Skip to content

Instantly share code, notes, and snippets.

@thesaravanakumar

thesaravanakumar/cloud_vpn.md

Last active September 29, 2022 03:33
Show Gist options
  • Save thesaravanakumar/70d025964b775f379bda375889a23790 to your computer and use it in GitHub Desktop.
Save thesaravanakumar/70d025964b775f379bda375889a23790 to your computer and use it in GitHub Desktop.
Download ZIP
Short overview for cloud vpn (GCP)
Raw
cloud_vpn.md

Cloud VPN (site to site)

image

Cloud VPN securely connects your peer network to your VPC network through an IPsec VPN connection. Traffic traveling between the two networks is encrypted and decrypted by VPN gateway.

Features

  • useful for low-volume data connections
  • 99.9% SLA (availability)
  • supports
    • site-to-site VPN
    • static routes
    • dynamic routes (cloud router)
    • IKEv1 and IKEv2 ciphers (pre-shared)
    • Uses Encapsulated Security Payload (ESP) in tunnel mode with authentication.

Note: ESP Authentication Headers (AH) or ESP in Transport mode are not supported.

Performance

  • Each VPN has a maximum throughput of 3Gbps.
  • Maximum transmission unit or MTU for your on-premises VPN gateway cannot be greater than 1,460 bytes because (small packets = lesser throughput) and for Encapsulating Security Payload (ESP) overhead it should be less than 1460.
  • For ingress and egress, the recommended maximum packet rate for each Cloud VPN tunnel is 250,000 (more tunnels = high rate)

Cloud VPN Components

Types of Cloud VPN

There are two types of Cloud VPN gateways:

  • Classic VPN
  • HA VPN

Classic VPN

  • Classic VPN gateways have a single interface, a single external IP address, and support tunnels that use dynamic (BGP) or static routing (policy-based or route-based).
  • Classic VPN provides an SLA of 99.9% service availability.
  • Classic VPN would be deprecated
  • Do not support IPv6

static

Need an external IPs, tunnels, gateways for a single project. (Total = 2IPs, 2tunnels, 2gateways)

image image (1) image (2)

Remember you used route-based so if you add an another instance in a new subnet it will not be pinged/connected. You need to add routes for the newly added instance so this is why dynamic routing comes in.

dynamic

HA VPN

On-premises hosts communicate through one or more IPsec VPN tunnels to Compute Engine virtual machine (VM) instances in your project's Virtual Private Cloud (VPC) networks.

ha-vpn-gcp-to-on-prem-2-a Screenshot 2022-09-29 at 8 15 14 AM

Need 2 external IPs, 2 tunnels, 2 gateways for a single project. (Total = 4 IPs, 4 tunnels, 4 gateways)

image image (1) image (2)

Classic VPN vs HA VPN

Feature HA VPN Classic VPN
SLA Provides a 99.99% SLA when configured with two interfaces and two external IP addresses. Provides a 99.9% SLA.
Creation of external IP addresses and forwarding rules External IP addresses created from a pool; no forwarding rules required. External IP addresses and forwarding rules must be created.
Supported routing options Only dynamic routing (BGP). Static routing (policy-based, route-based). Dynamic routing is only supported for tunnels that connect to third-party VPN gateway software running on Google Cloud VM instances.
Two tunnels from one Cloud VPN gateway to the same peer gateway Supported Not supported
API resources Known as the vpn-gateway resource. Known as the target-vpn-gateway resource.
IPv6 traffic Supported in Preview (IPv4 and IPv6 configuration) Not supported

Active/active and active/passive routing options for HA VPN

  • If a Cloud VPN tunnel goes down, it restarts automatically.
  • If an entire virtual VPN device fails, Cloud VPN automatically instantiates a new one with the same configuration.
  • The new gateway and tunnel connect automatically.

Depending on the way that you configure route priorities for HA VPN tunnels, you can create an active/active or active/passive routing configuration. For both of these routing configurations, both VPN tunnels remain active.

Feature Active/active Active/passive
Throughput The effective aggregate throughput is the combined throughput of both tunnels. After reducing from two active tunnels to one, the effective overall throughput is cut in half, which can result in slower connectivity or dropped packets.
Route advertisement Peer gateway advertises the peer network’s routes with identical MED values for each tunnel. Egress traffic sent to the peer network uses equal-cost multipath (ECMP) routing. Peer gateway advertises the peer network’s routes with different MED values for each tunnel. Egress traffic sent to the peer network uses the route with the highest priority, as long as the associated tunnel is available. Peer gateway can only use the tunnel with the highest priority to send traffic to Google Cloud.
Failover If one tunnel becomes unavailable, Cloud Router withdraws the learned custom dynamic routes whose next hops are the unavailable tunnel. This withdrawal process can take up to 40 seconds, during which packet loss is expected. Uses a maximum of one tunnel at a time so that the second tunnel is able to handle all your egress bandwidth if the first tunnel fails and needs to be failed over.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment