can use them to configure the VPN gateways in the next section.

Create the VPN gateways

In this step, you create both VPN gateways.

  1. Go to the VPN page in the Google Cloud Platform Console.
    Go to the VPN page
  2. Make sure to use the same GCP project that you used when creating the VPC network and subnets.
  3. Click Create VPN connection.
  4. Populate the following fields for the gateway:
    • Name — The name of the VPN gateway. This name is displayed in the console to reference the gateway. Use vpn-us-central.
    • Network — The VPC network containing the instances the VPN gateway will serve. Use cloud-vpn-network.
    • Region — The region where you want to locate the VPN gateway. Normally, this is the region that contains the instances you wish to reach. Use us-central1.
    • IP address — Select the pre-existing static external IP address, cloud-vpn-ip, that you created for this gateway in the previous section.
  5. Populate the fields for one tunnel:
    • Name — The name of the VPN tunnel. Use vpn-us-central-tunnel-1.
    • Remote peer IP address — Public IP address of the peer gateway. This is the external IP address of the other VPN gateway. Use the IP address you created for on-prem-vpn-ip.
    • IKE version — IKEv2 or IKEv1. Use IKEv2 since it's supported by the "on-premises" gateway.
    • Shared secret — Used in establishing encryption for this tunnel. You must enter the same shared secret into both VPN gateways.
    • Routing options — Select Route-based.
    • Remote network IP range — The range of the "on-premises" subnet on the other side of the tunnel from this gateway. Configure as 10.0.2.0/24.
  6. Click Create to create the gateway and initiate the tunnel, though the VPN gateways will not connect until you've created firewall rules to allow traffic through the tunnel between them. This step automatically creates a static route to 10.0.2.0/24 as well as forwarding rules for udp:500, udp:4500, and esp traffic.
  7. Back on the VPN screen, make sure the Google VPN gateways tab is selected. Click Create to create a second, "on-premises", gateway, but populate the following fields differently:
    • Name — Use vpn-europe-west.
    • Network — Use on-prem-vpn-network.
    • Region — Use europe-west1.
    • IP address — Select the pre-existing static external IP address, on-prem-vpn-ip, you created for this gateway in the previous section.
  8. Create a tunnel for the vpn-europe-west gateway, but populate the following fields differently. You must populate the IKE version, shared secret, and routing option with the same values you used for the first gateway.
    • Name — The name of the VPN tunnel. Use vpn-europe-west-tunnel-1.
    • Remote peer IP address — Use the external IP address you created for cloud-vpn-ip.
    • Remote network IP range — Configure as 10.0.1.0/24 to send traffic to any project subnet on the Cloud VPN gateway in us-central1.
  9. Click Create to create the gateway and initiate the tunnel, though the gateways will not connect until you've created firewall rules to allow traffic through the tunnel.

Create firewall rules

You must create firewall rules for both sides of the VPN tunnel. These rules allow all TCP, UDP, and ICMP traffic to ingress from the subnet on one side of the VPN tunnel to the other.

To create firewall rules:

  1. First, create rules allowing tcp, udp, and icmp traffic to ingress the Cloud VPN subnet from the "on-premises" subnet:
    1. Go to the VPN tunnels page in the Google Cloud Platform Console.
      Go to the VPN tunnels page
    2. Click vpn-us-central-tunnel-1.
    3. Under Google cloud gateway, click cloud-vpn-network.
    4. On the VPC network details page, click the Firewall rules tab.
    5. Click Add firewall rule and fill in the following fields:
      • Name: allow-tcp-udp-icmp-cloud-vpn
      • Targets: All instances in the network
      • Source filter: IP ranges
      • Source IP ranges: 10.0.2.0/24, the range for the "on-premises" subnet.
      • Allowed protocols or ports: tcp; udp; icmp
    6. Click Create.
  2. For similar rules for the "on-premises" subnet:
    1. Go to the VPN tunnels page in the Google Cloud Platform Console.
      Go to the VPN tunnels page
    2. Click vpn-europe-west-tunnel-1.
    3. Under Google cloud gateway, click on-prem-vpn-network.
    4. Repeat the above steps, except for the following differences:
      • Name: allow-tcp-udp-icmp-on-prem-vpn
      • Source IP ranges: 10.0.1.0/24, the range for the Cloud VPN subnet.
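The two constraints this quickstart leans on, non-overlapping ranges on the two sides (see "Create custom VPC networks and subnets") and firewall source ranges scoped to the peer subnet, are easy to get wrong when the plan changes. The following is an added example, not Google's code or tooling: it checks the quickstart's own addressing plan with Python's ipaddress module and generates a random base64 pre-shared key (the 24-byte size is this example's choice, not a value from the page).

```python
import base64
import ipaddress
import secrets

# Constructed from the quickstart's naming and addressing reference:
# each side's subnet, the "Remote network IP range" of its tunnel, and the
# "Source IP ranges" of its ingress firewall rule.
SIDES = {
    "cloud": {"subnet": "10.0.1.0/24", "remote_range": "10.0.2.0/24",
              "firewall_source": "10.0.2.0/24"},
    "on-prem": {"subnet": "10.0.2.0/24", "remote_range": "10.0.1.0/24",
                "firewall_source": "10.0.1.0/24"},
}
PEER = {"cloud": "on-prem", "on-prem": "cloud"}


def generate_shared_secret(nbytes=24):
    """Random pre-shared key as base64 (24 bytes = 192 bits of entropy; size chosen here)."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def check_plan(sides, peer=PEER):
    """Return a list of problems with the addressing plan; an empty list means it is consistent."""
    problems = []
    nets = {name: ipaddress.ip_network(s["subnet"]) for name, s in sides.items()}
    names = sorted(nets)
    # 1. Subnets on the two sides must not overlap (the auto-mode pitfall the text warns about).
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} subnet {nets[a]} overlaps {b} subnet {nets[b]}")
    for name, s in sides.items():
        own, other = nets[name], nets[peer[name]]
        remote = ipaddress.ip_network(s["remote_range"])
        # 2. The tunnel's remote range must cover the peer subnet, or the static route
        #    created with the tunnel never carries traffic to it.
        if not other.subnet_of(remote):
            problems.append(f"{name} remote range {remote} does not cover peer subnet {other}")
        # 3. A remote range that overlaps the local subnet would route local traffic into the tunnel.
        if remote.overlaps(own):
            problems.append(f"{name} remote range {remote} overlaps its own subnet {own}")
        # 4. This check requires the firewall source range to be exactly the peer subnet:
        #    wider admits more than the tunnel peer, narrower cuts off part of it.
        src = ipaddress.ip_network(s["firewall_source"])
        if src != other:
            problems.append(f"{name} firewall source {src} should equal peer subnet {other}")
    return problems
```

Run check_plan(SIDES) before clicking through the console steps; any string it returns names the field to fix.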

Check the status of the VPN tunnel

To verify that your tunnel is up:

  1. Go to the VPN page in the Google Cloud Platform Console.
    Go to the VPN page
  2. Click on the tab Google VPN Tunnels.
  3. In the Status field for each tunnel, look for a green check mark and the word "Established." If these items are there, your gateways have negotiated a tunnel. If no mark appears after a few minutes, see the Troubleshooting section.

    For additional logging information related to your VPN tunnels, see Checking VPN Logs on the Troubleshooting page. For example, you can view metrics about dropped packets, tunnel status, received bytes, and sent bytes.

Clean up

To avoid incurring charges to your GCP account for the resources used in this quickstart:

After using this quickstart, you have several cleanup options:
  • Keep the project and project resources up, but temporarily disable billing.
  • Tear down some of the quickstart resources, but leave the project up.
  • Tear down the quickstart end to end, and leave the project up or delete the project.
  • Delete the project, which deletes its resources. Do this if the project was only used for this quickstart.

    Option 1: Temporarily disable project billing

    Warning: Disabling projects that contain production traffic is not recommended. Disabling billing stops automatic payments for all services in your project. Use this option if the project is only for this Quickstart or if stopping all services is not a concern. If you disable billing, you'll still be responsible for all outstanding charges on the billing account, which will be charged to your listed form of payment.

    Caution: If your billing account remains disabled for a protracted period, some resources might be removed from the projects associated with that account. For example, your Compute Engine resources might be removed. Removed resources are not recoverable.

    To disable billing for a project:
    1. Go to the Google Cloud Platform Console.
    2. Open the left-side menu and click Billing.
    3. If you have more than one billing account, select Go to linked billing account to manage the current project's billing. To locate a different billing account, select Manage billing accounts.
    4. Under Projects linked to this billing account, locate the name of the project that you want to disable billing for, and then from its right-side menu, select Disable billing. You are prompted to confirm that you want to disable billing for this project.
    5. Click Disable billing.

    Option 2: Tear down the Quickstart VPN

    To avoid unnecessary Google Cloud Platform charges, you can use the GCP Console to delete VPN gateways and tunnels, external IP addresses, custom networks and subnets, and optionally, the project that you configured for this quickstart.

    • You must delete all tunnels for a VPN gateway before you can delete the gateway.
    • You must delete all forwarding rules from an External IP address before deleting that address.
    • Deleting a network also deletes its subnetworks, routes, and firewall rules.

    Some resources can be billed even when in a configured, but idle state. For more information, see the set-up instructions for the product billing page.

    Delete the VPN gateways

    You must delete the gateway's tunnels before deleting the gateway.

    1. Go to the VPN page in the Google Cloud Platform Console.
      Go to the VPN page
    2. On Google VPN Tunnels tab, click Delete to remove vpn-us-central-tunnel-1.
    3. Click the Google VPN Gateways tab.
    4. In the Gateway name column, click vpn-us-central.
    5. On the Details screen, check the box for vpn-us-central and click Delete. Confirm deletion.
    6. Repeat the above steps for vpn-europe-west-tunnel-1 and the vpn-europe-west gateway. These steps also remove the route and forwarding rules for each gateway.

    Release the external IP addresses

    1. Go to the VPC Networks External IP address page in the Google Cloud Platform Console.
      Go to the External IP Address page
    2. Click the checkbox next to cloud-vpn-ip and on-prem-vpn-ip. The In use by column for each address should show None, which means that the forwarding rules attached to the address have been removed by your previous removal of the gateway and tunnel.
    3. Click the Release Static Address button and confirm deletion.

    Delete the custom networks and subnets

    In the GCP console, deleting a custom network also deletes its subnets and firewall rules.

    1. Go to the VPC Networks page in the Google Cloud Platform Console.
      Go to the VPC Networks page
    2. Under the Name column, click cloud-vpn-network.
    3. Click Delete VPC network. Confirm deletion.
    4. Repeat the above steps for the on-prem-vpn-network.
    5. It can take a minute or two for the networks to be deleted.

    If you also want to delete your project, continue to Option 3.

    Option 3: Delete the project

    1. In the GCP Console, go to the Projects page.

      Go to the Projects page

    2. In the project list, select the project you want to delete and click Delete.
    3. In the dialog, type the project ID, and then click Shut down to delete the project.

What's next
