Google's external connectivity solutions enable you to connect yournon-Google Cloud networks to Google in the following ways:

• ToGoogle Cloud, which lets you accessyourVirtual Private Cloud (VPC) networks and Compute Enginevirtual machine (VM) instances from your on-premises networks or from anothercloud provider.

• Toconnect your on-premises network sites togetherthrough Cross-Site Interconnect or a Network Connectivity Center hub located inGoogle Cloud.

• ToGoogle Workspace and supported Google APIs, which lets you accessonly these products and services.

• ToCDN providers, which lets you choose supported contentdelivery providers that establish Direct Peering links with Google's edgenetwork. Choosing a provider lets you send traffic from yourVPC networks to that provider.

Try it for yourself

If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

Get started for free

Connecting to Google Cloud

When connecting to Google Cloud, you can choose among the followingGoogle Cloud networking products.

If you need to access only Google Workspace or supported Google APIs,seeConnecting to Google Workspace and Google APIs.

Product	Description
Cloud VPN and Cloud Interconnect	Provide network connectivity with Google Cloud between your on-premises network and Google Cloud, or from Google Cloud to another cloud provider. If you need a lower cost solution, have lower bandwidth needs, or you are experimenting with migrating your workloads to Google Cloud, you can choose Cloud VPN. For more information, see theCloud VPN overview If you need an enterprise-grade connection to Google Cloud that has higher throughput, you can choose Dedicated Interconnect or Partner Interconnect. If you need to connect to another cloud service provider, choose Cross-Cloud Interconnect. We recommend using Cloud Interconnect instead of Direct Peering, Carrier Peering, and Verified Peering Provider, which you would only use in certain circumstances. For a quick summary, you can compare the features of Direct Peering with Cloud Interconnect,Carrier Peering with Cloud Interconnect, andVerified Peering Provider with Cloud Interconnect.
Cloud Router	Uses the Border Gateway Protocol (BGP) to provide dynamic routing. Used with other Google Cloud connectivity solutions, such as Cloud Interconnect and Cloud VPN gateways.

For pricing, quotas, service level agreement (SLA), and release note informationfor all Network Connectivity products, see theNetwork Connectivity resources page.

For high-level architectural guides and tutorials that describe networkingscenarios for Google Cloud, see theTechnical guides for networking.

Cloud VPN

Google Cloud offers two types of Cloud VPN gateways:HA VPN and Classic VPN.

Warning: Certain Classic VPN dynamic routing functionality is deprecated. For more information, see Classic VPN dynamic routing partial deprecation.

For information about moving to HA VPN, seeMoving to HA VPN from Classic VPN.

HA VPN

HA VPN is a high-availability (HA) Cloud VPN solution that lets yousecurely connect your on-premises network to your VPC network through anIPsec VPN connection. Based on the topology and configuration,HA VPN can provide an SLA of 99.99% or 99.9% serviceavailability.

When you create an HA VPN gateway, Google Cloud automatically choosestwo external IP addresses, one for each of its interfaces. Each IP address isautomatically chosen from a unique address pool to support high availability. Each of theHA VPN gateway interfaces supports multiple tunnels. You can also createmultiple HA VPN gateways. When you delete the HA VPNgateway, Google Cloud releases the IP addresses for reuse. You can configure anHA VPN gateway with only one active interface and one external IP address;however,this configuration does not provide an availability SLA.

One option for using HA VPN is to use HA VPN over Cloud Interconnect. With HA VPN over Cloud Interconnect, you get the security of IPsec encryption from Cloud VPN alongside the increased capacity of Cloud Interconnect. In addition, because you are using Cloud Interconnect, your network traffic never traverses the public internet. If you use Partner Interconnect, you must add IPsec encryption to your Cloud Interconnect traffic to meet data security and compliance requirements when connecting to third-party providers. HA VPN uses anexternal VPN gateway resource in Google Cloud to provide information to Google Cloud about yourpeer VPN gateway or gateways.

Note: When you deploy HA VPN over Cloud Interconnect, you have the option of assigning regional internal IP addresses to HA VPN gateway interfaces. You can only use these internal IP addresses for HA VPN gateways that are associated with VLAN attachments. In all other HA VPN gateways, internal IP address assignment is not supported.

In the API documentation and ingcloud commands, HA VPNgateways are referred to asVPN gateways rather thantarget VPN gateways.You don't need to create anyforwarding rules for HA VPN gateways.

For more information, see the following resources:

• For requirements, seeHA VPN requirements.

• For Cloud VPN specifications, seeSpecifications.

• For sample topologies, seeCloud VPN topologies.

• For information about high-availability, high-throughput scenarios, ormultiple subnet scenarios, seeAdvanced configurations.

• For routing scenarios, seeActive/active and active/passive routing options for HA VPN.

• For more information about Classic VPN andHA VPN, see theCloud VPN overview.

Cloud Interconnect

Cloud Interconnect offers three options for connecting toGoogle Cloud: Dedicated Interconnect, Partner Interconnect, and Cross-Cloud Interconnect.

Dedicated Interconnect and Partner Interconnect

Network Connectivity provides two options for extending youron-premises network to your VPC networks in Google Cloud.You can create a dedicated connection (Dedicated Interconnect)or use aservice provider(Partner Interconnect) to connectto VPC networks.

When choosing between Dedicated Interconnect andPartner Interconnect, consider your connection requirements,such as the connection location and capacity.

If you can't physically meet Google's network in acolocationfacilityto reach your VPC networks, you can usePartner Interconnect to connect to service providersthat connect directly to Google:

• If you have high bandwidth needs, Dedicated Interconnect can bea cost-effective solution.
• If you require a lower bandwidth solution, Dedicated Interconnectand Partner Interconnect provide capacity optionsstarting at 50 Mbps.
• Cloud Interconnect provides access to all Google Cloud productsand services from your on-premises network except Google Workspace.
• Cloud Interconnect also allows access to supported APIs and servicesby usingPrivate Google Accessfrom on-premises hosts.

Compare Dedicated Interconnect and Partner Interconnect

The following table highlights the key differences betweenDedicated Interconnect and Partner Interconnect.

	Dedicated Interconnect	Partner Interconnect
Features	A direct connection to Google. Traffic flows directly between networks, not through the public internet. 10-Gbps or 100-Gbps circuits with flexible VLAN attachment capacities from 50 Mbps to 50 Gbps.	More points of connectivity through one of our supported service providers. Traffic flows between networks through a service provider, not through the public internet. Flexible capacities from 50 Mbps to 50 Gbps.
Service providers		Connect to supported service providers, who provide more points of connectivity compared to the colocation facilities available for Dedicated Interconnect. Work with a supported service provider. If your service provider isn't supported, or if you don't want to pass traffic through a service provider, consider Cloud VPN or Dedicated Interconnect. Compared to Dedicated Interconnect, you don't need to install and maintain routing equipment in a colocation facility.
Supported bandwidth	Scale to meet the most demanding data needs. Connection capacity is delivered over one or more 10-Gbps or 100-Gbps Ethernet circuits, with a maximum of 8 x 10-Gbps (80 Gbps) circuits, or 2 x 100-Gbps (200 Gbps) circuits for each Dedicated Interconnect connection. If your traffic doesn't require a 10-Gbps or 100-Gbps circuit, consider Cloud VPN or Partner Interconnect.	Pay only for the capacity you need, with options of 50 Mbps to 50 Gbps for each VLAN attachment. Increases in the number of VLAN attachments or increasing the capacity of an existing VLAN attachment depends on your service provider's available capacity.
Setup	Requires routing equipment in a colocation facility that supports the regions that you want to connect to.	Use any supported service provider to connect to Google.
Routing configuration	You configure BGP on your on-premises routers and Cloud Routers.	For Layer 2 connections, you configure BGP on your on-premises routers and Cloud Routers. For Layer 3 connections, the configuration of your Cloud Routers is fully automated. The configuration of your on-premises routers depends on the provider that you choose. For instructions, see their documentation.
Encryption	DeployHA VPN over Cloud Interconnect to encrypt the traffic between your network and Google's network. HA VPN over Cloud Interconnect is supported for Dedicated Interconnect.	DeployHA VPN over Cloud Interconnect to encrypt the traffic between your network and Google's network. HA VPN over Cloud Interconnect is supported for Partner Interconnect.
SLA	Google offers an end-to-end SLA for the connectivity between your VPC network and on-premises network forGoogle-defined topologies.	Google provides an SLA for the connection between Google and the service provider. Your service provider might provide an end-to-end SLA, based on theGoogle-defined topologies. For more information, contact your service provider.
Pricing	For details, see Dedicated Interconnect pricing.	Google bills you based on your VLAN attachment's capacity and egress traffic. Charges also apply to egress traffic from your VPC network to your on-premises network. In addition, your service provider might charge you to carry data across their network. For details, seePartner Interconnect pricing.

For more information, see the following resources:

• Cloud Interconnect overview
• Dedicated Interconnect overview
• Partner Interconnect overview
• Topology for production-level applications overview
• Topology for non-critical applications overview

Cross-Cloud Interconnect

If you need to connect your Google Cloud VPC network toyour network that's hosted by another cloud service provider, useCross-Cloud Interconnect. When you buyCross-Cloud Interconnect, Google provisions a dedicated physicalconnection between Google Cloud and your other cloud service provider.To satisfy the Cloud Interconnect SLA, you purchase twoconnections—a primary connection and a redundant connection—toreach another cloud.

For example, you can use a pair of Cross-Cloud Interconnectconnections to reach any of the following providers:

• Amazon Web Services
• Microsoft Azure
• Oracle Cloud Infrastructure
• Alibaba Cloud

If you want to connect to more than one cloud provider, use a different pair ofCross-Cloud Interconnect connections for each provider.

For more information, see theCross-Cloud Interconnect overview.

Cloud Router

Cloud Router is a distributed and fully managed offering that providesBorder Gateway Protocol(BGP) speaker andresponder functionality and management of Cloud NAT gateways.Cloud Router works with Cloud Interconnect,Cloud VPN, and Router appliances to createdynamicroutes in VPC networks based onBGP-received and custom-learned routes.

For more information, see theCloud Routeroverview.

Connecting your sites by using Google Cloud

Use Google Cloud to connect your sites to each other throughCross-Site Interconnect or a NCC hub.

Cross-Site Interconnect (Preview)

You can use Cross-Site Interconnect to establish reliable,high-bandwidth Layer 2 connectivity between your on-premises network sites.

After connecting your on-premises routers to Cross-Site Interconnect ports,you can configure Layer 2 connections (virtual Ethernet circuits) between yourdevices by creating a cross-site network that contains one or more wire groups.Cross-site network traffic isn't visible to or accessible by VPCnetworks in Google Cloud.

You can configure wire groups in cross-site networks with either a single-wire,redundant, or box-and-cross topology depending on your availability needs.

For more information, see theCross-Site Interconnect overview.

Network Connectivity Center

NCC supports connecting different enterprise sites outside ofGoogle Cloud by using Google's network as a wide area network (WAN).On-premises networks can consist of on-premises data centers and branch orremote offices.

NCC is a hub-and-spoke model for network connectivity managementin Google Cloud. The hub resource reduces operational complexitythrough a simple, centralized connectivity management model. The hub is pairedwith Google's network to deliver reliable connectivity on demand.

For definitions ofhub andspoke, seeHubs and spokes.

On-premises networks connect to a NCC hub by usingspokesthat have supported Google Cloud resources attached to them.

The following diagram shows a NCC hub and itsspokes. For example, a spoke can contain a VLANattachment to an on-premises branch office in regionus-east1. Another spokecan contain an attachment that connects to a Google Cloud regionnear another branch office in Europe. After the two branch offices areconfigured, they can send traffic over the hub to each other. Traffic betweenthe offices enters and exits Google's network close to each office.This traffic uses a private connection through Cloud VPN orCloud Interconnect.

• For a list of supported Google Cloud resources that you can attach tospokes, seeSpoke resource types.
• For general information about NCC, see theNCC overview.

Router appliance

Router appliance is an alternative way of enabling connectivity betweensites outside of Google Cloud through a NCC hub.You peer your Router appliance with Cloud Router to provide thisconnectivity.

You can install an image from your vendor of choice onto one or more VMs thatact as Router appliance instances, or you can choose a supported vendorfrom Google Cloud Marketplace.

You associate your Router appliance instance with a NCCRouter appliance spoke, which you attach to a NCC hub.

Cloud Router uses interfaces configured with private IP addresses toestablish BGP peering with Router appliance instances. In that way, youestablish routes among all locations.

For more information, see theRouter appliance overview.

Connecting to Google Workspace and Google APIs

If you need access to only Google Workspace or supported Google APIs,you have the following options:

• You can useDirect Peering to directly connect (peer) withGoogle Cloud at a Google edge location.
• You can useCarrier Peering to peer with Google by connectingthrough a support provider, which in turn peers with Google.

Verified Peering Provider

Verified Peering Provider lets you reach all publicly available Google Cloud resources through an internet service provider, without the need to directly peer with Google. Verified Peering Provider is a simple alternative to Direct Peering. Verified Peering Providers manage all aspects of the Direct Peering arrangements with Google.

The Verified Peering Provider program identifies a group of internet serviceproviders (ISPs) that have demonstrated diverse and reliable connectivityto Google. ISPs in the Verified Peering Provider program areawarded a Verified Peering Provider badge in one of two tiers, silver or gold, basedsolely on technical criteria related to their connectivity depth with Google.

Verified Peering Providers must adhere to guidelines that minimize latency changes toour customers during network outages, such as redundant and physically diverseconnectivity to Google's network.

Providers must also have up-to-date operational contacts to help ensure quicktroubleshooting when network issues arise. Google periodically validatesenrolled providers against the program requirements to help ensure our customerscontinue to have a high-quality experience.

Considerations

Google recommends connecting through a Verified Peering Provider to reach publiclyavailable Google Cloud resources.

Verified Peering Providers offer a variety of internet services designed forenterprises, ranging from business-class internet access to high-bandwidth IPaddress transit. Google customers can choose a provider that best suits theirneeds. When viewing the list of Verified Peering Providers, you can see where eachVerified Peering Provider connects to Google, and understand in what markets theyoffer services.

When you use a Verified Peering Provider, you don't need to meet Google's Direct Peeringrequirements and can work directly with a provider to obtain internet services.

Features

Verified Peering Providers offer the following features:

• Simplified connectivity
  • No need to meet Google's peering requirements
  • Leave the complexities of peering arrangements to the Verified Peering Providers
  • Spend less time deploying and managing the technical complexities of the Direct Peering arrangement
  • Acquire IP address transit or dedicated internet access from a Verified Peering Provider and let the Verified Peering Provider handle the peering with Google
• High availability
  • Google badge verifies redundant connectivity to Google
  • Gold badge indicates metro redundancy; silver indicates points of presence (PoPs) redundancy
  • For redundant connectivity details, seeGoogle Edge Network
• Enterprise grade connectivity
  • Connect to Google through internet products designed for enterprises
  • Access Google with or without the need for border gateway protocol (BGP) or an autonomous system number (ASN)
  • Work directly with internet service provider (ISP) customer services teams and operational escalations
• Dedicated private Google connectivity
  • All Google connectivity is through private dedicated fiber optics
  • Leverage the same Google fibers that carry all Google services
• Access all Google services
  • Access to Google Cloud services includes Google Workspace, Cloud APIss, Cloud VPN, public IP addresses, Network Service Tiers, and more
  • Any Google service that is reachable over the internet can be used with a Verified Peering Provider

Compare Verified Peering Provider and Cloud Interconnect

The following table describes the differences between Verified Peering Provider andCloud Interconnect.

Verified Peering Provider	Cloud Interconnect
Does not require Google Cloud.	Requires Google Cloud.
No need to meet Google's Direct Peering requirements.	Doesnot provide access to Google Workspace, but provides access to all other Google Cloud products and services from your on-premises network. Also allows access to supported APIs and services by usingPrivate Google Access from on-premises hosts.
Connects to Google's edge network through a Verified Peering Provider.	Provides direct access to VPC network resources that have only internal IP addresses.
Has no setup or maintenance costs.	Has maintenance costs; seepricing.
Verified Peering Providers are required to have diverse and redundant connectivity to Google.	Connects to Google's edge network.
Verified Peering Providers are required to have updated outage contacts on file, and dual IPv4 or IPv6 connectivity.	Uses Google Cloud resources, such as Cloud Interconnect connections, VLAN attachments, and Cloud Routers.
View where each Verified Peering Provider has connectivity to Google.	To change the destination IP address ranges for your on-premises network, adjust the routes that your routers share with Cloud Routers in your project.
Verified Peering Providers exclusively connect to Google over private network interconnections (PNI). Routes to your on-premises network don't appear in any VPC network of your Google Cloud project.	Routes to your on-premises network are learned by Cloud Routers in your project and applied ascustom dynamic routes in your VPC network.
Does not provide direct access to VPC network resources that have only internal IP addresses.	Google offers an end-to-end SLA for the connectivity between your VPC network and on-premises network forGoogle-defined topologies.

For more information, see theVerified Peering Provider overview.

Direct Peering

Direct Peering enables you to establish a directpeering connection between your business network and Google's edge network and exchange high-throughput cloud traffic.

This capability is available at any of more than 100 locations in 33 countriesaround the world. For more information about Google's edge locations, seeGoogle's peering site.

When established, Direct Peering provides a direct path from your on-premisesnetwork to Google services, including Google Cloud products thatcan be exposed through one or more public IP addresses. Traffic from Google'snetwork to your on-premises network also takes that direct path, includingtraffic from VPC networks in your projects.

Direct Peering exists outside of Google Cloud. Unless you need to access Google Workspace applications, the recommended methods of access to Google Cloud areDedicated Interconnect orPartner Interconnect.

Compare Direct Peering and Cloud Interconnect

The following table describes the differences between Direct Peering andCloud Interconnect.

Direct Peering	Cloud Interconnect
Can be used by Google Cloud—for example, to access VMs through Cloud VPN—but does not require it.	Requires Google Cloud.
Provides direct access from your on-premises network to Google Workspace and Google APIs for the full suite of Google Cloud products.	Doesnot provide access to Google Workspace, but provides access to all other Google Cloud products and services from your on-premises network. Also allows access to supported APIs and services by usingPrivate Google Access from on-premises hosts.
Doesnot provide direct access to VPC network resources that have only internal IP addresses.	Provides direct access to VPC network resources that have only internal IP addresses.
Has no setup or maintenance costs.	Has maintenance costs; seepricing.
Connects to Google's edge network.	Connects to Google's edge network.
Does not use any Google Cloud resources; configuration is opaque to Google Cloud projects.	Uses Google Cloud resources, such as Interconnect connections, VLAN attachments, and Cloud Routers.
To change the destination IP address ranges for your on-premises network, contact Google.	To change the destination IP address ranges for your on-premises network, adjust the routes that your routers share with Cloud Routers in your project.
Routes to your on-premises network don't appear in any VPC network of your Google Cloud project.	Routes to your on-premises network are learned by Cloud Routers in your project and applied ascustom dynamic routes in your VPC network.
Google does not offer a service level agreement (SLA) with Direct Peering.	Google offers an end-to-end SLA for the connectivity between your VPC network and on-premises network forGoogle-defined topologies.

For more information, see theDirect Peering overview.

Carrier Peering

Carrier Peering enables you to access Google applications, such as Google Workspace, byusing aservice providerto obtain enterprise-grade network services that connect your infrastructure to Google.

When connecting to Google through a service provider, you can get connections with higheravailability and lower latency, using one or more links. Work with your service provider to get theconnection that you need.

When to use Carrier Peering

The following example describes a common use case for Carrier Peering.

To access Google Workspace applications from an on-premises network, an organization mightneed a perimeter network to reach Google's network. The perimeter networkenables organizations to expose an isolated subnetwork to the public internet instead of theirentire network. Instead of setting up and maintaining a perimeter network, the organization can workwith a service provider so that their traffic travels on a dedicated link from their systems toGoogle. With the dedicated link, the organization gets a higher availability and lower latencyconnection to Google's network.

Unless you need to access Google Workspace applications as described in the preceding usecase,Partner Interconnect is the recommended way to connect to Google through a serviceprovider. To choose a product, see theConsiderations section and thetable that comparesCarrier Peering with Cloud Interconnect.

Considerations

Review the following considerations to decide if Carrier Peering meets your needs:

• Carrier Peering exists outside of Google Cloud. Instead of Carrier Peering, the recommended methods of access to Google Cloud arePartner Interconnect, which uses a service provider, or Dedicated Interconnect, which provides a direct connection to Google.
• If used with Google Cloud, Carrier Peering doesn't produce any custom routes in a VPC network. Traffic sent from resources in a VPC network leaves by way of a route whose next hop is either adefault internet gateway (a default route, for example) or a Cloud VPN tunnel.
• To send traffic through Carrier Peering by using a route whose next hop is aCloud VPN tunnel, the IP address of your on-premises network's VPN gateway must be in your configured destination range.

Compare Carrier Peering and Cloud Interconnect

The following table describes the differences between Carrier Peering andCloud Interconnect.

Carrier Peering	Cloud Interconnect
Can be used by Google Cloud, but does not require it.	Requires Google Cloud.
Gives you direct access from your on-premises network through a service provider's network to Google Workspace and to Google Cloud products that can be exposed through one or more public IP addresses.	Doesnot give you access to Google Workspace, but gives you access to all other Google Cloud products from your on-premises network. Also allows access to supported APIs and products by usingPrivate Google Access from on-premises hosts.
Has service provider costs.	Has maintenance costs; seepricing.
Connects to Google's edge network through a service provider.	Connects to Google's edge network.
Does not use any Google Cloud resources; configuration is opaque to Google Cloud projects.	Uses Google Cloud resources, such as Interconnect connections, VLAN attachments, and Cloud Routers.
To change the destination IP address ranges for your on-premises network, contact Google.	To change the destination IP address ranges for your on-premises network, adjust the routes that your routers share with Cloud Routers in your project.
Routes to your on-premises network don't appear in any VPC network of your Google Cloud project.	Routes to your on-premises network are learned by Cloud Routers in your project and applied ascustom dynamic routes in your VPC network.
Google does not offer a service level agreement (SLA) with Carrier Peering. If you are interested in an SLA, we recommend consulting with your network service provider to determine whether that provider might offer an SLA.	Google offers an end-to-end SLA for the connectivity between your VPC network and on-premises network forGoogle-defined topologies.

For more information, see theCarrier Peering overview.

Connecting to CDN providers

CDN Interconnect

CDN Interconnect enables select third-party Content Delivery Network (CDN) providersto establish direct peering links with Google's edge network at various locations, which enables youto direct your traffic from your Virtual Private Cloud (VPC) networks to a provider's network.

CDN Interconnect enables you to optimize your CDN population costs and usedirect connectivity to select CDN providers from Google Cloud.

Your network traffic egressing from Google Cloud through one of these links benefits fromthe direct connectivity to supported CDN providers and is billed automatically with reducedpricing.

Setting up CDN Interconnect

If your CDN provider is already part of the program, you don't have to do anything. Traffic fromsupported Google Cloud locations to your CDN provider automatically takes advantage of thedirect connection and reduced pricing.

Work with your supported CDN provider to learn what locations are supported and how to correctly configure your deployment to use intra-region egress routes. CDN Interconnect does not require any configuration or integration with Cloud Load Balancing.

If your CDN provider is not part of the program, contact your CDN provider and ask them to work with Google to get connected.

Typical use cases for CDN Interconnect

• High-volume egress traffic. If you're populating your CDN with large data files from Google Cloud, you can use the CDN Interconnect links between Google Cloud and selected providers to automatically optimize this traffic and save money.

• Frequent content updates. Cloud workloads that frequently update data stored in CDN locations benefit from using CDN Interconnect because the direct link to the CDN provider reduces latency for these CDN destinations.

  For example, if you have frequently updated data served by the CDN originally hosted on Google Cloud, you might consider using CDN Interconnect.

For information about pricing and service providers, see theCDN Interconnect overview.

What's next

• Network Connectivity key terms