The ability to connect your private, on-premises network to secured resources on Google Cloud Platform is incredibly powerful. By connecting your GCP resources to your private network over a virtual private network (VPN), you create an encrypted tunnel that places GCP resources on the same private network as the rest of your organization. This guide will show you how to create and configure a basic VPN connection (or tunnel) to GCP.
First, a few parameters:
- Cloud VPN operates over an IPsec connection using a shared secret (IKEv1 or IKEv2)
- Cloud VPN supports both static and dynamic routes (when using Cloud Router)
- Cloud VPN is for site-to-site VPN connections (router-to-router); it does not support client-to-site connections, such as a laptop connecting with a VPN client.
Before we begin, you will need from your on-premises network router:
- Router IP address
- Subnets on your network that you will connect via VPN
- A shared secret (pre-shared key) configured in your on-premises router's VPN settings.
Choose a region for VPN tunnel (GCP side)
By default, a GCP project has a subnet in every worldwide region, all on the same private network. You can set up the VPN tunnel on any region, and have it be accessible from the others.
For best performance, you should create the VPN tunnel in the same region as your hosted GCP resources, such as a virtual server that needs access to your on-premises network.
For example, if most of your GCP resources were in ‘subnet-a’ in us-central1, you would want to attach your VPN tunnel to the same us-central1 region. Note that you can have multiple subnets in the same region; the VPN connection only cares about the single region it is attached to.
Reserve static IP address for VPN tunnel
Before you create your VPN tunnel, you will need to reserve a static IP address. Below are the steps to do so.
- From the GCP console, from the top left menu, navigate to Networking – VPC Network – External IP addresses.
- Choose Reserve static address.
- Give the reserved address a name for reference (we will use ‘vpn-tunnel’ for this demo).
- Select the same region that our VPN tunnel will use. Static IPs are only available in the region they are reserved in. Note that multiple subnets can exist in the same region.
- Leave all other settings as default, and click Reserve.
Create the VPN tunnel
Now that we have a static IP address reserved, the fun part begins: creating our VPN tunnel.
From your GCP console, in the top left menu, navigate to Networking – Interconnect – VPN.
Click Create VPN connection.
This brings you to the primary menu to create your VPN tunnel. There is a lot to go over here, so let’s break it down. We will first configure our VPN gateway.
- Give the VPN connection a name; we will use ‘vpn-1’.
- Choose which VPC network to use; we will use the default network.
- Select the region in which to create your VPN connection. We are using us-central1.
- Select a reserved IP address. Note that if we reserved an IP address in a different region, it would not be accessible.
Next we need to configure the tunnel to our on-premises network that the VPN gateway will use. You can have multiple tunnels on a single VPN gateway in the same region.
- The Remote peer IP address is the IP address of your on-premises VPN router. Enter it into this field.
- Leave IKE version as IKEv2.
- Enter the shared secret; the same value must be configured on your on-premises router.
- Since we are using static routing for this demo, under routing options, choose Static and enter the on-premises network subnets that this VPN tunnel needs to access.
- Leave all other settings as default, and click Create.
After a brief delay, your Cloud VPN connection will come up and your GCP resources will then have private network access to your company’s on-premises network.
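The same procedure can be scripted with the gcloud CLI. The script below is an added example, not part of the original guide, and mirrors the console steps above for Classic VPN with static routing: reserve the regional static IP, create the VPN gateway, create the tunnel with IKEv2 and a shared secret, and add the static route to the on-premises subnet. Two things differ from the console: the ESP, UDP 500 and UDP 4500 forwarding rules that the console sets up for you must be created explicitly, and the shared secret is taken from an environment variable rather than typed into a form. The peer IP (203.0.113.10) and on-premises subnet (10.10.0.0/16) are constructed placeholders; the names vpn-tunnel, vpn-1 and us-central1 come from the guide. Every regional object uses the single REGION variable, which is the easiest way to honour the "same region as the reserved address" rule.

```shell
#!/bin/sh
# Added example (not from the original guide): gcloud equivalent of the console
# steps for a Classic VPN tunnel with static routing.
set -eu

REGION="${REGION:-us-central1}"          # one region for address, gateway, rules, tunnel
NETWORK="${NETWORK:-default}"
ADDRESS_NAME="${ADDRESS_NAME:-vpn-tunnel}"
GATEWAY_NAME="${GATEWAY_NAME:-vpn-1}"
TUNNEL_NAME="${TUNNEL_NAME:-vpn-1-tunnel-1}"
PEER_IP="${PEER_IP:-203.0.113.10}"       # placeholder: on-premises router public IP
ON_PREM_CIDR="${ON_PREM_CIDR:-10.10.0.0/16}"  # placeholder: on-premises subnet behind the tunnel
DRY_RUN="${DRY_RUN:-0}"                  # DRY_RUN=1 prints the commands instead of running them

# run: execute a command, or just print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# is_cidr: accept a.b.c.d/n with a prefix length of 0-32 (octet range not checked).
is_cidr() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# require_secret: the pre-shared key comes from the environment, never from the script.
require_secret() {
  if [ -z "${VPN_SHARED_SECRET:-}" ]; then
    echo "VPN_SHARED_SECRET is not set" >&2
    return 1
  fi
}

create_classic_vpn() {
  require_secret || return 1
  if ! is_cidr "$ON_PREM_CIDR"; then
    echo "ON_PREM_CIDR is not a CIDR: $ON_PREM_CIDR" >&2
    return 1
  fi

  # 1. Reserve the regional static IP (console: VPC Network - External IP addresses).
  run gcloud compute addresses create "$ADDRESS_NAME" --region "$REGION"
  if [ "$DRY_RUN" = 1 ]; then
    static_ip='<reserved-ip>'
    secret_arg='<redacted>'   # never echo the real key in dry-run output
  else
    static_ip=$(gcloud compute addresses describe "$ADDRESS_NAME" \
      --region "$REGION" --format='value(address)')
    secret_arg="$VPN_SHARED_SECRET"
  fi

  # 2. The VPN gateway, in the same region as the reserved address.
  run gcloud compute target-vpn-gateways create "$GATEWAY_NAME" \
    --network "$NETWORK" --region "$REGION"

  # 3. Forwarding rules that deliver IPsec traffic to the gateway:
  #    ESP (the tunnel itself), UDP 500 (IKE) and UDP 4500 (IKE through NAT).
  run gcloud compute forwarding-rules create "$GATEWAY_NAME-rule-esp" --region "$REGION" \
    --ip-protocol ESP --address "$static_ip" --target-vpn-gateway "$GATEWAY_NAME"
  run gcloud compute forwarding-rules create "$GATEWAY_NAME-rule-udp500" --region "$REGION" \
    --ip-protocol UDP --ports 500 --address "$static_ip" --target-vpn-gateway "$GATEWAY_NAME"
  run gcloud compute forwarding-rules create "$GATEWAY_NAME-rule-udp4500" --region "$REGION" \
    --ip-protocol UDP --ports 4500 --address "$static_ip" --target-vpn-gateway "$GATEWAY_NAME"

  # 4. The tunnel: remote peer IP, IKEv2, shared secret, and the on-premises
  #    subnet as the remote traffic selector.
  run gcloud compute vpn-tunnels create "$TUNNEL_NAME" --region "$REGION" \
    --target-vpn-gateway "$GATEWAY_NAME" --peer-address "$PEER_IP" \
    --ike-version 2 --shared-secret "$secret_arg" \
    --local-traffic-selector 0.0.0.0/0 --remote-traffic-selector "$ON_PREM_CIDR"

  # 5. Static route: send traffic for the on-premises subnet into the tunnel.
  run gcloud compute routes create "$TUNNEL_NAME-route" --network "$NETWORK" \
    --next-hop-vpn-tunnel "$TUNNEL_NAME" --next-hop-vpn-tunnel-region "$REGION" \
    --destination-range "$ON_PREM_CIDR"
}

# Usage: VPN_SHARED_SECRET=... PEER_IP=... ON_PREM_CIDR=... sh vpn.sh apply
# Without the "apply" argument nothing is executed.
if [ "${1:-}" = apply ]; then
  create_classic_vpn
fi
```

Run it once with DRY_RUN=1 to review the exact commands (the secret is shown as <redacted>) before applying. Note that `--shared-secret` still passes the key as a process argument, so run the script from a shell whose history and process listing you control, and rotate the key on the router side if it is ever exposed.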