Create a Classic VPN connection to a remote site  |  Google Cloud (2024)

Console

1. Go to the Reserve a static address page.

   Go to Reserve a static address

2. Choose a name for the new address.

3. Specify whether it is an IPv4 or IPv6 address. IPv6addresses can only be global and can only be used with global loadbalancers.

4. Specify whether this IP address is regional or global. If you arereserving a static IP address for an instance or for a regionalload balancer, choose Regional. If you are reserving a static IPaddress for a global load balancer, choose Global.

5. If this is a regional IP address, select the region to create the addressin.

6. Optional: Select a resource to attach to the IP address.

7. Click Reserve to reserve the IP address.

gcloud

To reserve a static external IP address using gcloud compute, use thecompute addresses create command.

To reserve a global IP address, use the --global and--ip-version fields. For the --ip-version field, specify either IPV4 or IPV6. IPv6 addresses can only be global and can only be used with global load balancers.

Replace the ADDRESS_NAME with the name forthis address.

gcloud compute addresses create ADDRESS_NAME \ --global \ --ip-version [IPV4 | IPV6]

To reserve a regional IP address, use the --region field:

gcloud compute addresses create ADDRESS_NAME \ --region=REGION

Replace the following:

• ADDRESS_NAME: the name for thisaddress.
• REGION: the region in which to reserve this address.This region should be the same region as the resource to which the IPaddress is assigned. All regional IP addresses are IPv4.

Use the compute addresses describe commandto view the result:

gcloud compute addresses describe ADDRESS_NAME

API

To create a regional IPv4 address, call theregional addresses.insert method:

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/addresses

Your request body should contain the following:

{ "name": "ADDRESS_NAME"}

Replace the following:

• ADDRESS_NAME: the name of the address
• REGION: the name of the region for this request
• PROJECT_ID: the project ID for this request

For global static IPv4 addresses, call theglobalAddresses.insert method:

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/addresses

Your request body should contain the following:

{ "name": "ADDRESS_NAME"}

For global static IPv6 addresses, call theglobalAddresses.insert method:

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/addresses

Your request body should contain the following:

{ "name": "ADDRESS_NAME", "ipVersion": "IPV6"}

Use the addresses.get methodto see the result.

Terraform

You can use a Terraformmodule to create an external IP address.

In the following example, the Terraform arguments have example values thatyou can change. The example creates three regional external IPv4 addresses.

module "address" { source = "terraform-google-modules/address/google" version = "~> 4.0" project_id = var.project_id # Replace this with your service project ID in quotes region = "europe-west1" address_type = "EXTERNAL" names = [ "regional-external-ip-address-1", "regional-external-ip-address-2", "regional-external-ip-address-3" ]}

The following example creates a global external IPv6 address:

resource "google_compute_global_address" "default" { project = var.project_id # Replace this with your service project ID in quotes name = "ipv6-address" address_type = "EXTERNAL" ip_version = "IPV6"}

Console

1. Go to the VM instances page.
   Go to VM instances
2. Click Create instance.
3. In Boot disk, ensure that you have selected a Linux image; for example,Debian GNU/Linux.
4. Click Networking, Disks, Security, Management, Sole-tenancy
5. Click Networking.
6. For IP forwarding, select Enable.
7. Specify any other instance parameters.
8. Click Create.

gcloud

When you create an instance using gcloud, add the --can-ip-forward flag toyour command:

gcloud compute instances create ... --can-ip-forward

API

When you create an instance, use the canIpForward field to enable IPforwarding.

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances{ "canIpForward": true, ...other fields}

Replace the following:

• PROJECT_ID: the ID of the project where your instance iscreated.
• ZONE: the Google Cloud zone where the instance iscreated.

For more information, refer to theinstances.insertmethod.

Terraform

You can use the Terraformresource to create a VM instance with IP forwarding enabled.

In this example, the Terraform arguments have assigned values that you canchange.

resource "google_compute_instance" "default" { project = var.project_id # Replace this with your project ID in quotes zone = "southamerica-east1-b" name = "instance-next-hop" machine_type = "e2-medium" boot_disk { initialize_params { image = "debian-cloud/debian-9" } } network_interface { network = "default" } can_ip_forward = true}

Console

1. Go to the Routes page in the Google Cloud console.
   Go to Routes
2. Click Create route.
3. Specify a Name and a Description for the route.
4. Select an existing Network where the route will apply.
5. Specify a Destination IP range to define the destination of the route.
6. Specify a Priority for the route. A priority is only used toto determine routing order if routes have equivalent destinations.See Route parameters for more details.
7. To make the route applicable only to instances with matchingnetwork tags, specify those in the Instance tags field. Leave thefield blank to make the route applicable to all instances in the network,or if you select an internal TCP/UDP load balancer as the route's nexthop. Network tags don't apply to routes that have an internal TCP/UDPload balancer as a next hop.

8. Select a Next hop for the route:

   • Specify an instance allows you to select an instance by name.Traffic will be routed to that instance (or any replacement instancewith the same name in the same zone) even if its IP address changes.
   • Specify IP address allows you to enter an IP address of anexisting instance in the VPC network. Refer toNext hops and features for importantrestrictions on valid next hop IP addresses.

9. Click Create.

gcloud

Create a new static route:

gcloud compute routes create ROUTE_NAME \ --destination-range=DESTINATION_RANGE \ --network=NETWORK \ NEXT_HOP_SPECIFICATION

Replace the placeholders:

• ROUTE_NAME is the name of the route.
• DESTINATION_RANGE represents the destination IP addresses towhich this route will apply. The broadest possible destination is 0.0.0.0/0.
• NETWORK is the name of the VPC network that willcontain the route.
• NEXT_HOP_SPECIFICATION represents the next hop for the staticroute. You must specify only one of the following as a next hop. For moreinformation about the different types of next hops, see Next hops andfeatures.
  • --next-hop-instance=INSTANCE_NAME and--next-hop-instance-zone=ZONE: Use this next hop todirect traffic to an existing VM instance by name and zone. Traffic issent to the primary internal IP address for the VM's network interfacelocated in the same network as the route.
  • --next-hop-address=ADDRESS: Use this next hop to directtraffic to the IP address of an existing VM instance.

To make the static route only apply to select VMs by network tag, addthe --tags flag and specify one or more network tags. For moreinformation about how network tags and static routes work together,see Applicable routes. You can usetags with any static route.

See the SDK documentationfor additional information about the gcloud syntax.

API

Create a new static route.

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/routes{ "destRange": "DESTINATION_RANGE", "name": "ROUTE_NAME", "network": "NETWORK_NAME", "priority": PRIORITY, "NEXT_HOP_SPECIFICATION": VALUE}

Replace the placeholders:

• PROJECT_ID is the ID of the project where your route iscreated.
• DESTINATION_RANGE represents the destination IP addresses towhich this route will apply. The broadest possible destination is0.0.0.0/0.
• ROUTE_NAME a name for the route.
• NETWORK_NAME is the name of the VPC network thatwill contain the route.
• The VALUE for the NEXT_HOP_SPECIFICATION representsthe next hop for the static route. ForNEXT_HOP_SPECIFICATION, you must specify only one of thefollowing next-hop fields: nextHopIp,nextHopInstance. For moreinformation about the different types of next hops and features, seeNext hops and features.

For more information, refer to theroutes.insert method.

Terraform

You can create a static route by using aTerraform module.

This static route creates a default route to the internet.

module "google_compute_route" { source = "terraform-google-modules/network/google//modules/routes" version = "~> 9.0" project_id = var.project_id # Replace this with your project ID in quotes network_name = "default" routes = [ { name = "egress-internet" description = "route through IGW to access internet" destination_range = "0.0.0.0/0" tags = "egress-inet" next_hop_internet = "true" } ]}

Console

Configure the gateway

1. In the Google Cloud console, go to the VPN page.

   Go to VPN

2. If you are creating a gateway for the first time, clickCreate VPN connection.

3. Select the VPN setup wizard.

4. Select the Classic VPN option button.

5. Click Continue.

6. On the Create a VPN connection page, specify the following gatewaysettings:

   • Name: The name of the VPN gateway. The name cannot bechanged later.
   • Description: Optionally, add a description.
   • Network: Specify an existing VPC networkin which to create the VPN gateway and tunnel.
   • Region: Cloud VPN gateways and tunnels areregional objects. Choose a Google Cloudregion where the gateway will belocated. Instances and other resources in different regions can usethe tunnel for egress traffic subject to the order ofroutes.For best performance, locate the gateway and tunnel in the same regionas relevant Google Cloud resources.
   • IP address: Create or choose an existing regional externalIP address.

Configure tunnels

1. For the new tunnel, in the Tunnels section, specify the followingsettings:

   • Name: The name of the VPN tunnel. The name cannot bechanged later.
   • Description: Optionally, type a description.
   • Remote peer IP address: Specify the external IP address of thepeer VPN gateway.
   • IKE version: Choose the appropriate IKE version supportedby the peer VPN gateway. IKEv2 is preferred if it'ssupported by the peer device.
   • IKE pre-shared key: Provide a pre-shared key (shared secret) used forauthentication. The pre-shared key for the Cloud VPN tunnelmust match the one used when you configure the counterpart tunnel onthe peer VPN gateway. To generate a cryptographically strongpre-shared key, followthese directions.
   • Select policy-based tunnels
   • Under Routing options, select Policy-based.
   • Under Remote network IP ranges, provide a space-separated list ofthe IP address ranges used by the local traffic on the on-premisesVPN setup.
   • In the Local IP ranges field, enter the external IP address rangethat you created earlier with a subnet prefix /32.
   • Click Done.
   • Click Create.

gcloud

To create a Cloud VPN gateway, complete the following commandsequence. In the commands, replace the following:

• PROJECT_ID: the ID of your project
• NETWORK: the name of your Google Cloud network
• REGION: the Google Cloudregion where you create thegateway and tunnel
• GW_NAME: the name of the gateway
• GW_IP_NAME: a name for the external IP address usedby the gateway
• Optional: The --target-vpn-gateway-region is the region of theClassic VPN gateway to operate on. Its value shouldbe the same as --region. If not specified, this option isautomatically set. This option overrides the default compute/regionproperty value for this command invocation.

Configure the gateway resources

1. Create the target VPN gateway object:

   gcloud compute target-vpn-gateways create GW_NAME \ --network=NETWORK \ --region=REGION \ --project=PROJECT_ID

2. Reserve a regional external (static) IP address:

   gcloud compute addresses create GW_IP_NAME \ --region=REGION \ --project=PROJECT_ID

3. Note the IP address (so you can use it when you configure yourpeer VPN gateway):

   gcloud compute addresses describe GW_IP_NAME \ --region=REGION \ --project=PROJECT_ID \ --format='flattened(address)'

4. Create three forwarding rules; these rules instructGoogle Cloud to send ESP (IPsec), UDP 500, and UDP 4500traffic to the gateway:

   gcloud compute forwarding-rules create fr-GW_NAME-esp \ --load-balancing-scheme=EXTERNAL \ --network-tier=PREMIUM \ --ip-protocol=ESP \ --address=GW_IP_NAME \ --target-vpn-gateway=GW_NAME \ --region=REGION \ --project=PROJECT_ID

   gcloud compute forwarding-rules create fr-GW_NAME-udp500 \ --load-balancing-scheme=EXTERNAL \ --network-tier=PREMIUM \ --ip-protocol=UDP \ --ports=500 \ --address=GW_IP_NAME \ --target-vpn-gateway=GW_NAME \ --region=REGION \ --project=PROJECT_ID

   gcloud compute forwarding-rules create fr-GW_NAME-udp4500 \ --load-balancing-scheme=EXTERNAL \ --network-tier=PREMIUM \ --ip-protocol=UDP \ --ports=4500 \ --address=GW_IP_NAME \ --target-vpn-gateway=GW_NAME \ --region=REGION \ --project=PROJECT_ID

Create the Cloud VPN tunnel

1. In the commands, replace the following:

   • TUNNEL_NAME: a name for the tunnel
   • ON_PREM_IP: the external IP address of the peerVPN gateway
   • IKE_VERS: 1 for IKEv1 or 2 for IKEv2
   • SHARED_SECRET: your pre-shared key (sharedsecret). The pre-shared key for the Cloud VPN tunnelmust match the one used when you configure the counterpart tunnel onthe peer VPN gateway. To generate a cryptographically strongpre-shared key, followthese directions.

   For policy-based VPN:

   • LOCAL_IP_RANGES: a comma-delimited list of theGoogle Cloud IP address ranges. For example, you can supplythe CIDR block for each subnet in a VPC network. Thisis the left side from the perspective of Cloud VPN.
   • REMOTE_IP_RANGES: a comma-delimited list of thepeer network IP address ranges. This is the right side fromthe perspective of Cloud VPN.

   To configure a policy-based VPN tunnel, run the following command:

   gcloud compute vpn-tunnels create TUNNEL_NAME \ --peer-address=ON_PREM_IP \ --ike-version=IKE_VERS \ --shared-secret=SHARED_SECRET \ --local-traffic-selector=LOCAL_IP_RANGES \ --remote-traffic-selector=REMOTE_IP_RANGES \ --target-vpn-gateway=GW_NAME \ --region=REGION \ --project=PROJECT_ID

   For route-based VPN, both the local and remote traffic selectors are0.0.0.0/0 as defined in routing options and trafficselectors.

   To configure a route-based VPN tunnel, run the following command:

   gcloud compute vpn-tunnels create TUNNEL_NAME \ --peer-address=ON_PREM_IP \ --ike-version=IKE_VERS \ --shared-secret=SHARED_SECRET \ --local-traffic-selector=0.0.0.0/0 \ --remote-traffic-selector=0.0.0.0/0 \ --target-vpn-gateway=GW_NAME \ --region=REGION \ --project=PROJECT_ID

2. Create a static route for each remote IP address range that you specified in the--remote-traffic-selector option in the previous step. Repeat thiscommand for each remote IP address range. Replace ROUTE_NAMEwith a unique name for the route, and replaceREMOTE_IP_RANGE with the appropriate remote IPaddress range.

   gcloud compute routes create ROUTE_NAME \ --destination-range=REMOTE_IP_RANGE \ --next-hop-vpn-tunnel=TUNNEL_NAME \ --network=NETWORK \ --next-hop-vpn-tunnel-region=REGION \ --project=PROJECT_ID