This page describes how to add VPN tunnels to HA VPN or Classic VPN.
If you haven't set up your HA VPN gateway yet, see the following:
- Create an HA VPN gateway to a peer VPN gateway
- Create HA VPN gateways to connect VPC networks
- Add an HA VPN gateway to HA VPN over Cloud Interconnect
Add a tunnel from an HA VPN gateway to a peer VPN gateway
To receive a 99.99% uptime SLA, configure a tunnel on each HA VPN interface. This section includes the steps to configure additional tunnels on the interface of an HA VPN gateway.
Configure additional HA VPN tunnels in the following circumstances:
- If you configured an HA VPN gateway to a peer VPN gateway that has a single peer VPN interface.
- If you previously set up a single tunnel on an HA VPN gateway for a peer VPN gateway that contains any number of interfaces, but you now want a 99.99% uptime SLA for your HA VPN gateway.
- If you deployed HA VPN over Cloud Interconnect and you need to add HA VPN tunnels to accommodate the increased capacity of a VLAN attachment.
To configure additional HA VPN tunnels, complete the following steps.
Permissions required for this task
To perform this task, you must have been granted the following permissions or the following IAM roles.
Permissions
compute.vpnGateways.get
compute.vpnGateways.list
compute.externalVpnGateways.get
compute.externalVpnGateways.list
compute.vpnGateways.create
compute.vpnGateways.delete
compute.vpnGateways.use
compute.vpnGateways.setLabels
compute.externalVpnGateways.create
compute.externalVpnGateways.delete
compute.externalVpnGateways.use
compute.externalVpnGateways.setLabels
Roles
roles/compute.networkAdmin
Console
In the Google Cloud console, go to the VPN page.
Click Create VPN tunnel.
From the drop-down menu, select the gateway that requires the additional tunnel, and then click Continue.
Choose a Cloud Router. If you haven't configured a Cloud Router, follow the steps for creating one in the Create VPN tunnels procedure.
For Peer VPN gateway, select On-prem or Non Google Cloud.
For Peer VPN gateway name, choose the existing peer VPN gateway resource that the new tunnel will use. To check existing peer VPN gateway names for this Cloud VPN gateway, under VPN gateway name near the top of the page, click View all existing tunnels.
You might receive a warning that a tunnel with the same peer VPN gateway interface is already associated with the same local Cloud VPN gateway interface. To fix this issue, under Associated Cloud VPN gateway interface, select the other HA VPN interface.
To finish configuring the tunnel, configure the remainder of the steps as listed in the Create VPN tunnels procedure.
Add a tunnel from an HA VPN gateway to another HA VPN gateway
This section includes the steps to configure a second tunnel on the second interface of an HA VPN gateway.
If you configured one tunnel on an HA VPN gateway to another HA VPN gateway but want to receive a 99.99% uptime SLA, you must configure a second tunnel. Configure a tunnel on each HA VPN interface on each side of an HA VPN-to-HA VPN gateway configuration.
To configure a second tunnel, complete the following steps.
Permissions required for this task
To perform this task, you must have been granted the following permissions or the following IAM roles.
Permissions
compute.vpnGateways.get
compute.vpnGateways.list
compute.externalVpnGateways.get
compute.externalVpnGateways.list
compute.vpnGateways.create
compute.vpnGateways.delete
compute.vpnGateways.use
compute.vpnGateways.setLabels
compute.externalVpnGateways.create
compute.externalVpnGateways.delete
compute.externalVpnGateways.use
compute.externalVpnGateways.setLabels
Roles
roles/compute.networkAdmin
Console
In the Google Cloud console, go to the VPN page.
Find the HA VPN that you want to add the tunnel to.
Click Add VPN tunnel.
Under Peer VPN gateway, select Google Cloud.
Under Project, select a Google Cloud project that will contain the new gateway.
For VPN gateway name, choose the other HA VPN gateway that the new tunnel connects to.
Select Add the second VPN tunnel to an existing VPN tunnel for high availability.
Under Select existing VPN tunnel, make sure that the existing tunnel is selected. You can click a link to view all existing tunnels near the top of the same page.
Specify a tunnel Name.
Specify the same IKE version in use by the tunnel on the other gateway.
Specify an IKE pre-shared key by using your pre-shared key (shared secret), which must correspond with the pre-shared key for the partner tunnel that you create on your peer gateway. If you haven't configured a pre-shared key on your peer VPN gateway and want to generate one, click Generate and copy. Make sure that you record the pre-shared key in a secure location because it cannot be retrieved after you create your VPN tunnels.
Click Create and continue.
Configure and save a BGP session. Otherwise, you can do this later by following the steps in the Create BGP sessions procedure.
Check the Summary and reminder page for configuration information, and then click OK.
Add a tunnel to Classic VPN
Each Cloud VPN tunnel associated with a Classic VPN gateway must connect to a unique peer VPN gateway, as identified by the peer gateway's IP address. If you need to create a second tunnel to the same peer gateway, you must create that tunnel from a different Cloud VPN gateway.
To configure a second tunnel, complete the following steps.
Permissions required for this task
To perform this task, you must have been granted the following permissions or the following IAM roles.
Permissions
compute.vpnGateways.get
compute.vpnGateways.list
compute.externalVpnGateways.get
compute.externalVpnGateways.list
compute.vpnGateways.create
compute.vpnGateways.delete
compute.vpnGateways.use
compute.vpnGateways.setLabels
compute.externalVpnGateways.create
compute.externalVpnGateways.delete
compute.externalVpnGateways.use
compute.externalVpnGateways.setLabels
Roles
roles/compute.networkAdmin
Console
In the Google Cloud console, go to the VPN page.
Click the Google VPN gateways tab.
Click the name of an existing VPN gateway.
On the VPN gateway details page, in the Tunnels section, click Add VPN tunnel.
Supply the following information:
- In the Name field, enter a name for the tunnel.
- In the Remote peer IP address field, enter the external IP address of the peer VPN gateway.
- Choose an IKE version compatible with your peer VPN gateway.
- Provide the IKE pre-shared key (shared secret) for authentication. For suggestions, see Generate a strong pre-shared key.
- Click the appropriate Routing option:
  - To use dynamic routing, click Dynamic (BGP). On the Cloud Router menu, select or create a new Cloud Router. To define the BGP session parameters, in the BGP session field, click Edit. Each BGP IP address range for each BGP session must be unique among all Cloud Routers in all regions of a Virtual Private Cloud (VPC) network.
  - To use route-based VPN, click Route-based. In the Remote network IP ranges field, supply the ranges of IP addresses used by the peer network.
  - To use policy-based routing, click Policy-based. Supply both the Remote network IP ranges and the Local IP ranges. In the Local subnetworks menu, select IP ranges of subnets in a VPC network.
Click Create.
Complete your configuration by following the steps in Configure the peer VPN gateway.
gcloud
Follow the steps for creating a route-based VPN gateway and tunnel, but start in the section Create the Cloud VPN tunnel.
If the new tunnel has the same CIDR block, you can skip to Configure firewall rules.
Check tunnel status
After you configure an HA VPN or Classic VPN tunnel, check its status.
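A post-change check for the HA VPN procedures above, as an added example that is not part of the original page: it reads tunnel records shaped like `gcloud compute vpn-tunnels list --format=json` output and reports each HA VPN gateway that lacks an established tunnel on interface 0 or 1. The gateway and tunnel names in the sample are constructed, and the function name `audit_ha_tunnels` is hypothetical.

```python
from collections import defaultdict

GW = ("https://www.googleapis.com/compute/v1/projects/example-project"
      "/regions/us-central1/vpnGateways/")

# Constructed sample, shaped like `gcloud compute vpn-tunnels list --format=json`.
# All names are made up; only the fields the audit reads are included.
SAMPLE = [
    {"name": "tun-a0", "vpnGateway": GW + "ha-gw-a", "vpnGatewayInterface": 0, "status": "ESTABLISHED"},
    {"name": "tun-a1", "vpnGateway": GW + "ha-gw-a", "vpnGatewayInterface": 1, "status": "ESTABLISHED"},
    {"name": "tun-b0", "vpnGateway": GW + "ha-gw-b", "vpnGatewayInterface": 0, "status": "ESTABLISHED"},
    {"name": "tun-c0", "vpnGateway": GW + "ha-gw-c", "vpnGatewayInterface": 0, "status": "ESTABLISHED"},
    {"name": "tun-c1", "vpnGateway": GW + "ha-gw-c", "vpnGatewayInterface": 1, "status": "NO_INCOMING_PACKETS"},
    # Classic VPN tunnels reference targetVpnGateway and have no HA interface.
    {"name": "tun-x", "targetVpnGateway": "regions/us-central1/targetVpnGateways/classic-gw",
     "status": "ESTABLISHED"},
]


def audit_ha_tunnels(tunnels):
    """Return {gateway_name: [findings]} for HA VPN gateways that do not have
    an ESTABLISHED tunnel on both interface 0 and interface 1."""
    by_gateway = defaultdict(list)
    for tunnel in tunnels:
        if "vpnGateway" not in tunnel:  # skip Classic VPN tunnels
            continue
        name = tunnel["vpnGateway"].rsplit("/", 1)[-1]
        by_gateway[name].append(tunnel)

    findings = {}
    for name, tuns in sorted(by_gateway.items()):
        configured = {t["vpnGatewayInterface"] for t in tuns}
        established = {t["vpnGatewayInterface"] for t in tuns
                       if t.get("status") == "ESTABLISHED"}
        issues = []
        for iface in (0, 1):
            if iface not in configured:
                issues.append(f"no tunnel on interface {iface}")
            elif iface not in established:
                issues.append(f"interface {iface} has no ESTABLISHED tunnel")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for gateway, issues in audit_ha_tunnels(SAMPLE).items():
        print(gateway, "->", "; ".join(issues))
```

To run it against a real project, replace `SAMPLE` with the parsed JSON from the `gcloud` command named above.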
What's next
- To view Cloud Logging and Monitoring information, see View logs and metrics.
- To use high-availability and high-throughput scenarios or multiple subnet scenarios, see Advanced configurations.
- To help you solve common issues that you might encounter when using Cloud VPN, see Troubleshooting.