GCP Cloud VPN - ghdrako/doc_snipets GitHub Wiki
Hybrid connectivity
- VPN
- Interconnect
- Peering
Cloud VPN is a regional service that securely connects your on-premises network to a GCP VPC over an IPsec tunnel. All traffic traversing the internet through the tunnel is encrypted; the tunnel is authenticated with a pre-shared key, so that key must be long, random and handled like any other secret. Both IKEv1 and IKEv2 are supported (these are key-exchange protocol versions, not ciphers; prefer IKEv2 where the peer supports it). A VPN connection consists of a Cloud VPN gateway, a peer (on-premises) VPN gateway and a VPN tunnel configured on each side: each gateway defines the tunnel from its own perspective, and the connection comes up once both ends are configured with matching parameters. The on-premises gateway can be either a hardware or a software device. The MTU of the on-premises gateway should not be higher than 1,460 bytes, otherwise the IPsec encapsulation overhead causes fragmentation. Cloud VPN supports both static and dynamic routing: dynamic routes are exchanged by Cloud Router using Border Gateway Protocol (BGP), while static routes are created manually with the VPN tunnel as the next hop. HA VPN requires dynamic routing (BGP); static routing is only available with Classic VPN.
Types of VPN gateways:
- HA VPN
- Classic VPN
HA VPN
An HA VPN, as you may suspect, is a highly available VPN solution that connects an on-premises network to a GCP VPC in a single region. Because of its redundant design, an HA VPN offers a 99.99% SLA on service availability. When this type of gateway is created, GCP automatically allocates two external IP addresses, one for each of its two fixed interfaces, and each interface supports multiple tunnels. It is possible to configure an HA VPN with only a single active interface and one external IP, but that configuration does not qualify for the SLA. The SLA applies only when the redundancy requirements are met: both gateway interfaces must have a tunnel to the peer side, and the peer side must itself be redundant (two peer devices, or one device with two interfaces). The get-status command further down reports whether a gateway currently meets this requirement.
There are two gateway components to configure for HA VPN:
- HA VPN gateway in Google Cloud.
- Your peer VPN gateway or gateways - The peer gateway can be either an on-premises VPN gateway or one hosted by another cloud provider. Create an external VPN gateway resource in Google Cloud for each peer gateway device or service. All peer gateway scenarios are represented in Google Cloud by a single external peer VPN resource.
- Create a custom VPC network and at least one subnet in the region where the HA VPN gateway will reside.
- Create an HA VPN gateway. When the gateway is created, two external IPv4 addresses are allocated automatically, one per gateway interface (`IP_STACK` is `IPV4_ONLY` or `IPV4_IPV6`):

```bash
gcloud compute vpn-gateways create GW_NAME \
    --network=NETWORK \
    --region=REGION \
    --stack-type=IP_STACK
```

- Create a peer VPN gateway resource. Whether the peer side is two separate devices with one interface each or a single device with two interfaces, it is represented by one external VPN gateway with two interfaces; interface 0 and interface 1 carry the public IP of each peer device or peer interface respectively:

```bash
gcloud compute external-vpn-gateways create PEER_GW_NAME \
    --interfaces 0=PEER_GW_IP_0,1=PEER_GW_IP_1
```

- Create a Cloud Router. HA VPN requires dynamic routing, so the router carries the Google-side BGP ASN (a private ASN from 64512-65534 is typical):

```bash
gcloud compute routers create ROUTER_NAME \
    --region=REGION \
    --network=NETWORK \
    --asn=GOOGLE_ASN
```
- Create the VPN tunnels, one per HA VPN gateway interface. `IKE_VERS` is `1` or `2`, `SHARED_SECRET` is the IPsec pre-shared key and must match the one configured on the peer, and `INT_NUM_0`/`INT_NUM_1` are the HA VPN gateway interfaces `0` and `1`. Each tunnel is paired with the matching interface of the external VPN gateway:

```bash
# Tunnel from HA VPN interface 0 to peer interface 0
gcloud compute vpn-tunnels create TUNNEL_NAME_IF0 \
    --peer-external-gateway=PEER_GW_NAME \
    --peer-external-gateway-interface=PEER_EXT_GW_IF0 \
    --region=REGION \
    --ike-version=IKE_VERS \
    --shared-secret=SHARED_SECRET \
    --router=ROUTER_NAME \
    --vpn-gateway=GW_NAME \
    --interface=INT_NUM_0

# Tunnel from HA VPN interface 1 to peer interface 1
gcloud compute vpn-tunnels create TUNNEL_NAME_IF1 \
    --peer-external-gateway=PEER_GW_NAME \
    --peer-external-gateway-interface=PEER_EXT_GW_IF1 \
    --region=REGION \
    --ike-version=IKE_VERS \
    --shared-secret=SHARED_SECRET \
    --router=ROUTER_NAME \
    --vpn-gateway=GW_NAME \
    --interface=INT_NUM_1
```
- Create the BGP sessions, one per tunnel. Each tunnel gets its own Cloud Router interface and its own BGP peer; when `--ip-address` and `--peer-ip-address` are omitted, Google Cloud assigns link-local (169.254.0.0/16) BGP addresses automatically. The commands below cover the first tunnel; repeat both for `TUNNEL_NAME_1` with a second interface name and peer name:

```bash
# Add a BGP interface to the Cloud Router for the first tunnel
gcloud compute routers add-interface ROUTER_NAME \
    --interface-name=ROUTER_INTERFACE_NAME_0 \
    --mask-length=MASK_LENGTH \
    --vpn-tunnel=TUNNEL_NAME_0 \
    --region=REGION

# Add a BGP peer to that interface (PEER_ASN is the on-premises ASN)
gcloud compute routers add-bgp-peer ROUTER_NAME \
    --peer-name=PEER_NAME \
    --peer-asn=PEER_ASN \
    --interface=ROUTER_INTERFACE_NAME_0 \
    --region=REGION
```
Check the high availability status of an HA VPN gateway:

```bash
gcloud compute vpn-gateways get-status GW_NAME --region=REGION
```

The output reports the high-availability redundancy requirement state for each peer connection:

- `CONNECTION_REDUNDANCY_MET`: both HA VPN interfaces have tunnels to the peer side, so the 99.99% SLA applies.
- `CONNECTION_REDUNDANCY_NOT_MET`: the requirement is not satisfied; the accompanying unsatisfied reason, such as `INCOMPLETE_TUNNELS_COVERAGE`, indicates that the tunnels do not cover all gateway and peer interfaces (for example, only one of the two tunnels was created).
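The whole procedure above as one script, added here as an example that is not part of the wiki page or of Google's documentation. It assumes placeholder names (`ha-vpn-gw`, `onprem-gw`, `vpn-router`), private ASNs 65001/65002, peer addresses from the 203.0.113.0/24 documentation range and a custom-mode VPC named `vpn-demo-net` with a subnet in the region; the get-status samples it checks against are constructed to match the shape of the real output, not captured from a project.

```bash
#!/usr/bin/env bash
# Added example: drives the HA VPN procedure above end to end and then checks
# the redundancy state. Not from the wiki or from Google; all names, ASNs and
# peer addresses below are assumptions (203.0.113.0/24 is a documentation net).
set -eu

GCLOUD="${GCLOUD:-gcloud}"            # set GCLOUD=echo for a dry run
REGION="${REGION:-europe-west1}"      # assumed region
NETWORK="${NETWORK:-vpn-demo-net}"    # assumed custom-mode VPC with a subnet in REGION
GW_NAME="ha-vpn-gw"
PEER_GW_NAME="onprem-gw"
ROUTER_NAME="vpn-router"
GOOGLE_ASN=65001                      # private ASNs on both sides (assumed)
PEER_ASN=65002
PEER_GW_IP_0="${PEER_GW_IP_0:-203.0.113.10}"
PEER_GW_IP_1="${PEER_GW_IP_1:-203.0.113.11}"

# 32 random bytes from the kernel CSPRNG, base64 encoded: a 44-character PSK.
# The pre-shared key authenticates the tunnel, so never use a guessable string.
gen_psk() { head -c 32 /dev/urandom | base64 | tr -d '\n'; }

# Gateway, external peer gateway, Cloud Router, then one tunnel plus one BGP
# session per HA VPN interface (0 and 1). Tunnel i on interface i peers with
# external-gateway interface i, which is what the redundancy check expects.
create_ha_vpn() {
  psk="$1"
  $GCLOUD compute vpn-gateways create "$GW_NAME" \
    --network="$NETWORK" --region="$REGION" --stack-type=IPV4_ONLY
  $GCLOUD compute external-vpn-gateways create "$PEER_GW_NAME" \
    --interfaces "0=$PEER_GW_IP_0,1=$PEER_GW_IP_1"
  $GCLOUD compute routers create "$ROUTER_NAME" \
    --network="$NETWORK" --region="$REGION" --asn="$GOOGLE_ASN"
  for i in 0 1; do
    # The PSK is passed as an argument, so it is briefly visible in the process
    # list and lands in shell history unless history is disabled for this run.
    $GCLOUD compute vpn-tunnels create "${GW_NAME}-tunnel-${i}" \
      --peer-external-gateway="$PEER_GW_NAME" \
      --peer-external-gateway-interface="$i" \
      --region="$REGION" --ike-version=2 --shared-secret="$psk" \
      --router="$ROUTER_NAME" --vpn-gateway="$GW_NAME" --interface="$i"
    # No --ip-address / --peer-ip-address: link-local BGP addresses are
    # assigned automatically; /30 is the usual mask for a point-to-point link.
    $GCLOUD compute routers add-interface "$ROUTER_NAME" \
      --interface-name="${ROUTER_NAME}-if-${i}" --mask-length=30 \
      --vpn-tunnel="${GW_NAME}-tunnel-${i}" --region="$REGION"
    $GCLOUD compute routers add-bgp-peer "$ROUTER_NAME" \
      --peer-name="${PEER_GW_NAME}-bgp-${i}" --peer-asn="$PEER_ASN" \
      --interface="${ROUTER_NAME}-if-${i}" --region="$REGION"
  done
}

# Number of gcloud calls a dry run would issue; handy to eyeball the plan.
planned_calls() { ( GCLOUD=echo; create_ha_vpn "dry-run-psk" ) | grep -c '^compute '; }

# Reads `gcloud compute vpn-gateways get-status` output on stdin. Returns 0 only
# when the output reports CONNECTION_REDUNDANCY_MET and never NOT_MET; on
# failure the unsatisfied reason (if present) is echoed to stderr.
redundancy_met() {
  out=$(cat)
  if printf '%s\n' "$out" | grep -q 'CONNECTION_REDUNDANCY_NOT_MET'; then
    printf '%s\n' "$out" | grep -i 'unsatisfiedReason' >&2 || true
    return 1
  fi
  printf '%s\n' "$out" | grep -q 'CONNECTION_REDUNDANCY_MET'
}

# Constructed samples in the shape get-status prints (not captured output).
SAMPLE_MET='result:
  vpnConnections:
  - peerExternalGateway: onprem-gw
    state:
      state: CONNECTION_REDUNDANCY_MET
    tunnels:
    - {localGatewayInterface: 0, peerGatewayInterface: 0}
    - {localGatewayInterface: 1, peerGatewayInterface: 1}'
SAMPLE_NOT_MET='result:
  vpnConnections:
  - peerExternalGateway: onprem-gw
    state:
      state: CONNECTION_REDUNDANCY_NOT_MET
      unsatisfiedReason: INCOMPLETE_TUNNELS_COVERAGE
    tunnels:
    - {localGatewayInterface: 0, peerGatewayInterface: 0}'

# `./ha-vpn.sh apply` builds the topology for real, stores the PSK in a 0600
# file for the peer-side configuration, and exits non-zero if the gateway does
# not meet the redundancy requirement. With no argument it only defines the
# helpers, so the script can be sourced and exercised without gcloud.
if [ "${1:-}" = "apply" ]; then
  psk=$(gen_psk)
  umask 077; printf '%s\n' "$psk" > ha-vpn.psk
  echo "PSK written to ha-vpn.psk (mode 0600); configure the peer gateway with it"
  create_ha_vpn "$psk"
  if $GCLOUD compute vpn-gateways get-status "$GW_NAME" --region="$REGION" | redundancy_met; then
    echo "redundancy requirement met: the 99.99% SLA applies"
  else
    echo "redundancy requirement NOT met" >&2; exit 1
  fi
fi
```

`GCLOUD=echo ./ha-vpn.sh apply` prints the nine gcloud calls without touching a project. The final check is the scripted form of the get-status step: only a gateway whose status reports `CONNECTION_REDUNDANCY_MET` is covered by the SLA, so a deployment pipeline should fail, as this script does, when the second tunnel or BGP session is missing.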