GCP Cloud VPN

Rajamohan Naidu
12 min read · Nov 7, 2023

Cloud VPN overview:

Cloud VPN is a secure way to connect your on-premises network to your cloud network. It uses an IPsec tunnel to encrypt traffic between the two networks, so your data is protected as it travels over the public internet.

Types of Cloud VPN

1. HA VPN

HA VPN is a more reliable and scalable VPN solution than Classic VPN. It uses two VPN gateways in an active-active or active-passive configuration to provide high availability and performance. HA VPN also supports dynamic routing, which makes it easier to manage complex network topologies.

2. Classic VPN

Classic VPN is a legacy VPN solution that is still widely used. It is less reliable and scalable than HA VPN, but it is also simpler to configure and manage. Classic VPN does not support dynamic routing, so it may not be suitable for complex network topologies.

HA VPN & Classic VPN Features

Cloud HA-VPN Setup:

We will set up two VPCs and add a Cloud HA VPN gateway in each, then run two tunnels from each VPN gateway to demonstrate the HA VPN configuration that qualifies for the 99.99% availability SLA.

Task 1. Cloud VPC setup

  • From Cloud Shell, create a VPC network called vpc-demo:

gcloud compute networks create vpc-demo --subnet-mode custom

Create subnets

  1. Now create subnet vpc-demo-subnet1 in the us-central1 region:

gcloud beta compute networks subnets create vpc-demo-subnet1 --network vpc-demo --range 10.1.1.0/24 --region us-central1

  2. Create subnet vpc-demo-subnet2 in the us-west1 region:

gcloud beta compute networks subnets create vpc-demo-subnet2 --network vpc-demo --range 10.2.1.0/24 --region us-west1

Create firewall rules

  1. Create a firewall rule to allow all internal traffic within the network:

gcloud compute firewall-rules create vpc-demo-allow-internal --network vpc-demo --allow tcp:0-65535,udp:0-65535,icmp --source-ranges 10.0.0.0/8

  2. Create a firewall rule to allow ssh and icmp from anywhere. No --source-ranges is given, so gcloud defaults the source to 0.0.0.0/0; outside a lab, restrict this to known source ranges:

gcloud compute firewall-rules create vpc-demo-allow-ssh-icmp --network vpc-demo --allow tcp:22,icmp

Create VM instances in network vpc-demo

  1. Create a VM instance vpc-demo-instance1 in zone us-central1-a:

gcloud compute instances create vpc-demo-instance1 --zone us-central1-a --subnet vpc-demo-subnet1

  2. Create a VM instance vpc-demo-instance2 in zone us-west1-a:

gcloud compute instances create vpc-demo-instance2 --zone us-west1-a --subnet vpc-demo-subnet2

Task 2. Simulate on-premises setup

  • Create a VPC network called on-prem:

gcloud compute networks create on-prem --subnet-mode custom

Create subnets

  • Create subnet on-prem-subnet1:

gcloud beta compute networks subnets create on-prem-subnet1 --network on-prem --range 192.168.1.0/24 --region us-central1

Create firewall rules

  1. Create a firewall rule to allow all internal traffic within the network:

gcloud compute firewall-rules create on-prem-allow-internal --network on-prem --allow tcp:0-65535,udp:0-65535,icmp --source-ranges 192.168.0.0/16

  2. Create a firewall rule to allow ssh and icmp to the instances (the command opens only tcp:22 and icmp, and again from any source because no --source-ranges is given):

gcloud compute firewall-rules create on-prem-allow-ssh-icmp --network on-prem --allow tcp:22,icmp

Create a test instance in network on-prem

  • Create an instance on-prem-instance1 in zone us-central1-a:

gcloud compute instances create on-prem-instance1 --zone us-central1-a --subnet on-prem-subnet1

Task 3. HA-VPN setup

  1. Create a Cloud HA VPN gateway in network vpc-demo:

gcloud beta compute vpn-gateways create vpc-demo-vpn-gw1 --network vpc-demo --region us-central1

  2. Create a Cloud HA VPN gateway in network on-prem:

gcloud beta compute vpn-gateways create on-prem-vpn-gw1 --network on-prem --region us-central1

View details of the VPN gateways

  1. View details of VPN gateway vpc-demo-vpn-gw1:

gcloud beta compute vpn-gateways describe vpc-demo-vpn-gw1 --region us-central1

  2. View details of VPN gateway on-prem-vpn-gw1:

gcloud beta compute vpn-gateways describe on-prem-vpn-gw1 --region us-central1

Create Cloud Routers

  1. Create a Cloud Router in network vpc-demo:

gcloud compute routers create vpc-demo-router1 --region us-central1 --network vpc-demo --asn 65001

  2. Create a Cloud Router in network on-prem:

gcloud compute routers create on-prem-router1 --region us-central1 --network on-prem --asn 65002

Create two VPN tunnels

  1. Create the first VPN tunnel in network vpc-demo. Replace [SHARED_SECRET] with a long, random pre-shared key; the same value must be configured on both ends of each tunnel, and it should not be reused from another environment:

gcloud beta compute vpn-tunnels create vpc-demo-tunnel0 --peer-gcp-gateway on-prem-vpn-gw1 --region us-central1 --ike-version 2 --shared-secret [SHARED_SECRET] --router vpc-demo-router1 --vpn-gateway vpc-demo-vpn-gw1 --interface 0

  2. Now create the second tunnel:

gcloud beta compute vpn-tunnels create vpc-demo-tunnel1 --peer-gcp-gateway on-prem-vpn-gw1 --region us-central1 --ike-version 2 --shared-secret [SHARED_SECRET] --router vpc-demo-router1 --vpn-gateway vpc-demo-vpn-gw1 --interface 1

Create two VPN tunnels in network on-prem

  1. Create on-prem-tunnel0 with the following command:

gcloud beta compute vpn-tunnels create on-prem-tunnel0 --peer-gcp-gateway vpc-demo-vpn-gw1 --region us-central1 --ike-version 2 --shared-secret [SHARED_SECRET] --router on-prem-router1 --vpn-gateway on-prem-vpn-gw1 --interface 0

  2. Create on-prem-tunnel1 with the following command:

gcloud beta compute vpn-tunnels create on-prem-tunnel1 --peer-gcp-gateway vpc-demo-vpn-gw1 --region us-central1 --ike-version 2 --shared-secret [SHARED_SECRET] --router on-prem-router1 --vpn-gateway on-prem-vpn-gw1 --interface 1

Create bgp peering for each tunnel

  1. Create the router interface for tunnel0 in network vpc-demo:

gcloud compute routers add-interface vpc-demo-router1 --interface-name if-tunnel0-to-on-prem --ip-address 169.254.0.1 --mask-length 30 --vpn-tunnel vpc-demo-tunnel0 --region us-central1

  2. And the BGP peer for tunnel0 in network vpc-demo:

gcloud compute routers add-bgp-peer vpc-demo-router1 --peer-name bgp-on-prem-tunnel0 --interface if-tunnel0-to-on-prem --peer-ip-address 169.254.0.2 --peer-asn 65002 --region us-central1

  3. Create the router interface for tunnel1 in network vpc-demo:

gcloud compute routers add-interface vpc-demo-router1 --interface-name if-tunnel1-to-on-prem --ip-address 169.254.1.1 --mask-length 30 --vpn-tunnel vpc-demo-tunnel1 --region us-central1

  4. And the BGP peer for tunnel1 in network vpc-demo:

gcloud compute routers add-bgp-peer vpc-demo-router1 --peer-name bgp-on-prem-tunnel1 --interface if-tunnel1-to-on-prem --peer-ip-address 169.254.1.2 --peer-asn 65002 --region us-central1

  5. Create the router interface for tunnel0 in network on-prem:

gcloud compute routers add-interface on-prem-router1 --interface-name if-tunnel0-to-vpc-demo --ip-address 169.254.0.2 --mask-length 30 --vpn-tunnel on-prem-tunnel0 --region us-central1

  6. And the BGP peer for tunnel0 in network on-prem:

gcloud compute routers add-bgp-peer on-prem-router1 --peer-name bgp-vpc-demo-tunnel0 --interface if-tunnel0-to-vpc-demo --peer-ip-address 169.254.0.1 --peer-asn 65001 --region us-central1

  7. Create the router interface for tunnel1 in network on-prem:

gcloud compute routers add-interface on-prem-router1 --interface-name if-tunnel1-to-vpc-demo --ip-address 169.254.1.2 --mask-length 30 --vpn-tunnel on-prem-tunnel1 --region us-central1

  8. And the BGP peer for tunnel1 in network on-prem:

gcloud compute routers add-bgp-peer on-prem-router1 --peer-name bgp-vpc-demo-tunnel1 --interface if-tunnel1-to-vpc-demo --peer-ip-address 169.254.1.1 --peer-asn 65001 --region us-central1
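A mismatched link-local pair or swapped ASN is the usual reason a BGP session never comes up, so it is worth checking the eight commands above mechanically. The script below is an added example, not part of the original post: it reads one tab-separated line per router interface (router, interface, local IP, peer IP, local ASN, peer ASN), built here by hand from the commands above rather than captured from gcloud, and verifies that every pair uses a 169.254.0.0/16 /30 and that the two routers mirror each other.

```shell
#!/bin/sh
# Added example (not from the original post): cross-check the Cloud Router
# BGP interface/peer pairs created above before debugging tunnel status.
# Each input line is: router<TAB>interface<TAB>local-ip<TAB>peer-ip<TAB>local-asn<TAB>peer-asn
bgp_check() {
  printf '%s\n' "$1" | awk '
    BEGIN { FS = "\t"; LL_LO = 169 * 2^24 + 254 * 2^16; LL_HI = LL_LO + 2^16 }
    function ip2int(s,  o) { split(s, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
    function fail(msg) { errors++; print "FAIL: " msg > "/dev/stderr" }
    NF < 6 { next }
    {
      a = ip2int($3); b = ip2int($4)
      # Cloud Router BGP sessions run over link-local addresses (169.254.0.0/16)
      if (a < LL_LO || a >= LL_HI || b < LL_LO || b >= LL_HI) fail($2 ": address outside 169.254.0.0/16")
      # both ends of one tunnel share a /30 and use its two host addresses
      if (int(a / 4) != int(b / 4)) fail($2 ": " $3 " and " $4 " are not in the same /30")
      if (a == b || a % 4 == 0 || a % 4 == 3 || b % 4 == 0 || b % 4 == 3) fail($2 ": not a usable host address in its /30")
      if ($5 == $6) fail($2 ": local ASN equals peer ASN")
      # the two routers describing the same link must be mirror images of each other
      key = (a < b) ? $3 "/" $4 : $4 "/" $3
      if (++seen[key] == 1) { ip[key] = $3; pip[key] = $4; asn[key] = $5; pasn[key] = $6; rt[key] = $1; next }
      if (ip[key] != $4 || pip[key] != $3 || asn[key] != $6 || pasn[key] != $5) fail($2 ": does not mirror " rt[key])
    }
    END {
      for (k in seen) if (seen[k] != 2) fail("link " k " appears on " seen[k] " router(s), expected 2")
      print (errors ? "FAIL" : "OK")
    }'
}

# Constructed sample matching the eight add-interface/add-bgp-peer commands above
BGP_SAMPLE="$(printf '%s\t%s\t%s\t%s\t%s\t%s\n' \
  vpc-demo-router1 if-tunnel0-to-on-prem  169.254.0.1 169.254.0.2 65001 65002 \
  vpc-demo-router1 if-tunnel1-to-on-prem  169.254.1.1 169.254.1.2 65001 65002 \
  on-prem-router1  if-tunnel0-to-vpc-demo 169.254.0.2 169.254.0.1 65002 65001 \
  on-prem-router1  if-tunnel1-to-vpc-demo 169.254.1.2 169.254.1.1 65002 65001)"

bgp_check "$BGP_SAMPLE"   # prints OK
```

On a real project the same six columns can be pulled from gcloud compute routers describe on each router; each violation is reported on stderr and the last stdout line is the overall verdict.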

Verify router configurations

  1. View details of Cloud Router vpc-demo-router1 to verify its settings:

gcloud compute routers describe vpc-demo-router1 --region us-central1

  2. View details of Cloud Router on-prem-router1 to verify its settings:

gcloud compute routers describe on-prem-router1 --region us-central1

Configure firewall rules to allow traffic from the remote VPC

  1. Allow traffic from network on-prem to vpc-demo:

gcloud compute firewall-rules create vpc-demo-allow-subnets-from-on-prem --network vpc-demo --allow tcp,udp,icmp --source-ranges 192.168.1.0/24

  2. Allow traffic from vpc-demo to network on-prem:

gcloud compute firewall-rules create on-prem-allow-subnets-from-vpc-demo --network on-prem --allow tcp,udp,icmp --source-ranges 10.1.1.0/24,10.2.1.0/24

Verify the status of the tunnels

  1. List the VPN tunnels you just created. There should be four VPN tunnels, two for each VPN gateway:

gcloud beta compute vpn-tunnels list

  2. Now, verify that each tunnel is up (status ESTABLISHED). First, vpc-demo-tunnel0:

gcloud beta compute vpn-tunnels describe vpc-demo-tunnel0 --region us-central1

  3. Next, vpc-demo-tunnel1:

gcloud beta compute vpn-tunnels describe vpc-demo-tunnel1 --region us-central1

  4. Next, on-prem-tunnel0:

gcloud beta compute vpn-tunnels describe on-prem-tunnel0 --region us-central1

  5. Next, on-prem-tunnel1:

gcloud beta compute vpn-tunnels describe on-prem-tunnel1 --region us-central1

Verify private connectivity over VPN

  1. SSH into the instance in network on-prem:

gcloud compute ssh on-prem-instance1 --zone us-central1-a

  2. Type "y" to confirm you want to continue.

  3. Press Enter twice to skip setting a passphrase on the SSH key gcloud generates.

  4. Now, from this instance in network on-prem, try to reach instances in network vpc-demo.

  5. On the instance on-prem-instance1, ping 10.1.1.2, the internal IP of vpc-demo-instance1 in vpc-demo-subnet1 (confirm with gcloud compute instances list if yours differs):

ping 10.1.1.2

  6. Press CTRL+C to stop the command.

Global routing with VPN

Remember, HA VPN is a regional resource, and a Cloud Router in the default REGIONAL dynamic routing mode only advertises subnets in its own region and only installs learned routes there. To reach instances in a different region than the Cloud Router, you need to enable global dynamic routing mode for the VPC. This allows the Cloud Router to see and advertise routes from all regions.

  1. Open a new Cloud Shell tab and update the BGP routing mode of vpc-demo to GLOBAL:

gcloud compute networks update vpc-demo --bgp-routing-mode GLOBAL

  2. Verify the change:

gcloud compute networks describe vpc-demo

  3. Now, from the instance in network on-prem, ping the instance vpc-demo-instance2 in region us-west1:

ping 10.2.1.2

  4. Pings will be successful.

  5. Press CTRL+C to stop the command.

Verify high availability of tunnels

  1. Open a new Cloud Shell tab.

  2. Bring tunnel0 in network vpc-demo down:

gcloud compute vpn-tunnels delete vpc-demo-tunnel0 --region us-central1

  3. Respond Y when asked to verify the deletion.

The corresponding tunnel0 in network on-prem will go down.

  4. Verify that the tunnel is down by running:

gcloud compute vpn-tunnels describe on-prem-tunnel0 --region us-central1

The status should show as FIRST_HANDSHAKE.

  5. Go back to the first Cloud Shell tab and verify pings between the instances in network vpc-demo and network on-prem:

ping 10.1.1.2

  6. Press CTRL+C to stop the command.

  7. Pings are still successful as the traffic is now sent over the second tunnel.
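The two verification sections above (tunnel status after Task 3, and the failover test just performed) are exactly what an operator wants turned into a continuous check: all four tunnels ESTABLISHED means the 99.99% SLA configuration is intact, one tunnel per gateway down still carries traffic but is degraded, and zero tunnels on a gateway is an outage. The script below is an added example, not part of the original post; it assumes a tab-separated tunnel/gateway/status list such as the one gcloud compute vpn-tunnels list --format="value(name,vpnGateway.basename(),status)" produces (that projection is an assumption), and both inputs are constructed rather than captured.

```shell
#!/bin/sh
# Added example (not from the original post): reduce the tunnel list to an HA
# verdict. Each input line is tunnel<TAB>gateway<TAB>status, the shape assumed from
#   gcloud compute vpn-tunnels list --format="value(name,vpnGateway.basename(),status)"
# Both samples below are constructed, not captured output.
ha_status() {
  printf '%s\n' "$1" | awk '
    BEGIN { FS = "\t" }
    NF < 3 { next }
    {
      total[$2]++
      if ($3 == "ESTABLISHED") up[$2]++; else print "tunnel " $1 " on " $2 " is " $3 > "/dev/stderr"
    }
    END {
      # the 99.99% SLA needs both tunnels of every HA VPN gateway up; one tunnel
      # down still carries traffic (the failover test above) but is DEGRADED
      verdict = "HA_OK"
      for (gw in total) {
        if (!(gw in up)) verdict = "DOWN"
        else if (up[gw] < 2 && verdict != "DOWN") verdict = "DEGRADED"
      }
      print verdict
    }'
}

# Constructed: all four tunnels up, as after Task 3
TUNNELS_ALL_UP="$(printf '%s\t%s\t%s\n' \
  vpc-demo-tunnel0 vpc-demo-vpn-gw1 ESTABLISHED \
  vpc-demo-tunnel1 vpc-demo-vpn-gw1 ESTABLISHED \
  on-prem-tunnel0  on-prem-vpn-gw1  ESTABLISHED \
  on-prem-tunnel1  on-prem-vpn-gw1  ESTABLISHED)"

# Constructed: vpc-demo-tunnel0 deleted, so its on-prem peer shows FIRST_HANDSHAKE
TUNNELS_AFTER_DELETE="$(printf '%s\t%s\t%s\n' \
  vpc-demo-tunnel1 vpc-demo-vpn-gw1 ESTABLISHED \
  on-prem-tunnel0  on-prem-vpn-gw1  FIRST_HANDSHAKE \
  on-prem-tunnel1  on-prem-vpn-gw1  ESTABLISHED)"

ha_status "$TUNNELS_ALL_UP"         # HA_OK
ha_status "$TUNNELS_AFTER_DELETE"   # DEGRADED, with on-prem-tunnel0 named on stderr
```

A gateway whose tunnels have all been deleted no longer appears in the list at all, so a production check should also compare the gateways seen against the expected gateway names.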

Task 4. Cleanup

Delete VPN tunnels

  • From Cloud Shell, run the following commands to delete the remaining tunnels, confirming this action when asked:
gcloud compute vpn-tunnels delete on-prem-tunnel0  --region us-central1
gcloud compute vpn-tunnels delete vpc-demo-tunnel1  --region us-central1
gcloud compute vpn-tunnels delete on-prem-tunnel1  --region us-central1

Remove BGP peering

  • Run the following commands from each BGP peer to remove peering:

gcloud compute routers remove-bgp-peer vpc-demo-router1 --peer-name bgp-on-prem-tunnel0 --region us-central1
gcloud compute routers remove-bgp-peer vpc-demo-router1 --peer-name bgp-on-prem-tunnel1 --region us-central1
gcloud compute routers remove-bgp-peer on-prem-router1 --peer-name bgp-vpc-demo-tunnel0 --region us-central1
gcloud compute routers remove-bgp-peer on-prem-router1 --peer-name bgp-vpc-demo-tunnel1 --region us-central1

Delete cloud routers

  • Run each command to delete the routers, confirming this action when asked:
gcloud compute routers delete on-prem-router1 --region us-central1
gcloud compute routers delete vpc-demo-router1 --region us-central1

Delete VPN gateways

  • Run each command to delete the VPN gateways, confirming this action when asked:
gcloud beta compute vpn-gateways delete vpc-demo-vpn-gw1 --region us-central1
gcloud beta compute vpn-gateways delete on-prem-vpn-gw1 --region us-central1

Delete instances

  • Run the following commands to delete each instance, confirming this action when asked:
gcloud compute instances delete vpc-demo-instance1 --zone us-central1-a
gcloud compute instances delete vpc-demo-instance2 --zone us-west1-a
gcloud compute instances delete on-prem-instance1 --zone us-central1-a

Delete firewall rules

  • Run the following to delete the firewall rules, confirming this action when asked:
gcloud beta compute firewall-rules delete vpc-demo-allow-internal
gcloud beta compute firewall-rules delete on-prem-allow-subnets-from-vpc-demo
gcloud beta compute firewall-rules delete on-prem-allow-ssh-icmp
gcloud beta compute firewall-rules delete on-prem-allow-internal
gcloud beta compute firewall-rules delete vpc-demo-allow-subnets-from-on-prem
gcloud beta compute firewall-rules delete vpc-demo-allow-ssh-icmp

Delete subnets

  • Run the following to delete the subnets, confirming this action when asked:
gcloud beta compute networks subnets delete vpc-demo-subnet1 --region us-central1
gcloud beta compute networks subnets delete vpc-demo-subnet2 --region us-west1
gcloud beta compute networks subnets delete on-prem-subnet1 --region us-central1

Delete VPC

  • Finally, run these commands to delete the VPCs, confirming this action when asked:
gcloud compute networks delete vpc-demo
gcloud compute networks delete on-prem
