Cloud VPN securely connects your peer network to your Virtual Private Cloud (VPC) network through an IPsec VPN connection.
Cloud VPN
- Site-to-site VPN.
- IKEv1 and IKEv2 cipher support.
- Does not support client (dial-in) VPN, where individual computers connect using VPN client software.
- The on-prem MTU should be no more than 1460 bytes, because packets are encrypted and encapsulated.
  - The Maximum Transmission Unit (MTU) is the largest packet supported by the network-layer protocol.
  - Since the encrypted and encapsulated packet must fit inside the MTU of the outer packet, the inner MTU has to be smaller.
  - Configure your peer VPN gateway to use an MTU of no greater than 1460 bytes.
  - 1460 bytes is recommended because it matches the default MTU of Google Cloud virtual machine (VM) instances.
VPN Topology
                         |<------- encrypted ------->|
[On-prem network] ======= [internet] ======= [Cloud VPN gateway]
    external IP                              GCP regional external IP
        |                                            |
  On-prem subnets                                    |--> GCP resources [us-west1]
                                                     \--> GCP resources [us-east1]
Dynamic routing with Cloud Router.
- To create dynamic routes we need to use Cloud Router.
- Cloud Router exchanges routes with the peer using BGP.
- Routes/subnets can be updated without many changes.
- New networks are propagated to the peer over the BGP session.
- To propagate network configuration changes automatically, the VPN tunnel uses Cloud Router to establish a BGP session between the VPC and the on-premises VPN gateway, which must support BGP.
GCP                                                                   Peer Network
[Google VPN Network] ==============[internet]============== [Peer Gateway] ---> [Rack 1]
   |       ^                                                      ^      |---> [Rack 2]
   |   [Cloud router]                                             |      |---> [Rack 3]
   |   169.254.1.1 ......... link-local BGP session ......... 169.254.1.2 \---> [Rack 4 **new** subnet]
   \-> [test]
   \-> [prod]
   \-> [staging **new**]
Note: the link-local addresses from 169.254.0.0/16 are not part of either network; they are only used to establish the BGP session.
Types of VPN gateways.
- HA VPN
- Classic VPN
HA VPN
- HA VPN is Highly Available Cloud VPN.
- Lets you connect your on-prem network to your VPC using an IPsec VPN connection in a single region.
- HA VPN has a 99.99% SLA.
- Creates two external IP addresses, one for each interface.
- The IP addresses are chosen automatically.
- Each HA VPN gateway interface supports multiple tunnels.
Classic VPN
- Has single interface.
- Tunnels use dynamic BGP or static routing.
- 99.9% SLA.
Example Commands using gcloud
Reserving the static external IP addresses for the two gateways.
We are connecting two VPC networks, one in a US region and one in a Europe region (the networks vpn-network-1 and vpn-network-2 used below already exist).
Creating the regional static IP addresses.
# vpn-1-static-ip
gcloud compute addresses create vpn-1-static-ip --project=my-learning-project --region=us-central1
# vpn-2-static-ip
gcloud compute addresses create vpn-2-static-ip --project=my-learning-project --region=europe-west1
Creating hybrid connectivity with Classic VPN.
[VPN-1]---to--->[VPN-2]
# Create Gateway
gcloud compute target-vpn-gateways create vpn-1 --project=my-learning-project --region=us-central1 --network=vpn-network-1
# Forwarding rule us --> europe: ESP (the encrypted payload)
gcloud compute forwarding-rules create vpn-1-rule-esp --project=my-learning-project --region=us-central1 --address=35.193.28.250 --ip-protocol=ESP --target-vpn-gateway=vpn-1
# Forwarding rule us --> europe: UDP 500 (IKE)
gcloud compute forwarding-rules create vpn-1-rule-udp500 --project=my-learning-project --region=us-central1 --address=35.193.28.250 --ip-protocol=UDP --ports=500 --target-vpn-gateway=vpn-1
# Forwarding rule us --> europe: UDP 4500 (IKE/ESP with NAT traversal)
gcloud compute forwarding-rules create vpn-1-rule-udp4500 --project=my-learning-project --region=us-central1 --address=35.193.28.250 --ip-protocol=UDP --ports=4500 --target-vpn-gateway=vpn-1
# Creating the VPN tunnel (IKEv2; both tunnels must use the same shared secret, and a long random one should replace the demo value)
gcloud compute vpn-tunnels create tunnel1to2 --project=my-learning-project --region=us-central1 --peer-address=35.241.141.161 --shared-secret=gcprocks --ike-version=2 --local-traffic-selector=0.0.0.0/0 --remote-traffic-selector=0.0.0.0/0 --target-vpn-gateway=vpn-1
# Creating route
gcloud compute routes create tunnel1to2-route-1 --project=my-learning-project --network=vpn-network-1 --priority=1000 --destination-range=10.1.3.0/24 --next-hop-vpn-tunnel=tunnel1to2 --next-hop-vpn-tunnel-region=us-central1
[VPN-2]---to--->[VPN-1]
# Create Gateway
gcloud compute target-vpn-gateways create vpn-2 --project=my-learning-project --region=europe-west1 --network=vpn-network-2
# Forwarding rule europe --> us: ESP
gcloud compute forwarding-rules create vpn-2-rule-esp --project=my-learning-project --region=europe-west1 --address=35.241.141.161 --ip-protocol=ESP --target-vpn-gateway=vpn-2
# Forwarding rule europe --> us: UDP 500 (IKE)
gcloud compute forwarding-rules create vpn-2-rule-udp500 --project=my-learning-project --region=europe-west1 --address=35.241.141.161 --ip-protocol=UDP --ports=500 --target-vpn-gateway=vpn-2
# Forwarding rule europe --> us: UDP 4500 (IKE/ESP with NAT traversal)
gcloud compute forwarding-rules create vpn-2-rule-udp4500 --project=my-learning-project --region=europe-west1 --address=35.241.141.161 --ip-protocol=UDP --ports=4500 --target-vpn-gateway=vpn-2
# Creating the VPN tunnel back to vpn-1 (same IKE version and shared secret as tunnel1to2)
gcloud compute vpn-tunnels create tunnel2to1 --project=my-learning-project --region=europe-west1 --peer-address=35.193.28.250 --shared-secret=gcprocks --ike-version=2 --local-traffic-selector=0.0.0.0/0 --remote-traffic-selector=0.0.0.0/0 --target-vpn-gateway=vpn-2
# Creating route
gcloud compute routes create tunnel2to1-route-1 --project=my-learning-project --network=vpn-network-2 --priority=1000 --destination-range=10.5.4.0/24 --next-hop-vpn-tunnel=tunnel2to1 --next-hop-vpn-tunnel-region=europe-west1
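As an added example that is not part of these notes, here is the us-central1 side of the same two-network setup built with HA VPN, Cloud Router and BGP (the dynamic routing described above) instead of Classic VPN static routes; the europe-west1 side mirrors it. The gateway, router and tunnel names, the ASNs 65001/65002, the link-local /30 and the --peer-gcp-gateway-region flag for the cross-region peer are assumptions; the project, regions and network names come from the notes.

```shell
#!/bin/sh
# Added example: HA VPN side 1 (us-central1) with Cloud Router and BGP.
# Assumed names: ha-vpn-1/ha-vpn-2, router-1, ASNs 65001/65002, link-local 169.254.0.0/30.
# The peer side (europe-west1, vpn-network-2, ASN 65002, ha-vpn-2) mirrors these steps.
PROJECT=my-learning-project
REGION=us-central1
NETWORK=vpn-network-1
GATEWAY=ha-vpn-1
PEER_GATEWAY=ha-vpn-2      # HA VPN gateway created the same way in europe-west1
PEER_REGION=europe-west1
ROUTER=router-1
LOCAL_ASN=65001
PEER_ASN=65002
BGP_LOCAL=169.254.0.1      # this side of the /30, used only for the BGP session
BGP_PEER=169.254.0.2       # peer side of the /30
TUNNEL=tunnel-1-to-2-if0

# Print the command (DRY_RUN=1, the default) or execute it (DRY_RUN=0).
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then echo "gcloud $*"; else gcloud "$@"; fi
}
# BGP session addresses must come from the link-local range 169.254.0.0/16.
check_link_local() {
  case "$1" in 169.254.*) return 0 ;; *) return 1 ;; esac
}
# 32 random bytes as hex, instead of a guessable word such as "gcprocks".
new_shared_secret() {
  od -An -tx1 -N32 /dev/urandom | tr -d ' \n'
}

ha_vpn_side1() {
  check_link_local "$BGP_LOCAL" && check_link_local "$BGP_PEER" || return 1
  secret=${SHARED_SECRET:-$(new_shared_secret)}
  run compute vpn-gateways create "$GATEWAY" --project="$PROJECT" --region="$REGION" --network="$NETWORK"
  run compute routers create "$ROUTER" --project="$PROJECT" --region="$REGION" --network="$NETWORK" --asn="$LOCAL_ASN"
  # One tunnel on interface 0; a second tunnel on interface 1 is required for the 99.99% SLA.
  run compute vpn-tunnels create "$TUNNEL" --project="$PROJECT" --region="$REGION" \
    --vpn-gateway="$GATEWAY" --interface=0 --peer-gcp-gateway="$PEER_GATEWAY" \
    --peer-gcp-gateway-region="$PEER_REGION" --router="$ROUTER" --ike-version=2 --shared-secret="$secret"
  # Cloud Router interface bound to the tunnel, addressed from the link-local /30.
  run compute routers add-interface "$ROUTER" --project="$PROJECT" --region="$REGION" \
    --interface-name="if-$TUNNEL" --ip-address="$BGP_LOCAL" --mask-length=30 --vpn-tunnel="$TUNNEL"
  # BGP peer: the other side's link-local address and ASN.
  run compute routers add-bgp-peer "$ROUTER" --project="$PROJECT" --region="$REGION" \
    --peer-name="peer-$TUNNEL" --interface="if-$TUNNEL" --peer-ip-address="$BGP_PEER" --peer-asn="$PEER_ASN"
}

ha_vpn_side1
```

Run with DRY_RUN=0 (and the europe-west1 mirror) once both gateways exist; the dry run prints the generated secret, so review it on a trusted terminal only.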
Cloud Interconnect and Peering.
- Layer 3 - Direct Peering (dedicated), Carrier Peering (shared)
  - Cloud VPN
  - Connectivity to Google Workspace (G Suite) and other Google services.
- Layer 2 - Dedicated Interconnect (dedicated), Partner Interconnect (shared).
  - Provides a direct connection to the Google network.
  - Connections use a VLAN that pipes directly into your GCP environment, providing connectivity to internal IP addresses in the RFC 1918 address space.
Dedicated Interconnect
Google Cloud (my project)               Co-location facility                         On prem
[My-network]                            ______________________
   \-> [Compute] <--- [Cloud Router] -->| [Google peering edge]|<--- [On-prem router] -------> [User 1]
      (10.128.0.2)    169.254.10.1      |       (zone1)        |       169.254.10.2    |------> [User 2]
                           \____________|______________________|__________/           [192.168.0.0/24]
                                 my-interconnect: BGP over the link-local addresses
Co-location
- Physical connection between the on-prem and GCP networks.
- Cross connection to the Google network from your router in a co-location facility.
- BGP between the Cloud Router and the on-prem router (using the link-local IPs).
- The networks have to meet in a co-location facility.
- If we are not near any co-location facility, we need to use Partner Interconnect.
Partner Interconnect
Google Cloud (my project)               Service provider                        On prem network
[My-network]                            ______________________
   \-> [Compute] <--- [Cloud Router] -->| [Google peering edge]|---[Partner edge]---[On-prem router] --> subnets
      (10.128.0.2)    169.254.10.1      |       (zone1)        |                     169.254.10.2
                           \____________|______________________|________ BGP session (link-local) ___/
- Connect to the Google network in a partner facility.
- Our router connects to the partner's peering edge.
- A BGP session to the Cloud Router connects it to the GCP project network.
Comparison of VPN, Dedicated Interconnect and Partner Interconnect

| Connection | Provides | Capacity | Requirements | Access type |
|---|---|---|---|---|
| IPsec VPN | Encrypted connection to the VPC | 1.5-3 Gbps | On-prem VPN gateway | Internal IP addresses |
| Dedicated Interconnect | Direct connection | 10 to 100 Gbps | Connection in a co-location facility* | Internal IP addresses |
| Partner Interconnect | Dedicated bandwidth | 50 Mbps to 10 Gbps | Connection in a partner location* | Internal IP addresses |
Peering
- Direct Peering.
  - Direct Peering enables you to establish a direct peering connection between your business network and Google's edge network and exchange high-throughput cloud traffic.
  - When established, Direct Peering provides a direct path from your on-premises network to Google services, including Google Cloud products that can be exposed through one or more public IP addresses.
- Carrier Peering.
  - Carrier Peering enables you to access Google applications, such as Google Workspace, by using a service provider to obtain enterprise-grade network services that connect your infrastructure to Google. [https://cloud.google.com/network-connectivity/docs/carrier-peering]
Compare Peering.
| Connection | Provides | Capacity | Requirements | Access type |
|---|---|---|---|---|
| Direct Peering | Dedicated connection to the Google network | 10 Gbps | Connection to Google POPs | Public IP |
| Carrier Peering | Peering through a service provider | Depends on the service provider | Service provider | Public IP |
Which connection to choose

| Interconnect (direct access to the VPC, with SLA) | Peering (no SLA) |
|---|---|
| Dedicated Interconnect / Partner Interconnect / Cloud VPN | Direct Peering and Carrier Peering |
Shared VPC Networks / VPC Network Peering
- Shared VPC spans multiple projects within one organization.
  - Lets multiple projects connect resources between them.
  - All the resources can communicate with each other across the projects.
  - Efficient, as it uses internal IP addresses (traffic stays within GCP).
  - Same organization only.
- VPC Network Peering allows private connectivity between projects in the same organization or in different organizations.
  - Shares RFC 1918 connectivity across two VPC networks, regardless of the project/organization they belong to.
  - Peering is configured on both sides, A -> B and B -> A, as shown below (Active).
  - Uses internal IP addresses.
Shared VPC
                       ________________________________________________
[On Prem]----\        |  Shared VPC                                    |
              |------>|  [Web Application] --------> [Database]        | project2
[Clients]----/        |          |------------------> [Other services]  | project1
                      |          \------------------> [Analytics]       | project3
                      |________________________________________________|
VPC Peering
                   private IP
| VPC A | ----------------> |       |
|       | <---------------- | VPC B |