Cloud VPN (site to site)
Cloud VPN securely connects your peer network to your VPC network through an IPsec
VPN connection. Traffic traveling between the two networks is encrypted and decrypted by VPN gateway.
- useful for low-volume data connections
- 99.9% SLA (availability)
- supports
- site-to-site VPN
- static routes
- dynamic routes (cloud router)
- IKEv1 and IKEv2 ciphers (pre-shared)
- Uses Encapsulated Security Payload (ESP) in tunnel mode with authentication.
Note: ESP Authentication Headers (AH) or ESP in Transport mode are not supported.
- Each VPN has a maximum throughput of
3Gbps
. - Maximum transmission unit or MTU for your on-premises VPN gateway cannot be greater than
1,460 bytes
because (small packets = lesser throughput) and for Encapsulating Security Payload (ESP) overhead it should be less than 1460. - For ingress and egress, the recommended maximum packet rate for each Cloud VPN tunnel is
250,000
(more tunnels = high rate)
There are two types of Cloud VPN gateways:
- Classic VPN
- HA VPN
- Classic VPN gateways have a single interface, a single external IP address, and support tunnels that use dynamic (BGP) or static routing (policy-based or route-based).
- Classic VPN provides an SLA of 99.9% service availability.
- Classic VPN would be deprecated
- Do not support IPv6
Remember you used route-based so if you add an another instance in a new subnet it will not be pinged/connected. You need to add routes for the newly added instance so this is why dynamic routing comes in.
On-premises hosts communicate through one or more IPsec VPN tunnels to Compute Engine virtual machine (VM) instances in your project's Virtual Private Cloud (VPC) networks.
Feature | HA VPN | Classic VPN |
---|---|---|
SLA | Provides a 99.99% SLA when configured with two interfaces and two external IP addresses. | Provides a 99.9% SLA. |
Creation of external IP addresses and forwarding rules | External IP addresses created from a pool; no forwarding rules required. | External IP addresses and forwarding rules must be created. |
Supported routing options | Only dynamic routing (BGP). | Static routing (policy-based, route-based). Dynamic routing is only supported for tunnels that connect to third-party VPN gateway software running on Google Cloud VM instances. |
Two tunnels from one Cloud VPN gateway to the same peer gateway | Supported | Not supported |
API resources | Known as the vpn-gateway resource. | Known as the target-vpn-gateway resource. |
IPv6 traffic | Supported in Preview (IPv4 and IPv6 configuration) | Not supported |
- If a Cloud VPN tunnel goes down, it restarts automatically.
- If an entire virtual VPN device fails, Cloud VPN automatically instantiates a new one with the same configuration.
- The new gateway and tunnel connect automatically.
Depending on the way that you configure route priorities for HA VPN tunnels, you can create an active/active or active/passive routing configuration. For both of these routing configurations, both VPN tunnels remain active.
Feature | Active/active | Active/passive |
---|---|---|
Throughput | The effective aggregate throughput is the combined throughput of both tunnels. | After reducing from two active tunnels to one, the effective overall throughput is cut in half, which can result in slower connectivity or dropped packets. |
Route advertisement | Peer gateway advertises the peer network’s routes with identical MED values for each tunnel. Egress traffic sent to the peer network uses equal-cost multipath (ECMP) routing. |
Peer gateway advertises the peer network’s routes with different MED values for each tunnel. Egress traffic sent to the peer network uses the route with the highest priority , as long as the associated tunnel is available. Peer gateway can only use the tunnel with the highest priority to send traffic to Google Cloud. |
Failover | If one tunnel becomes unavailable, Cloud Router withdraws the learned custom dynamic routes whose next hops are the unavailable tunnel. This withdrawal process can take up to 40 seconds , during which packet loss is expected. |
Uses a maximum of one tunnel at a time so that the second tunnel is able to handle all your egress bandwidth if the first tunnel fails and needs to be failed over. |