- Cloud VPN securely connects customer sites to a GCP VPC network through an encrypted IPSec VPN Tunnel over the Internet
- Suitable for low volume data connections
- There is a VPN gateway at each end of the connection
- Supported features:
  - Static and dynamic routing
  - IKEv1 and IKEv2 ciphers
  - MTU = 1460 bytes
  - Max packet rate per tunnel = 250,000 packets per second (pps)
  - Authentication: pre-shared key only
- 2 types of VPN topology:
  - Classic, which is deprecated from October 2021
  - HA VPN, which should be used going forward
- Both topology types require 2 tunnels for a successful connection – 1 in each direction
Classic VPN
Uses one Cloud VPN gateway with a tunnel in each direction
For redundancy the GCP Cloud VPN gateway can peer with separate gateways on the customer side
HA VPN
Note: 2 VPN tunnels are required in each of the following topologies – the main difference is where the peer IPs are located
HA VPN Gateway -> 2 x on-premises gateways, each with its own IP
REDUNDANCY_TYPE = TWO_IPS_REDUNDANCY
In this configuration there are separate on-premises gateways, each with its own external IP address terminating a separate cloud gateway VPN tunnel.
HA VPN Gateway -> 1 x on-premises gateway with 2 x IPs
REDUNDANCY_TYPE = TWO_IPS_REDUNDANCY
In this configuration there is 1 on-premises customer VPN gateway with 2 external IPs, each terminating a separate cloud gateway tunnel.
HA VPN Gateway -> 1 x on-premises gateway with 1 x IP
REDUNDANCY_TYPE = SINGLE_IP_INTERNALLY_REDUNDANT
In this configuration there is a single on-premises gateway with only a single external IP for peering, meaning that 2 x cloud gateway tunnels peer with the same on-premises gateway.
Other HA Topologies
HA VPN between Google cloud networks
Two GCP VPC networks can be connected with an HA VPN gateway in each network, as shown below.
HA VPN to AWS peer gateways
Connecting to AWS requires 4 tunnels along with 4 external IPs on AWS.
SLA
- Each of the above HA topologies has a 99.99% availability SLA on the Google Cloud side
- Requires a separate VPN tunnel from each of the HA interfaces on the Google Cloud VPN gateway
- Full mesh configuration is not required to meet this SLA on the Google side, i.e. each HA interface on the GCP cloud gateway requires a single peer to a separate interface on the customer side
Routing
- Supports both static and dynamic routing
- Dynamic routing requires the configuration of a Cloud Router
- Note that in the above diagrams each Cloud HA gateway is accompanied by a Cloud Router
- Cloud Router uses BGP
- BGP sessions are established over the private network 169.254.0.0/16, which is used for routing information only and is commonly referred to as the IPv4 link-local network
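As an added example (not part of these notes), a small Python design check that applies the rules above to an HA VPN configuration: the REDUNDANCY_TYPE must match the number of distinct on-premises peer IPs, each HA interface on the Cloud VPN gateway needs its own tunnel for the 99.99% SLA, and BGP session addresses must sit inside 169.254.0.0/16. The Tunnel/HaVpnDesign data model and the sample designs are constructed for illustration; FOUR_IPS_REDUNDANCY for the four-IP AWS case is the GCP value, which the notes do not name.

```python
import ipaddress
from dataclasses import dataclass, field

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # BGP session addresses
HA_INTERFACES = (0, 1)  # an HA VPN gateway has two interfaces

@dataclass
class Tunnel:
    gcp_interface: int  # 0 or 1 on the HA VPN gateway
    peer_ip: str        # external IP of the on-premises gateway
    bgp_local: str      # Cloud Router side of the BGP session
    bgp_peer: str       # on-premises side of the BGP session

@dataclass
class HaVpnDesign:
    redundancy_type: str
    tunnels: list = field(default_factory=list)

def expected_redundancy(peer_ip_count: int) -> str:
    """Map distinct on-premises peer IPs to REDUNDANCY_TYPE (four-IP value assumed)."""
    return {1: "SINGLE_IP_INTERNALLY_REDUNDANT",
            2: "TWO_IPS_REDUNDANCY",
            4: "FOUR_IPS_REDUNDANCY"}.get(peer_ip_count, "UNSUPPORTED")

def check_design(d: HaVpnDesign) -> list:
    """Return findings; an empty list means the design meets the listed rules."""
    findings = []
    peer_ips = {t.peer_ip for t in d.tunnels}
    want = expected_redundancy(len(peer_ips))
    if d.redundancy_type != want:
        findings.append(f"{d.redundancy_type} does not fit {len(peer_ips)} peer IP(s); expected {want}")
    # 99.99% SLA needs a tunnel from each HA interface; full mesh is not required
    used = {t.gcp_interface for t in d.tunnels}
    findings += [f"no tunnel on HA interface {i}: SLA not met" for i in HA_INTERFACES if i not in used]
    for t in d.tunnels:
        for side, addr in (("local", t.bgp_local), ("peer", t.bgp_peer)):
            if ipaddress.ip_address(addr) not in LINK_LOCAL:
                findings.append(f"BGP {side} address {addr} is outside {LINK_LOCAL}")
        if t.bgp_local == t.bgp_peer:
            findings.append(f"BGP addresses on interface {t.gcp_interface} are identical")
    return findings

# Constructed sample: one on-premises gateway with two IPs, one tunnel per HA interface
GOOD = HaVpnDesign("TWO_IPS_REDUNDANCY", [
    Tunnel(0, "203.0.113.10", "169.254.0.1", "169.254.0.2"),
    Tunnel(1, "203.0.113.11", "169.254.1.1", "169.254.1.2")])
# Constructed sample: both tunnels on interface 0, one BGP session not link-local
BAD = HaVpnDesign("TWO_IPS_REDUNDANCY", [
    Tunnel(0, "203.0.113.10", "169.254.0.1", "169.254.0.2"),
    Tunnel(0, "203.0.113.10", "10.0.0.1", "10.0.0.2")])
```

Run `check_design(GOOD)` for an empty list and `check_design(BAD)` to see the redundancy mismatch, the missing tunnel on interface 1 and the two non-link-local BGP addresses reported.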