Cloud VPN securely connects your peer network to your Virtual Private Cloud (VPC) network through an IPsec VPN connection.

Cloud VPN

  • Site-to-Site VPN.
  • IKEv1 and IKEv2 cipher support.
  • Does not support client-to-gateway (dial-in) VPN, where individual computers connect using client software.
  • MTU on-prem should not be more than 1460 bytes (due to encryption and encapsulation of packets).
    • Maximum Transmission Unit is the largest packet supported by the network layer protocol.
    • Since the packet is encrypted and encapsulated, and the result must fit inside the MTU of the outer packet, the inner MTU must be smaller.
    • Configure your peer VPN gateway to use an MTU of no greater than 1460 bytes.
    • A value of 1460 bytes is recommended because it matches the default MTU setting for Google Cloud virtual machine (VM) instances.

VPN Topology

                 |< -----encrypted ------->|
[On prem network] ======= [internet] ======= [Cloud VPN gateway]
  external IP                                 GCP regional 
       |                                       external IP         
       |                                           |
    On prem                                        |
    subnets                                        \ --> GCP resources [us-west1]
                                                   |
                                                   \ --> GCP resources [us-east1]

Dynamic routing with Cloud Router.

  • To create dynamic routes we need to use Cloud Router.
  • Cloud Router routes traffic dynamically using BGP.
  • Routes/subnets can be updated without many changes.
  • New networks are propagated over the BGP session.
  • To automatically propagate network configuration changes, the VPN tunnel uses Cloud Router to establish a BGP session between the VPC and the on-premises VPN gateway, which must support BGP.
                                                                        Peer Network    
            GCP                                                        [169.254.1.2]    
   -----[Google VPN Network] ===============[internet]===============[Peer Gateway]---> [Rack 1]
   |                     |                ^             |                 |   |     |---> [Rack 2]
   |                [Cloud router]--------^             ------------------/   |     |---> [Rack 3]   
   |                    | [169.254.1.1]                                       |      \   
   |                    |.................link local IP......................./        \ ------> [Rack 4 **new** subnet]                     
   \-> [test]
   \-> [prod]
   \-> [staging **new**]

Note: 169.254.0.0/16 addresses are not part of either network;
they are used only to establish the BGP session.

Types of VPN gateways.

  1. HA VPN
  2. Classic VPN

HA VPN

  • HA VPN is highly available Cloud VPN.
  • Lets you connect your on-prem network to your VPC using an IPsec VPN connection in a single region.
  • HA VPN has a 99.99% SLA.
  • Creates two interfaces, each with its own external IP.
  • IP addresses are chosen automatically.
  • Each HA VPN gateway interface supports multiple tunnels.

Google image. Cloud VPN

Classic VPN

  • Has a single interface.
  • Tunnels use dynamic BGP or static routing.
  • 99.9% SLA.

Example gcloud commands for creating a Classic VPN.

We are creating a VPN between two VPC networks, one in a US region and one in a Europe region.

Reserving the static external IP addresses.

# vpn-1-static-ip 
gcloud compute addresses create vpn-1-static-ip --project=my-learning-project --region=us-central1

# vpn-2-static-ip 
gcloud compute addresses create vpn-2-static-ip --project=my-learning-project --region=europe-west1

Creating hybrid connectivity (Classic VPN).

[VPN-1]---to--->[VPN-2]

# Create Gateway
gcloud compute target-vpn-gateways create vpn-1 --project=my-learning-project --region=us-central1 --network=vpn-network-1

# FWD Rules us --> europe 
gcloud compute forwarding-rules create vpn-1-rule-esp --project=my-learning-project --region=us-central1 --address=35.193.28.250 --ip-protocol=ESP --target-vpn-gateway=vpn-1
# FWD Rules us --> europe
gcloud compute forwarding-rules create vpn-1-rule-udp500 --project=my-learning-project --region=us-central1 --address=35.193.28.250 --ip-protocol=UDP --ports=500 --target-vpn-gateway=vpn-1
# FWD Rules us --> europe
gcloud compute forwarding-rules create vpn-1-rule-udp4500 --project=my-learning-project --region=us-central1 --address=35.193.28.250 --ip-protocol=UDP --ports=4500 --target-vpn-gateway=vpn-1

# Creating VPN Tunnel 
gcloud compute vpn-tunnels create tunnel1to2 --project=my-learning-project --region=us-central1 --peer-address=35.241.141.161 --shared-secret=gcprocks --ike-version=2 --local-traffic-selector=0.0.0.0/0 --remote-traffic-selector=0.0.0.0/0 --target-vpn-gateway=vpn-1

# Creating route
gcloud compute routes create tunnel1to2-route-1 --project=my-learning-project --network=vpn-network-1 --priority=1000 --destination-range=10.1.3.0/24 --next-hop-vpn-tunnel=tunnel1to2 --next-hop-vpn-tunnel-region=us-central1

[VPN-2]---to--->[VPN-1]

# Create Gateway
gcloud compute target-vpn-gateways create vpn-2 --project=my-learning-project --region=europe-west1 --network=vpn-network-2

# FWD Rules europe --> us
gcloud compute forwarding-rules create vpn-2-rule-esp --project=my-learning-project --region=europe-west1 --address=35.241.141.161 --ip-protocol=ESP --target-vpn-gateway=vpn-2
# FWD Rules europe --> us
gcloud compute forwarding-rules create vpn-2-rule-udp500 --project=my-learning-project --region=europe-west1 --address=35.241.141.161 --ip-protocol=UDP --ports=500 --target-vpn-gateway=vpn-2
# FWD Rules europe --> us
gcloud compute forwarding-rules create vpn-2-rule-udp4500 --project=my-learning-project --region=europe-west1 --address=35.241.141.161 --ip-protocol=UDP --ports=4500 --target-vpn-gateway=vpn-2

# Creating VPN Tunnel 
gcloud compute vpn-tunnels create tunnel2to1 --project=my-learning-project --region=europe-west1 --peer-address=35.193.28.250 --shared-secret=gcprocks --ike-version=2 --local-traffic-selector=0.0.0.0/0 --remote-traffic-selector=0.0.0.0/0 --target-vpn-gateway=vpn-2

# Creating route
gcloud compute routes create tunnel2to1-route-1 --project=my-learning-project --network=vpn-network-2 --priority=1000 --destination-range=10.5.4.0/24 --next-hop-vpn-tunnel=tunnel2to1 --next-hop-vpn-tunnel-region=europe-west1
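The notes above fix several parameters a tunnel must satisfy: a peer MTU of no more than 1460, IKEv2, BGP addresses from 169.254.0.0/16 that belong to neither network, and two external IPs for HA VPN versus one for Classic VPN. The pre-flight check below is an added example, not code from these notes or from Google; the TunnelPlan structure and the 16-character secret threshold are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

PEER_MTU_MAX = 1460                                      # notes: peer MTU <= 1460 bytes
BGP_LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # BGP session addresses only
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class TunnelPlan:
    """Planned tunnel parameters (hypothetical structure, not a gcloud resource)."""
    name: str
    peer_mtu: int                 # MTU configured on the peer (on-prem) gateway
    ike_version: int
    shared_secret: str
    local_bgp_ip: str             # Cloud Router interface, e.g. 169.254.1.1
    peer_bgp_ip: str              # peer gateway BGP address, e.g. 169.254.1.2
    vpc_subnets: list[str]        # ranges reachable through the tunnel
    ha_vpn: bool                  # True for HA VPN, False for Classic VPN
    gateway_external_ips: list[str] = field(default_factory=list)


def check_plan(plan: TunnelPlan) -> list[str]:
    """Return findings for the plan; an empty list means every check passed."""
    findings = []
    if plan.peer_mtu > PEER_MTU_MAX:
        findings.append(f"peer MTU {plan.peer_mtu} > {PEER_MTU_MAX}: encapsulated packets will fragment")
    if plan.ike_version != 2:
        findings.append(f"IKE version {plan.ike_version} configured, use IKEv2")
    if len(plan.shared_secret) < 16:  # constructed threshold, not a Google Cloud limit
        findings.append("shared secret shorter than 16 characters")
    local = ipaddress.ip_address(plan.local_bgp_ip)
    peer = ipaddress.ip_address(plan.peer_bgp_ip)
    for label, ip in (("local", local), ("peer", peer)):
        if ip not in BGP_LINK_LOCAL:
            findings.append(f"{label} BGP address {ip} is outside 169.254.0.0/16")
    if local == peer:
        findings.append("local and peer BGP addresses are identical")
    for cidr in plan.vpc_subnets:
        net = ipaddress.ip_network(cidr)
        if not any(net.subnet_of(p) for p in RFC1918):
            findings.append(f"{cidr} is not an RFC 1918 range")
        if local in net or peer in net:  # 169.254.x must belong to neither network
            findings.append(f"BGP address inside advertised subnet {cidr}")
    expected = 2 if plan.ha_vpn else 1
    if len(plan.gateway_external_ips) != expected:
        findings.append(f"{'HA' if plan.ha_vpn else 'Classic'} VPN expects {expected} "
                        f"external IP(s), got {len(plan.gateway_external_ips)}")
    return findings
```

Run check_plan on each planned tunnel before issuing the gcloud commands; the external IPs in a plan are the addresses reserved in the first step.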

Cloud Interconnect and Peering.

  • Layer 3 - Direct Peering (dedicated), Carrier Peering (shared).
    • Cloud VPN
    • Connectivity to Google Workspace and other Google services.
  • Layer 2 - Dedicated Interconnect (dedicated), Partner Interconnect (shared).
    • Provides a direct connection to the Google network.
    • Connections use a VLAN that pipes directly into your GCP environment, providing connectivity to internal IP addresses in the RFC 1918 address space.

Dedicated Interconnect

Google Platform                                                              ---       
[My-network]                      ------|                                    | On prem
(my Project)                            |                                    |    
   |                                    |     ______________________         |
   |                                    |    | (zone1)              |        |  (local link addr)    [192.168.0.0/24]    
   \-> [Compute] <--- [Cloud Router] ---|--->|[Google] Peering Edge]|        |   [On Prem] ---------->[User 1]         |  
    (10.128.0.2)      169.254.10.1      |    |______________________|        |  169.254.10.2   |--------->[User 2]     |  
                                        |                   ^                |__  ^ ___________________________________|          
                                  ------|                   |                     |
                                                            \--my-interconnect---/     
                                            |_____________________________________________________|                      
                                                                Co-location
  • Physical connection between the on-prem and GCP networks.
  • Cross connection to the Google network from a router in a co-location facility.
  • BGP session between the Cloud Router and the on-prem router (using the link-local IPs).
  • The networks have to meet in a co-location facility.
  • If we are not near any co-location facility then we need to go with Partner Interconnect.

Partner Interconnect

Google Platform                                                              ------------------- \   /----------   
[My-network]                                                    --------|    | Service provider  |  | On Prem network 
(my Project)                                                            |    |                   |  |            
   |                                         ______________________     |    |                   |  |         |-> subnet|   
   |                                        | (zone1)              |    |    |  (local link addr)|  |  [BGP]  |         |   
   \-> [Compute] <--- [Cloud Router] ------>|[Google] Peering Edge]|----|----|   [On Prem] ---------->[On Prem router]  |  
    (10.128.0.2)      169.254.10.1          |______________________|    |    |  169.254.10.2     |  |     ^             |  
                            ^                                     _____/     | __ _______________/  \___  | ___________ |
                            |                                                                             |
                            |                                                                             |
                            |_____________________________________________________________________________|                      
                                                                BGP
  • Connects to the Google network in a partner facility.
  • Our router connects to the partner's peering edge.
  • Establishes a BGP session with the Cloud Router and connects to the GCP project network.

Comparison: VPN, Dedicated Interconnect, Partner Interconnect

Connection               Provides               Capacity             Requirements                        Access type
IPsec VPN                Encrypted VPC tunnel   1.5-3 Gbps           On-prem VPN gateway                 Internal IP address
Dedicated Interconnect   Direct connection      10 to 100 Gbps       Connection in a co-location*        Internal IP address
Partner Interconnect     Dedicated bandwidth    50 Mbps to 10 Gbps   Connection in a partner location*   Internal IP address

Peering

  • Direct peering.
    • Direct Peering enables you to establish a direct peering connection between your business network and Google’s edge network and exchange high-throughput cloud traffic.
    • When established, Direct Peering provides a direct path from your on-premises network to Google services, including Google Cloud products that can be exposed through one or more public IP addresses.
  • Carrier peering.
    • Carrier Peering enables you to access Google applications, such as Google Workspace, by using a service provider to obtain enterprise-grade network services that connect your infrastructure to Google. [https://cloud.google.com/network-connectivity/docs/carrier-peering]

Comparing peering.

Connection        Provides                                  Capacity                       Requirements                   Access type
Direct Peering    Dedicated connection to Google network    10 Gbps                        Connection to POPs             Public IP
Carrier Peering   Peering through a service provider        Based on the service provider  Service provider               Public IP

Which connection?

Interconnect (direct access to the VPC, with SLA): Dedicated Interconnect / Partner Interconnect / Cloud VPN
Peering (no SLA): Direct Peering and Carrier Peering

Shared VPC Networks / VPC Network Peering

  • Shared VPC spans multiple projects within an organization.
    • Multiple projects can connect resources between them.
    • This allows all the resources to communicate with each other across different projects.
    • Efficient, as it uses internal IP addresses (traffic stays within GCP).
    • Same organization only.
  • VPC Network Peering allows private interconnection between projects of the same org or of different organizations.
    • Shares RFC 1918 connectivity across two VPC networks.
    • Regardless of the project/org they belong to.
    • It is a peering from A -> B and B -> A, as below. [Active]
    • Internal IP addresses.

Shared VPC

                   ______
[On Prem]----\    | Shared VPC            /-----------> [Other services] project1
             |    |            |---------/
             ---->|----->[Web Application] -------> [Database]project2
             |    |            |
[Clients]----/    |            \------------> [Analytics]project3   
                  |______

VPC Peering

              private IP
|  VPC A| ---------------->|      |
|       | <----------------| VPC B|
