GCP Cloud VPN

Hello everyone. In this documentation, we will discuss hybrid connectivity and a Cloud VPN implementation. In Google Cloud Platform, different applications and workloads require different network connectivity solutions. For that reason, Google supports various connectivity options to your infrastructure. These services can be separated into dedicated connections and shared connections: Direct Peering, Carrier Peering, Dedicated Interconnect, Cloud VPN and Partner Interconnect. You can get additional information from this link: https://cloud.google.com/hybrid-connectivity.
In this implementation, I am going to configure VPN gateways between two networks, and Cloud Routers will be used as well. At the end of the configuration we will verify internal communication between the two networks (the Google Cloud side and the on-prem side). Before moving on to the Cloud Router configuration steps, let's build our VPC networks, instances and firewall rules.
Let's start with the VPC configuration. Go to VPC networks and create a custom VPC.
Name — google-cloud-vpc

Let's create the on-prem custom VPC.
Name — equinix-data-center
Click Done, then click the Create button.
Finally, for testing purposes we need to allow ICMP, and SSH will be needed to access the VM instances. Consequently, let's create our firewall rules.
We are very close to the Cloud VPN creation steps. There is one more thing we have to create: VM instances. As you know, it's pretty simple.
Because this is a test environment, I choose the f1-micro machine type and assign each VM instance to the proper VPC network.
name — web-server-cloud
machine type — f1-micro
region — us-west1
zone — us-west1-b
network — google-cloud-vpc
subnetwork — web-server-subnet
name — application-server-on-prem
machine type — f1-micro
region — us-east1
zone — us-east1-b
network — equinix-data-center
subnetwork — application-server-subnet
For testing purposes, if you ping the application server's internal IP address from the web server, you will observe 100% packet loss. Let's test it.
It's time to create the Cloud VPN connectivity. Let's do it step by step. From the dashboard go to Networking -> Hybrid Connectivity -> Cloud Routers and click the Create router button.
Name — google-cloud-router
Network — google-cloud-vpc
Region — us-west1
Google ASN — 65001
Create an on-prem router.
Name — equinix-data-center-router
Network — equinix-data-center
Region — us-east1
Google ASN — 65002
For each router, we need a static IP address. For that reason, let's do some reservations. Go to VPC networks and click on External IP addresses. At the top of the page, click the Reserve static address button and fill in the required fields.
Name — google-cloud-router-external
Region — us-west1
Click the Reserve button.
Name — equinix-data-center-router-external
Region — us-east1
Click the Reserve button.
Let's take note of these public IP addresses because we are going to use them soon.
equinix-data-center-router-external — 35.243.213.42
google-cloud-router-external — 35.227.150.249
Now we can create a VPN connection. Go to Networking -> Hybrid Connectivity -> VPN and create a VPN connection. Select Classic VPN and continue.
Name — vpn-1-cloud
Network — google-cloud-vpc
Region — us-west1
IP address — google-cloud-router-external (35.227.150.249)
Tunnels
name — vpn-1-tunnel-1-cloud
Remote peer IP address — 35.243.213.42
IKE pre-shared key — cloudvpn@
Routing options — Dynamic (BGP)
Cloud Router — google-cloud-router
Click the pencil icon right next to the BGP session.
Name — bgp-cloud-to-on-prem
Peer ASN — 65002
Let's do the same configuration on the on-prem side.
Name — vpn-1-equinix-on-prem
Network — equinix-data-center
Region — us-east1
IP address — equinix-data-center-router-external (35.243.213.42)
Tunnels
name — vpn-1-tunnel-1-on-prem
Remote peer IP address — 35.227.150.249
IKE pre-shared key — cloudvpn@
Routing options — Dynamic (BGP)
Cloud Router — equinix-data-center-router
Click the pencil icon right next to the BGP session.
Name — bgp-on-prem-to-cloud
Peer ASN — 65001
After we complete each side's configuration, the BGP session and the tunnel come up.
In addition, if you check the Dynamic section of the VPC routes, the web and app subnets are being exchanged, and the web and app servers can ping each other's internal IP addresses. Furthermore, if you create an additional VM instance in a new subnet on either side, that new subnet will automatically be advertised via BGP.
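The same build, scripted with gcloud instead of the console, as an added example that is not part of the original post. It assumes the two VPCs, their subnets and the firewall rules already exist, PROJECT is a placeholder, and the 169.254.x.x BGP addresses are constructed values (Cloud Router needs a link-local /30 pair per tunnel); it also generates a random pre-shared key rather than a short guessable one, and by default only prints the commands (DRY_RUN=1).

```shell
#!/bin/sh
# Added example, not from the original post: the same Classic VPN + Cloud Router +
# BGP build as gcloud commands. Assumes both VPCs, subnets and firewall rules exist.
# PROJECT is a placeholder; the 169.254.x.x BGP addresses are constructed values
# (Cloud Router needs a link-local /30 pair per tunnel). DRY_RUN=1 prints only.
set -eu
PROJECT="${PROJECT:-my-project-id}"
DRY_RUN="${DRY_RUN:-1}"
run() { if [ "$DRY_RUN" = 1 ]; then echo "gcloud $*"; else gcloud "$@"; fi; }

# Random 32-byte pre-shared key; both tunnel ends must be given the same value.
gen_psk() { head -c 32 /dev/urandom | base64 | tr -d '\n'; }

# router NAME NETWORK REGION ASN ; address NAME REGION (static external IP)
router()  { run compute routers create "$1" --network="$2" --region="$3" --asn="$4" --project="$PROJECT"; }
address() { run compute addresses create "$1" --region="$2" --project="$PROJECT"; }

# side GATEWAY NETWORK REGION ADDRESS PEER_IP ROUTER PEER_ASN BGP_NAME LOCAL_BGP_IP PEER_BGP_IP PSK
# Creates the gateway, the ESP/IKE forwarding rules, an IKEv2 tunnel bound to the
# router (dynamic routing), then the BGP interface and peer on that Cloud Router.
side() {
  gw=$1; net=$2; reg=$3; addr=$4; peer=$5; rtr=$6; pasn=$7; bgp=$8; lip=$9; pip=${10}; psk=${11}
  run compute target-vpn-gateways create "$gw" --network="$net" --region="$reg" --project="$PROJECT"
  for p in esp udp500 udp4500; do
    case $p in esp) proto="--ip-protocol=ESP" ;; udp500) proto="--ip-protocol=UDP --ports=500" ;;
               *)   proto="--ip-protocol=UDP --ports=4500" ;; esac
    run compute forwarding-rules create "$gw-$p" --region="$reg" $proto --address="$addr" \
        --target-vpn-gateway="$gw" --project="$PROJECT"
  done
  run compute vpn-tunnels create "$gw-tunnel-1" --region="$reg" --peer-address="$peer" \
      --shared-secret="$psk" --ike-version=2 --router="$rtr" --target-vpn-gateway="$gw" --project="$PROJECT"
  run compute routers add-interface "$rtr" --interface-name="$bgp-if" --vpn-tunnel="$gw-tunnel-1" \
      --ip-address="$lip" --mask-length=30 --region="$reg" --project="$PROJECT"
  run compute routers add-bgp-peer "$rtr" --peer-name="$bgp" --interface="$bgp-if" \
      --peer-asn="$pasn" --peer-ip-address="$pip" --region="$reg" --project="$PROJECT"
}

# Both ends, with the names, regions, ASNs and static IPs used in the post.
build_all() {
  psk=$(gen_psk)
  router google-cloud-router google-cloud-vpc us-west1 65001
  router equinix-data-center-router equinix-data-center us-east1 65002
  address google-cloud-router-external us-west1
  address equinix-data-center-router-external us-east1
  side vpn-1-cloud google-cloud-vpc us-west1 google-cloud-router-external 35.243.213.42 \
       google-cloud-router 65002 bgp-cloud-to-on-prem 169.254.0.1 169.254.0.2 "$psk"
  side vpn-1-equinix-on-prem equinix-data-center us-east1 equinix-data-center-router-external \
       35.227.150.249 equinix-data-center-router 65001 bgp-on-prem-to-cloud 169.254.0.2 169.254.0.1 "$psk"
}
build_all
```

Run with DRY_RUN=0 once the printed commands look right; the static address must be reserved before the forwarding rules that reference it, which is the order build_all uses.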
I hope this documentation is helpful for you. Thanks for reading.
Author — Kamil Rasulov CCIE#53983
Comment (1)
Anonymus
Awesome post! Keep up the great work! 🙂