VPN

  • Cloud VPN securely connects customer sites to a GCP VPC network through an encrypted IPSec VPN Tunnel over the Internet
  • Suitable for low volume data connections
  • There is a VPN gateway at each end of the connection
  • Supported features:
    • Static and dynamic routing
    • IKEv1 and IKEv2 ciphers
    • MTU = 1460 bytes
    • Max packet rate per tunnel = 250,000 packets per second (pps)
    • Authentication: Pre-shared key only
  • 2 types of VPN topology:
    • Classic, which has been partially deprecated since October 2021 and is no longer the recommended option
    • HA VPN which should be used going forwards
  • A single IPsec tunnel carries traffic in both directions. HA VPN needs 2 tunnels, 1 from each interface of the HA VPN gateway, to meet its availability SLA; Classic VPN works with 1 tunnel and adds a second gateway or tunnel only for redundancy

Classic VPN

Uses one Cloud VPN gateway with a single external IP address and a single bidirectional IPsec tunnel to the customer gateway

For redundancy the GCP Cloud VPN gateway can peer with separate gateways on the customer side

HA VPN

Note: 2 VPN tunnels (1 from each interface of the HA VPN gateway) are required in each of the following topologies. The difference is how many on-premise gateways and external IPs terminate them, which is recorded as the REDUNDANCY_TYPE of the external VPN gateway resource that describes the peer

HA VPN Gateway -> 2 x on-premise gateways each with its own IP

REDUNDANCY_TYPE = TWO_IPS_REDUNDANCY

In this configuration, there are separate on-premise gateways each with its own external IP address, each terminating a separate tunnel from the cloud gateway.

HA VPN Gateway -> 1 x on-premise gateway with 2 x IP

REDUNDANCY_TYPE = TWO_IPS_REDUNDANCY

In this configuration there is 1 on-premise customer VPN gateway with 2 external IPs each terminating a separate cloud gateway tunnel

HA VPN Gateway -> 1 x on-premise gateway with 1 x IP

REDUNDANCY_TYPE = SINGLE_IP_INTERNALLY_REDUNDANT

In this configuration there is a single on-premise gateway with only a single external IP for peering, so both cloud gateway tunnels terminate on the same on-premise IP. Any redundancy on the customer side has to be provided internally by that gateway (hence the name), and the 99.99% SLA still applies on the Google side as long as both tunnels are configured.

Other HA Topologies

HA VPN between Google cloud networks

2 GCP VPC networks can be connected with a HA VPN gateway in each network. The two HA VPN gateways peer with each other directly, so no external VPN gateway resource is needed; each side still requires its own Cloud Router and 2 tunnels.
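The VPC-to-VPC topology above, as an added example that is not part of the original notes. It emits the gcloud commands for both sides as a plan (pipe it to sh to apply); project, region, network, gateway and router names, ASNs and link-local addresses are all assumed placeholders. Because both sides share one pre-shared key, the key is left as the literal $IKE_PSK in the plan and is expanded from the environment only at apply time, so it never appears in printed output.

```shell
#!/bin/sh
# Added example, not from the original notes: HA VPN between two VPC networks in
# one project. Each side gets its own HA VPN gateway and Cloud Router, and the
# tunnels peer directly with the other HA VPN gateway (--peer-gcp-gateway), so
# no external VPN gateway resource is involved.
# Names, ASNs and addresses are placeholders (assumptions).
# The script prints a plan instead of running it (pipe it to sh to apply); the
# pre-shared key is left as the literal $IKE_PSK so it is expanded from the
# environment at apply time and never appears in the printed plan.

PROJECT=${PROJECT:-example-project}
REGION=${REGION:-europe-west2}

emit() { printf '%s\n' "$*"; }

# gateway NETWORK GATEWAY
gateway() {
  emit gcloud compute vpn-gateways create "$2" \
    --project="$PROJECT" --region="$REGION" --network="$1"
}

# side NETWORK GATEWAY ROUTER ASN PEER_GATEWAY PEER_ASN ME THEM
# ME/THEM are the last octets of the link-local /30 used by tunnel i
# (169.254.i.0/30): side A uses .1 and talks to .2, side B the reverse.
side() {
  net=$1 gw=$2 router=$3 asn=$4 peer_gw=$5 peer_asn=$6 me=$7 them=$8
  emit gcloud compute routers create "$router" \
    --project="$PROJECT" --region="$REGION" --network="$net" --asn="$asn"
  for i in 0 1; do
    # Interface i of this gateway pairs with interface i of the peer gateway.
    emit gcloud compute vpn-tunnels create "$gw-tunnel-$i" \
      --project="$PROJECT" --region="$REGION" \
      --vpn-gateway="$gw" --interface="$i" --peer-gcp-gateway="$peer_gw" \
      --ike-version=2 --shared-secret='$IKE_PSK' --router="$router"
    emit gcloud compute routers add-interface "$router" \
      --project="$PROJECT" --region="$REGION" \
      --interface-name="$gw-if-$i" --vpn-tunnel="$gw-tunnel-$i" \
      --ip-address="169.254.$i.$me" --mask-length=30
    emit gcloud compute routers add-bgp-peer "$router" \
      --project="$PROJECT" --region="$REGION" \
      --peer-name="$gw-peer-$i" --interface="$gw-if-$i" \
      --peer-ip-address="169.254.$i.$them" --peer-asn="$peer_asn"
  done
}

# Both gateways must exist before either side's tunnels can reference the
# other, so the plan creates the gateways first, then tunnels and BGP per side.
plan_vpc_to_vpc() {
  gateway vpc-a ha-vpn-gw-a
  gateway vpc-b ha-vpn-gw-b
  side vpc-a ha-vpn-gw-a cr-a 64514 ha-vpn-gw-b 64515 1 2
  side vpc-b ha-vpn-gw-b cr-b 64515 ha-vpn-gw-a 64514 2 1
}

plan_vpc_to_vpc
```

To apply: `export IKE_PSK=...; sh plan.sh | sh`. The two Cloud Routers use different private ASNs so the sessions are eBGP, and tunnel i on one gateway always lands on interface i of the other, which is why the link-local octets are simply mirrored between the two `side` calls.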

HA VPN to AWS peer gateways

REDUNDANCY_TYPE = FOUR_IPS_REDUNDANCY

Connecting to AWS requires 4 tunnels along with 4 external IPs on AWS: an AWS Site-to-Site VPN connection has 2 tunnel endpoints, so 1 AWS VPN connection is created per HA VPN gateway interface and each interface terminates 2 tunnels.

SLA

  • Each of the above HA Topologies has a 99.99% availability SLA on the Google Cloud side
  • Requires a separate VPN tunnel from each of the HA Interfaces on the Google Cloud VPN Gateway
  • Full mesh configuration is not required to meet this SLA on the Google side, i.e. each HA interface on the GCP cloud gateway needs a single tunnel to a separate interface (or IP) on the customer side

Routing

  • Supports both static and dynamic routing
  • Dynamic routing requires the configuration of a Cloud Router
  • Each HA VPN gateway is accompanied by a Cloud Router in the same region and VPC network
  • Cloud Router uses BGP
  • BGP sessions are established over link-local addresses from 169.254.0.0/16 (the IPv4 link-local range); each tunnel gets its own /30 from that range, one address for the Cloud Router interface and one for the peer, and these addresses carry routing information only, never user traffic
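The following is an added example, not code from the original notes, that ties the HA VPN topology section (TWO_IPS_REDUNDANCY, 1 on-premise gateway with 2 external IPs) to the routing section above: it creates the HA VPN gateway, the external VPN gateway describing the peer, a Cloud Router, 2 tunnels (1 per HA interface) and a BGP session per tunnel over a link-local /30. Project, region, network, peer IPs, ASNs and all resource names are assumed placeholders. DRY_RUN=1 (the default) prints the commands instead of executing them so the script runs offline; DRY_RUN=0 applies them.

```shell
#!/bin/sh
# Added example, not from the original notes: HA VPN gateway with two tunnels
# to one on-premise gateway that exposes two external IPs (TWO_IPS_REDUNDANCY),
# dynamic routing via Cloud Router/BGP over link-local /30s.
# Project, region, network, IPs, ASNs and resource names are placeholders.
# DRY_RUN=1 (default) prints the gcloud commands instead of executing them so
# the script can be run offline; DRY_RUN=0 applies them to a real project.

PROJECT=${PROJECT:-example-project}
REGION=${REGION:-europe-west2}
NETWORK=${NETWORK:-vpc-prod}
PEER_IP_0=${PEER_IP_0:-203.0.113.10}   # on-prem gateway, 1st external IP (placeholder)
PEER_IP_1=${PEER_IP_1:-203.0.113.11}   # on-prem gateway, 2nd external IP (placeholder)
GCP_ASN=${GCP_ASN:-64514}              # private ASN for the Cloud Router (placeholder)
PEER_ASN=${PEER_ASN:-64515}            # private ASN of the on-prem router (placeholder)

# Print-or-execute wrapper. In dry-run mode the IKE pre-shared key is redacted
# so that a plan pasted into a ticket or log does not leak the only credential
# Cloud VPN supports.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    for a in "$@"; do
      case $a in --shared-secret=*) a='--shared-secret=<redacted>' ;; esac
      printf '%s ' "$a"
    done
    printf '\n'
  else
    "$@"
  fi
}

# Cloud VPN authenticates with a pre-shared key only: take it from the
# environment, or generate 32 random bytes (64 hex chars) when none is given.
psk() {
  if [ -n "${IKE_PSK:-}" ]; then
    printf '%s' "$IKE_PSK"
  else
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
  fi
}

create_ha_vpn() {
  secret=$(psk)

  # 1. HA VPN gateway; Google assigns an external IP to each interface (0, 1).
  run gcloud compute vpn-gateways create ha-vpn-gw-1 \
    --project="$PROJECT" --region="$REGION" --network="$NETWORK"

  # 2. External VPN gateway resource describing the peer. gcloud derives the
  #    REDUNDANCY_TYPE from the interface count: 2 IPs here gives
  #    TWO_IPS_REDUNDANCY (1 IP would be SINGLE_IP_INTERNALLY_REDUNDANT,
  #    4 would be FOUR_IPS_REDUNDANCY).
  run gcloud compute external-vpn-gateways create onprem-gw \
    --project="$PROJECT" --interfaces="0=$PEER_IP_0,1=$PEER_IP_1"

  # 3. Cloud Router that will run BGP for both tunnels.
  run gcloud compute routers create cr-vpn \
    --project="$PROJECT" --region="$REGION" --network="$NETWORK" --asn="$GCP_ASN"

  # 4. One tunnel per HA VPN interface, each to its own peer IP; both must be
  #    configured to qualify for the 99.99% SLA.
  for i in 0 1; do
    run gcloud compute vpn-tunnels create "tunnel-$i" \
      --project="$PROJECT" --region="$REGION" \
      --vpn-gateway=ha-vpn-gw-1 --interface="$i" \
      --peer-external-gateway=onprem-gw --peer-external-gateway-interface="$i" \
      --ike-version=2 --shared-secret="$secret" --router=cr-vpn
  done

  # 5. BGP session per tunnel over a /30 inside 169.254.0.0/16 (link-local;
  #    carries routing information only, never user traffic):
  #    tunnel-0: Cloud Router 169.254.0.1 <-> peer 169.254.0.2
  #    tunnel-1: Cloud Router 169.254.1.1 <-> peer 169.254.1.2
  for i in 0 1; do
    run gcloud compute routers add-interface cr-vpn \
      --project="$PROJECT" --region="$REGION" \
      --interface-name="if-tunnel-$i" --vpn-tunnel="tunnel-$i" \
      --ip-address="169.254.$i.1" --mask-length=30
    run gcloud compute routers add-bgp-peer cr-vpn \
      --project="$PROJECT" --region="$REGION" \
      --peer-name="bgp-peer-$i" --interface="if-tunnel-$i" \
      --peer-ip-address="169.254.$i.2" --peer-asn="$PEER_ASN"
  done
}

# Post-deployment check: both tunnels should report ESTABLISHED.
check_tunnels() {
  for i in 0 1; do
    run gcloud compute vpn-tunnels describe "tunnel-$i" \
      --project="$PROJECT" --region="$REGION" --format='value(status)'
  done
}

create_ha_vpn
check_tunnels
```

Two points worth noting when adapting this. The on-premise device must answer for both external IPs with matching tunnel and BGP settings (its side of each /30 is the `.2` address), and the pre-shared key is the whole of the authentication, so it should come from a secret store via IKE_PSK rather than a script literal; the wrapper redacts it from dry-run output for the same reason.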