Cloud VPN overview
This page describes concepts related to Cloud VPN. For definitions of terms used in the Cloud VPN documentation, see Key terms.
Cloud VPN securely extends your peer network to your Virtual Private Cloud (VPC) network through an IPsec VPN connection. The VPN connection encrypts traffic traveling between the networks: each VPN gateway encrypts the traffic it sends into the tunnel and decrypts the traffic it receives from it, so your data is protected in transit. You can also connect two VPC networks together by connecting two Cloud VPN gateways. You cannot use Cloud VPN to route traffic to the public internet; it is designed for secure communication between private networks.
Choose a hybrid networking solution
To determine whether to use Cloud VPN, Dedicated Interconnect, Partner Interconnect, or Cloud Router as your hybrid networking connection to Google Cloud, see Choosing a Network Connectivity product.
Try it for yourself
If you're new to Google Cloud, create an account to evaluate how Cloud VPN performs in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
Types of Cloud VPN
Google Cloud offers two types of Cloud VPN gateways:
- HA VPN
- Classic VPN
The following table compares HA VPN features with Classic VPN features.
Note: The tunnel API resource and tunnel configuration remain the same for both Classic VPN and HA VPN.
| Feature | HA VPN | Classic VPN |
|---|---|---|
| SLA | Provides 99.99% SLA for most topologies, with a few exceptions. For more information, see HA VPN topologies. | Provides a 99.9% SLA. |
| Creation of external IP addresses and forwarding rules | External IP addresses created from a pool; no forwarding rules required. | External IP addresses and forwarding rules must be created. |
| Supported routing options | Only dynamic routing (BGP). | Only static (policy-based, route-based) routing. |
| Two tunnels from one Cloud VPN gateway to the same peer gateway | Supported | Not supported |
| Connect a Cloud VPN gateway to Compute Engine VMs with external IP addresses | Supported and recommended topology. For more information, see HA VPN topologies. | Supported. |
| API resources | Known as the vpn-gateway resource. | Known as the target-vpn-gateway resource. |
| IPv6 traffic | Supports dual stack (IPv4 and IPv6) and IPv6-only configuration | Not supported |
For information about how to move from Classic VPN to HA VPN, see Move from Classic VPN to HA VPN.
HA VPN
HA VPN is a high-availability (HA) Cloud VPN solution that lets you securely connect your on-premises network to your VPC network through an IPsec VPN connection. Based on the topology and configuration, HA VPN can provide an SLA of 99.99% or 99.9% service availability.
When you create an HA VPN gateway, Google Cloud automatically chooses two external IP addresses, one for each of its interfaces. Each IP address is automatically chosen from a unique address pool to support high availability. Each of the HA VPN gateway interfaces supports multiple tunnels. You can also create multiple HA VPN gateways. When you delete the HA VPN gateway, Google Cloud releases the IP addresses for reuse. You can configure an HA VPN gateway with only one active interface and one external IP address; however, this configuration does not provide an availability SLA.
One option for using HA VPN is to use HA VPN over Cloud Interconnect. With HA VPN over Cloud Interconnect, you get the security of IPsec encryption from Cloud VPN alongside the increased capacity of Cloud Interconnect. In addition, because you are using Cloud Interconnect, your network traffic never traverses the public internet. Cloud Interconnect does not encrypt traffic by default, so if you use Partner Interconnect, where your traffic passes through a third-party provider's network, adding IPsec encryption with HA VPN over Cloud Interconnect is how you meet data security and compliance requirements for that traffic. HA VPN uses an external VPN gateway resource in Google Cloud to provide information to Google Cloud about your peer VPN gateway or gateways.
Note: When you deploy HA VPN over Cloud Interconnect, you have the option of assigning regional internal IP addresses to HA VPN gateway interfaces. You can only use these internal IP addresses for HA VPN gateways that are associated with VLAN attachments. In all other HA VPN gateways, internal IP address assignment is not supported.
In the API documentation and in gcloud commands, HA VPN gateways are referred to as VPN gateways rather than target VPN gateways. You don't need to create any forwarding rules for HA VPN gateways.
While setting up HA VPN, consider the following guidelines:
- When you connect an HA VPN gateway to another HA VPN gateway, the gateways must use identical IP stack types. For example, if you create an HA VPN gateway with the stack type of IPV4_IPV6, the other HA VPN gateway must also be set to IPV4_IPV6.
- Configure two VPN tunnels from the perspective of the Cloud VPN gateway:
  - If you have two peer VPN gateway devices, each of the tunnels from each interface on the Cloud VPN gateway must be connected to its own peer gateway.
  - If you have a single peer VPN gateway device with two interfaces, each of the tunnels from each interface on the Cloud VPN gateway must be connected to its own interface on the peer gateway.
  - If you have a single peer VPN gateway device with a single interface, both of the tunnels from each interface on the Cloud VPN gateway must be connected to the same interface on the peer gateway.
- A peer VPN device must be configured with adequate redundancy. The device vendor specifies the details of an adequately redundant configuration, which might include multiple hardware instances. For details, see the vendor documentation for the peer VPN device.
- If two peer devices are required, each peer device must be connected to a different HA VPN gateway interface. If the peer side is another cloud provider like AWS, VPN connections must be configured with adequate redundancy on the AWS side as well.
- Make sure that your Cloud Router advertises the same prefixes on all links, possibly with different priorities.
- Your peer VPN gateway device must support dynamic Border Gateway Protocol (BGP) routing.
The following diagram shows the HA VPN concept, with a topology in which the two interfaces of an HA VPN gateway are connected to two peer VPN gateways. For more detailed HA VPN topologies (configuration scenarios), see HA VPN topologies.
An HA VPN gateway to two peer VPN gateways.
Classic VPN
In contrast to HA VPN, Classic VPN gateways have a single interface, a single external IP address, and support tunnels that use static routing (policy based or route based).
Classic VPN gateways provide an SLA of 99.9% service availability. Classic VPN gateways don't support IPv6.
For supported Classic VPN topologies, see theClassic VPN topologiespage.
Classic VPN gateways are referred to as target VPN gateways in the API documentation and in the Google Cloud CLI.
Specifications
Cloud VPN has the following specifications:
- Each Cloud VPN gateway is a regional resource. When you create a Cloud VPN gateway, you can select a specific Google Cloud region for its location. You cannot choose a zone, only a region.
- Cloud VPN only supports site-to-site IPsec VPN connectivity, subject to the requirements listed in this section. It does not support client-to-gateway scenarios. In other words, Cloud VPN doesn't support use cases where client computers need to "dial in" to a VPN by using client VPN software.
- Cloud VPN only supports IPsec. Other VPN technologies (such as SSL VPN) are not supported.
- Cloud VPN can be used with VPC networks and legacy networks. For VPC networks, we recommend custom mode VPC networks so that you have full control over the ranges of IP addresses used by the subnets in the network.
- Classic VPN and HA VPN gateways use external (internet routable) IPv4 addresses; HA VPN gateways with the IPV4_IPV6 or IPV6_ONLY stack type also use external IPv6 addresses (see IPv6 support). Only ESP, UDP 500, and UDP 4500 traffic is permitted to these addresses. This applies to Cloud VPN addresses configured by you for Classic VPN and to automatically assigned IP addresses for HA VPN.
- If IP address ranges for on-premises subnets overlap with IP addresses used by subnets in your VPC network, see Order of routes to determine how routing conflicts are resolved.
- The following Cloud VPN traffic remains within the Google Cloud network:
  - Between two HA VPN gateways
  - Between two Classic VPN gateways
  - Between a Classic VPN or HA VPN gateway and the external IP address of a Compute Engine VM acting as a VPN gateway
- Cloud VPN can be used with Private Google Access for on-premises hosts. For more information, see Private access options for services.
- Each Cloud VPN gateway must be connected to another Cloud VPN gateway or a peer VPN gateway.
- The peer VPN gateway must have a static external (internet routable) IPv4 address, or a static external IPv6 address when it connects to an HA VPN gateway that uses external IPv6 addresses. You need this IP address to configure Cloud VPN.
  Note: You cannot use RFC 5737 or RFC 5735 addresses for the peer IP address because they are reserved.
- If your peer VPN gateway is behind a firewall rule, you must configure the firewall rule to pass ESP (IPsec) protocol and IKE (UDP 500 and UDP 4500) traffic to it. If the firewall rule performs network address translation (NAT), see UDP encapsulation and NAT-T.
- Cloud VPN requires that the peer VPN gateway be configured to support prefragmentation. Packets must be fragmented before being encapsulated.
- Cloud VPN uses replay detection with a window of 4096 packets. You cannot turn this off.
- Cloud VPN supports generic routing encapsulation (GRE) traffic. Support for GRE lets you terminate GRE traffic on a VM from the internet (external IP address) and Cloud VPN or Cloud Interconnect (internal IP address). The decapsulated traffic can then be forwarded to a reachable destination. GRE lets you use services such as Secure Access Service Edge (SASE) and SD-WAN. You must create a firewall rule to allow GRE traffic.
  Note: GRE support for VPN has been tested only with GRE version 0. Additionally, support for GRE traffic does not include support from Google Cloud for troubleshooting your overlay networks.
- HA VPN tunnels support the exchange of IPv6 traffic, but Classic VPN tunnels don't.
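The 4096-packet replay window in the list above is the standard ESP anti-replay mechanism (RFC 4303, section 3.4.3): the receiver remembers the highest sequence number it has accepted plus a bitmap of the 4096 numbers below it, accepts a packet only if it is newer than the highest or unseen within the window, and drops duplicates and anything older than the window. The following Python model is an added example, not Cloud VPN's or Google's code; the window size is the page's 4096 and the sample arrival order is constructed. At the 250,000 pps tunnel limit, 4096 packets is roughly 16 ms, so a path that reorders or delays a security association's packets by more than that shows up as replay drops on the receiving side. That is the practical reason the window cannot be disabled and why one SA's packets should not be spread across paths with very different latency.

```python
"""Model of the ESP anti-replay sliding window (RFC 4303, section 3.4.3).

Added example, not Cloud VPN's implementation. WINDOW_SIZE is the fixed
4096-packet window the page states; the sample sequence numbers below are
constructed for the demonstration.
"""

WINDOW_SIZE = 4096  # Cloud VPN's fixed replay window, per the page


class AntiReplayWindow:
    """Replay state for one inbound ESP security association.

    `highest` is the largest sequence number accepted so far. Bit i of
    `bitmap` is set when sequence number (highest - i) has been received, so
    the bitmap covers the `size` most recent sequence numbers ending at
    `highest`.
    """

    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.highest = 0
        self.bitmap = 0

    def check(self, seq):
        """Classify a sequence number without updating state.

        Returns (accepted, reason).
        """
        if seq == 0:
            return False, "seq 0 never valid (RFC 4303)"
        if seq > self.highest:
            return True, "new"
        offset = self.highest - seq
        if offset >= self.size:
            return False, "too old (outside window)"
        if (self.bitmap >> offset) & 1:
            return False, "replay"
        return True, "late but in window"

    def accept(self, seq):
        """Check a sequence number and record it if accepted.

        Returns (accepted, reason). In a real receiver this runs only after the
        packet's integrity check passes, as RFC 4303 requires, so that a forged
        packet cannot advance the window.
        """
        ok, reason = self.check(seq)
        if not ok:
            return False, reason
        if seq > self.highest:
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1            # everything previously seen ages out
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)
        return True, reason


def run_sample(seqs, size=WINDOW_SIZE):
    """Feed constructed sequence numbers through one window.

    Returns a list of (seq, accepted, reason) so the decisions can be inspected.
    """
    win = AntiReplayWindow(size)
    return [(s, *win.accept(s)) for s in seqs]


# Constructed arrival order: in-order, a reorder, a duplicate, a jump past the
# whole window, then packets that are too old, exactly at the edge, and inside it.
SAMPLE_SEQS = [1, 2, 3, 5, 4, 4, 5000, 3, 904, 905, 903]

if __name__ == "__main__":
    for seq, ok, why in run_sample(SAMPLE_SEQS):
        print(f"seq {seq:>5}: {'accept' if ok else 'drop  '} ({why})")
```

Running the sample shows sequence 4 arriving after 5 being accepted (inside the window), the second copy of 4 dropped as a replay, and, after the jump to 5000, sequence 904 dropped because it is exactly 4096 behind while 905 is still accepted.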
Network bandwidth
Each Cloud VPN tunnel supports up to 250,000 packets per second for thesum of ingress and egress traffic. Depending on average packet size in thetunnel, 250,000 packets per second is equivalent to between 1 Gbps and3 Gbps of bandwidth.
The metrics related to this limit are Sent bytes and Received bytes, which are described in View logs and metrics. Consider that the unit for the metrics is bytes, while the 3-Gbps limit refers to bits per second. When converted to bytes, the limit is 375 megabytes per second (MBps). When measuring usage against the limit, use the sum of Sent bytes and Received bytes compared to the converted limit of 375 MBps. For information about how to create alerting policies, see Define alerts for VPN tunnel bandwidth.
Factors that affect bandwidth
The bandwidth is influenced by a number of factors, including the following:
- The network connection between the Cloud VPN gateway and your peer gateway:
  - Network bandwidth between the two gateways. If you have established a Direct Peering relationship with Google, throughput is higher than if your VPN traffic is sent over the public internet.
  - Round-trip time (RTT) and packet loss. Elevated RTT or packet loss rates greatly reduce TCP performance.
- Capabilities of your peer VPN gateway. For more information, see your device's documentation.
- Packet size. Cloud VPN uses the IPsec protocol in tunnel mode, encapsulating and encrypting entire IP packets in Encapsulating Security Payload (ESP), and then storing the ESP data in a second, outer IP packet. Consequently, there is both a gateway MTU for the IPsec encapsulated packets and a payload MTU for packets before and after IPsec encapsulation. For details, see MTU considerations.
- Packet rate. For ingress and egress, the recommended maximum packet rate for each Cloud VPN tunnel is 250,000 packets per second (pps). If you need to send packets at a higher rate, you must create more VPN tunnels.
When measuring TCP bandwidth of a VPN tunnel, you should measure more than one simultaneous TCP stream. If you are using the iperf tool, use the -P parameter to specify the number of simultaneous streams.
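The limits in this section can be turned into a per-tunnel check. The following Python is an added example, not Google Cloud code: it converts the 250,000 pps cap into the 1 to 3 Gbps range the page quotes for different average packet sizes, and compares constructed 60-second counter deltas against both the packet cap and the 375 MBps byte equivalent of 3 Gbps. The sample counters are constructed, and the field names are stand-ins for the Sent bytes and Received bytes metrics and for packet counters, not the metric identifiers themselves.

```python
"""Per-tunnel utilization against the Cloud VPN limits quoted on this page.

Added example, not Google Cloud code. The counter samples are constructed;
the field names are stand-ins for the Sent bytes / Received bytes metrics and
for packet counters, not the metric identifiers themselves.
"""

PPS_LIMIT = 250_000                    # packets per second, ingress + egress
BITS_PER_SEC_LIMIT = 3_000_000_000     # 3 Gbps
BYTES_PER_SEC_LIMIT = BITS_PER_SEC_LIMIT // 8  # 375,000,000 B/s, i.e. 375 MBps


def effective_bandwidth_bps(avg_packet_bytes, pps=PPS_LIMIT):
    """Throughput implied by the packet-rate cap at a given average packet size.

    About 500-byte packets give 1 Gbps and 1500-byte packets give 3 Gbps, which
    is why the page quotes a 1-3 Gbps range for the same 250,000 pps.
    """
    return pps * avg_packet_bytes * 8


def utilization(sent_bytes, received_bytes, sent_pkts, received_pkts, interval_s):
    """Compute a tunnel's byte and packet utilization from counter deltas.

    Both directions are summed, as the page specifies, and the byte rate is
    compared against the limit converted to bytes, not bits.
    """
    bytes_per_s = (sent_bytes + received_bytes) / interval_s
    pps = (sent_pkts + received_pkts) / interval_s
    return {
        "bytes_per_s": bytes_per_s,
        "pps": pps,
        "byte_util": bytes_per_s / BYTES_PER_SEC_LIMIT,
        "pps_util": pps / PPS_LIMIT,
    }


def tunnels_needing_action(samples, threshold=0.8):
    """Return (tunnel, binding_limit, utilization) for tunnels over `threshold`.

    Small-packet traffic reaches the pps cap long before 3 Gbps, so a byte-only
    alert misses it; both dimensions are checked and the one closer to its
    limit is reported. The remedy for either is additional tunnels.
    """
    flagged = []
    for name, counters in samples.items():
        u = utilization(**counters)
        worst = max(u["pps_util"], u["byte_util"])
        if worst >= threshold:
            binding = "pps" if u["pps_util"] >= u["byte_util"] else "bytes"
            flagged.append((name, binding, round(worst, 3)))
    return flagged


# Constructed 60-second counter deltas (not real monitoring data).
SAMPLES = {
    # large packets: the byte rate is the binding limit
    "tunnel-a": dict(sent_bytes=10_000_000_000, received_bytes=10_000_000_000,
                     sent_pkts=6_000_000, received_pkts=6_000_000, interval_s=60),
    # small packets: only 30 MB/s but 225,000 pps, so pps is binding
    "tunnel-b": dict(sent_bytes=1_200_000_000, received_bytes=600_000_000,
                     sent_pkts=7_000_000, received_pkts=6_500_000, interval_s=60),
    # comfortably under both limits
    "tunnel-c": dict(sent_bytes=2_000_000_000, received_bytes=1_000_000_000,
                     sent_pkts=1_500_000, received_pkts=1_000_000, interval_s=60),
}

if __name__ == "__main__":
    for name, binding, util in tunnels_needing_action(SAMPLES):
        print(f"{name}: {util:.0%} of the {binding} limit, add tunnels")
```

The two flagged tunnels illustrate the point of checking both dimensions: tunnel-a is near the byte limit with 200,000 pps, while tunnel-b moves a tenth of the bytes but is at 90% of the packet cap.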
IPv6 support
Cloud VPN supports IPv6 in HA VPN, but not inClassic VPN.
To support IPv6 traffic in HA VPN tunnels, do the following:
- Use the IPV6_ONLY or IPV4_IPV6 stack type when creating an HA VPN gateway and tunnels that connect IPv6-enabled VPC networks with other IPv6-enabled networks. These networks can be on-premises networks, multicloud networks, or other VPC networks.
- Include dual-stack subnets or IPv6-only subnets in your IPv6-enabled VPC networks. Additionally, assign internal IPv6 ranges to the subnets.
The following table summarizes the external IP addresses allowed for each stack type of the HA VPN gateway.
| Stack type | Supported gateway external IP addresses |
|---|---|
| IPV4_ONLY | IPv4 |
| IPV4_IPV6 | IPv4, IPv6 |
| IPV6_ONLY | IPv6 |
Organization policy constraints for IPv6
You can disable the creation of all IPv6 hybrid resources in your project by setting the following organization policy to true:
constraints/compute.disableHybridCloudIpv6
For HA VPN, this organization policy constraint prevents thecreation of any dual-stack HA VPN gateways and IPv6-onlyHA VPN gateways in the project. This policy also preventsthe creation of IPv6 BGP sessions and dual-stackDedicated Interconnect VLAN attachments.
Stack types and BGP sessions
HA VPN gateways support different stack types. The stacktype of an HA VPN gateway determines what version of IPtraffic is allowed in your HA VPN tunnels.
When you create the HA VPN tunnels for a dual-stack HA VPN gateway, you can create either an IPv6 BGP session for IPv6 route exchange, or an IPv4 BGP session that exchanges IPv6 routes by using multiprotocol BGP (MP-BGP).
The following table summarizes the types of BGP sessions supported for eachstack type.
| Stack type | Supported BGP sessions | Gateway external IP addresses |
|---|---|---|
| Single stack (IPv4 only) | IPv4 BGP, no MP-BGP | IPv4 |
| Single stack (IPv6 only) | IPv6 BGP, no MP-BGP | IPv6 |
| Dual stack (IPv4 and IPv6) | IPv4 BGP with or without MP-BGP; IPv6 BGP with or without MP-BGP; or both IPv4 BGP and IPv6 BGP, in which case MP-BGP cannot be enabled on either | IPv4 and IPv6 |
To support IPv6 traffic, HA VPN gateways must use either the IPv4 and IPv6 (dual-stack) or IPv6 (single-stack) configuration. To temporarily disable IPv6 traffic without deleting your gateway, disable IPv6 route exchange in the IPv4 BGP session or disable the IPv6 session that you established for the HA VPN tunnels.
For more information about BGP sessions, see Establish BGP sessions in the Cloud Router documentation.
Single-stack IPv4-only gateways
By default, an HA VPN gateway is assigned the IPv4-only stack type and is automatically assigned two external IPv4 addresses.
An IPv4-only HA VPN gateway can support only IPv4 traffic.
Use the following procedures to create IPv4-only HA VPNgateways and IPv4 BGP sessions.
- For an HA VPN to peer VPN gateway configuration, see Create an HA VPN gateway and Create BGP sessions - IPv4 BGP sessions.
- For an HA VPN to HA VPN gateway configuration, see Create the HA VPN gateways and Create BGP sessions - IPv4 BGP sessions.
Single-stack IPv6-only gateways
An IPv6-only HA VPN gateway supports only IPv6 traffic. By default, an IPv6-only HA VPN gateway is assigned two external IPv6 addresses.
Use the following procedures to create IPv6-only HA VPNgateways and IPv6 BGP sessions.
- For an HA VPN to peer VPN gateway configuration, see Create an HA VPN gateway and Create BGP sessions - IPv6 BGP sessions.
- For an HA VPN to HA VPN gateway configuration, see Create the HA VPN gateways and Create BGP sessions - IPv6 BGP sessions.
Dual-stack IPv4 and IPv6 gateways
An HA VPN gateway that is configured with the dual-stack(IPv4 and IPv6) stack type can support both IPv4 and IPv6 traffic.
For a dual-stack HA VPN gateway, you can configure yourCloud Router with an IPv4 BGP session, an IPv6 BGP session, or both. Ifyou configure only one BGP session, you can enable MP-BGP to allow that sessionto exchange both IPv4 and IPv6 routes. If you create an IPv4 BGP session and anIPv6 BGP session, you can't enable MP-BGP on either session.
To exchange IPv6 routes on an IPv4 BGP session using MP-BGP, you must configurethat session with IPv6 next hop addresses. Similarly, to exchange IPv4 routes onan IPv6 BGP session using MP-BGP, you must configure that session with IPv4 nexthop addresses. You can configure these next hop addresses either manually orautomatically.
If you manually configure the next hop addresses, you must select them from the Google-owned IPv6 Global Unicast Address (GUA) range 2600:2d00:0:2::/63, or from the IPv4 link-local address range 169.254.0.0/16. These IP address ranges are pre-allocated by Google. The next hop IP addresses you select must be unique across all Cloud Routers within your VPC network.
If you select automatic configuration, Google Cloud selects the next hopIP addresses for you.
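The stack-type and BGP-session rules in this section are easy to get wrong when gateway creation is automated. The following Python, an added example that is not Google Cloud code, encodes them as pre-flight checks: identical stack types for HA VPN to HA VPN connections, the BGP session combinations allowed for each stack type (including the rule that MP-BGP cannot be enabled when both an IPv4 and an IPv6 session exist), and the range and uniqueness requirements for manually chosen MP-BGP next hops. The session and gateway descriptors are a hypothetical shape and the addresses in the sample calls are constructed; Google Cloud's own API validation remains authoritative.

```python
"""Pre-flight checks for the HA VPN stack-type and BGP-session rules on this page.

Added example, not Google Cloud code. The descriptors (stack type strings,
session dicts) are a hypothetical shape chosen for the demonstration.
"""
import ipaddress

STACK_TYPES = {"IPV4_ONLY", "IPV4_IPV6", "IPV6_ONLY"}

# Pre-allocated ranges for manually configured MP-BGP next hops (from the page).
MPBGP_NEXT_HOP_V6 = ipaddress.ip_network("2600:2d00:0:2::/63")
MPBGP_NEXT_HOP_V4 = ipaddress.ip_network("169.254.0.0/16")


def check_gateway_pair(stack_a, stack_b):
    """HA VPN to HA VPN: both gateways must use the identical stack type."""
    for s in (stack_a, stack_b):
        if s not in STACK_TYPES:
            return False, f"unknown stack type {s!r}"
    if stack_a != stack_b:
        return False, f"stack types differ: {stack_a} vs {stack_b}"
    return True, "ok"


def check_bgp_sessions(stack_type, sessions):
    """Validate the BGP sessions planned for one tunnel against the stack type.

    `sessions` is a list of dicts: {"family": "ipv4" | "ipv6", "mp_bgp": bool}.
    Rules from the page:
      - IPV4_ONLY: a single IPv4 BGP session, no MP-BGP.
      - IPV6_ONLY: a single IPv6 BGP session, no MP-BGP.
      - IPV4_IPV6: one IPv4 or one IPv6 session, optionally with MP-BGP, or
        one of each, in which case MP-BGP cannot be enabled on either.
    """
    if not sessions:
        return False, "at least one BGP session is required"
    families = [s["family"] for s in sessions]
    if len(families) != len(set(families)):
        return False, "at most one BGP session per address family"
    if stack_type == "IPV4_ONLY":
        if families != ["ipv4"] or sessions[0]["mp_bgp"]:
            return False, "IPV4_ONLY supports a single IPv4 BGP session without MP-BGP"
    elif stack_type == "IPV6_ONLY":
        if families != ["ipv6"] or sessions[0]["mp_bgp"]:
            return False, "IPV6_ONLY supports a single IPv6 BGP session without MP-BGP"
    elif stack_type == "IPV4_IPV6":
        if len(sessions) == 2 and any(s["mp_bgp"] for s in sessions):
            return False, "with both IPv4 and IPv6 sessions, MP-BGP cannot be enabled"
    else:
        return False, f"unknown stack type {stack_type!r}"
    return True, "ok"


def check_mpbgp_next_hops(session_family, next_hops, in_use):
    """Validate manually chosen MP-BGP next hops for one BGP session.

    An IPv4 session carrying IPv6 routes needs IPv6 next hops from
    2600:2d00:0:2::/63; an IPv6 session carrying IPv4 routes needs IPv4 next
    hops from 169.254.0.0/16. Each address must also be unused by any other
    Cloud Router in the VPC network; `in_use` is that set of addresses.
    Returns (ok, list_of_problems).
    """
    allowed = MPBGP_NEXT_HOP_V6 if session_family == "ipv4" else MPBGP_NEXT_HOP_V4
    taken = {ipaddress.ip_address(a) for a in in_use}
    problems = []
    for hop in next_hops:
        addr = ipaddress.ip_address(hop)
        if addr.version != allowed.version or addr not in allowed:
            problems.append(f"{hop} not in {allowed}")
        elif addr in taken:
            problems.append(f"{hop} already used by another Cloud Router")
    return (not problems), problems


if __name__ == "__main__":
    print(check_gateway_pair("IPV4_IPV6", "IPV4_ONLY"))
    print(check_bgp_sessions("IPV4_IPV6", [{"family": "ipv4", "mp_bgp": True},
                                           {"family": "ipv6", "mp_bgp": False}]))
    # constructed addresses: one inside the /63, one just outside it
    print(check_mpbgp_next_hops("ipv4", ["2600:2d00:0:3::1", "2600:2d00:0:4::1"], set()))
```

Running the checks before calling the API turns the three rules into early, readable failures rather than a rejected create request part-way through a deployment.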
Use the following procedures to create dual-stack HA VPN gateways and all supported BGP sessions.
- IPv4 BGP sessions, with or without MP-BGP
  - For an HA VPN gateway to peer VPN gateway configuration, see Create an HA VPN gateway and Create BGP sessions - IPv4 BGP sessions.
  - For an HA VPN gateway to HA VPN gateway configuration, see Create the HA VPN gateways and Create BGP sessions - IPv4 BGP sessions.
- IPv6 BGP sessions, with or without MP-BGP
  - For an HA VPN gateway to peer VPN gateway configuration, see Create an HA VPN gateway and Create BGP sessions - IPv6 BGP sessions.
  - For an HA VPN gateway to HA VPN gateway configuration, see Create the HA VPN gateways and Create BGP sessions - IPv6 BGP sessions.
- Both IPv4 and IPv6 BGP sessions
  - For an HA VPN gateway to peer VPN gateway configuration, see Create an HA VPN gateway and Create BGP sessions - Both IPv4 BGP and IPv6 BGP sessions.
  - For an HA VPN gateway to HA VPN gateway configuration, see Create the HA VPN gateways and Create BGP sessions - Both IPv4 and IPv6 BGP sessions.
IPsec and IKE support
Cloud VPN supports IKEv1 and IKEv2 by using an IKE pre-shared key (shared secret) and IKE ciphers. Cloud VPN only supports a pre-shared key for authentication. When you create the Cloud VPN tunnel, specify a pre-shared key. When you create the tunnel at the peer gateway, specify this same pre-shared key. For information about creating a strong pre-shared key, see Generate a strong pre-shared key.
Cloud VPN supports ESP in tunnel mode with authentication, but does not support AH or ESP in transport mode.
You must use IKEv2 to enable IPv6 traffic in HA VPN.
Cloud VPN does not perform policy-related filtering on incomingauthentication packets. Outgoing packets are filtered based on the IP rangeconfigured on the Cloud VPN gateway.
Configure ciphers in Cloud VPN tunnel
With Cloud VPN, you can configure ciphers that help you tailor your VPN connections to meet compliance and security needs.
You can configure cipher options when you create Cloud VPN tunnels. However, once configured, you cannot modify the selected cipher options later; you must delete and re-create the tunnel. Cipher selection is available only with IKEv2, not IKEv1.
You can configure ciphers for both IKE SA negotiation (phase 1) and IPsec SA negotiation (phase 2). If you don't configure a cipher option for a phase, Cloud VPN uses the default cipher for that option.
You must configure ciphers from the supported list of ciphers that meet the following criteria:
- If you specify AEAD ciphers for encryption, you cannot specify separate ciphers for integrity, because Cloud VPN uses the same encryption ciphers for handling integrity.
- If you specify non-AEAD ciphers for encryption, then you can also specify ciphers for integrity. If you don't specify integrity ciphers, Cloud VPN uses the default cipher options for integrity.
- If you specify a mix of both AEAD and non-AEAD ciphers for encryption, you must list the AEAD ciphers before the non-AEAD ciphers. Cloud VPN uses the same encryption ciphers for handling integrity for the AEAD ciphers. For the non-AEAD ciphers, you can specify the integrity ciphers; if you don't, Cloud VPN uses the default cipher options for integrity.
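Two pieces of tunnel preparation come out of this section and the IPsec and IKE support section above: generating the pre-shared key that both ends must share, and checking a cipher proposal against the AEAD and non-AEAD rules before the tunnel is created, since the ciphers cannot be changed afterwards. The following Python is an added example, not Google Cloud code. The AEAD classifier is a hypothetical helper keyed on the cipher name, the cipher names in the sample calls are illustrative, and the list of ciphers Cloud VPN actually accepts is in Supported IKE ciphers; the key generation draws from the OS CSPRNG through the `secrets` module, and the page's own guidance is in Generate a strong pre-shared key.

```python
"""Pre-shared key generation and cipher-proposal checks for a Cloud VPN tunnel.

Added example, not Google Cloud code. `is_aead` is a hypothetical helper that
classifies a cipher by its name; the authoritative list of accepted ciphers is
the page's Supported IKE ciphers reference.
"""
import base64
import secrets


def generate_psk(num_bytes=32):
    """Return a random pre-shared key as base64 text.

    32 bytes (256 bits) from the OS CSPRNG; base64 keeps the key printable so
    it can be pasted into the peer device. The same string goes on both ends.
    """
    return base64.b64encode(secrets.token_bytes(num_bytes)).decode("ascii")


def is_aead(cipher_name):
    """Hypothetical classifier: GCM and ChaCha20-Poly1305 modes are AEAD;
    anything else (for example CBC modes) is treated as non-AEAD."""
    name = cipher_name.upper()
    return "GCM" in name or "CHACHA20" in name or "POLY1305" in name


def validate_phase_ciphers(encryption, integrity=None):
    """Apply the page's ordering rules to one phase's proposal.

    Returns (ok, message). Rules:
      1. All-AEAD encryption list: separate integrity ciphers are not allowed.
      2. All non-AEAD: integrity is optional; defaults apply when omitted.
      3. Mixed: every AEAD cipher must precede every non-AEAD cipher, and the
         integrity list (if any) applies only to the non-AEAD ciphers.
    """
    integrity = integrity or []
    if not encryption:
        return False, "at least one encryption cipher is required"
    flags = [is_aead(c) for c in encryption]
    if all(flags):
        if integrity:
            return False, "AEAD-only encryption: integrity ciphers must not be specified"
        return True, "AEAD-only proposal; integrity is provided by the AEAD ciphers"
    if not any(flags):
        detail = "specified explicitly" if integrity else "falls back to defaults"
        return True, f"non-AEAD proposal; integrity {detail}"
    # Mixed list: once a non-AEAD cipher appears, no AEAD cipher may follow it.
    seen_non_aead = False
    for cipher, aead in zip(encryption, flags):
        if not aead:
            seen_non_aead = True
        elif seen_non_aead:
            return False, f"AEAD cipher {cipher} must be listed before all non-AEAD ciphers"
    detail = "" if integrity else " (defaults)"
    return True, f"mixed proposal; integrity ciphers apply to the non-AEAD entries{detail}"


if __name__ == "__main__":
    print("psk:", generate_psk())
    # illustrative cipher names, not a statement of what Cloud VPN accepts
    print(validate_phase_ciphers(["AES-GCM-16-256"]))
    print(validate_phase_ciphers(["AES-CBC-256", "AES-GCM-16-256"]))
```

The mixed-list rule is the one that bites in practice: a proposal such as a CBC cipher listed ahead of a GCM cipher is rejected on creation, and because cipher options are immutable the fix is to delete and re-create the tunnel, so checking the order up front is cheaper.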
To learn more about the supported ciphers, default cipher order, and configuration parameters supported by Cloud VPN, see Supported IKE ciphers.
Use the following procedures to configure cipher options for the various Cloud VPN gateways:
- To configure cipher options for Classic VPN using static routing, see Create a gateway and tunnel.
- To configure cipher options for HA VPN to a peer VPN gateway, see Create VPN tunnels.
IKE and dead peer detection
Cloud VPN supports dead peer detection (DPD), per the DPD Protocol section of RFC 3706.
To verify that the peer is alive, Cloud VPN might send DPD packets at any time, per RFC 3706. If the DPD requests aren't answered after several retries, Cloud VPN marks the VPN tunnel as unhealthy. An unhealthy tunnel in turn causes removal of the routes that use this tunnel as a next hop (BGP routes or static routes), triggering a failover of VM traffic to other VPN tunnels that are healthy.
The DPD interval isn't configurable in Cloud VPN.
UDP encapsulation and NAT-T
For information about how to configure your peer device to support NAT Traversal (NAT-T) with Cloud VPN, see UDP encapsulation in the Advanced overview.
Cloud VPN as a data transfer network
Before you use Cloud VPN, carefully review Section 2 of the General Service Terms for Google Cloud.
Using Network Connectivity Center (NCC), you can use HA VPN tunnels to connect on-premises networks together, passing traffic between them as a data transfer network. You connect the networks by attaching a pair of tunnels to an NCC spoke for each on-premises location. You then connect each spoke to an NCC hub.
For more information about NCC, see the NCC overview.
Bring your own IP (BYOIP) support
For information about using BYOIP addresses with Cloud VPN, see Support for BYOIP addresses.
Restricting peer IP addresses through a Cloud VPN tunnel
If you're an Organization Policy Administrator (roles/orgpolicy.policyAdmin), you can create a policy constraint that restricts the IP addresses that users can specify for peer VPN gateways.
The restriction applies to all Cloud VPN tunnels—bothClassic VPN and HA VPN—in a specificproject, folder, or organization.
For steps describing how to restrict IP addresses, see Restrict IP addresses for peer VPN gateways.
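The peer-address requirements on this page come from two places: the Specifications section (a static, internet-routable address that is not in the RFC 5737 or RFC 5735 reserved ranges) and the organization policy constraint described here. The following Python, an added example rather than Google Cloud code, is a pre-flight check that applies both before a tunnel is created. The reserved ranges are the ones listed in those two RFCs; the allowed-range list models the organization's restriction and, like the sample addresses, is constructed for the demonstration.

```python
"""Pre-flight validation of a peer VPN gateway address.

Added example, not Google Cloud code. Enforces the page's two requirements:
the address must be internet routable and outside the RFC 5737 / RFC 5735
reserved ranges, and, where the organization restricts peer addresses, it must
fall inside the allowed ranges. Allowlist and sample addresses are constructed.
"""
import ipaddress

# RFC 5737 documentation ranges (TEST-NET-1, TEST-NET-2, TEST-NET-3).
RFC5737 = [ipaddress.ip_network(n) for n in (
    "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24",
)]

# RFC 5735 special-use IPv4 ranges (the documentation ranges above recur here).
RFC5735 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.0.0.0/24", "192.88.99.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "224.0.0.0/4", "240.0.0.0/4", "255.255.255.255/32",
)]


def reserved_reason(addr):
    """Return which reserved range an IPv4 address belongs to, or None."""
    for net in RFC5737:
        if addr in net:
            return f"RFC 5737 documentation range {net}"
    for net in RFC5735:
        if addr in net:
            return f"RFC 5735 special-use range {net}"
    return None


def validate_peer_ip(peer_ip, allowed_ranges=None):
    """Return (ok, reason) for a candidate peer VPN gateway address.

    `allowed_ranges` models an organization policy that restricts peer
    addresses: when given, the address must fall inside one of them. None
    means no restriction is in force.
    """
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False, f"{peer_ip!r} is not a valid IP address"
    if addr.version == 4:
        why = reserved_reason(addr)
        if why:
            return False, f"{peer_ip} is in the {why}"
    # is_global also rejects ranges reserved after RFC 5735, such as 100.64.0.0/10,
    # and the IPv6 documentation, unique-local and link-local ranges.
    if not addr.is_global:
        return False, f"{peer_ip} is not an internet-routable (global) address"
    if allowed_ranges is not None:
        nets = [ipaddress.ip_network(n) for n in allowed_ranges]
        if not any(addr in n for n in nets):
            return False, f"{peer_ip} is outside the organization's allowed peer ranges"
    return True, "ok"


if __name__ == "__main__":
    # constructed inputs: one inside TEST-NET-3, one in the next /24, one IPv6
    org_allowed = ["203.0.114.0/24", "2600:1900::/28"]
    for candidate in ("203.0.113.5", "203.0.114.1", "10.1.2.3", "2600:1900::1"):
        print(candidate, validate_peer_ip(candidate, org_allowed))
```

Checking the reserved ranges explicitly, rather than relying on is_global alone, gives the operator a message that names the RFC the page cites; the is_global check then catches the remaining non-routable space, and the allowlist check mirrors what the organization policy will enforce at tunnel creation.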
Visualizing and monitoring Cloud VPN connections
Network Topology is a visualization tool that shows the topology ofyour VPC networks, hybrid connectivity to and from youron-premises networks, and the associated metrics. You can view yourCloud VPN gateways and VPN tunnels as entities in theNetwork Topology view.
A base entity is the lowest level of a particular hierarchy and represents aresource that can directly communicate with other resources over a network.Network Topology aggregates base entities into hierarchical entitiesthat you can expand or collapse. When you first view aNetwork Topology graph, it aggregates all the base entities intotheir top-level hierarchy.
For example, Network Topology aggregates VPN tunnels into their VPNgateway connection. You can view the hierarchy by expanding or collapsing theVPN gateway icons.
For more information, see the Network Topology overview.
Maintenance and availability
Cloud VPN undergoes periodic maintenance during whichCloud VPN tunnels remain online, and network traffic is unaffected.In rare scenarios, tunnels might briefly go offline, which can cause a momentarydrop in network traffic. After the maintenance is complete, Cloud VPN tunnelsare automatically re-established. These incidents areinvestigated to implement corrective actions and improve future maintenanceprocedures.
Maintenance for Cloud VPN is a normal operational task that can happen at any time without prior notice. Maintenance periods are designed to be short enough that the Cloud VPN SLA isn't impacted.
HA VPN is the recommended method of configuring high-availability VPNs. For configuration options, see the HA VPN topologies page. If you are using Classic VPN for redundancy and high-throughput options, see the Classic VPN topologies page.
Best practices
To build your Cloud VPN effectively, use these best practices.
What's next
- To use high-availability and high-throughput scenarios or multiple subnet scenarios, see Advanced configurations.
- To help you solve common issues that you might encounter when using Cloud VPN, see Troubleshooting.
- Learn more about the recommended topologies for HA VPN.
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-18 UTC.