1.9.2 High Availability VPN (in progress) - grzzboot/pingpong-service GitHub Wiki

High Availability VPN - dynamic routing

This part shows how to set up the slightly more complicated, but more production-ready, solution: High Availability VPN. HA VPN uses dynamic routing (BGP) and handles failover far more seamlessly than Classic VPN.

Get connected

This article assumes that you've performed the steps in the parent article.

In this part we're going to explore the High Availability (HA) VPN variant, specifically the one that connects two GCP projects together. We can't easily explore the variant that connects to an arbitrary on-prem gateway, since neither you nor I own one, but the two are fairly similar.

Google lists some general requirements for our case that I recommend you take a look at. They motivate some of the choices made here, such as the number of VPN tunnels, the location of the projects, etc.

Throughout this part we'll be jumping back and forth between the projects, setting up one part at a time on each side. This is because the output of one step on site 1 is usually an input for the next step on site 2. So be sure you're working in the correct project, and if something behaves REALLY weirdly, then maybe you're in the wrong project 😄? To help with that I've added the --project "pingpong-site<?>-gcp-demo" option to every command. This solves the problem if those ARE your project names; otherwise it's just going to be even harder... sorry...

This is a picture from Google's documentation that shows roughly what we are going to set up. The regions are different in our case and we have a simplified resource situation on the left, but other than that it matches. (Figure: Google Cloud-to-Google Cloud HA VPN gateways)

Create the gateways

An HA VPN gateway gets two interfaces, and the external IP address of each one is allocated automatically. This is not something we control; it's just how it works.

To create the HA VPN gateway in pingpong-site1-gcp-demo use the following command:

gcloud compute --project "pingpong-site1-gcp-demo" vpn-gateways create pingpong-site1-vpn-gateway \
  --network pingpong-site1-net \
  --region europe-west3

Then do the same in pingpong-site2-gcp-demo:

gcloud compute --project "pingpong-site2-gcp-demo" vpn-gateways create pingpong-site2-vpn-gateway \
  --network pingpong-site2-net \
  --region europe-west3

For both you should see feedback in the console that, among other things, lists the interface IP addresses. These are important when configuring the tunnels on either side, since the tunnels are pointed at the peer gateway's interfaces. Example (you'll most likely get different IPs):

NAME                        INTERFACE0    INTERFACE1    NETWORK             REGION
pingpong-site1-vpn-gateway  35.242.19.66  35.220.19.68  pingpong-site1-net  europe-west3

Create Cloud Routers

After creating the gateways we need to create a pair of Cloud Routers to manage the BGP sessions that this solution depends on. When creating a router we specify an ASN (autonomous system number) for that side, which is essentially its routing identity. The ASNs we define here come into play later when we hook the BGP sessions up to one another. Valid ASNs are the private ranges 64512 through 65534 and 4200000000 through 4294967294 (both inclusive).

gcloud compute --project "pingpong-site1-gcp-demo" routers create pingpong-site1-vpn-router \
  --region europe-west3 \
  --network pingpong-site1-net \
  --asn 4200000001

We just arbitrarily chose ASN 4200000001 for site 1. The important thing is to choose a different one for site 2, since the two routers will peer with each other.

gcloud compute --project "pingpong-site2-gcp-demo" routers create pingpong-site2-vpn-router \
  --region europe-west3 \
  --network pingpong-site2-net \
  --asn 4200000002

You should see feedback similar to this if the creation process completes successfully:

NAME                       REGION        NETWORK
pingpong-site1-vpn-router  europe-west3  pingpong-site1-net
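Because the gateway and router steps have to be repeated per project, and the interface IPs and ASNs they produce are exactly what the tunnel and BGP steps consume, it helps to script them so nothing is typed into the wrong project. The script below is an added example and not part of the wiki: it checks that both ASNs are private and distinct before anything is created, runs the same gcloud commands as above for each site, and pulls the two interface IPs out of the gateway listing in the table format shown earlier. The project, network, gateway and router names are the wiki's; the helper functions, the `--apply` switch and the embedded sample listing are assumptions made for this example.

```shell
#!/usr/bin/env sh
# Added example (not from the wiki): pre-flight checks plus per-site creation
# of the HA VPN gateway and Cloud Router, recording what the tunnel step needs.
# Nothing touches gcloud unless invoked as:  sh ha-vpn-sites.sh --apply
set -eu

REGION=europe-west3
SITE1_ASN=4200000001   # the wiki's choice for site 1
SITE2_ASN=4200000002   # the wiki's choice for site 2

# Constructed sample of `gcloud compute vpn-gateways list` output, in the
# same table layout the wiki shows; used to exercise the parser offline.
SAMPLE_GATEWAY_LISTING='NAME                        INTERFACE0    INTERFACE1    NETWORK             REGION
pingpong-site1-vpn-gateway  35.242.19.66  35.220.19.68  pingpong-site1-net  europe-west3'

# True if the argument is an integer inside one of the private ASN ranges
# Cloud Router accepts: 64512-65534 or 4200000000-4294967294 (inclusive).
is_private_asn() {
  case $1 in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 64512 ] && [ "$1" -le 65534 ] && return 0
  [ "$1" -ge 4200000000 ] && [ "$1" -le 4294967294 ]
}

# Both routers need a private ASN, and the two must differ so that
# site 1 and site 2 are distinct BGP peers.
check_asn_pair() {
  is_private_asn "$1" && is_private_asn "$2" && [ "$1" != "$2" ]
}

# Reads a `vpn-gateways list` table on stdin and prints the two interface
# IPs of the named gateway as "INTERFACE0 INTERFACE1" (nothing if absent).
gateway_interface_ips() {
  awk -v name="$1" 'NR > 1 && $1 == name { print $2, $3 }'
}

# Live part: create one site's gateway and router, then print the facts
# the next step (tunnels/BGP) will need from this side.
create_site() {  # usage: create_site <1|2> <asn>
  site=$1
  asn=$2
  project="pingpong-site${site}-gcp-demo"
  network="pingpong-site${site}-net"
  gateway="pingpong-site${site}-vpn-gateway"
  router="pingpong-site${site}-vpn-router"

  gcloud compute --project "$project" vpn-gateways create "$gateway" \
    --network "$network" \
    --region "$REGION"
  gcloud compute --project "$project" routers create "$router" \
    --region "$REGION" \
    --network "$network" \
    --asn "$asn"

  ips=$(gcloud compute --project "$project" vpn-gateways list --regions "$REGION" \
        | gateway_interface_ips "$gateway")
  echo "site${site}: project=$project gateway=$gateway router=$router asn=$asn interfaces=$ips"
}

if [ "${1:-}" = "--apply" ]; then
  check_asn_pair "$SITE1_ASN" "$SITE2_ASN" || {
    echo "refusing to continue: ASNs must be private and different" >&2
    exit 1
  }
  create_site 1 "$SITE1_ASN"
  create_site 2 "$SITE2_ASN"
fi
```

Keep the printed `siteN:` lines; each one is the input for configuring the tunnels on the opposite side, and having them labelled with the project name is what stops the two sites from getting mixed up later.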

Create the tunnels

Create BGP Peers and configure sessions

Configure firewall rules

Verify connectivity