Create HA VPN gateways to connect VPC networks
This page describes how to connect two Virtual Private Cloud (VPC) networks in Google Cloud by using two HA VPN gateways. You can connect two VPC networks together as long as the primary and secondary subnet IPv4 or IPv6 address ranges in each network don't overlap.
For more information about Cloud VPN, see the following resources:
For diagrams of this topology, see HA VPN between Google Cloud networks.
To automate this setup, see the Terraform example for an HA VPN gateway.
For best practices to consider before setting up Cloud VPN, see Best practices.
For more information about Cloud VPN, see the Cloud VPN overview.
For definitions of terms used on this page, see Key terms.
Requirements
To receive a 99.99% SLA, make sure that you meet the following requirements when creating this configuration:
- Place one HA VPN gateway in each VPC network.
- Place both HA VPN gateways in the same Google Cloud region.
- Configure a tunnel on each interface of each gateway.
- Match the gateway interfaces as follows:
  - The tunnel on interface 0 of the first gateway must connect to interface 0 on the second gateway.
  - The tunnel on interface 1 of the first gateway must connect to interface 1 on the second gateway.
Although it is possible to connect two VPC networks together by using a single tunnel between HA VPN gateways or by using Classic VPN gateways, this type of configuration is not considered to have high availability and does not meet the HA SLA of 99.99% availability.
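The requirements above are easy to get wrong when the two gateways are created in separate sessions. The following added example (not code from the Google Cloud documentation or the gcloud CLI) takes the same values you would pass to gcloud, namely the subnet ranges of each network, the gateways with their network and region, and the tunnels with their local interface and peer gateway, and reports every rule the plan breaks before you create anything: overlapping subnet ranges between the two networks, more or fewer than one HA VPN gateway per network, gateways in different regions, an interface without a tunnel, and a tunnel whose partner on the same interface of the peer gateway is missing. All names and address ranges in example_plan() are constructed for this example.

```python
"""Pre-flight check of a two-gateway HA VPN plan against the SLA rules above.

Added example; not code from the Google Cloud documentation or the gcloud CLI.
Names and ranges in example_plan() are constructed for illustration.
"""
import ipaddress
from itertools import combinations


def check_plan(networks, gateways, tunnels):
    """Return a list of problems; an empty list means every rule is met."""
    problems = []

    # Primary and secondary subnet ranges of the two networks must not overlap.
    ranges = [(net, ipaddress.ip_network(r)) for net, rs in networks.items() for r in rs]
    for (n1, r1), (n2, r2) in combinations(ranges, 2):
        if n1 != n2 and r1.version == r2.version and r1.overlaps(r2):
            problems.append(f"subnet {r1} in {n1} overlaps {r2} in {n2}")

    # Exactly one HA VPN gateway in each VPC network.
    for net in networks:
        count = sum(1 for spec in gateways.values() if spec["network"] == net)
        if count != 1:
            problems.append(f"network {net} has {count} gateways, expected 1")

    # Both gateways in the same Google Cloud region.
    regions = {spec["region"] for spec in gateways.values()}
    if len(regions) != 1:
        problems.append(f"gateways span regions {sorted(regions)}, expected one region")

    # A tunnel on interface 0 and on interface 1 of every gateway.
    for gw in gateways:
        missing = {0, 1} - {t["interface"] for t in tunnels if t["gateway"] == gw}
        if missing:
            problems.append(f"gateway {gw} has no tunnel on interface {sorted(missing)}")

    # Interface N pairs with interface N: each tunnel needs a partner on the
    # same interface of the peer gateway that points back at this gateway.
    index = {(t["gateway"], t["interface"]): t for t in tunnels}
    for t in tunnels:
        partner = index.get((t["peer_gateway"], t["interface"]))
        if partner is None or partner["peer_gateway"] != t["gateway"]:
            problems.append(f"tunnel {t['name']} has no partner tunnel on "
                            f"interface {t['interface']} of {t['peer_gateway']}")
    return problems


def example_plan():
    """Constructed sample mirroring the page's ha-vpn-gw-a / ha-vpn-gw-b layout."""
    networks = {
        "network-a": ["10.0.1.0/24", "10.0.2.0/24", "fd20:1::/64"],
        "network-b": ["10.0.3.0/24", "10.0.4.0/24", "fd20:2::/64"],
    }
    gateways = {
        "ha-vpn-gw-a": {"network": "network-a", "region": "us-central1"},
        "ha-vpn-gw-b": {"network": "network-b", "region": "us-central1"},
    }
    tunnels = [
        {"name": "tunnel-a-to-b-if-0", "gateway": "ha-vpn-gw-a", "interface": 0, "peer_gateway": "ha-vpn-gw-b"},
        {"name": "tunnel-a-to-b-if-1", "gateway": "ha-vpn-gw-a", "interface": 1, "peer_gateway": "ha-vpn-gw-b"},
        {"name": "tunnel-b-to-a-if-0", "gateway": "ha-vpn-gw-b", "interface": 0, "peer_gateway": "ha-vpn-gw-a"},
        {"name": "tunnel-b-to-a-if-1", "gateway": "ha-vpn-gw-b", "interface": 1, "peer_gateway": "ha-vpn-gw-a"},
    ]
    return networks, gateways, tunnels


if __name__ == "__main__":
    nets, gws, tuns = example_plan()
    print(check_plan(nets, gws, tuns) or "plan meets the HA SLA requirements")
    # The same plan with the second gateway in another region and one tunnel dropped:
    gws["ha-vpn-gw-b"]["region"] = "us-east1"
    for problem in check_plan(nets, gws, tuns[:3]):
        print("problem:", problem)
```

Run it against your own plan before issuing the gcloud commands; a plan that passes still needs the matching pre-shared keys and BGP sessions described later on this page.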
Caution: If one or both of the VPN gateways are Classic VPN gateways, your configuration does not meet the 99.99% SLA.
Cloud Router recommendations
When configuring a new HA VPN gateway, you can create a new Cloud Router, or you can use an existing Cloud Router with existing Cloud VPN tunnels or VLAN attachments. However, the Cloud Router that you use must not already manage a BGP session for a VLAN attachment associated with a Partner Interconnect connection because of the attachment's specific ASN requirements.
Manage permissions
HA VPN gateways might not always belong to you or your Google Cloud organization. When you create an HA VPN gateway or connect to a gateway owned by someone else, consider these requirements:
- If you own the project where you create an HA VPN gateway, configure the recommended permissions on it.
- If you want to connect to an HA VPN gateway that resides in a Google Cloud organization or project that you don't own, request the compute.vpnGateways.use permission from the owner.
Before you begin
Review information about how dynamic routing works in Google Cloud.
Make sure that your peer VPN gateway supports Border Gateway Protocol (BGP).
Set up the following items in Google Cloud to make it easier to configure Cloud VPN:
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
Note: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.
Roles required to select or create a project
- Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
- Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.
Verify that billing is enabled for your Google Cloud project.
Install the Google Cloud CLI.
If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
To initialize the gcloud CLI, run the following command:
gcloud init
If you are using the Google Cloud CLI, set your project ID with the following command. The gcloud instructions on this page assume that you have set your project ID before issuing commands.
gcloud config set project PROJECT_ID
You can also view a project ID that has already been set by running the following command:
gcloud config list --format='text(core.project)'
Create custom VPC networks and subnets
The procedures in this document use two different VPC networks. Each VPC network has at least two subnets, which are located in different regions.
Before you create your HA VPN gateways and your HA VPN tunnels, create two VPC networks.
Each VPC network must have at least one subnet in the region where you create the HA VPN gateway.
- To create a custom mode VPC network (recommended), see Create a custom mode VPC network.
- To create a subnet, see Working with subnets.
To enable IPv6 traffic in your HA VPN tunnels, you must enable the allocation of IPv6 internal addresses when you create the VPC networks. In addition, configure the subnets to use IPv6 internal addresses.
You must also configure IPv6 on the VMs in the subnet.
- To create a custom mode VPC network that has at least one dual-stack subnet or one IPv6-only subnet with internal IPv6 addresses, see Create and manage VPC networks.
- To create a dual-stack subnet with IPv6 enabled, see Add a dual-stack subnet.
- To create an IPv6-only subnet, see Add an IPv6-only subnet.
- To enable IPv6 in an existing IPv4-only subnet, see Change an IPv4-only subnet to dual-stack.
- To create VMs with IPv6 enabled, see Configuring IPv6 for instances and instance templates.
The VPC subnets must be configured to use internal IPv6 addresses. When you use the gcloud CLI, you configure the subnets with the --ipv6-access-type=INTERNAL flag. Cloud Router does not dynamically advertise routes for subnets that are configured to use external IPv6 addresses (--ipv6-access-type=EXTERNAL).
For information about using internal IPv6 address ranges in your VPC networks and subnets, see Internal IPv6 specifications.
The examples in this document also use VPC global dynamic routing mode, which behaves in the following way:
- All instances of Cloud Router apply the on-premises routes that they learn to all subnets of the VPC network.
- Routes to all subnets in the VPC network are shared with on-premises routers.
Create two fully configured HA VPN gateways that connect to each other
Note: It can help to have two Google Cloud console or terminal sessions open when configuring two HA VPN gateways that connect to each other.
Follow the instructions in this section to create an HA VPN gateway, a peer VPN gateway resource, tunnels, and BGP sessions.
Permissions required for this task
To perform this task, you must have been granted the following permissions or the following IAM roles.
Permissions
- compute.vpnGateways.create
- compute.vpnGateways.delete
- compute.vpnGateways.get
- compute.vpnGateways.list
- compute.vpnGateways.use
- compute.vpnGateways.setLabels
- compute.externalVpnGateways.create
- compute.externalVpnGateways.delete
- compute.externalVpnGateways.get
- compute.externalVpnGateways.list
- compute.externalVpnGateways.use
- compute.externalVpnGateways.setLabels
Roles
- roles/compute.networkAdmin
Create the HA VPN gateways
Note: After you create an HA VPN gateway, you cannot modify its stack type. If you need a different stack type for an existing HA VPN gateway, you must delete and recreate the gateway. To support IPv6 traffic, HA VPN gateways must use either the IPv4 and IPv6 (dual-stack) or IPv6 (single-stack) configuration. To temporarily disable IPv6 traffic without deleting your gateway, disable IPv6 route exchange in the IPv4 BGP session or disable the IPv6 session that you established for the HA VPN tunnels.
Console
The VPN setup wizard includes all required configuration steps for creating an HA VPN gateway, a peer VPN gateway resource, tunnels, and BGP sessions.
To create the first HA VPN gateway, follow these steps:
In the Google Cloud console, go to the VPN page.
If you are creating a gateway for the first time, click Create VPN connection.
Select the VPN setup wizard.
If you have an existing HA VPN gateway, select the option button for that gateway.
Click Continue.
Specify a VPN gateway name.
Under VPC network, select an existing network or the default network.
Select a Region.
Select a stack type for the gateway, either IPv4 (single stack) or IPv4 and IPv6 (dual stack).
Click Create and continue.
The console page refreshes and displays your gateway information. Two external IPv4 addresses are automatically allocated, one for each of your gateway interfaces. For future configuration steps, make note of the details of your gateway configuration.
To create the second HA VPN gateway, repeat the preceding steps in a new browser tab. Make sure you specify the same stack type as the first HA VPN gateway.
gcloud
Depending on the workloads you plan to support with your tunnels, you can choose the stack type as follows while creating the gateways:
- To support only IPv4 workloads, create an HA VPN gateway with the IPV4_ONLY stack type.
- To support both IPv4 and IPv6 workloads, create an HA VPN gateway with the IPV4_IPV6 stack type.
- To support only IPv6 workloads, create an HA VPN gateway with the IPV6_ONLY stack type.
To create two HA VPN gateways, complete the following command sequence:
Create an HA VPN gateway in each network in REGION. When each gateway is created, two external IPv4 addresses are automatically allocated, one for each gateway interface. Take note of these IP addresses to use later on in the configuration steps.
In the following commands, replace the following:
- GW_NAME_1 and GW_NAME_2: the name of each gateway
- NETWORK_1 and NETWORK_2: the name of each Google Cloud network
- REGION: the Google Cloud region where you need to create the gateway and tunnel
- IP_STACK: Optional: the IP stack to use. Specify IPV4_ONLY, IPV4_IPV6, or IPV6_ONLY. If you don't specify this flag, the default depends on the gateway IP version: IPV4_ONLY for a gateway with IPv4 interfaces, and IPV4_IPV6 for a gateway with IPv6 interfaces (--gateway-ip-version=IPV6).
Create the first gateway
For a gateway with IPv4 interfaces:
gcloud compute vpn-gateways create GW_NAME_1 \
    --network=NETWORK_1 \
    --region=REGION \
    --stack-type=IP_STACK
The gateway that you create is similar to the following example output. An external IPv4 address has been automatically assigned to each gateway interface:
Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnGateways/ha-vpn-gw-a].
NAME         INTERFACE0    INTERFACE1    NETWORK    REGION
ha-vpn-gw-a  203.0.113.16  203.0.113.23  network-a  us-central1
Create the second gateway
gcloud compute vpn-gateways create GW_NAME_2 \
    --network=NETWORK_2 \
    --region=REGION \
    --stack-type=IP_STACK
If you specified a stack type for the first gateway, use the same stack type for the second gateway.
The gateway that you create is similar to the following example output. Note that both gateways are in the same region (us-central1), as the SLA requirements demand:
Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnGateways/ha-vpn-gw-b].
NAME         INTERFACE0    INTERFACE1    NETWORK    REGION
ha-vpn-gw-b  203.0.114.18  203.0.114.25  network-b  us-central1
For a gateway with IPv6 interfaces:
gcloud compute vpn-gateways create GW_NAME_1 \
    --network=NETWORK_1 \
    --region=REGION \
    --gateway-ip-version=IPV6 \
    --stack-type=IP_STACK
An external IPv6 address is automatically assigned to each gateway interface.
API
To create the HA VPN gateways, follow these steps:
To create the full configuration for an HA VPN gateway, use the API commands in the following sections. All field values used in these sections are example values.
For a gateway with IPv4 interfaces:
Create the first HA VPN gateway by making a POST request to the vpnGateways.insert method.
POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/vpnGateways
{
  "name": "ha-vpn-gw-a",
  "network": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/network-a",
  "stackType": "IPV4_IPV6"
}
The stackType field is optional. For a gateway with IPv4 interfaces, the only valid values are IPV4_IPV6 or IPV4_ONLY. If you don't specify a stackType, the default is IPV4_ONLY.
Repeat the command to create the second HA VPN gateway, and specify the appropriate project, name, network, and region. If you specified stackType for the first gateway, use the same stack type for the second gateway, either IPV4_ONLY or IPV4_IPV6.
For a gateway with IPv6 interfaces:
Create the first HA VPN gateway by making a POST request to the vpnGateways.insert method.
POST https://compute.googleapis.com/compute/beta/projects/PROJECT_ID/regions/REGION/vpnGateways
{
  "name": "ha-vpn-gw-a",
  "network": "https://www.googleapis.com/compute/beta/projects/PROJECT_ID/global/networks/network-a",
  "gatewayIpVersion": "IPV6",
  "stackType": "IPV6_ONLY"
}
When you allocate external IPv6 addresses to the HA VPN gateway, you must specify IPV6 as the gatewayIpVersion value. The stackType field is optional. If you don't specify stackType, the default value is IPV4_IPV6. The only valid stackType values for a gateway with a gatewayIpVersion of IPV6 are IPV4_IPV6 or IPV6_ONLY.
Repeat the command to create the second HA VPN gateway, and specify the appropriate project, name, network, and region. When you allocate external IPv6 addresses to the HA VPN gateway, you must specify IPV6 as the gatewayIpVersion value. The stackType field is optional. If you specified stackType for the first gateway, use the same stack type for the second gateway, either IPV6_ONLY or IPV4_IPV6.
Specify the peer VPN gateway resource
In this setup, the peer VPN gateway resource is the second HA VPN gateway, which is the endpoint of the new VPN tunnel connections.
If you are connecting two VPC networks, the second VPC network can exist in the same Google Cloud project or in a separate Google Cloud project.
Console
To specify the peer HA VPN gateway resource, follow these steps:
- On the Create a VPN page, in the Peer VPN gateway section, select Google Cloud VPN gateway.
- For Project, select the Google Cloud project that contains the new gateway.
- For VPN gateway name, select the second HA VPN gateway that you created in Create the HA VPN gateways.
- Continue to create VPN tunnels.
gcloud
You created the peer VPN gateway resource when you created the second HA VPN gateway in Create the HA VPN gateways.
You specify this HA VPN gateway as the peer VPN gateway resource when you create the HA VPN tunnels.
API
You created the peer VPN gateway resource when you created the second HA VPN gateway in Create the HA VPN gateways.
You specify this HA VPN gateway as the peer VPN gateway resource when you create the HA VPN tunnels.
Create Cloud Routers
Console
Under Cloud Router, if you haven't already, create a Cloud Router specifying the following options. You can use an existing Cloud Router if the router does not already manage a BGP session for a VLAN attachment associated with a Partner Interconnect connection.
To create a new Cloud Router, specify the following:
- A Name
- An optional Description
- A Google ASN for the new router. You can use any private ASN (64512 through 65534, 4200000000 through 4294967294) that you are not using elsewhere in your network. The Google ASN is used for all BGP sessions on the same Cloud Router, and you cannot change the ASN later.
To create the new router, click Create.
gcloud
The following instructions assume that you haven't already created Cloud Routers to use for managing BGP sessions for your HA VPN tunnels. You can use an existing Cloud Router in each VPC network unless those routers already manage a BGP session for a VLAN attachment associated with a Partner Interconnect connection.
To create two Cloud Routers, complete the following command sequence:
Create a Cloud Router in each network in REGION. In the following commands, replace the following:
- PEER_ASN_1 and PEER_ASN_2: any private ASN (64512 through 65534, 4200000000 through 4294967294) that you are not already using. This example uses ASN 65001 for both interfaces of ROUTER_NAME_1 and ASN 65002 for both interfaces of ROUTER_NAME_2.
- Replace all other options with the values that you used previously.
Create the first router
gcloud compute routers create ROUTER_NAME_1 \
    --region=REGION \
    --network=NETWORK_1 \
    --asn=PEER_ASN_1
The router that you create is similar to the following example output:
Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-a].
NAME      REGION       NETWORK
router-a  us-central1  network-a
Create the second router
gcloud compute routers create ROUTER_NAME_2 \
    --region=REGION \
    --network=NETWORK_2 \
    --asn=PEER_ASN_2
The router that you create is similar to the following example output:
Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-b].
NAME      REGION       NETWORK
router-b  us-central1  network-b
API
If you already created a Cloud Router in each of the VPC networks where each of your HA VPN gateways reside, you can use those Cloud Routers instead of creating new ones. However, if a Cloud Router manages a BGP session for a VLAN attachment associated with a Partner Interconnect connection, then create a new Cloud Router.
To create a Cloud Router, make a POST request to the routers.insert method.
POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/routers
{
  "name": "router-a",
  "network": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/network-a"
}
Create VPN tunnels
Important: To create a VPN configuration that meets the requirements for 99.99% availability, configure tunnels as described throughout this section. The VPN tunnels that you create are not available until the corresponding partner tunnels have been created on the other HA VPN gateway.
Console
To create VPN tunnels, follow these steps:
Under High availability, select either a pair of tunnels or one tunnel to the other HA VPN gateway:
If you select Create a pair of VPN tunnels (recommended), configure the two tunnel dialogs that appear at the bottom of the Create VPN page.
If you select Create a single VPN tunnel, you configure your single tunnel on the rest of the Create VPN page. However, to get a 99.99% SLA to the other HA VPN gateway, you must create a second tunnel. You can add a second tunnel later as described at the end of this procedure.
Complete the following steps either on the same page or in each tunnel's dialog at the bottom of the page.
If you are configuring one tunnel, under Associated Cloud VPN gateway interface, select the HA VPN interface and IP address combination for this gateway to associate it with the gateway interface on the other HA VPN gateway. For two-tunnel configurations, this option and the Associated peer VPN gateway interface option are both unavailable because the correct interface combinations are configured for you.
- Specify a Name for the tunnel.
- Specify an optional Description.
- Specify the IKE version. We recommend IKEv2, the default setting. To allow IPv6 traffic, you must select IKEv2.
- Specify an IKE pre-shared key by using your pre-shared key (shared secret), which must match the pre-shared key for the partner tunnel that you create on your peer gateway. If you haven't configured a pre-shared key on your peer VPN gateway and want to generate one, click Generate and copy. Make sure that you record the pre-shared key in a secure location because it cannot be retrieved after you create your VPN tunnels.
- Click Done.
- On the Create VPN page, repeat the tunnel creation steps for any remaining tunnel dialogs.
When you have configured all tunnels, click Create and continue.
gcloud
To create two VPN tunnels on each HA VPN gateway, complete the following command sequence.
- The tunnel that you create from interface 0 of GW_NAME_1 must connect to the external IP address associated with interface 0 of GW_NAME_2 in NETWORK_2.
- The tunnel from interface 1 of GW_NAME_1 must connect to the external IP address associated with interface 1 of GW_NAME_2.
- When you create VPN tunnels on GW_NAME_1 in NETWORK_1, specify the information for GW_NAME_2 in NETWORK_2. Google automatically connects the tunnel from interface 0 of GW_NAME_1 to interface 0 of GW_NAME_2, and interface 1 of GW_NAME_1 to interface 1 of GW_NAME_2. You also have the option to configure cipher algorithms when creating Cloud VPN tunnels. For more information, see Create Cloud VPN tunnels.
Create two tunnels on GW_NAME_1
Create two VPN tunnels, one on each interface, of GW_NAME_1 in NETWORK_1.
In the following commands, replace the following:
- TUNNEL_NAME_GW1_IF0 and TUNNEL_NAME_GW1_IF1: a name for each tunnel originating from GW_NAME_1; naming the tunnels by including the gateway interface name can help identify the tunnels later
- GW_NAME_2: the value of --peer-gcp-gateway
- REGION: the region where GW_NAME_1 is located
- Optional: --vpn-gateway-region is the region of the HA VPN gateway to operate on. Its value should be the same as --region. If not specified, this option is automatically set. This option overrides the default region property value for this command invocation.
- IKE_VERS: 2 for IKEv2; because both tunnels connect to another HA VPN gateway, Google recommends using IKEv2. To allow IPv6 traffic, you must use IKEv2.
- SHARED_SECRET: your pre-shared key (shared secret), which must be the same pre-shared key that you use for the corresponding tunnel created from GW_NAME_2 on interface 0 and interface 1; for recommendations, see Generate a strong pre-shared key
- INT_NUM_0: the number 0 for the first interface on GW_NAME_1
- INT_NUM_1: the number 1 for the second interface on GW_NAME_1
- If the peer-gcp-gateway is in a different project from the VPN tunnel and local VPN gateway, to specify the project, use the --peer-gcp-gateway option as a full URI or as a relative name. The following sample option is a relative name: --peer-gcp-gateway projects/other-project/regions/us-central1/vpnGateways/ha-vpn-gw-b
Create the first tunnel on GW_NAME_1 INT_NUM_0
gcloud compute vpn-tunnels create TUNNEL_NAME_GW1_IF0 \
    --peer-gcp-gateway=GW_NAME_2 \
    --region=REGION \
    --ike-version=IKE_VERS \
    --shared-secret=SHARED_SECRET \
    --router=ROUTER_NAME_1 \
    --vpn-gateway=GW_NAME_1 \
    --interface=INT_NUM_0
Create the second tunnel on GW_NAME_1 INT_NUM_1
gcloud compute vpn-tunnels create TUNNEL_NAME_GW1_IF1 \
    --peer-gcp-gateway=GW_NAME_2 \
    --region=REGION \
    --ike-version=IKE_VERS \
    --shared-secret=SHARED_SECRET \
    --router=ROUTER_NAME_1 \
    --vpn-gateway=GW_NAME_1 \
    --interface=INT_NUM_1
The command output looks similar to the following example:
Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-b-if-0].
NAME                REGION       VPN_GATEWAY  VPN_INTERFACE  PEER_ADDRESS
tunnel-a-to-b-if-0  us-central1  ha-vpn-gw-a  0              ha-vpn-gw-b
Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-b-if-1].
NAME                REGION       VPN_GATEWAY  VPN_INTERFACE  PEER_ADDRESS
tunnel-a-to-b-if-1  us-central1  ha-vpn-gw-a  1              ha-vpn-gw-b
Create two tunnels on GW_NAME_2
Create two VPN tunnels, one on each interface, of GW_NAME_2 in NETWORK_2.
- The tunnel that you create from interface 0 of GW_NAME_2 must connect to the external IP address associated with interface 0 of GW_NAME_1 in NETWORK_1.
- The tunnel from interface 1 of GW_NAME_2 must connect to the external IP address associated with interface 1 of GW_NAME_1.
In the following commands, replace the following:
- REGION: the region where GW_NAME_2 is located
- Optional: --vpn-gateway-region is the region of the VPN gateway to operate on. Its value should be the same as --region. If not specified, this option is automatically set. This option overrides the default region property value for this command invocation.
- TUNNEL_NAME_GW2_IF0 and TUNNEL_NAME_GW2_IF1: a name for each tunnel originating from GW_NAME_2; naming the tunnels by including the gateway interface name can help identify the tunnels later
- GW_NAME_1: the value of --peer-gcp-gateway
- IKE_VERS: 2 for IKEv2; because these tunnels connect to the two tunnels created in the previous step, they must use the same IKE version (Google recommends using IKEv2). To allow IPv6 traffic, you must use IKEv2.
- SHARED_SECRET: your pre-shared key (shared secret), which must match the pre-shared key for the partner tunnel that you created on each interface of GW_NAME_1; for recommendations, see Generate a strong pre-shared key
- GW_NAME_2: the name of the second gateway that you configured in the gateway configuration step
- INT_NUM_0: the number 0 for the first interface on GW_NAME_2
- INT_NUM_1: the number 1 for the second interface on GW_NAME_2
- If the peer-gcp-gateway is in a different project than the VPN tunnel and local VPN gateway, to specify the project, use the --peer-gcp-gateway option as a full URI or as a relative name. The following sample option is a relative name for the first gateway, which is the peer of these tunnels: --peer-gcp-gateway projects/other-project/regions/us-central1/vpnGateways/ha-vpn-gw-a
- --peer-gcp-gateway-region, which is the region of the peer-side HA VPN gateway to which the VPN tunnel is connected, must be in the same region as the VPN tunnel. If not specified, the region is automatically set.
Create the first tunnel on GW_NAME_2 INT_NUM_0
gcloud compute vpn-tunnels create TUNNEL_NAME_GW2_IF0 \
    --peer-gcp-gateway=GW_NAME_1 \
    --region=REGION \
    --ike-version=IKE_VERS \
    --shared-secret=SHARED_SECRET \
    --router=ROUTER_NAME_2 \
    --vpn-gateway=GW_NAME_2 \
    --interface=INT_NUM_0
Create the second tunnel on GW_NAME_2 INT_NUM_1
gcloud compute vpn-tunnels create TUNNEL_NAME_GW2_IF1 \
    --peer-gcp-gateway=GW_NAME_1 \
    --region=REGION \
    --ike-version=IKE_VERS \
    --shared-secret=SHARED_SECRET \
    --router=ROUTER_NAME_2 \
    --vpn-gateway=GW_NAME_2 \
    --interface=INT_NUM_1
The command output looks similar to the following example:
Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-b-to-a-if-0].
NAME                REGION       VPN_GATEWAY  VPN_INTERFACE  PEER_ADDRESS
tunnel-b-to-a-if-0  us-central1  ha-vpn-gw-b  0              ha-vpn-gw-a
Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-b-to-a-if-1].
NAME                REGION       VPN_GATEWAY  VPN_INTERFACE  PEER_ADDRESS
tunnel-b-to-a-if-1  us-central1  ha-vpn-gw-b  1              ha-vpn-gw-a
After this step, wait a few minutes, and then check the status of each VPN tunnel.
A VPN tunnel's state changes to Established only when the corresponding partner tunnel is also available and properly configured. A valid IKE and Child Security Association (SA) must also be negotiated between them. For example, tunnel-a-to-b-if-0 on ha-vpn-gw-a can only be established if tunnel-b-to-a-if-0 on ha-vpn-gw-b is configured and available.
API
To create two VPN tunnels, one for each interface on an HA VPN gateway, make a POST request to the vpnTunnels.insert method.
To create the first tunnel, run the following command:
POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/vpnTunnels
{
  "name": "ha-vpn-gw-a-tunnel-0",
  "ikeVersion": 2,
  "peerGcpGateway": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/vpnGateways/ha-vpn-gw-b",
  "router": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/routers/router-a",
  "sharedSecret": "SECRET_1",
  "vpnGateway": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/vpnGateways/ha-vpn-gw-a",
  "vpnGatewayInterface": 0
}
If you plan to enable IPv6 in the BGP session associated with this tunnel, you must specify 2 for the ikeVersion.
To create the second tunnel, repeat the preceding command, but change the following parameters:
- name: for example, ha-vpn-gw-a-tunnel-1
- sharedSecret or sharedSecretHash (if needed)
- vpnGatewayInterface: change to the value of the other HA VPN gateway interface; in this example, change this value to 1
Next, create two tunnels for your second HA VPN gateway that connect to your first HA VPN gateway.
To create the first tunnel on the second HA VPN gateway, run the following command:
POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/vpnTunnels
{
  "name": "ha-vpn-gw-b-tunnel-0",
  "ikeVersion": 2,
  "peerGcpGateway": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/vpnGateways/ha-vpn-gw-a",
  "router": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/routers/router-b",
  "sharedSecret": "SECRET_1",
  "vpnGateway": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/vpnGateways/ha-vpn-gw-b",
  "vpnGatewayInterface": 0
}
Use the same sharedSecret that you specified for the first tunnel on the first gateway (ha-vpn-gw-a-tunnel-0).
If you plan to enable IPv6 in the BGP session associated with this tunnel, you must specify 2 for the ikeVersion.
To create the second tunnel on the second HA VPN gateway, repeat the preceding command, but change the following parameters:
- name: for example, ha-vpn-gw-b-tunnel-1
- sharedSecret or sharedSecretHash: specify the sharedSecret or sharedSecretHash that you used when creating the second tunnel on the first gateway
- vpnGatewayInterface: change to the value of the other HA VPN gateway interface; in this example, change this value to 1
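The four request bodies above differ only in name, interface and which gateway is local versus peer, and the two tunnels of an interface pair must carry the same secret. The following added example (not code from the Google Cloud documentation or the Compute Engine API client library) builds all four vpnTunnels.insert bodies from one description of the gateway pair, generates one strong pre-shared key per interface pair so that the secret is reused only where the page requires it, and verifies the pairing before anything is sent. The project, region, gateway and router names in the usage are assumptions; when the second gateway lives in another project, pass peer_project and the peer URL takes the cross-project form.

```python
"""Build the vpnTunnels.insert request bodies for a pair of HA VPN gateways.

Added example; not code from the Google Cloud documentation or an official
client library. Project, region, gateway and router names are assumptions.
"""
import json
import secrets

API = "https://www.googleapis.com/compute/v1"


def strong_psk():
    """32 random bytes as URL-safe base64 (43 characters). Generated locally
    and kept by the caller: the API never returns the secret after creation."""
    return secrets.token_urlsafe(32)


def tunnel_bodies(project, region, gw_a, router_a, gw_b, router_b,
                  peer_project=None, psks=None):
    """Return {(gateway_name, interface): request_body} for all four tunnels.

    peer_project: project of gw_b and router_b when they are not in `project`.
    psks: optional (secret_for_interface_0, secret_for_interface_1); generated
    when omitted. Each body is POSTed to the project/region of its vpnGateway.
    """
    psks = psks or (strong_psk(), strong_psk())
    peer_project = peer_project or project

    def gateway_url(proj, name):
        return f"{API}/projects/{proj}/regions/{region}/vpnGateways/{name}"

    def router_url(proj, name):
        return f"{API}/projects/{proj}/regions/{region}/routers/{name}"

    bodies = {}
    sides = (
        (project, gw_a, router_a, peer_project, gw_b),      # tunnels on gateway A
        (peer_project, gw_b, router_b, project, gw_a),      # tunnels on gateway B
    )
    for local_proj, local_gw, local_router, peer_proj, peer_gw in sides:
        for iface in (0, 1):
            bodies[(local_gw, iface)] = {
                "name": f"{local_gw}-tunnel-{iface}",
                "ikeVersion": 2,                          # required for IPv6 route exchange
                "peerGcpGateway": gateway_url(peer_proj, peer_gw),
                "router": router_url(local_proj, local_router),
                "sharedSecret": psks[iface],              # same secret on both ends of a pair
                "vpnGateway": gateway_url(local_proj, local_gw),
                "vpnGatewayInterface": iface,             # interface N pairs with interface N
            }
    return bodies


def pairing_ok(bodies):
    """True when every tunnel's partner (same interface on the peer gateway)
    exists, points back at this gateway, and shares the same secret."""
    name_by_url = {body["vpnGateway"]: gw for (gw, _), body in bodies.items()}
    for (gw, iface), body in bodies.items():
        peer_gw = name_by_url.get(body["peerGcpGateway"])
        partner = bodies.get((peer_gw, iface))
        if partner is None or partner["peerGcpGateway"] != body["vpnGateway"]:
            return False
        if partner["sharedSecret"] != body["sharedSecret"]:
            return False
    return True


if __name__ == "__main__":
    bodies = tunnel_bodies("my-project", "us-central1",
                           "ha-vpn-gw-a", "router-a", "ha-vpn-gw-b", "router-b")
    assert pairing_ok(bodies)
    for (gw, iface), body in bodies.items():
        print(f"POST .../projects/.../regions/us-central1/vpnTunnels  ({gw}, interface {iface})")
        print(json.dumps(body, indent=2))
```

The secrets are printed here only because this is a demonstration; in practice store them in a secret manager before you send the requests, since the response carries only sharedSecretHash.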
Create BGP sessions
For each HA VPN tunnel, you can create anIPv4 BGP session, an IPv6 BGP session, or both.
To view specific instructions, select the type of BGP sessionthat is appropriate for your HA VPN gatewayand VPC network traffic needs.
| BGP session type | HA VPN gateway | VPC network | MP-BGP allowed? |
|---|---|---|---|
| IPv4 BGP sessions | IPv4 only or dual stack | IPv4 only or dual stack | yes |
| IPv6 BGP sessions | dual stack | dual stack | yes |
| Both IPv4 and IPv6 BGP sessions | dual stack | dual stack | no |
To use multiprotocol BGP (MP-BGP) in the BGP sessions of your HA VPN tunnels, you must use dual-stack HA VPN gateways.
You must also use a dual-stack HA VPN gateway to set up both IPv4 and IPv6 BGP sessions in the same HA VPN tunnel. However, you can't enable dual-stack route exchange (MP-BGP) in the individual IPv4 and IPv6 BGP sessions.
IPv4 BGP sessions
Console
To create BGP sessions, follow these steps:
- Click Configure BGP session.
- On the Create BGP session page, complete the following steps:
- For BGP session type, select IPv4 BGP session.
- For Name, enter a name for the BGP session.
- For Peer ASN, enter the peer ASN configured for the peer VPN gateway.
- Optional: For Advertised route priority (MED), enter the priority of routes advertised to this BGP peer.
- Optional: To enable IPv6 route exchange, click the Enable IPv6 traffic toggle.
For Allocate BGP IPv4 address, select Automatically or Manually. If you select Manually, do the following:
- For Cloud Router BGP IPv4 address, enter the Cloud Router BGP IPv4 address.
- For BGP peer IPv4 address, enter the IPv4 address of the BGP peer. The IPv4 address must meet the following requirements:
  - Each IPv4 address must belong to the same /30 subnet that fits within the 169.254.0.0/16 address range.
  - Each IPv4 address is the first or second host of the /30 subnet. The first and the last IP addresses of the subnet are reserved for network and broadcast addresses.
  - Each IPv4 address range for a BGP session must be unique among all Cloud Routers in all regions of a VPC network.
If you select Automatically, Google Cloud automatically selects the IPv4 addresses for your BGP session.
Optional: If you enabled IPv6 route exchange in the previous step, for Allocate BGP IPv6 next hop, select Automatically or Manually. If you select Manually, do the following:
- For Cloud Router BGP IPv6 next hop, enter an IPv6 address in the 2600:2d00:0:2::/63 address range. This IP address is the next hop address for IPv6 routes that are advertised by the Cloud Router.
- For Peer BGP IPv6 next hop, enter an IPv6 address in the 2600:2d00:0:2::/63 address range. This IP address is the next hop address for IPv6 routes learned by the Cloud Router from the BGP peer.
- Optional: Expand the Advanced options section.
  - To enable BGP peer, select Enabled. If enabled, the peer connection is established with routing information. For more information, see Establish BGP sessions.
  - To enable MD5 authentication, select Enabled. If enabled, MD5 authentication is used to authenticate BGP sessions. For more information, see Use MD5 authentication. You can alternatively choose to enable MD5 authentication later.
  - To add outbound routes to the BGP session, for Priority of all custom learned routes, enter a learned route priority. For more information, see Learned routes.
Click Save and continue.
Repeat the previous steps for the rest of the tunnels configured on the gateway. For each tunnel, use a different Cloud Router BGP IP address and BGP peer IP address.
Click Save BGP configuration.
gcloud
To create BGP sessions, follow these steps:
In this section, you configure Cloud Router interfaces and BGP peers; the following table provides an overview of these interfaces and peers. It shows the relationship between the IPv4 address range and the peer IPv4 addresses that you specify for each interface.
For example, the first interface of router-1 has an IPv4 address of 169.254.0.1, which means router-1 is the first host in IPv4 subnet 169.254.0.0/30. The other Cloud Router, router-2, is the BGP peer of router-1. The first interface of router-2 is assigned 169.254.0.2, which is the second host in the IPv4 subnet 169.254.0.0/30. Therefore, the peer IPv4 BGP address of router-1 is 169.254.0.2 and the peer IPv4 BGP address of router-2 is 169.254.0.1.
This table also shows an example IPv6 next hop address configuration.
Important: The BGP IPv4 address range for each BGP session must be unique among all Cloud Routers in all regions of a VPC network.

| Router | Interface name | IPv4 address range | Peer IPv4 address | Peer ASN | IPv6 next hop address | Peer IPv6 next hop address |
|---|---|---|---|---|---|---|
| router-1 | if-tunnel-a-to-b-if-0 | 169.254.0.1/30 | 169.254.0.2 | 65002 | 2600:2d00:0:2::1 | 2600:2d00:0:2::2 |
| router-2 | if-tunnel-b-to-a-if-0 | 169.254.0.2/30 | 169.254.0.1 | 65001 | 2600:2d00:0:2::2 | 2600:2d00:0:2::1 |
| router-1 | if-tunnel-a-to-b-if-1 | 169.254.1.1/30 | 169.254.1.2 | 65002 | 2600:2d00:0:2:1::1 | 2600:2d00:0:2:1::2 |
| router-2 | if-tunnel-b-to-a-if-1 | 169.254.1.2/30 | 169.254.1.1 | 65001 | 2600:2d00:0:2:1::2 | 2600:2d00:0:2:1::1 |
To create Cloud Router interfaces and BGP peers, complete the following command sequence.

Create an interface and BGP peer on ROUTER_NAME_1 for the tunnel TUNNEL_NAME_GW1_IF0. This interface connects TUNNEL_NAME_GW1_IF0 on interface 0 of GW_1 to interface 0 of GW_2. In the following commands, replace the following:

- ROUTER_1_INTERFACE_NAME_0: a name for the Cloud Router interface; using a name related to TUNNEL_NAME_GW1_IF0 is helpful.
- IP_VERSION: specify IPV4 or leave unspecified. If unspecified, the default is IPV4.
- IP_ADDRESS_1: a BGP IPv4 address from the 169.254.0.0/16 IPv4 address range that's not already in use; this example uses 169.254.0.1. If you omit this flag and don't manually assign a BGP IPv4 address, Google Cloud automatically assigns an address for you.
- MASK_LENGTH: specify 30 because the Cloud Router must use a unique /30 CIDR from the same 169.254.0.0/16 IPv4 address range.
- PEER_NAME_GW1_IF0: a name describing the BGP peer; using a name related to TUNNEL_NAME_GW1_IF0 is helpful.
- PEER_IP_ADDRESS_1: a BGP IPv4 address from the 169.254.0.0/16 range that's not already in use; this example uses 169.254.0.2. If you did not specifically assign a BGP IPv4 address, IP_ADDRESS_1, previously, omit this option as well and Google Cloud automatically assigns a matching BGP peer IPv4 address for you. If you manually specified IP_ADDRESS_1, you must also manually configure this option.
- PEER_ASN_2: the ASN number used for all interfaces on the other Cloud Router ROUTER_NAME_2; this example uses ASN number 65002.
- Optional: If you are creating IPv4 BGP sessions with MP-BGP, specify --enable-ipv6 when you run the add-bgp-peer command to enable IPv6 route exchange. You also have the option to configure IPv6 next hop addresses automatically or manually. To configure next hop addresses manually, replace both of the following:
  - IPV6_NEXTHOP_ADDRESS_1: the next hop address for IPv6 routes that are advertised by Cloud Router.
  - PEER_IPV6_NEXTHOP_ADDRESS_1: the next hop address for IPv6 routes learned by the Cloud Router from the BGP peer.
  The next hop address must be in the 2600:2d00:0:2::/63 IPv6 address range. If you don't specify the IPv6 next hop addresses, then Google Cloud automatically assigns unused addresses from the 2600:2d00:0:2::/63 IPv6 address range.
- AUTHENTICATION_KEY: the secret key to use for MD5 authentication on PEER_NAME_GW1_IF0; for more information about this optional feature, see Use MD5 authentication.
Create a Cloud Router interface for TUNNEL_NAME_GW1_IF0. To create an interface with an IPv4 address on Cloud Router, run the following command:

```sh
gcloud compute routers add-interface ROUTER_NAME_1 \
    --interface-name=ROUTER_1_INTERFACE_NAME_0 \
    --ip-address=IP_ADDRESS_1 \
    --mask-length=MASK_LENGTH \
    --vpn-tunnel=TUNNEL_NAME_GW1_IF0 \
    --region=REGION
```

Create a BGP peer for TUNNEL_NAME_GW1_IF0. The following example command creates an IPv6-enabled BGP peer with manually specified IPv4 BGP addresses and IPv6 next hop addresses:

```sh
gcloud compute routers add-bgp-peer ROUTER_NAME_1 \
    --peer-name=PEER_NAME_GW1_IF0 \
    --interface=ROUTER_1_INTERFACE_NAME_0 \
    --peer-ip-address=PEER_IP_ADDRESS_1 \
    --peer-asn=PEER_ASN_2 \
    --region=REGION \
    --enable-ipv6 \
    --ipv6-nexthop-address=IPV6_NEXTHOP_ADDRESS_1 \
    --peer-ipv6-nexthop-address=PEER_IPV6_NEXTHOP_ADDRESS_1
```

The following command creates an IPv4 BGP peer without IPv6 enabled:

```sh
gcloud compute routers add-bgp-peer ROUTER_NAME_1 \
    --peer-name=PEER_NAME_GW1_IF0 \
    --interface=ROUTER_1_INTERFACE_NAME_0 \
    --peer-ip-address=PEER_IP_ADDRESS_1 \
    --peer-asn=PEER_ASN_2 \
    --region=REGION
```

Optional: To use MD5 authentication, use the --md5-authentication-key flag to provide your secret key:

```sh
gcloud compute routers add-bgp-peer ROUTER_NAME_1 \
    --peer-name=PEER_NAME_GW1_IF0 \
    --interface=ROUTER_1_INTERFACE_NAME_0 \
    --peer-ip-address=PEER_IP_ADDRESS_1 \
    --peer-asn=PEER_ASN_2 \
    --region=REGION \
    --md5-authentication-key=AUTHENTICATION_KEY
```

The command output looks similar to the following example:

```
Updated [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-a].
```
Create an interface and a BGP peer on ROUTER_NAME_1 for the tunnel TUNNEL_NAME_GW1_IF1. This interface is used to connect TUNNEL_NAME_GW1_IF1 on interface 1 of GW_1 to interface 1 of GW_2. In the following commands, replace the following:

- ROUTER_1_INTERFACE_NAME_1: a Cloud Router interface name; using a name related to TUNNEL_NAME_GW1_IF1 is helpful.
- IP_VERSION: specify IPV4 or leave unspecified.
- IP_ADDRESS_2: optional: a BGP IPv4 address from the 169.254.0.0/16 range that's not already in use; this example uses 169.254.1.1. If you omit this flag and don't manually assign a BGP IPv4 address, Google Cloud automatically assigns an address for you.
- MASK_LENGTH: specify 30 because the Cloud Router must use a unique /30 CIDR from the same 169.254.0.0/16 IPv4 address range.
- PEER_NAME_GW1_IF1: a name describing the BGP peer; using a name related to TUNNEL_NAME_GW1_IF1 is helpful.
- PEER_IP_ADDRESS_2: a BGP IPv4 address from the 169.254.0.0/16 IPv4 address range that's not already in use; this example uses 169.254.1.2. If you did not specifically assign a BGP IPv4 address, IP_ADDRESS_2, omit this option and Google Cloud automatically assigns a matching BGP peer IPv4 address for you. If you manually specified IP_ADDRESS_2, you must also manually configure this option.
- PEER_ASN_2: the ASN number used for all interfaces on the other Cloud Router ROUTER_NAME_2; this example uses ASN number 65002.
- Optional: If you are configuring an IPv4 BGP session with MP-BGP, specify --enable-ipv6 in the add-bgp-peer command to enable IPv6 route exchange. You also have the option to configure IPv6 next hop addresses manually. To configure next hop addresses, replace both of the following:
  - IPV6_NEXTHOP_ADDRESS_2: the next hop address for IPv6 routes that are advertised by Cloud Router; the address must be in the 2600:2d00:0:2::/63 IPv6 address range.
  - PEER_IPV6_NEXTHOP_ADDRESS_2: the next hop address for IPv6 routes learned by the Cloud Router from the BGP peer; the address must be in the 2600:2d00:0:2::/63 IPv6 address range.
  If you don't specify the IPv6 next hop addresses, Google Cloud automatically assigns unused addresses from the 2600:2d00:0:2::/63 IPv6 address range.
- AUTHENTICATION_KEY_2: the secret key to use for MD5 authentication on PEER_NAME_GW1_IF1; for more information about this optional feature, see Use MD5 authentication.
Create a Cloud Router interface for TUNNEL_NAME_GW1_IF1. To create an interface with an IPv4 address, run the following command:

```sh
gcloud compute routers add-interface ROUTER_NAME_1 \
    --interface-name=ROUTER_1_INTERFACE_NAME_1 \
    --ip-address=IP_ADDRESS_2 \
    --mask-length=MASK_LENGTH \
    --vpn-tunnel=TUNNEL_NAME_GW1_IF1 \
    --region=REGION
```

Create a BGP peer for TUNNEL_NAME_GW1_IF1. The following example command creates an IPv6-enabled BGP peer with manually specified IPv4 BGP addresses and IPv6 next hop addresses:

```sh
gcloud compute routers add-bgp-peer ROUTER_NAME_1 \
    --peer-name=PEER_NAME_GW1_IF1 \
    --interface=ROUTER_1_INTERFACE_NAME_1 \
    --peer-ip-address=PEER_IP_ADDRESS_2 \
    --peer-asn=PEER_ASN_2 \
    --region=REGION \
    --enable-ipv6 \
    --ipv6-nexthop-address=IPV6_NEXTHOP_ADDRESS_2 \
    --peer-ipv6-nexthop-address=PEER_IPV6_NEXTHOP_ADDRESS_2
```

The following command creates an IPv4 BGP peer that does not have IPv6 route exchange enabled:

```sh
gcloud compute routers add-bgp-peer ROUTER_NAME_1 \
    --peer-name=PEER_NAME_GW1_IF1 \
    --interface=ROUTER_1_INTERFACE_NAME_1 \
    --peer-ip-address=PEER_IP_ADDRESS_2 \
    --peer-asn=PEER_ASN_2 \
    --region=REGION
```

Optional: To use MD5 authentication, use the --md5-authentication-key flag to provide your secret key:

```sh
gcloud compute routers add-bgp-peer ROUTER_NAME_1 \
    --peer-name=PEER_NAME_GW1_IF1 \
    --interface=ROUTER_1_INTERFACE_NAME_1 \
    --peer-ip-address=PEER_IP_ADDRESS_2 \
    --peer-asn=PEER_ASN_2 \
    --region=REGION \
    --md5-authentication-key=AUTHENTICATION_KEY_2
```

The command output looks similar to the following example:

```
Updated [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-a].
```
Verify the settings for ROUTER_NAME_1:

```sh
gcloud compute routers describe ROUTER_NAME_1 \
    --region=REGION
```

The command output looks similar to the following example:

```yaml
bgp:
  advertiseMode: DEFAULT
  asn: 65001
  keepaliveInterval: 20
bgpPeers:
- bfd:
    minReceiveInterval: 1000
    minTransmitInterval: 1000
    mode: DISABLED
    multiplier: 5
    sessionInitializationMode: DISABLED
  enable: 'TRUE'
  enableIpv6: true
  interfaceName: if-tunnel-a-to-b-if-0
  ipAddress: 169.254.0.1
  ipv6NexthopAddress: 2600:2d00:0:2:0:0:0:1
  name: bgp-peer-tunnel-a-to-b-if-0
  peerAsn: 65002
  peerIpAddress: 169.254.0.2
  peerIpv6NexthopAddress: 2600:2d00:0:2:0:0:0:2
- bfd:
    minReceiveInterval: 1000
    minTransmitInterval: 1000
    mode: DISABLED
    multiplier: 5
    sessionInitializationMode: DISABLED
  enable: 'TRUE'
  enableIpv6: true
  interfaceName: if-tunnel-a-to-b-if-1
  ipAddress: 169.254.1.1
  ipv6NexthopAddress: 2600:2d00:0:2:0:0:1:1
  name: bgp-peer-tunnel-a-to-b-if-1
  peerAsn: 65002
  peerIpAddress: 169.254.1.2
  peerIpv6NexthopAddress: 2600:2d00:0:2:0:0:1:2
creationTimestamp: '2021-10-19T14:31:52.639-07:00'
id: '4047683710114914215'
interfaces:
- ipRange: 169.254.0.1/30
  linkedVpnTunnel: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-b-if-0
  name: if-tunnel-a-to-b-if-0
- ipRange: 169.254.1.1/30
  linkedVpnTunnel: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-b-if-1
  name: if-tunnel-a-to-b-if-1
kind: compute#router
name: router-a
network: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/network-a
region: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1
selfLink: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-a
```
Create an interface and a BGP peer on ROUTER_NAME_2 for the tunnel TUNNEL_NAME_GW2_IF0. This interface connects TUNNEL_NAME_GW2_IF0 on interface 0 of GW_2 to interface 0 of GW_1. In the following commands, replace the following:

- ROUTER_2_INTERFACE_NAME_0: a Cloud Router interface name; using a name related to TUNNEL_NAME_GW2_IF0 is helpful.
- IP_VERSION: specify IPV4 or leave unspecified. If unspecified, the default is IPV4.
- IP_ADDRESS_3: if you manually configured PEER_IP_ADDRESS_1 for TUNNEL_NAME_GW1_IF0, then specify that value for IP_ADDRESS_3. If Google Cloud automatically assigned this peer IPv4 address, then you must find out which address has been allocated by Google Cloud. Run the gcloud compute routers describe ROUTER_NAME_1 command. In the output for the BGP peer PEER_NAME_GW1_IF0, use the value that appears in the peerIpAddress field. This example uses 169.254.0.2.
- MASK_LENGTH: specify 30 because the Cloud Router must use a unique /30 CIDR from the same 169.254.0.0/16 IPv4 address range.
- PEER_NAME_GW2_IF0: a name describing the BGP peer; using a name related to TUNNEL_NAME_GW2_IF0 is helpful.
- PEER_IP_ADDRESS_3: the BGP IPv4 address used previously when you configured the first gateway and interface. Run the gcloud compute routers describe ROUTER_NAME_1 command, and use the value that appears in the ipAddress field for the BGP peer PEER_NAME_GW1_IF0 that you created for TUNNEL_NAME_GW1_IF0. This example uses 169.254.0.1.
- PEER_ASN_1: the ASN number used for all interfaces on ROUTER_NAME_1 and that was set previously; this example uses ASN number 65001.
- Optional: If you are creating VPN tunnels with IPv4 BGP sessions and MP-BGP, specify --enable-ipv6 in the add-bgp-peer command to enable IPv6 traffic. You must configure the IPv6 next hop addresses to match the interface and BGP peer configured for the first gateway. To configure next hop addresses, replace both of the following:
  - IPV6_NEXTHOP_ADDRESS_3: the next hop address for IPv6 routes that you specified previously in PEER_IPV6_NEXTHOP_ADDRESS_1. If you automatically assigned IPv6 next hop addresses when you created the interface and BGP peer for TUNNEL_NAME_GW1_IF0 on ROUTER_NAME_1, then you must find out what IPv6 next hop address has been allocated by Google Cloud. Run gcloud compute routers describe ROUTER_NAME_1 and check the output for the BGP peer PEER_NAME_GW1_IF0 that you set up for TUNNEL_NAME_GW1_IF0. Use the value that appears in the peerIpv6NexthopAddress field. This example uses 2600:2d00:0:2:0:0:0:2.
  - PEER_IPV6_NEXTHOP_ADDRESS_3: the next hop address for IPv6 routes learned by the Cloud Router from the BGP peer. Use the value that you specified previously in IPV6_NEXTHOP_ADDRESS_1. If you automatically assigned IPv6 next hop addresses, run the gcloud compute routers describe ROUTER_NAME_1 command and check the output for the BGP peer you set up for TUNNEL_NAME_GW1_IF0. Use the value that appears in the ipv6NexthopAddress field. This example uses 2600:2d00:0:2:0:0:0:1.
- AUTHENTICATION_KEY: the secret key to use for MD5 authentication on PEER_NAME_GW2_IF0.
Create a Cloud Router interface for TUNNEL_NAME_GW2_IF0. To create an interface with an IPv4 address, run the following command:

```sh
gcloud compute routers add-interface ROUTER_NAME_2 \
    --interface-name=ROUTER_2_INTERFACE_NAME_0 \
    --ip-address=IP_ADDRESS_3 \
    --mask-length=MASK_LENGTH \
    --vpn-tunnel=TUNNEL_NAME_GW2_IF0 \
    --region=REGION
```

Create a BGP peer for TUNNEL_NAME_GW2_IF0. The following example command creates a BGP peer with IPv6 route exchange enabled:

```sh
gcloud compute routers add-bgp-peer ROUTER_NAME_2 \
    --peer-name=PEER_NAME_GW2_IF0 \
    --interface=ROUTER_2_INTERFACE_NAME_0 \
    --peer-ip-address=PEER_IP_ADDRESS_3 \
    --peer-asn=PEER_ASN_1 \
    --region=REGION \
    --enable-ipv6 \
    --ipv6-nexthop-address=IPV6_NEXTHOP_ADDRESS_3 \
    --peer-ipv6-nexthop-address=PEER_IPV6_NEXTHOP_ADDRESS_3
```

The following command creates an IPv4 BGP peer without IPv6 route exchange enabled:

```sh
gcloud compute routers add-bgp-peer ROUTER_NAME_2 \
    --peer-name=PEER_NAME_GW2_IF0 \
    --interface=ROUTER_2_INTERFACE_NAME_0 \
    --peer-ip-address=PEER_IP_ADDRESS_3 \
    --peer-asn=PEER_ASN_1 \
    --region=REGION
```

Alternatively, if you configured ROUTER_NAME_1 to use MD5 authentication for PEER_NAME_GW1_IF0, configure ROUTER_NAME_2 to use MD5 authentication, as follows:

```sh
gcloud compute routers add-bgp-peer ROUTER_NAME_2 \
    --peer-name=PEER_NAME_GW2_IF0 \
    --interface=ROUTER_2_INTERFACE_NAME_0 \
    --peer-ip-address=PEER_IP_ADDRESS_3 \
    --peer-asn=PEER_ASN_1 \
    --region=REGION \
    --md5-authentication-key=AUTHENTICATION_KEY
```

The command output looks similar to the following example:

```
Updated [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-b].
```
Create an interface with an IPv4 address and a BGP peer on ROUTER_NAME_2 for the tunnel TUNNEL_NAME_GW2_IF1. This interface connects TUNNEL_NAME_GW2_IF1 on interface 1 of GW_2 to interface 1 of GW_1. In the following commands, replace the following:

- ROUTER_2_INTERFACE_NAME_1: a Cloud Router interface name; using a name related to TUNNEL_NAME_GW2_IF1 is helpful.
- IP_VERSION: specify IPV4 or leave unspecified. If unspecified, the default is IPV4.
- IP_ADDRESS_4: if you manually assigned a BGP IPv4 address for PEER_IP_ADDRESS_2 for TUNNEL_NAME_GW1_IF1, then specify that value for IP_ADDRESS_4. If Google Cloud automatically assigned the IPv4 address, then you must find out which address has been allocated by Google Cloud. Run the gcloud compute routers describe ROUTER_NAME_1 command. In the output for the BGP peer PEER_NAME_GW1_IF1, use the value that appears in the peerIpAddress field. This example uses 169.254.1.2.
- MASK_LENGTH: for an interface with an IPv4 address, specify 30 because the Cloud Router must use a unique /30 CIDR from the same 169.254.0.0/16 IPv4 address range. For an interface with an IPv6 address, specify a mask length of 126 or lower.
- PEER_NAME_GW2_IF1: a name describing the BGP peer; using a name related to TUNNEL_NAME_GW2_IF1 is helpful.
- PEER_IP_ADDRESS_4: the IP address you specified as IP_ADDRESS_2 when you configured the first gateway and interface. Run the gcloud compute routers describe ROUTER_NAME_1 command, and use the value that appears in the ipAddress field for the BGP peer you created for TUNNEL_NAME_GW1_IF1. This example uses 169.254.1.1.
- PEER_ASN_1: the ASN number used for all interfaces on ROUTER_NAME_1 and that was set previously; this example uses ASN number 65001.
- Optional: If you are configuring an IPv4 BGP session with MP-BGP, specify --enable-ipv6 in the add-bgp-peer command to enable IPv6 route exchange. You also have the option to configure IPv6 next hop addresses manually. To configure next hop addresses, replace both of the following:
  - IPV6_NEXTHOP_ADDRESS_4: the next hop address for IPv6 routes that you specified previously in PEER_IPV6_NEXTHOP_ADDRESS_2. If you automatically assigned IPv6 next hop addresses when you created the interface and BGP peer for TUNNEL_NAME_GW1_IF1 on ROUTER_NAME_1, then you must find out what IPv6 next hop address has been allocated by Google Cloud. Run the gcloud compute routers describe ROUTER_NAME_1 command and check the output for the BGP peer PEER_NAME_GW1_IF1 that you set up for TUNNEL_NAME_GW1_IF1. Use the value that appears in the peerIpv6NexthopAddress field.
  - PEER_IPV6_NEXTHOP_ADDRESS_4: the next hop address for IPv6 routes learned by the Cloud Router from the BGP peer. Use the value that you specified previously in IPV6_NEXTHOP_ADDRESS_2. If you automatically assigned IPv6 next hop addresses, run the gcloud compute routers describe ROUTER_NAME_1 command and check the output for the BGP peer PEER_NAME_GW1_IF1 that you set up for TUNNEL_NAME_GW1_IF1. Use the value that appears in the ipv6NexthopAddress field. This example uses 2600:2d00:0:2:0:0:1:1.
- AUTHENTICATION_KEY_2: the secret key to use for MD5 authentication on PEER_NAME_GW2_IF1.
Create a Cloud Router interface for TUNNEL_NAME_GW2_IF1:

```sh
gcloud compute routers add-interface ROUTER_NAME_2 \
    --interface-name=ROUTER_2_INTERFACE_NAME_1 \
    --ip-address=IP_ADDRESS_4 \
    --mask-length=MASK_LENGTH \
    --vpn-tunnel=TUNNEL_NAME_GW2_IF1 \
    --region=REGION
```

The command output looks similar to the following example:

```
Updated [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-b].
```

Create a BGP peer for TUNNEL_NAME_GW2_IF1. The following example command creates a BGP peer with IPv6 route exchange enabled:

```sh
gcloud compute routers add-bgp-peer ROUTER_NAME_2 \
    --peer-name=PEER_NAME_GW2_IF1 \
    --interface=ROUTER_2_INTERFACE_NAME_1 \
    --peer-ip-address=PEER_IP_ADDRESS_4 \
    --peer-asn=PEER_ASN_1 \
    --region=REGION \
    --enable-ipv6 \
    --ipv6-nexthop-address=IPV6_NEXTHOP_ADDRESS_4 \
    --peer-ipv6-nexthop-address=PEER_IPV6_NEXTHOP_ADDRESS_4
```

The following command creates a BGP peer without IPv6 route exchange enabled:

```sh
gcloud compute routers add-bgp-peer ROUTER_NAME_2 \
    --peer-name=PEER_NAME_GW2_IF1 \
    --interface=ROUTER_2_INTERFACE_NAME_1 \
    --peer-ip-address=PEER_IP_ADDRESS_4 \
    --peer-asn=PEER_ASN_1 \
    --region=REGION
```

Alternatively, if you configured ROUTER_NAME_1 to use MD5 authentication for PEER_NAME_GW1_IF1, configure ROUTER_NAME_2 to use MD5 authentication, as follows:

```sh
gcloud compute routers add-bgp-peer ROUTER_NAME_2 \
    --peer-name=PEER_NAME_GW2_IF1 \
    --interface=ROUTER_2_INTERFACE_NAME_1 \
    --peer-ip-address=PEER_IP_ADDRESS_4 \
    --peer-asn=PEER_ASN_1 \
    --region=REGION \
    --md5-authentication-key=AUTHENTICATION_KEY_2
```

The command output looks similar to the following example:

```
Updated [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-b].
```
Verify the settings for ROUTER_NAME_2:

```sh
gcloud compute routers describe ROUTER_NAME_2 \
    --region=REGION
```

The command output looks similar to the following example:

```yaml
bgp:
  advertiseMode: DEFAULT
  asn: 65002
bgpPeers:
- bfd:
    minReceiveInterval: 1000
    minTransmitInterval: 1000
    mode: DISABLED
    multiplier: 5
    sessionInitializationMode: DISABLED
  enable: 'TRUE'
  enableIpv6: true
  interfaceName: if-tunnel-b-to-a-if-0
  ipAddress: 169.254.0.2
  ipv6NexthopAddress: 2600:2d00:0:2:0:0:0:2
  name: bgp-peer-tunnel-b-to-a-if-0
  peerAsn: 65001
  peerIpAddress: 169.254.0.1
  peerIpv6NexthopAddress: 2600:2d00:0:2:0:0:0:1
- bfd:
    minReceiveInterval: 1000
    minTransmitInterval: 1000
    mode: DISABLED
    multiplier: 5
    sessionInitializationMode: DISABLED
  enable: 'TRUE'
  enableIpv6: true
  interfaceName: if-tunnel-b-to-a-if-1
  ipAddress: 169.254.1.2
  ipv6NexthopAddress: 2600:2d00:0:2:0:0:1:2
  name: bgp-peer-tunnel-b-to-a-if-1
  peerAsn: 65001
  peerIpAddress: 169.254.1.1
  peerIpv6NexthopAddress: 2600:2d00:0:2:0:0:1:1
creationTimestamp: '2021-10-19T14:31:52.639-07:00'
id: '4047683710114914215'
interfaces:
- ipRange: 169.254.0.1/30
  linkedVpnTunnel: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-b-to-a-if-0
  name: if-tunnel-b-to-a-if-0
- ipRange: 169.254.1.1/30
  linkedVpnTunnel: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-b-to-a-if-1
  name: if-tunnel-b-to-a-if-1
kind: compute#router
name: router-b
network: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/network-b
region: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1
selfLink: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-b
```
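As an added check that is not part of this page or of the gcloud tooling, the script below applies the /30 requirements listed under the Console steps and the mirroring shown in the interface tables to the bgpPeers entries of the two describe outputs. The router data is a constructed sample copied from the outputs above (only the fields the check needs); it assumes one Cloud Router per VPC network and the page's `...-if-N` interface naming convention.

```python
import ipaddress

# Ranges this page requires for IPv4 BGP sessions and their IPv6 next hops.
BGP_IPV4_RANGE = ipaddress.ip_network("169.254.0.0/16")
IPV6_NEXTHOP_RANGE = ipaddress.ip_network("2600:2d00:0:2::/63")


def _peer(name, iface, ip, peer_ip, peer_asn, nh6, peer_nh6):
    """Build one bgpPeers entry in the shape of the describe output (MP-BGP enabled)."""
    return {"name": name, "interfaceName": iface, "ipAddress": ip,
            "peerIpAddress": peer_ip, "peerAsn": peer_asn, "enableIpv6": True,
            "ipv6NexthopAddress": nh6, "peerIpv6NexthopAddress": peer_nh6}


# Constructed sample: the fields that matter from the two describe outputs on this page.
ROUTER_A = {"name": "router-a", "bgp": {"asn": 65001}, "bgpPeers": [
    _peer("bgp-peer-tunnel-a-to-b-if-0", "if-tunnel-a-to-b-if-0", "169.254.0.1",
          "169.254.0.2", 65002, "2600:2d00:0:2:0:0:0:1", "2600:2d00:0:2:0:0:0:2"),
    _peer("bgp-peer-tunnel-a-to-b-if-1", "if-tunnel-a-to-b-if-1", "169.254.1.1",
          "169.254.1.2", 65002, "2600:2d00:0:2:0:0:1:1", "2600:2d00:0:2:0:0:1:2"),
]}
ROUTER_B = {"name": "router-b", "bgp": {"asn": 65002}, "bgpPeers": [
    _peer("bgp-peer-tunnel-b-to-a-if-0", "if-tunnel-b-to-a-if-0", "169.254.0.2",
          "169.254.0.1", 65001, "2600:2d00:0:2:0:0:0:2", "2600:2d00:0:2:0:0:0:1"),
    _peer("bgp-peer-tunnel-b-to-a-if-1", "if-tunnel-b-to-a-if-1", "169.254.1.2",
          "169.254.1.1", 65001, "2600:2d00:0:2:0:0:1:2", "2600:2d00:0:2:0:0:1:1"),
]}


def check_session(peer):
    """Return the address problems of one bgpPeers entry (an empty list means it passes)."""
    problems = []
    local = ipaddress.ip_address(peer["ipAddress"])
    remote = ipaddress.ip_address(peer["peerIpAddress"])
    subnet = ipaddress.ip_network(f"{local}/30", strict=False)
    if not subnet.subnet_of(BGP_IPV4_RANGE):
        problems.append(f"{subnet} is outside {BGP_IPV4_RANGE}")
    if remote not in subnet:
        problems.append(f"peer {remote} is not in the same /30 as {local}")
    # hosts() of a /30 yields exactly its first and second host; the network and
    # broadcast addresses are reserved and must not be used for either side.
    usable = set(subnet.hosts())
    for addr in (local, remote):
        if addr in subnet and addr not in usable:
            problems.append(f"{addr} is the network or broadcast address of {subnet}")
    if local == remote:
        problems.append("local and peer addresses are identical")
    if peer.get("enableIpv6"):
        for key in ("ipv6NexthopAddress", "peerIpv6NexthopAddress"):
            if ipaddress.ip_address(peer[key]) not in IPV6_NEXTHOP_RANGE:
                problems.append(f"{key} {peer[key]} is outside {IPV6_NEXTHOP_RANGE}")
    return problems


def _same(a, b):
    """Compare two textual addresses by value, so 2600:...:0:1 equals 2600:...::1."""
    return ipaddress.ip_address(a) == ipaddress.ip_address(b)


def mirror_of(peer, other_router):
    """Find the session on the other router whose addresses are the reverse of this one's."""
    for candidate in other_router["bgpPeers"]:
        if (_same(candidate["ipAddress"], peer["peerIpAddress"])
                and _same(candidate["peerIpAddress"], peer["ipAddress"])):
            return candidate
    return None


def check_pair(router_a, router_b):
    """Check every session on both routers and that each is mirrored by the other router."""
    problems = []
    for router, other in ((router_a, router_b), (router_b, router_a)):
        subnets = set()
        for peer in router["bgpPeers"]:
            tag = f"{router['name']}/{peer['name']}"
            problems += [f"{tag}: {p}" for p in check_session(peer)]
            # One /30 per session: the page requires uniqueness across all Cloud Routers
            # of a VPC network; here each router sits in its own network.
            subnet = ipaddress.ip_network(f"{peer['ipAddress']}/30", strict=False)
            if subnet in subnets:
                problems.append(f"{tag}: {subnet} is reused by another session")
            subnets.add(subnet)
            if peer["peerAsn"] != other["bgp"]["asn"]:
                problems.append(f"{tag}: peerAsn {peer['peerAsn']} is not the ASN of {other['name']}")
            twin = mirror_of(peer, other)
            if twin is None:
                problems.append(f"{tag}: no session on {other['name']} mirrors it")
                continue
            # interface 0 must pair with interface 0 and 1 with 1; this assumes the
            # page's "...-if-N" interface naming convention.
            if peer["interfaceName"].rsplit("-", 1)[-1] != twin["interfaceName"].rsplit("-", 1)[-1]:
                problems.append(f"{tag}: paired with {twin['interfaceName']} (interface index mismatch)")
            if bool(peer.get("enableIpv6")) != bool(twin.get("enableIpv6")):
                problems.append(f"{tag}: MP-BGP (enableIpv6) is enabled on one side only")
            elif peer.get("enableIpv6") and not (
                    _same(peer["ipv6NexthopAddress"], twin["peerIpv6NexthopAddress"])
                    and _same(peer["peerIpv6NexthopAddress"], twin["ipv6NexthopAddress"])):
                problems.append(f"{tag}: IPv6 next hops are not mirrored by {twin['name']}")
            if ("md5AuthenticationKeyName" in peer) != ("md5AuthenticationKeyName" in twin):
                problems.append(f"{tag}: MD5 authentication is configured on one side only")
    return problems


if __name__ == "__main__":
    for line in check_pair(ROUTER_A, ROUTER_B) or ["both routers pass"]:
        print(line)
```

To run it against real routers, load the two describe outputs with a YAML parser and pass the resulting dicts to check_pair.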
API
To create a Cloud Router interface, make one of the following requests:

- PATCH: Use the routers.patch method.
- UPDATE: Use the routers.update method.

The PATCH request updates only the parameters that you include, whereas the UPDATE request updates all the parameters of a Cloud Router. You must create a Cloud Router interface for each VPN tunnel on the HA VPN gateway.

Note: For information about setting advertised routes, see Setting the base advertised route priority. The BGP IPv4 address ranges that you specify must be unique among all Cloud Routers in all regions of a VPC network.

```
PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/routers/ROUTER_NAME
{
  "interfaces": [
    {
      "name": "if-tunnel-a-to-on-prem-if-0",
      "linkedVpnTunnel": "ha-vpn-gw-a-tunnel-0",
      "ipRange": "169.254.0.1/30"
    }
  ]
}
```

To add a BGP peer configuration to the interface, make one of the following requests:

- PATCH: Use the routers.patch method.
- UPDATE: Use the routers.update method.

Repeat this command for the other VPN tunnel, changing all options except name and peerAsn.

To create a full BGP session configuration for an HA VPN gateway, use the following API command:

```
PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/routers/ROUTER_NAME
{
  "bgpPeers": [
    {
      "name": "bgp-peer-tunnel-a-to-on-prem-if-0",
      "interfaceName": "if-tunnel-a-to-on-prem-if-0",
      "ipAddress": "169.254.0.1",
      "peerIpAddress": "169.254.0.2",
      "peerAsn": 65002,
      "advertiseMode": "DEFAULT"
    }
  ]
}
```

To create the full BGP session configuration for an HA VPN gateway with IPv6 enabled, use the following API command:

```
PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/routers/ROUTER_NAME
{
  "bgpPeers": [
    {
      "name": "bgp-peer-tunnel-a-to-on-prem-if-0",
      "interfaceName": "if-tunnel-a-to-on-prem-if-0",
      "ipAddress": "169.254.0.1",
      "peerIpAddress": "169.254.0.2",
      "peerAsn": 65002,
      "advertiseMode": "DEFAULT",
      "enableIpv6": true,
      "ipv6NexthopAddress": "2600:2d00:0:2:0:0:0:1",
      "peerIpv6NexthopAddress": "2600:2d00:0:2:0:0:0:2"
    }
  ]
}
```

If you want to configure the session to use MD5 authentication, your request must include an authentication key, which means that it must provide both the key and a name for the key. It must also reference the key by name when creating the BGP peering session. For example:

```
PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/routers/ROUTER_NAME
{
  "md5AuthenticationKeys": [
    {
      "name": "bgppeer-1-key",
      "key": "secret_key_value"
    }
  ],
  "bgpPeers": [
    {
      "interfaceName": "if-tunnel-a-to-on-prem-if-0",
      "ipAddress": "169.254.0.1",
      "name": "bgp-peer-tunnel-a-to-on-prem-if-0",
      "peerAsn": 65002,
      "peerIpAddress": "169.254.0.2",
      "advertiseMode": "DEFAULT",
      "md5AuthenticationKeyName": "bgppeer-1-key"
    }
  ]
}
```
IPv6 BGP sessions
Console
To create BGP sessions, follow these steps:
- Click Configure BGP session.
- On the Create BGP session page, complete the following steps:
  - For BGP session type, select IPv6 BGP session.
  - For Name, enter a name for the BGP session.
  - For Peer ASN, enter the peer ASN configured for the peer VPN gateway.
  - Optional: For Advertised route priority (MED), enter the priority of routes advertised to this BGP peer.
  - Optional: To enable IPv4 route exchange, click the Enable IPv4 traffic toggle.
  - For Allocate BGP IPv6 address, select Automatically or Manually. If you select Manually, do the following:
    - For Cloud Router BGP IPv6 address, enter the Cloud Router BGP IPv6 address.
    - For BGP peer IPv6 address, enter the IPv6 address of the BGP peer. The IPv6 address must meet the following requirements:
      - Each address must be a unique local address (ULA) from the fdff:1::/64 address range with a mask length of /64. For example, fdff:1::1.
      - Each address must be unique among all Cloud Routers in all regions of a VPC network.
    If you select Automatically, Google Cloud automatically selects the IPv6 addresses for your BGP session.
  - Optional: If you enabled IPv4 route exchange in the previous step, for Allocate BGP IPv4 next hop, select Automatically or Manually. If you select Manually, do the following:
    - In the Cloud Router BGP IPv4 next hop field, enter an IPv4 address in the 169.254.0.0/16 address range. This IP address is the next hop address for IPv4 routes that are advertised by the Cloud Router.
    - In the Peer BGP IPv4 next hop field, enter an IP address in the 169.254.0.0/16 address range. This IP address is the next hop address for IPv4 routes learned by the Cloud Router from the BGP peer.
  - Optional: Expand the Advanced options section.
    - To enable BGP peer, select Enabled. If enabled, the peer connection is established with routing information. For more information, see Establish BGP sessions.
    - To add MD5 authentication, select Enabled. If enabled, you can use MD5 authentication to authenticate BGP sessions between Cloud Router and its peers. For more information, see Use MD5 authentication. You can alternatively choose to enable MD5 authentication later.
    - To add outbound routes to the BGP session, for Priority of all custom learned routes, enter a learned route priority. For more information, see Learned routes.
  - Click Save and continue.
- Repeat the previous steps for the rest of the tunnels configured on the gateway. For each tunnel, use a different Cloud Router BGP IP address and BGP peer IP address.
- Click Save BGP configuration.
gcloud
To create BGP sessions, follow these steps:
In this section, you configure IPv6 Cloud Router interfaces and BGP peers; the following table provides an overview of these interfaces and peers. It shows the relationship between the IPv6 BGP ranges and peer IP addresses that you specify for each interface.
For example, the first interface of router-1 has an IPv6 address of fdff:1::1, which means router-1 is the first host in IPv6 subnet fdff:1::/126. The other Cloud Router, router-2, is the BGP peer of router-1. The first interface of router-2 is assigned fdff:1::2, which is the second host in the IPv6 subnet fdff:1::/126. Therefore, the BGP peer IPv6 address of router-1 is fdff:1::2, and router-2's own address is fdff:1::2.
| Router | Interface name | IPv6 address range | Peer IPv6 address | Peer ASN | IPv4 next-hop address | Peer IPv4 next-hop address |
|---|---|---|---|---|---|---|
| router-1 | if-tunnel-a-to-b-if-0 | fdff:1::/64 | fdff:1::2 | 65002 | 169.254.12.1 | 169.254.12.2 |
| router-2 | if-tunnel-b-to-a-if-0 | fdff:1::/64 | fdff:1::1 | 65001 | 169.254.12.2 | 169.254.12.1 |
| router-1 | if-tunnel-a-to-b-if-1 | fdff:1::/64 | fdff:1::2 | 65002 | 169.254.13.1 | 169.254.13.2 |
| router-2 | if-tunnel-b-to-a-if-1 | fdff:1::/64 | fdff:1::1 | 65001 | 169.254.13.2 | 169.254.13.1 |
To create Cloud Router interfaces and BGP peers, complete the following command sequence.
Create an interface and BGP peer on ROUTER_NAME_1 for the tunnel TUNNEL_NAME_GW1_IF0. This interface connects TUNNEL_NAME_GW1_IF0 on interface 0 of GW_1 to interface 0 of GW_2. In the following commands, replace the following:

- ROUTER_1_INTERFACE_NAME_0: a name for the Cloud Router interface; using a name related to TUNNEL_NAME_GW1_IF0 is helpful.
- IP_VERSION: IPV6; this parameter is only required if you want Google Cloud to assign the IPv6 address automatically for this interface. If you are manually assigning an IPv6 address to this interface, you can omit this flag.
- IP_ADDRESS_1: a BGP IPv6 address from the fdff:1::/64 IPv6 address range that's not already in use; this example uses fdff:1::1. If you omit this flag and don't manually assign an IPv6 address, Google Cloud automatically assigns an address for you.
- MASK_LENGTH: specify a mask length of 126.
- PEER_NAME_GW1_IF0: a name describing the BGP peer; using a name related to TUNNEL_NAME_GW1_IF0 is helpful.
- PEER_IP_ADDRESS_1: a BGP IPv6 address from the fdff:1::/64 IPv6 address range that's not already in use; this example uses fdff:1::2. If you did not previously assign a specific BGP IPv6 address, IP_ADDRESS_1, omit this option as well and Google Cloud automatically assigns a matching BGP peer IPv6 address for you. If you manually specified IP_ADDRESS_1, you must also manually configure this option.
- PEER_ASN_2: the ASN number used for all interfaces on the other Cloud Router ROUTER_NAME_2; this example uses ASN number 65002.
- Optional: To enable IPv4 route exchange in IPv6 BGP sessions with MP-BGP, specify --enable-ipv4 when you run the gcloud compute routers add-bgp-peer command. You also have the option to configure IPv4 next hop addresses automatically or manually. To configure IPv4 next hop addresses manually, replace both of the following:
  - IPV4_NEXTHOP_ADDRESS_1: the next hop address for IPv4 routes that are advertised by Cloud Router; the address must be in the link-local IPv4 address range 169.254.0.0/16.
  - the next hop address for IPv4 routes learned by the Cloud Router from the BGP peer; the address must be in the link-local address range 169.254.0.0/16.
  If you don't specify IPv4 next hop addresses, then Google Cloud automatically assigns unused addresses from the 169.254.0.0/16 IPv4 address range for you.
- AUTHENTICATION_KEY: the secret key to use for MD5 authentication on PEER_NAME_GW1_IF0; for more information about this optional feature, see Use MD5 authentication.
Optional: Assign a BGP identifier range
When you add the first interface to a Cloud Routerwith an IPv6 address, a BGP identifier range is automaticallyassigned to the Cloud Router. If you prefer to defineyour own BGP identifier range for a Cloud Router,you can create your own range. You can also modify this rangelater.
For more information, seeConfigure the BGP identifier range for a Cloud Router.
Automatic

Create an interface for TUNNEL_NAME_GW1_IF0

To create an interface with an automatically assigned IPv6 address, run the following command:

```
gcloud compute routers add-interface ROUTER_NAME_1 \
    --interface-name=ROUTER_1_INTERFACE_NAME_0 \
    --vpn-tunnel=TUNNEL_NAME_GW1_IF0 \
    --region=REGION \
    --ip-version=IPV6
```

Create a BGP peer for TUNNEL_NAME_GW1_IF0

To create an IPv6 BGP peer with IPv4 route exchange enabled and automatically assigned IPv4 next-hop addresses, run the following command:

```
gcloud compute routers add-bgp-peer ROUTER_NAME_1 \
    --peer-name=PEER_NAME_GW1_IF0 \
    --interface=ROUTER_1_INTERFACE_NAME_0 \
    --peer-asn=PEER_ASN_2 \
    --region=REGION \
    --enable-ipv4
```

The following command creates a BGP peer without IPv4 route exchange enabled and with an automatically assigned IPv6 address:

```
gcloud compute routers add-bgp-peer ROUTER_NAME_1 \
    --peer-name=PEER_NAME_GW1_IF0 \
    --interface=ROUTER_1_INTERFACE_NAME_0 \
    --peer-asn=PEER_ASN_2 \
    --region=REGION
```

Optional: To use MD5 authentication, use the --md5-authentication-key flag to provide your secret key:

```
gcloud compute routers add-bgp-peer ROUTER_NAME_1 \
    --peer-name=PEER_NAME_GW1_IF0 \
    --interface=ROUTER_1_INTERFACE_NAME_0 \
    --peer-asn=PEER_ASN_2 \
    --region=REGION \
    --md5-authentication-key=AUTHENTICATION_KEY
```

The command output looks similar to the following example:

```
Updated [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-a].
```
Manual

Create an interface for TUNNEL_NAME_GW1_IF0

To create an interface with a manually specified IPv6 address, run the following command:

```
gcloud compute routers add-interface ROUTER_NAME_1 \
    --interface-name=ROUTER_1_INTERFACE_NAME_0 \
    --ip-address=IP_ADDRESS_1 \
    --mask-length=MASK_LENGTH \
    --vpn-tunnel=TUNNEL_NAME_GW1_IF0 \
    --region=REGION
```

Create a BGP peer for TUNNEL_NAME_GW1_IF0

To create a BGP peer with IPv4 route exchange enabled and manually specified IPv4 next-hop addresses, run the following command:

```
gcloud compute routers add-bgp-peer ROUTER_NAME_1 \
    --peer-name=PEER_NAME_GW1_IF0 \
    --interface=ROUTER_1_INTERFACE_NAME_0 \
    --peer-ip-address=PEER_IP_ADDRESS_1 \
    --peer-asn=PEER_ASN_2 \
    --region=REGION \
    --enable-ipv4 \
    --ipv4-nexthop-address=IPV4_NEXTHOP_ADDRESS_1 \
    --peer-ipv4-nexthop-address=PEER_IPV4_NEXTHOP_ADDRESS_1
```

The following command creates a BGP peer without IPv4 route exchange enabled:

```
gcloud compute routers add-bgp-peer ROUTER_NAME_1 \
    --peer-name=PEER_NAME_GW1_IF0 \
    --interface=ROUTER_1_INTERFACE_NAME_0 \
    --peer-ip-address=PEER_IP_ADDRESS_1 \
    --peer-asn=PEER_ASN_2 \
    --region=REGION
```

Optional: To use MD5 authentication, use the --md5-authentication-key flag to provide your secret key:

```
gcloud compute routers add-bgp-peer ROUTER_NAME_1 \
    --peer-name=PEER_NAME_GW1_IF0 \
    --interface=ROUTER_1_INTERFACE_NAME_0 \
    --peer-ip-address=PEER_IP_ADDRESS_1 \
    --peer-asn=PEER_ASN_2 \
    --region=REGION \
    --md5-authentication-key=AUTHENTICATION_KEY
```

The command output looks similar to the following example:

```
Updated [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-a].
```
Create an interface and BGP peer on ROUTER_NAME_1 for the tunnel TUNNEL_NAME_GW1_IF1. This interface connects TUNNEL_NAME_GW1_IF1 on interface 1 of GW_1 to interface 1 of GW_2.

In the following commands, replace the following:

- ROUTER_1_INTERFACE_NAME_1: a Cloud Router interface name; using a name related to TUNNEL_NAME_GW1_IF1 is helpful.
- IP_VERSION: IPV6; only required if you want Google Cloud to assign the IPv6 address automatically for this interface.
- IP_ADDRESS_2: a BGP IPv6 address from the fdff:1::/64 IPv6 address range that's not already in use; this example uses fdff:1::1:1. If you omit this flag and don't manually assign a BGP IPv6 address, Google Cloud automatically assigns an address for you.
- MASK_LENGTH: specify a mask length of 126.
- PEER_NAME_GW1_IF1: a name describing the BGP peer; using a name related to TUNNEL_NAME_GW1_IF1 is helpful.
- PEER_IP_ADDRESS_2: a BGP IPv6 address from the fdff:1::/64 IPv6 address range that's not already in use; this example uses fdff:1::1:2. If you did not specifically assign an IPv6 address, IP_ADDRESS_2, omit this option, and Google Cloud automatically assigns a matching BGP peer IPv6 address for you. If you manually specified IP_ADDRESS_2, you must also manually configure this option.
- PEER_ASN_2: the ASN used for all interfaces on the other Cloud Router, ROUTER_NAME_2; this example uses ASN 65002.
- Optional: To enable IPv4 route exchange in IPv6 BGP sessions with MP-BGP, specify --enable-ipv4 when you run the gcloud compute routers add-bgp-peer command. You also have the option to configure IPv4 next hop addresses automatically or manually. To configure IPv4 next hop addresses manually, replace both of the following:
  - IPV4_NEXTHOP_ADDRESS_2: the next hop address for IPv4 routes that are advertised by Cloud Router; the address must be in the link-local IPv4 address range 169.254.0.0/16.
  - PEER_IPV4_NEXTHOP_ADDRESS_2: the next hop address for IPv4 routes learned by the Cloud Router from the BGP peer; the address must be in the link-local IPv4 address range 169.254.0.0/16.
- AUTHENTICATION_KEY_2: the secret key to use for MD5 authentication on PEER_NAME_GW1_IF1; for more information about this optional feature, see Use MD5 authentication.
Automatic

Create a Cloud Router interface for TUNNEL_NAME_GW1_IF1

To create an interface with an automatically assigned IPv6 address, run the following command:

```
gcloud compute routers add-interface ROUTER_NAME_1 \
    --interface-name=ROUTER_1_INTERFACE_NAME_1 \
    --vpn-tunnel=TUNNEL_NAME_GW1_IF1 \
    --region=REGION \
    --ip-version=IPV6
```

Create a BGP peer for TUNNEL_NAME_GW1_IF1

To create an IPv6 BGP peer with IPv4 route exchange enabled and automatically assigned IPv4 next-hop addresses, run the following command:

```
gcloud compute routers add-bgp-peer ROUTER_NAME_1 \
    --peer-name=PEER_NAME_GW1_IF1 \
    --interface=ROUTER_1_INTERFACE_NAME_1 \
    --peer-asn=PEER_ASN_2 \
    --region=REGION \
    --enable-ipv4
```

The following command creates a BGP peer without IPv4 route exchange enabled:

```
gcloud compute routers add-bgp-peer ROUTER_NAME_1 \
    --peer-name=PEER_NAME_GW1_IF1 \
    --interface=ROUTER_1_INTERFACE_NAME_1 \
    --peer-asn=PEER_ASN_2 \
    --region=REGION
```

Optional: To use MD5 authentication, use the --md5-authentication-key flag to provide your secret key:

```
gcloud compute routers add-bgp-peer ROUTER_NAME_1 \
    --peer-name=PEER_NAME_GW1_IF1 \
    --interface=ROUTER_1_INTERFACE_NAME_1 \
    --peer-asn=PEER_ASN_2 \
    --region=REGION \
    --md5-authentication-key=AUTHENTICATION_KEY_2
```

The command output looks similar to the following example:

```
Updated [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-a].
```
Manual

Create a Cloud Router interface for TUNNEL_NAME_GW1_IF1

To create an interface with a manually specified IPv6 address, run the following command:

```
gcloud compute routers add-interface ROUTER_NAME_1 \
    --interface-name=ROUTER_1_INTERFACE_NAME_1 \
    --ip-address=IP_ADDRESS_2 \
    --mask-length=MASK_LENGTH \
    --vpn-tunnel=TUNNEL_NAME_GW1_IF1 \
    --region=REGION
```

Create a BGP peer for TUNNEL_NAME_GW1_IF1

To create an IPv6 BGP peer with IPv4 route exchange enabled and manually specified IPv4 next-hop addresses, run the following command:

```
gcloud compute routers add-bgp-peer ROUTER_NAME_1 \
    --peer-name=PEER_NAME_GW1_IF1 \
    --interface=ROUTER_1_INTERFACE_NAME_1 \
    --peer-ip-address=PEER_IP_ADDRESS_2 \
    --peer-asn=PEER_ASN_2 \
    --region=REGION \
    --enable-ipv4 \
    --ipv4-nexthop-address=IPV4_NEXTHOP_ADDRESS_2 \
    --peer-ipv4-nexthop-address=PEER_IPV4_NEXTHOP_ADDRESS_2
```

The following command creates a BGP peer without IPv4 route exchange enabled:

```
gcloud compute routers add-bgp-peer ROUTER_NAME_1 \
    --peer-name=PEER_NAME_GW1_IF1 \
    --interface=ROUTER_1_INTERFACE_NAME_1 \
    --peer-ip-address=PEER_IP_ADDRESS_2 \
    --peer-asn=PEER_ASN_2 \
    --region=REGION
```

Optional: To use MD5 authentication, use the --md5-authentication-key flag to provide your secret key:

```
gcloud compute routers add-bgp-peer ROUTER_NAME_1 \
    --peer-name=PEER_NAME_GW1_IF1 \
    --interface=ROUTER_1_INTERFACE_NAME_1 \
    --peer-ip-address=PEER_IP_ADDRESS_2 \
    --peer-asn=PEER_ASN_2 \
    --region=REGION \
    --md5-authentication-key=AUTHENTICATION_KEY_2
```

The command output looks similar to the following example:

```
Updated [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-a].
```
Verify the settings for ROUTER_NAME_1:

```
gcloud compute routers describe ROUTER_NAME_1 \
    --region=REGION
```

The command output looks similar to the following example. Note that each interface's ipRange is the Cloud Router's own /126, that ipAddress sits inside that range, and that the two IPv4 next hops on each peer are the ones you will mirror on the second router:

```
bgp:
  advertiseMode: DEFAULT
  asn: 65001
  keepaliveInterval: 20
bgpPeers:
- bfd:
    minReceiveInterval: 1000
    minTransmitInterval: 1000
    mode: DISABLED
    multiplier: 5
    sessionInitializationMode: DISABLED
  enable: 'TRUE'
  enableIpv4: true
  interfaceName: if-tunnel-a-to-b-if-0
  ipAddress: fdff:1::1
  ipv4NexthopAddress: 169.254.12.1
  name: bgp-peer-tunnel-a-to-b-if-0
  peerAsn: 65002
  peerIpAddress: fdff:1::2
  peerIpv4NexthopAddress: 169.254.12.2
- bfd:
    minReceiveInterval: 1000
    minTransmitInterval: 1000
    mode: DISABLED
    multiplier: 5
    sessionInitializationMode: DISABLED
  enable: 'TRUE'
  enableIpv4: true
  interfaceName: if-tunnel-a-to-b-if-1
  ipAddress: fdff:1::1:1
  ipv4NexthopAddress: 169.254.13.1
  name: bgp-peer-tunnel-a-to-b-if-1
  peerAsn: 65002
  peerIpAddress: fdff:1::1:2
  peerIpv4NexthopAddress: 169.254.13.2
creationTimestamp: '2021-10-19T14:31:52.639-07:00'
id: '4047683710114914215'
interfaces:
- ipRange: fdff:1::1/126
  linkedVpnTunnel: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-b-if-0
  name: if-tunnel-a-to-b-if-0
- ipRange: fdff:1::1:1/126
  linkedVpnTunnel: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-b-if-1
  name: if-tunnel-a-to-b-if-1
kind: compute#router
name: router-a
network: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/network-a
region: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1
selfLink: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-a
```
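The mirroring that the next steps describe (ROUTER_NAME_2 takes ROUTER_NAME_1's peerIpAddress as its own address, ROUTER_NAME_1's ipAddress as its peer address, and the two IPv4 next hops swap sides) is easy to get backwards, and a mismatch leaves the session down with no error from gcloud. The following Python script is an added example, not part of this page or of the gcloud tooling: it reads the JSON form of the describe output above (`gcloud compute routers describe ... --format=json`), derives the values for the second router, checks that each pair of addresses really shares the interface's /126 and that the IPv4 next hops are link-local, and renders the add-interface and add-bgp-peer commands for ROUTER_NAME_2. The embedded describe output is constructed from the table above; the router-b tunnel names and the region are assumptions.

```python
import ipaddress
import json

# Constructed sample: the JSON form of `gcloud compute routers describe
# ROUTER_NAME_1 --region=REGION --format=json` for router-a, trimmed to the
# fields the mirroring logic needs. Values come from the IPv6 table above.
ROUTER_A_DESCRIBE = json.dumps({
    "name": "router-a",
    "bgp": {"asn": 65001},
    "interfaces": [
        {"name": "if-tunnel-a-to-b-if-0", "ipRange": "fdff:1::1/126"},
        {"name": "if-tunnel-a-to-b-if-1", "ipRange": "fdff:1::1:1/126"},
    ],
    "bgpPeers": [
        {"name": "bgp-peer-tunnel-a-to-b-if-0", "interfaceName": "if-tunnel-a-to-b-if-0",
         "ipAddress": "fdff:1::1", "peerIpAddress": "fdff:1::2", "peerAsn": 65002,
         "enableIpv4": True, "ipv4NexthopAddress": "169.254.12.1",
         "peerIpv4NexthopAddress": "169.254.12.2"},
        {"name": "bgp-peer-tunnel-a-to-b-if-1", "interfaceName": "if-tunnel-a-to-b-if-1",
         "ipAddress": "fdff:1::1:1", "peerIpAddress": "fdff:1::1:2", "peerAsn": 65002,
         "enableIpv4": True, "ipv4NexthopAddress": "169.254.13.1",
         "peerIpv4NexthopAddress": "169.254.13.2"},
    ],
})

LINK_LOCAL_V4 = ipaddress.ip_network("169.254.0.0/16")


def mirror_sessions(describe_json, tunnel_map):
    """Derive ROUTER_NAME_2's interface and BGP peer values from ROUTER_NAME_1.

    tunnel_map maps a router-1 interface name to the router-2 tunnel that sits
    on the same gateway interface index (if-0 to if-0, if-1 to if-1).
    Returns (sessions, problems); sessions is empty whenever problems is not.
    """
    router = json.loads(describe_json)
    ranges = {i["name"]: ipaddress.ip_network(i["ipRange"], strict=False)
              for i in router["interfaces"]}
    sessions, problems = [], []
    for peer in router["bgpPeers"]:
        net = ranges[peer["interfaceName"]]
        local = ipaddress.ip_address(peer["ipAddress"])
        remote = ipaddress.ip_address(peer["peerIpAddress"])
        # Both ends must sit in the interface's /126; otherwise the far side
        # would be configured with an address that can never form a session.
        if local not in net or remote not in net or local == remote:
            problems.append(f"{peer['name']}: {local} and {remote} are not a pair in {net}")
        session = {
            "tunnel": tunnel_map[peer["interfaceName"]],
            "ip_address": str(remote),          # IP_ADDRESS_3 / IP_ADDRESS_4
            "mask_length": net.prefixlen,
            "peer_ip_address": str(local),      # PEER_IP_ADDRESS_3 / _4
            "peer_asn": router["bgp"]["asn"],   # PEER_ASN_1
        }
        if peer.get("enableIpv4"):
            # Next hops swap sides: our next hop is their peer next hop.
            nh = ipaddress.ip_address(peer["peerIpv4NexthopAddress"])
            peer_nh = ipaddress.ip_address(peer["ipv4NexthopAddress"])
            if nh not in LINK_LOCAL_V4 or peer_nh not in LINK_LOCAL_V4:
                problems.append(f"{peer['name']}: IPv4 next hops must be in {LINK_LOCAL_V4}")
            session["ipv4_nexthop"] = str(nh)
            session["peer_ipv4_nexthop"] = str(peer_nh)
        sessions.append(session)
    return ([] if problems else sessions), problems


def render_gcloud(router_2, region, sessions):
    """Render the add-interface and add-bgp-peer commands for ROUTER_NAME_2."""
    cmds = []
    for s in sessions:
        iface = f"if-{s['tunnel']}"
        cmds.append(
            f"gcloud compute routers add-interface {router_2} --interface-name={iface} "
            f"--ip-address={s['ip_address']} --mask-length={s['mask_length']} "
            f"--vpn-tunnel={s['tunnel']} --region={region}")
        cmd = (f"gcloud compute routers add-bgp-peer {router_2} --peer-name=bgp-peer-{s['tunnel']} "
               f"--interface={iface} --peer-ip-address={s['peer_ip_address']} "
               f"--peer-asn={s['peer_asn']} --region={region}")
        if "ipv4_nexthop" in s:
            cmd += (f" --enable-ipv4 --ipv4-nexthop-address={s['ipv4_nexthop']}"
                    f" --peer-ipv4-nexthop-address={s['peer_ipv4_nexthop']}")
        cmds.append(cmd)
    return cmds


if __name__ == "__main__":
    # Assumed names for the second router's tunnels (same interface index).
    tunnels = {"if-tunnel-a-to-b-if-0": "tunnel-b-to-a-if-0",
               "if-tunnel-a-to-b-if-1": "tunnel-b-to-a-if-1"}
    sessions, problems = mirror_sessions(ROUTER_A_DESCRIBE, tunnels)
    for line in problems or render_gcloud("router-b", "us-central1", sessions):
        print(line)
```

Run it against the real output by piping `gcloud compute routers describe ROUTER_NAME_1 --region=REGION --format=json` into `mirror_sessions`; if any problem is reported, fix ROUTER_NAME_1 first rather than copying a broken pair to the second router.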
Create an interface and BGP peer on ROUTER_NAME_2 for the tunnel TUNNEL_NAME_GW2_IF0. This interface connects TUNNEL_NAME_GW2_IF0 on interface 0 of GW_2 to interface 0 of GW_1.

The values on this side of the session must mirror the ones already configured on ROUTER_NAME_1, so this step assigns the BGP IPv6 address manually. In the following commands, replace the following:

- ROUTER_2_INTERFACE_NAME_0: a Cloud Router interface name; using a name related to TUNNEL_NAME_GW2_IF0 is helpful.
- IP_ADDRESS_3: the value you used for PEER_IP_ADDRESS_1 when you configured TUNNEL_NAME_GW1_IF0 on ROUTER_NAME_1. If Google Cloud assigned that peer address automatically, find out which address was allocated: run gcloud compute routers describe ROUTER_NAME_1 and, in the output for the BGP peer PEER_NAME_GW1_IF0, use the value of the peerIpAddress field. This example uses fdff:1::2.
- MASK_LENGTH: specify a mask length of 126.
- PEER_NAME_GW2_IF0: a name describing the BGP peer; using a name related to TUNNEL_NAME_GW2_IF0 is helpful.
- PEER_IP_ADDRESS_3: the BGP IPv6 address of ROUTER_NAME_1 for this tunnel, IP_ADDRESS_1. If that address was assigned automatically, run gcloud compute routers describe ROUTER_NAME_1 and use the value of the ipAddress field for the BGP peer PEER_NAME_GW1_IF0. This example uses fdff:1::1.
- PEER_ASN_1: the ASN used for all interfaces on ROUTER_NAME_1, which you set previously; this example uses ASN 65001.
- Optional: If you enabled IPv4 route exchange (MP-BGP) on the IPv6 BGP session for ROUTER_NAME_1, specify --enable-ipv4 when you run gcloud compute routers add-bgp-peer here as well. The IPv4 next hop addresses must mirror the ones configured for the first gateway. To configure them, replace both of the following:
  - IPV4_NEXTHOP_ADDRESS_3: the value you used for PEER_IPV4_NEXTHOP_ADDRESS_1. If Google Cloud assigned the next hops automatically when you created the BGP peer for TUNNEL_NAME_GW1_IF0 on ROUTER_NAME_1, run gcloud compute routers describe ROUTER_NAME_1 and use the peerIpv4NexthopAddress field of PEER_NAME_GW1_IF0. This example uses 169.254.12.2.
  - PEER_IPV4_NEXTHOP_ADDRESS_3: the value you used for IPV4_NEXTHOP_ADDRESS_1, or the ipv4NexthopAddress field of PEER_NAME_GW1_IF0 in the describe output. This example uses 169.254.12.1.
- AUTHENTICATION_KEY: the secret key to use for MD5 authentication on PEER_NAME_GW2_IF0; it must be the same key you configured for PEER_NAME_GW1_IF0.

Optional: Assign a BGP identifier range

When you add the first interface with an IPv6 address to a Cloud Router, a BGP identifier range is automatically assigned to the Cloud Router. If you prefer to define your own BGP identifier range for a Cloud Router, you can create your own range. You can also modify this range later.

For more information, see Configure the BGP identifier range for a Cloud Router.

Create a Cloud Router interface for TUNNEL_NAME_GW2_IF0

To create the interface with the IPv6 address that matches ROUTER_NAME_1, run the following command:

```
gcloud compute routers add-interface ROUTER_NAME_2 \
    --interface-name=ROUTER_2_INTERFACE_NAME_0 \
    --ip-address=IP_ADDRESS_3 \
    --mask-length=MASK_LENGTH \
    --vpn-tunnel=TUNNEL_NAME_GW2_IF0 \
    --region=REGION
```

Create a BGP peer for TUNNEL_NAME_GW2_IF0

The following example command creates an IPv6 BGP peer with IPv4 route exchange enabled:

```
gcloud compute routers add-bgp-peer ROUTER_NAME_2 \
    --peer-name=PEER_NAME_GW2_IF0 \
    --interface=ROUTER_2_INTERFACE_NAME_0 \
    --peer-ip-address=PEER_IP_ADDRESS_3 \
    --peer-asn=PEER_ASN_1 \
    --region=REGION \
    --enable-ipv4 \
    --ipv4-nexthop-address=IPV4_NEXTHOP_ADDRESS_3 \
    --peer-ipv4-nexthop-address=PEER_IPV4_NEXTHOP_ADDRESS_3
```

The following command creates a BGP peer without IPv4 route exchange enabled:

```
gcloud compute routers add-bgp-peer ROUTER_NAME_2 \
    --peer-name=PEER_NAME_GW2_IF0 \
    --interface=ROUTER_2_INTERFACE_NAME_0 \
    --peer-ip-address=PEER_IP_ADDRESS_3 \
    --peer-asn=PEER_ASN_1 \
    --region=REGION
```

Alternatively, if you configured ROUTER_NAME_1 to use MD5 authentication for PEER_NAME_GW1_IF0, configure ROUTER_NAME_2 to use MD5 authentication with the same key, as follows:

```
gcloud compute routers add-bgp-peer ROUTER_NAME_2 \
    --peer-name=PEER_NAME_GW2_IF0 \
    --interface=ROUTER_2_INTERFACE_NAME_0 \
    --peer-ip-address=PEER_IP_ADDRESS_3 \
    --peer-asn=PEER_ASN_1 \
    --region=REGION \
    --md5-authentication-key=AUTHENTICATION_KEY
```

The command output looks similar to the following example:

```
Updated [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-b].
```
Create an interface and BGP peer on ROUTER_NAME_2 for the tunnel TUNNEL_NAME_GW2_IF1. This interface connects TUNNEL_NAME_GW2_IF1 on interface 1 of GW_2 to interface 1 of GW_1.

In the following commands, replace the following:

- ROUTER_2_INTERFACE_NAME_1: a Cloud Router interface name; using a name related to TUNNEL_NAME_GW2_IF1 is helpful.
- IP_ADDRESS_4: the value you used for PEER_IP_ADDRESS_2 when you configured TUNNEL_NAME_GW1_IF1 on ROUTER_NAME_1. If Google Cloud assigned that peer address automatically, run gcloud compute routers describe ROUTER_NAME_1 and, in the output for the BGP peer PEER_NAME_GW1_IF1, use the value of the peerIpAddress field. This example uses fdff:1::1:2.
- MASK_LENGTH: specify a mask length of 126.
- PEER_NAME_GW2_IF1: a name describing the BGP peer; using a name related to TUNNEL_NAME_GW2_IF1 is helpful.
- PEER_IP_ADDRESS_4: the BGP IPv6 address of ROUTER_NAME_1 for this tunnel, IP_ADDRESS_2. If that address was assigned automatically, run gcloud compute routers describe ROUTER_NAME_1 and use the value of the ipAddress field for the BGP peer PEER_NAME_GW1_IF1. This example uses fdff:1::1:1.
- PEER_ASN_1: the ASN used for all interfaces on ROUTER_NAME_1, which you set previously; this example uses ASN 65001.
- Optional: If you enabled IPv4 route exchange (MP-BGP) on the IPv6 BGP session for ROUTER_NAME_1, specify --enable-ipv4 when you run gcloud compute routers add-bgp-peer here as well. The IPv4 next hop addresses must mirror the ones configured for the first gateway. To configure them, replace both of the following:
  - IPV4_NEXTHOP_ADDRESS_4: the value you used for PEER_IPV4_NEXTHOP_ADDRESS_2. If Google Cloud assigned the next hops automatically when you created the BGP peer for TUNNEL_NAME_GW1_IF1 on ROUTER_NAME_1, run gcloud compute routers describe ROUTER_NAME_1 and use the peerIpv4NexthopAddress field of PEER_NAME_GW1_IF1. This example uses 169.254.13.2.
  - PEER_IPV4_NEXTHOP_ADDRESS_4: the value you used for IPV4_NEXTHOP_ADDRESS_2, or the ipv4NexthopAddress field of PEER_NAME_GW1_IF1 in the describe output. This example uses 169.254.13.1.
- AUTHENTICATION_KEY_2: the secret key to use for MD5 authentication on PEER_NAME_GW2_IF1; it must be the same key you configured for PEER_NAME_GW1_IF1.

Create a Cloud Router interface for TUNNEL_NAME_GW2_IF1

```
gcloud compute routers add-interface ROUTER_NAME_2 \
    --interface-name=ROUTER_2_INTERFACE_NAME_1 \
    --ip-address=IP_ADDRESS_4 \
    --mask-length=MASK_LENGTH \
    --vpn-tunnel=TUNNEL_NAME_GW2_IF1 \
    --region=REGION
```

The command output is similar to the following example:

```
Updated [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-b].
```

Create a BGP peer for TUNNEL_NAME_GW2_IF1

The following example command creates an IPv6 BGP peer with IPv4 route exchange enabled:

```
gcloud compute routers add-bgp-peer ROUTER_NAME_2 \
    --peer-name=PEER_NAME_GW2_IF1 \
    --interface=ROUTER_2_INTERFACE_NAME_1 \
    --peer-ip-address=PEER_IP_ADDRESS_4 \
    --peer-asn=PEER_ASN_1 \
    --region=REGION \
    --enable-ipv4 \
    --ipv4-nexthop-address=IPV4_NEXTHOP_ADDRESS_4 \
    --peer-ipv4-nexthop-address=PEER_IPV4_NEXTHOP_ADDRESS_4
```

The following command creates an IPv6 BGP peer without IPv4 route exchange enabled:

```
gcloud compute routers add-bgp-peer ROUTER_NAME_2 \
    --peer-name=PEER_NAME_GW2_IF1 \
    --interface=ROUTER_2_INTERFACE_NAME_1 \
    --peer-ip-address=PEER_IP_ADDRESS_4 \
    --peer-asn=PEER_ASN_1 \
    --region=REGION
```

Alternatively, if you configured ROUTER_NAME_1 to use MD5 authentication for PEER_NAME_GW1_IF1, configure ROUTER_NAME_2 to use MD5 authentication with the same key, as follows:

```
gcloud compute routers add-bgp-peer ROUTER_NAME_2 \
    --peer-name=PEER_NAME_GW2_IF1 \
    --interface=ROUTER_2_INTERFACE_NAME_1 \
    --peer-ip-address=PEER_IP_ADDRESS_4 \
    --peer-asn=PEER_ASN_1 \
    --region=REGION \
    --md5-authentication-key=AUTHENTICATION_KEY_2
```

The command output is similar to the following example:

```
Updated [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-b].
```
Verify the settings for ROUTER_NAME_2:

```
gcloud compute routers describe ROUTER_NAME_2 \
    --region=REGION
```

The command output is similar to the following example. Compare it with the output for ROUTER_NAME_1: on each session, ipAddress and peerIpAddress are swapped, as are ipv4NexthopAddress and peerIpv4NexthopAddress, and peerAsn is the other router's ASN.

```
bgp:
  advertiseMode: DEFAULT
  asn: 65002
bgpPeers:
- bfd:
    minReceiveInterval: 1000
    minTransmitInterval: 1000
    mode: DISABLED
    multiplier: 5
    sessionInitializationMode: DISABLED
  enable: 'TRUE'
  enableIpv4: true
  interfaceName: if-tunnel-b-to-a-if-0
  ipAddress: fdff:1::2
  ipv4NexthopAddress: 169.254.12.2
  name: bgp-peer-tunnel-b-to-a-if-0
  peerAsn: 65001
  peerIpAddress: fdff:1::1
  peerIpv4NexthopAddress: 169.254.12.1
- bfd:
    minReceiveInterval: 1000
    minTransmitInterval: 1000
    mode: DISABLED
    multiplier: 5
    sessionInitializationMode: DISABLED
  enable: 'TRUE'
  enableIpv4: true
  interfaceName: if-tunnel-b-to-a-if-1
  ipAddress: fdff:1::1:2
  ipv4NexthopAddress: 169.254.13.2
  name: bgp-peer-tunnel-b-to-a-if-1
  peerAsn: 65001
  peerIpAddress: fdff:1::1:1
  peerIpv4NexthopAddress: 169.254.13.1
creationTimestamp: '2021-10-19T14:31:52.639-07:00'
id: '4047683710114914215'
interfaces:
- ipRange: fdff:1::2/126
  linkedVpnTunnel: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-b-to-a-if-0
  name: if-tunnel-b-to-a-if-0
- ipRange: fdff:1::1:2/126
  linkedVpnTunnel: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-b-to-a-if-1
  name: if-tunnel-b-to-a-if-1
kind: compute#router
name: router-b
network: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/network-b
region: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1
selfLink: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-b
```
API

To create a Cloud Router interface with an IPv6 address, make a request to either the routers.patch method or the routers.update method. routers.patch updates only the parameters that you include; routers.update updates all parameters of the Cloud Router. Create an interface for each VPN tunnel on the HA VPN gateway.

The following example creates an interface with a manually configured IPv6 BGP address:

```
PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/routers/ROUTER_NAME
{
  "interfaces": [
    {
      "name": "if-tunnel-a-to-b-if-0",
      "linkedVpnTunnel": "ha-vpn-gw-a-tunnel-0",
      "ipRange": "fdff:1::1/126"
    }
  ]
}
```

Each BGP IPv6 address range for each BGP session must be unique among all Cloud Routers in all regions of a VPC network.

As another example, the following request creates an interface with an automatically assigned IPv6 address:

```
PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/routers/ROUTER_NAME
{
  "interfaces": [
    {
      "name": "if-tunnel-a-to-b-if-0",
      "linkedVpnTunnel": "ha-vpn-gw-a-tunnel-0",
      "ipVersion": "IPV6"
    }
  ]
}
```

Repeat this step for each VPN tunnel on the HA VPN gateway.

Add a BGP peer to Cloud Router for each interface.

To create a BGP peer, make a request to either the routers.patch method or the routers.update method. Repeat this request for the other interfaces, changing the field values as needed. The Cloud Router's own address, ipAddress, is the one inside the interface's ipRange (fdff:1::1 here), and peerIpAddress is the other end of that /126:

```
PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/routers/ROUTER_NAME
{
  "bgpPeers": [
    {
      "name": "bgp-peer-tunnel-a-to-b-if-0",
      "interfaceName": "if-tunnel-a-to-b-if-0",
      "ipAddress": "fdff:1::1",
      "peerIpAddress": "fdff:1::2",
      "peerAsn": 65002,
      "advertiseMode": "DEFAULT"
    }
  ]
}
```

To create an IPv6 BGP session with MP-BGP and IPv4 next-hop addresses configured, use the following request:

```
PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/routers/ROUTER_NAME
{
  "bgpPeers": [
    {
      "name": "bgp-peer-tunnel-a-to-b-if-0",
      "interfaceName": "if-tunnel-a-to-b-if-0",
      "ipAddress": "fdff:1::1",
      "peerIpAddress": "fdff:1::2",
      "peerAsn": 65002,
      "advertiseMode": "DEFAULT",
      "enableIpv4": true,
      "ipv4NexthopAddress": "169.254.12.1",
      "peerIpv4NexthopAddress": "169.254.12.2"
    }
  ]
}
```

If you want the session to use MD5 authentication, the request must declare the key (a name and the secret value) in md5AuthenticationKeys and reference that key by name from the BGP peer, in the same request body. For example:

```
PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/routers/ROUTER_NAME
{
  "md5AuthenticationKeys": [
    {
      "name": "bgppeer-1-key",
      "key": "secret_key_value"
    }
  ],
  "bgpPeers": [
    {
      "interfaceName": "if-tunnel-a-to-b-if-0",
      "ipAddress": "fdff:1::1",
      "name": "bgp-peer-tunnel-a-to-b-if-0",
      "peerAsn": 65002,
      "peerIpAddress": "fdff:1::2",
      "advertiseMode": "DEFAULT",
      "md5AuthenticationKeyName": "bgppeer-1-key"
    }
  ]
}
```
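The request bodies above show one interface or one peer at a time. As an added example (not from this page or from the Compute Engine client libraries), the following Python helper builds the routers.patch body for a new interface, its BGP peer and an optional MD5 key starting from the router's current state. It assumes, as for other Compute Engine repeated fields, that a PATCH replaces the whole interfaces and bgpPeers arrays with what the request carries, so a body that names only the new peer would remove the session on the other tunnel and break the redundancy the HA SLA depends on; starting from the current resource avoids that. The current-state sample, the tunnel name ha-vpn-gw-a-tunnel-1 and the key name bgppeer-if1-key are constructed for the example.

```python
import copy
import json

# Constructed sample: the router as returned by routers.get, with interface 0
# and its peer already configured. Addresses follow the IPv6 table on this
# page; the tunnel name matches the API examples above.
CURRENT_ROUTER = {
    "name": "router-a",
    "bgp": {"asn": 65001},
    "interfaces": [
        {"name": "if-tunnel-a-to-b-if-0", "linkedVpnTunnel": "ha-vpn-gw-a-tunnel-0",
         "ipRange": "fdff:1::1/126"}
    ],
    "bgpPeers": [
        {"name": "bgp-peer-tunnel-a-to-b-if-0", "interfaceName": "if-tunnel-a-to-b-if-0",
         "ipAddress": "fdff:1::1", "peerIpAddress": "fdff:1::2", "peerAsn": 65002,
         "advertiseMode": "DEFAULT"}
    ],
}


def build_patch_body(current, interface, peer, md5_key=None):
    """Return the routers.patch body that adds one interface and its BGP peer.

    The body carries the complete interfaces, bgpPeers and
    md5AuthenticationKeys arrays (existing entries plus the new ones), on the
    assumption that PATCH replaces each array wholesale. md5_key is an
    optional (name, secret) pair; the new peer references it by name.
    The input dicts are not modified.
    """
    body = {
        "interfaces": copy.deepcopy(current.get("interfaces", [])),
        "bgpPeers": copy.deepcopy(current.get("bgpPeers", [])),
        "md5AuthenticationKeys": copy.deepcopy(current.get("md5AuthenticationKeys", [])),
    }
    if any(i["name"] == interface["name"] for i in body["interfaces"]):
        raise ValueError(f"interface {interface['name']} already exists")
    if any(p["name"] == peer["name"] for p in body["bgpPeers"]):
        raise ValueError(f"BGP peer {peer['name']} already exists")
    peer = dict(peer, interfaceName=interface["name"])
    if md5_key:
        key_name, secret = md5_key
        body["md5AuthenticationKeys"].append({"name": key_name, "key": secret})
        peer["md5AuthenticationKeyName"] = key_name
    body["interfaces"].append(dict(interface))
    body["bgpPeers"].append(peer)
    if not body["md5AuthenticationKeys"]:
        del body["md5AuthenticationKeys"]
    return body


def dangling_md5_references(body):
    """Names of peers whose md5AuthenticationKeyName is not declared in the body."""
    declared = {k["name"] for k in body.get("md5AuthenticationKeys", [])}
    return [p["name"] for p in body["bgpPeers"]
            if p.get("md5AuthenticationKeyName")
            and p["md5AuthenticationKeyName"] not in declared]


if __name__ == "__main__":
    body = build_patch_body(
        CURRENT_ROUTER,
        {"name": "if-tunnel-a-to-b-if-1", "linkedVpnTunnel": "ha-vpn-gw-a-tunnel-1",
         "ipRange": "fdff:1::1:1/126"},
        {"name": "bgp-peer-tunnel-a-to-b-if-1", "ipAddress": "fdff:1::1:1",
         "peerIpAddress": "fdff:1::1:2", "peerAsn": 65002, "advertiseMode": "DEFAULT",
         "enableIpv4": True, "ipv4NexthopAddress": "169.254.13.1",
         "peerIpv4NexthopAddress": "169.254.13.2"},
        md5_key=("bgppeer-if1-key", "secret_key_value"),
    )
    assert dangling_md5_references(body) == []
    print(json.dumps(body, indent=2))
```

The printed body is what goes in the PATCH request; fetch the current resource with routers.get immediately before building it so that a peer added by someone else in the meantime is not dropped.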
Both IPv4 and IPv6 BGP sessions
Console
To create both IPv4 and IPv6 BGP sessions, follow these steps:

- Click Configure BGP session.
- On the Create BGP session page, complete the following steps:
  - For BGP session type, select Both.

IPv4 BGP session

- For Name, enter a name for the BGP session.
- For Peer ASN, enter the peer ASN configured for the peer VPN gateway.
- For Allocate BGP IPv4 address, select Automatically or Manually. If you select Manually, do the following:
  - For Cloud Router BGP IPv4 address, enter the Cloud Router BGP IPv4 address.
  - For BGP peer IPv4 address, enter the IPv4 address of the BGP peer. The IPv4 addresses must meet the following requirements:
    - Both addresses must belong to the same /30 subnet within the 169.254.0.0/16 address range.
    - Each address must be the first or second host of that /30 subnet. The first and last addresses of the subnet are the network and broadcast addresses and can't be used.
    - Each IPv4 address range for a BGP session must be unique among all Cloud Routers in all regions of a VPC network.
  If you select Automatically, Google Cloud automatically selects the IPv4 addresses for your BGP session.
- Optional: Expand the Advanced options section.
  - To enable BGP peer, select Enabled. If enabled, the peer connection is established with routing information. For more information, see Establish BGP sessions.
  - To add MD5 authentication, select Enabled. If enabled, you can use MD5 authentication to authenticate BGP sessions between Cloud Router and its peers. For more information, see Use MD5 authentication. You can alternatively choose to enable MD5 authentication later.
  - To set the priority of custom learned routes for this BGP session, for Priority of all custom learned routes, enter a learned route priority. For more information, see Learned routes.
- Click Save and continue.

IPv6 BGP session

- For Name, enter a name for the BGP session.
- For Peer ASN, enter the peer ASN configured for the peer VPN gateway.
- Optional: For Advertised route priority (MED), enter the priority of routes advertised to this BGP peer.
- For Allocate BGP IPv6 address, select Automatically or Manually. If you select Manually, do the following:
  - For Cloud Router BGP IPv6 address, enter the Cloud Router BGP IPv6 address.
  - For BGP peer IPv6 address, enter the IPv6 address of the BGP peer. The IPv6 addresses must meet the following requirements:
    - Each address must be a unique local address (ULA) from the fdff:1::/64 address range, and the two addresses of a session must share a /126; for example, fdff:1::1 and fdff:1::2.
    - Each address must be unique among all Cloud Routers in all regions of a VPC network.
  If you select Automatically, Google Cloud automatically selects the IPv6 addresses for your BGP session.
- Optional: Expand the Advanced options section.
  - To enable BGP peer, select Enabled. If enabled, the peer connection is established with routing information. For more information, see Establish BGP sessions.
  - To enable MD5 authentication, select Enabled. If enabled, MD5 authentication is used to authenticate BGP sessions between Cloud Router and its peers. For more information, see Use MD5 authentication. You can alternatively choose to enable MD5 authentication later.
  - To set the priority of custom learned routes for this BGP session, for Priority of all custom learned routes, enter a learned route priority. For more information, see Learned routes.
- Click Save and continue.

Repeat the previous steps for the rest of the tunnels configured on the gateway. For each tunnel, use a different Cloud Router BGP IP address and BGP peer IP address.

Click Save BGP configuration.
gcloud
In this section, you configure two interfaces and two BGP peers for each HA VPN tunnel. The following table provides an overview of these interfaces and peers. It shows the relationship between the IP address ranges and peer IP addresses that you specify for each interface.

For example, the first interface of router-1 is assigned an IPv4 address of 169.254.0.1. The second interface of router-1 is assigned an IPv6 address of fdff:1::1. The other Cloud Router, router-2, is the BGP peer of router-1. The first interface of router-2 is assigned 169.254.0.2, which is the second host in the IPv4 subnet 169.254.0.0/30. The second interface of router-2 is assigned fdff:1::2, which is the second host in the IPv6 subnet fdff:1::/126. Therefore, the BGP peer IPv4 address of router-1 is 169.254.0.2 and its BGP peer IPv6 address is fdff:1::2. The BGP peer IPv4 address of router-2 is 169.254.0.1 and its BGP peer IPv6 address is fdff:1::1.
| Router | Interface name | BGP IP address | Peer IP address | Peer ASN |
|---|---|---|---|---|
| router-1 | if-tunnel-a-to-b-if-0_ipv4 | 169.254.0.1/30 | 169.254.0.2 | 65002 |
| router-1 | if-tunnel-a-to-b-if-0_ipv6 | fdff:1::1/126 | fdff:1::2 | 65002 |
| router-1 | if-tunnel-a-to-b-if-1_ipv4 | 169.254.1.1/30 | 169.254.1.2 | 65002 |
| router-1 | if-tunnel-a-to-b-if-1_ipv6 | fdff:1::1:1/126 | fdff:1::1:2 | 65002 |
| router-2 | if-tunnel-b-to-a-if-0_ipv4 | 169.254.0.2/30 | 169.254.0.1 | 65001 |
| router-2 | if-tunnel-b-to-a-if-0_ipv6 | fdff:1::2/126 | fdff:1::1 | 65001 |
| router-2 | if-tunnel-b-to-a-if-1_ipv4 | 169.254.1.2/30 | 169.254.1.1 | 65001 |
| router-2 | if-tunnel-b-to-a-if-1_ipv6 | fdff:1::1:2/126 | fdff:1::1:1 | 65001 |
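Both tables on this page (the IPv6-only sessions earlier and the IPv4 plus IPv6 pairs here) encode the same address rules: a /30 inside 169.254.0.0/16 using its two usable hosts for IPv4, a /126 inside fdff:1::/64 for IPv6, each subnet serving exactly one session pair and reused nowhere else in the VPC network, and a mirrored session on the other router whose peer ASN is that router's ASN. The following Python validator is an added example, not from this page: it checks an address plan before any gcloud command runs, so that a typo such as a broadcast address or a reused /126 is caught here rather than as a session that never comes up. PLAN and ROUTER_ASN are constructed from the table above; the check that every BGP subnet appears exactly twice is how the script expresses the uniqueness rule and assumes the plan lists both routers.

```python
import ipaddress
from collections import Counter

LINK_LOCAL_V4 = ipaddress.ip_network("169.254.0.0/16")
BGP_ULA_V6 = ipaddress.ip_network("fdff:1::/64")

# Constructed from the dual-session table above:
# (router, interface name, BGP IP address with mask, peer IP address, peer ASN).
PLAN = [
    ("router-1", "if-tunnel-a-to-b-if-0_ipv4", "169.254.0.1/30", "169.254.0.2", 65002),
    ("router-1", "if-tunnel-a-to-b-if-0_ipv6", "fdff:1::1/126", "fdff:1::2", 65002),
    ("router-1", "if-tunnel-a-to-b-if-1_ipv4", "169.254.1.1/30", "169.254.1.2", 65002),
    ("router-1", "if-tunnel-a-to-b-if-1_ipv6", "fdff:1::1:1/126", "fdff:1::1:2", 65002),
    ("router-2", "if-tunnel-b-to-a-if-0_ipv4", "169.254.0.2/30", "169.254.0.1", 65001),
    ("router-2", "if-tunnel-b-to-a-if-0_ipv6", "fdff:1::2/126", "fdff:1::1", 65001),
    ("router-2", "if-tunnel-b-to-a-if-1_ipv4", "169.254.1.2/30", "169.254.1.1", 65001),
    ("router-2", "if-tunnel-b-to-a-if-1_ipv6", "fdff:1::1:2/126", "fdff:1::1:1", 65001),
]
ROUTER_ASN = {"router-1": 65001, "router-2": 65002}


def check_session(cidr, peer_ip):
    """Apply the per-session address rules from this page; return violations."""
    net = ipaddress.ip_network(cidr, strict=False)
    ip = ipaddress.ip_address(cidr.split("/")[0])
    peer = ipaddress.ip_address(peer_ip)
    errs = []
    if ip.version != peer.version:
        return [f"{cidr}: peer {peer_ip} is a different IP version"]
    if ip.version == 4:
        hosts = list(net.hosts())  # for a /30: the two usable addresses
        if net.prefixlen != 30 or not net.subnet_of(LINK_LOCAL_V4):
            errs.append(f"{cidr}: IPv4 BGP addresses need a /30 inside {LINK_LOCAL_V4}")
        if ip not in hosts or peer not in hosts:
            errs.append(f"{cidr}: {ip} and {peer_ip} must be the two hosts of the /30, "
                        "not the network or broadcast address")
    else:
        if net.prefixlen != 126 or not net.subnet_of(BGP_ULA_V6):
            errs.append(f"{cidr}: IPv6 BGP addresses need a /126 inside {BGP_ULA_V6}")
        if peer not in net:
            errs.append(f"{cidr}: peer {peer_ip} is outside the session's /126")
    if ip == peer:
        errs.append(f"{cidr}: local and peer address are identical")
    return errs


def check_plan(plan, router_asn):
    """Validate a whole plan: per-session rules, peer ASN symmetry, a mirrored
    session on the other router, and each BGP subnet used by exactly one pair."""
    errs = []
    ends = {}
    for router, iface, cidr, peer_ip, peer_asn in plan:
        errs += check_session(cidr, peer_ip)
        local_ip = cidr.split("/")[0]
        ends[(local_ip, peer_ip)] = (router, iface)
        others = {asn for r, asn in router_asn.items() if r != router}
        if peer_asn not in others or peer_asn == router_asn[router]:
            errs.append(f"{router}/{iface}: peer ASN {peer_asn} is not the other router's ASN")
    for (local_ip, peer_ip), (router, iface) in ends.items():
        mirror = ends.get((peer_ip, local_ip))
        if mirror is None or mirror[0] == router:
            errs.append(f"{router}/{iface}: no mirrored session {peer_ip} -> {local_ip} "
                        "on the other router")
    subnets = Counter(str(ipaddress.ip_network(cidr, strict=False)) for _, _, cidr, _, _ in plan)
    errs += [f"{net}: used by {n} sessions; a BGP subnet serves exactly one session pair"
             for net, n in subnets.items() if n != 2]
    return errs


if __name__ == "__main__":
    problems = check_plan(PLAN, ROUTER_ASN)
    print("plan OK" if not problems else "\n".join(problems))
```

The mirror check is what catches the most common mistake in this procedure, entering the same value for a Cloud Router address and its peer address on both routers; the subnet count catches a /30 or /126 copied from one tunnel to the other.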
To create Cloud Router interfaces and BGP peers, complete the following command sequence.

Create both interfaces and BGP peers on ROUTER_NAME_1 for the tunnel TUNNEL_NAME_GW1_IF0. The two interfaces connect TUNNEL_NAME_GW1_IF0 on interface 0 of GW_1 to interface 0 of GW_2.

In the commands, replace the following:

- ROUTER_1_INTERFACE_NAME_0_ipv4 and ROUTER_1_INTERFACE_NAME_0_ipv6: names for the Cloud Router interfaces; using names related to TUNNEL_NAME_GW1_IF0 is helpful.
- IP_VERSION: the IP version of the interface, either IPV4 or IPV6. This parameter is only required if you want Google Cloud to assign the BGP IP address automatically for an interface. If you are manually assigning an address to the interface, you can omit this flag.
- IPV4_ADDRESS_1 and IPV6_ADDRESS_1: a BGP IP address from the 169.254.0.0/16 or fdff:1::/64 address range that's not already in use; this example uses 169.254.0.1 and fdff:1::1. If you omit this flag and don't manually assign a BGP IP address, Google Cloud automatically assigns an address for you.
- MASK_LENGTH: when you specify a BGP IPv4 address for an interface, specify 30, because the Cloud Router must use a unique /30 CIDR from the 169.254.0.0/16 IPv4 address range. When you specify a BGP IPv6 address for an interface, specify 126.
- PEER_NAME_GW1_IF0_ipv4 and PEER_NAME_GW1_IF0_ipv6: names describing the IPv4 and IPv6 BGP peers; using names related to TUNNEL_NAME_GW1_IF0 is helpful.
- PEER_IPV4_ADDRESS_1 and PEER_IPV6_ADDRESS_1: a BGP address from the 169.254.0.0/16 or fdff:1::/64 address range that's not already in use; this example uses 169.254.0.2 and fdff:1::2. If you did not previously assign specific BGP addresses for IPV4_ADDRESS_1 and IPV6_ADDRESS_1, omit these options as well and Google Cloud automatically assigns matching BGP peer IP addresses for you. If you manually specified IPV4_ADDRESS_1 and IPV6_ADDRESS_1, you must also manually configure these options.
- PEER_ASN_2: the ASN used for all interfaces on ROUTER_NAME_2; this example uses ASN 65002.
Optional: Assign a BGP identifier range

When you add the first interface with an IPv6 address to a Cloud Router, a BGP identifier range is automatically assigned to the Cloud Router. If you prefer to define your own BGP identifier range for a Cloud Router, you can create your own range. You can also modify this range later.

For more information, see Configure the BGP identifier range for a Cloud Router.
Automatic
Create Cloud Router interfaces for TUNNEL_NAME_GW1_IF0

To create an interface with an automatically configured BGP IPv4 address, run the following command:

gcloud compute routers add-interface ROUTER_NAME_1 \
    --interface-name=ROUTER_1_INTERFACE_NAME_0_ipv4 \
    --vpn-tunnel=TUNNEL_NAME_GW1_IF0 \
    --region=REGION \
    --ip-version=IPV4

To create an interface with an automatically configured BGP IPv6 address, run the following command:

gcloud compute routers add-interface ROUTER_NAME_1 \
    --interface-name=ROUTER_1_INTERFACE_NAME_0_ipv6 \
    --vpn-tunnel=TUNNEL_NAME_GW1_IF0 \
    --region=REGION \
    --ip-version=IPV6

Create BGP peers for TUNNEL_NAME_GW1_IF0

The following example command creates the IPv4 BGP peer:

gcloud compute routers add-bgp-peer ROUTER_NAME_1 \
    --peer-name=PEER_NAME_GW1_IF0_ipv4 \
    --interface=ROUTER_1_INTERFACE_NAME_0_ipv4 \
    --peer-asn=PEER_ASN_2 \
    --region=REGION

The following example command creates the IPv6 BGP peer:

gcloud compute routers add-bgp-peer ROUTER_NAME_1 \
    --peer-name=PEER_NAME_GW1_IF0_ipv6 \
    --interface=ROUTER_1_INTERFACE_NAME_0_ipv6 \
    --peer-asn=PEER_ASN_2 \
    --region=REGION

By creating two interfaces and BGP peers, you run two parallel IPv4 and IPv6 BGP sessions in the same tunnel.

You can't use MP-BGP in this configuration.
Manual
Create Cloud Router interfaces for TUNNEL_NAME_GW1_IF0

To create an interface with a manually configured BGP IPv4 address, run the following command:

gcloud compute routers add-interface ROUTER_NAME_1 \
    --interface-name=ROUTER_1_INTERFACE_NAME_0_ipv4 \
    --ip-address=IPV4_ADDRESS_1 \
    --mask-length=30 \
    --vpn-tunnel=TUNNEL_NAME_GW1_IF0 \
    --region=REGION

To create an interface with a manually configured BGP IPv6 address, run the following command:

gcloud compute routers add-interface ROUTER_NAME_1 \
    --interface-name=ROUTER_1_INTERFACE_NAME_0_ipv6 \
    --ip-address=IPV6_ADDRESS_1 \
    --mask-length=MASK_LENGTH \
    --vpn-tunnel=TUNNEL_NAME_GW1_IF0 \
    --region=REGION

Create BGP peers for TUNNEL_NAME_GW1_IF0

The following example command creates the IPv4 BGP peer:

gcloud compute routers add-bgp-peer ROUTER_NAME_1 \
    --peer-name=PEER_NAME_GW1_IF0_ipv4 \
    --interface=ROUTER_1_INTERFACE_NAME_0_ipv4 \
    --peer-ip-address=PEER_IPV4_ADDRESS_1 \
    --peer-asn=PEER_ASN_2 \
    --region=REGION

The following command creates the IPv6 BGP peer:

gcloud compute routers add-bgp-peer ROUTER_NAME_1 \
    --peer-name=PEER_NAME_GW1_IF0_ipv6 \
    --interface=ROUTER_1_INTERFACE_NAME_0_ipv6 \
    --peer-ip-address=PEER_IPV6_ADDRESS_1 \
    --peer-asn=PEER_ASN_2 \
    --region=REGION

By creating two interfaces and BGP peers, you run two parallel IPv4 and IPv6 BGP sessions in the same tunnel.

You can't use MP-BGP in this configuration.
Create both interfaces and BGP peers on ROUTER_NAME_1 for the tunnel TUNNEL_NAME_GW1_IF1. The two interfaces connect TUNNEL_NAME_GW1_IF1 on interface 1 of GW_1 to interface 1 of GW_2. In the following commands, replace the following:

- ROUTER_1_INTERFACE_NAME_1_ipv4 and ROUTER_1_INTERFACE_NAME_1_ipv6: names for the Cloud Router interfaces; using names related to TUNNEL_NAME_GW1_IF1 is helpful.
- IP_VERSION: the IP version of the interface, either IPV6 or IPV4. If unspecified, the default is IPV4. This parameter is only required if you want Google Cloud to assign an IPv6 address automatically to an interface. If you are manually assigning an IPv4 or IPv6 address to this interface, you can omit this flag.
- IPV4_ADDRESS_2 or IPV6_ADDRESS_2: a BGP IPv4 or IPv6 address from the 169.254.0.0/16 IPv4 or fdff:1::/64 IPv6 address range that's not already in use; this example uses 169.254.1.1 or fdff:1::1:1. If you omit this flag and don't manually assign a BGP IPv4 or IPv6 address, Google Cloud automatically assigns an address for you.
- MASK_LENGTH: when you specify an IPv4 address for an interface, specify 30 because the Cloud Router must use a unique /30 CIDR from the same 169.254.0.0/16 IPv4 address range. When you specify an IPv6 address for an interface, specify a mask length of 64.
- PEER_NAME_GW1_IF1_ipv4 and PEER_NAME_GW1_IF1_ipv6: names describing the IPv4 and IPv6 BGP peers; using names related to TUNNEL_NAME_GW1_IF1 is helpful.
- PEER_IPV4_ADDRESS_2 or PEER_IPV6_ADDRESS_2: a BGP IPv4 or IPv6 address from the 169.254.0.0/16 IPv4 or fdff:1::/64 IPv6 address range that's not already in use; this example uses 169.254.1.2 and fdff:1::1:2. If you did not specifically assign an IPv4 or IPv6 address as IPV4_ADDRESS_2 or IPV6_ADDRESS_2, omit this option and Google Cloud automatically assigns a matching BGP peer IPv4 or IPv6 address for you. If you manually specified IPV4_ADDRESS_2 or IPV6_ADDRESS_2, you must also manually configure this option.
- PEER_ASN_2: the ASN used for all interfaces on the other Cloud Router, ROUTER_NAME_2; this example uses ASN 65002.
- AUTHENTICATION_KEY_2: the secret key to use for MD5 authentication on PEER_NAME_GW1_IF1; for more information about this optional feature, see Use MD5 authentication.
Automatic
Create Cloud Router interfaces for TUNNEL_NAME_GW1_IF1

To create an interface with an automatically configured IPv4 address, run the following command:

gcloud compute routers add-interface ROUTER_NAME_1 \
    --interface-name=ROUTER_1_INTERFACE_NAME_1_ipv4 \
    --vpn-tunnel=TUNNEL_NAME_GW1_IF1 \
    --region=REGION \
    --ip-version=IPV4

To create an interface with an automatically configured IPv6 address, run the following command:

gcloud compute routers add-interface ROUTER_NAME_1 \
    --interface-name=ROUTER_1_INTERFACE_NAME_1_ipv6 \
    --vpn-tunnel=TUNNEL_NAME_GW1_IF1 \
    --region=REGION \
    --ip-version=IPV6

Create BGP peers for TUNNEL_NAME_GW1_IF1

Because the interface addresses were assigned automatically, omit the peer IP address and let Google Cloud assign the matching peer address. The following example command creates an IPv4 BGP peer:

gcloud compute routers add-bgp-peer ROUTER_NAME_1 \
    --peer-name=PEER_NAME_GW1_IF1_ipv4 \
    --interface=ROUTER_1_INTERFACE_NAME_1_ipv4 \
    --peer-asn=PEER_ASN_2 \
    --region=REGION

The following example command creates an IPv6 BGP peer:

gcloud compute routers add-bgp-peer ROUTER_NAME_1 \
    --peer-name=PEER_NAME_GW1_IF1_ipv6 \
    --interface=ROUTER_1_INTERFACE_NAME_1_ipv6 \
    --peer-asn=PEER_ASN_2 \
    --region=REGION

By creating two interfaces and BGP peers, you run two parallel IPv4 and IPv6 BGP sessions in the same tunnel.

You can't use MP-BGP in this configuration.
Manual
Create Cloud Router interfaces for TUNNEL_NAME_GW1_IF1

To create an interface with a manually configured IPv4 address, run the following command:

gcloud compute routers add-interface ROUTER_NAME_1 \
    --interface-name=ROUTER_1_INTERFACE_NAME_1_ipv4 \
    --ip-address=IPV4_ADDRESS_2 \
    --mask-length=30 \
    --vpn-tunnel=TUNNEL_NAME_GW1_IF1 \
    --region=REGION

To create an interface with a manually configured IPv6 address, run the following command:

gcloud compute routers add-interface ROUTER_NAME_1 \
    --interface-name=ROUTER_1_INTERFACE_NAME_1_ipv6 \
    --ip-address=IPV6_ADDRESS_2 \
    --mask-length=MASK_LENGTH \
    --vpn-tunnel=TUNNEL_NAME_GW1_IF1 \
    --region=REGION

Create BGP peers for TUNNEL_NAME_GW1_IF1

The following example command creates an IPv4 BGP peer:

gcloud compute routers add-bgp-peer ROUTER_NAME_1 \
    --peer-name=PEER_NAME_GW1_IF1_ipv4 \
    --interface=ROUTER_1_INTERFACE_NAME_1_ipv4 \
    --peer-ip-address=PEER_IPV4_ADDRESS_2 \
    --peer-asn=PEER_ASN_2 \
    --region=REGION

The following example command creates an IPv6 BGP peer:

gcloud compute routers add-bgp-peer ROUTER_NAME_1 \
    --peer-name=PEER_NAME_GW1_IF1_ipv6 \
    --interface=ROUTER_1_INTERFACE_NAME_1_ipv6 \
    --peer-ip-address=PEER_IPV6_ADDRESS_2 \
    --peer-asn=PEER_ASN_2 \
    --region=REGION

By creating two interfaces and BGP peers, you run two parallel IPv4 and IPv6 BGP sessions in the same tunnel.

You can't use MP-BGP in this configuration.
Verify the settings for ROUTER_NAME_1:

gcloud compute routers describe ROUTER_NAME_1 \
    --region=REGION

The command output is similar to the following example:

bgp:
  advertiseMode: DEFAULT
  asn: 65001
  keepaliveInterval: 20
bgpPeers:
- bfd:
    minReceiveInterval: 1000
    minTransmitInterval: 1000
    mode: DISABLED
    multiplier: 5
    sessionInitializationMode: DISABLED
  enable: 'TRUE'
  interfaceName: if-tunnel-a-to-b-if-0_ipv4
  ipAddress: 169.254.0.1
  name: bgp-peer-tunnel-a-to-b-if-0_ipv4
  peerAsn: 65002
  peerIpAddress: 169.254.0.2
- bfd:
    minReceiveInterval: 1000
    minTransmitInterval: 1000
    mode: DISABLED
    multiplier: 5
    sessionInitializationMode: DISABLED
  enable: 'TRUE'
  interfaceName: if-tunnel-a-to-b-if-1_ipv4
  ipAddress: 169.254.1.1
  name: bgp-peer-tunnel-a-to-b-if-1_ipv4
  peerAsn: 65002
  peerIpAddress: 169.254.1.2
- bfd:
    minReceiveInterval: 1000
    minTransmitInterval: 1000
    mode: DISABLED
    multiplier: 5
    sessionInitializationMode: DISABLED
  enable: 'TRUE'
  interfaceName: if-tunnel-a-to-b-if-0_ipv6
  ipAddress: fdff:1::1
  name: bgp-peer-tunnel-a-to-b-if-0_ipv6
  peerAsn: 65002
  peerIpAddress: fdff:1::2
- bfd:
    minReceiveInterval: 1000
    minTransmitInterval: 1000
    mode: DISABLED
    multiplier: 5
    sessionInitializationMode: DISABLED
  enable: 'TRUE'
  interfaceName: if-tunnel-a-to-b-if-1_ipv6
  ipAddress: fdff:1::1:1
  name: bgp-peer-tunnel-a-to-b-if-1_ipv6
  peerAsn: 65002
  peerIpAddress: fdff:1::1:2
creationTimestamp: '2021-10-19T14:31:52.639-07:00'
id: '4047683710114914215'
interfaces:
- ipRange: 169.254.0.1/30
  linkedVpnTunnel: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-b-if-0
  name: if-tunnel-a-to-b-if-0_ipv4
- ipRange: 169.254.1.1/30
  linkedVpnTunnel: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-b-if-1
  name: if-tunnel-a-to-b-if-1_ipv4
- ipRange: fdff:1::1/126
  linkedVpnTunnel: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-b-if-0
  name: if-tunnel-a-to-b-if-0_ipv6
- ipRange: fdff:1::1:1/126
  linkedVpnTunnel: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-b-if-1
  name: if-tunnel-a-to-b-if-1_ipv6
kind: compute#router
name: router-a
network: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/network-a
region: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1
selfLink: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-a
Create both interfaces and BGP peers on ROUTER_NAME_2 for the tunnel TUNNEL_NAME_GW2_IF0. The two interfaces connect TUNNEL_NAME_GW2_IF0 on interface 0 of GW_2 to interface 0 of GW_1. You must configure the interface and BGP peering addresses on this Cloud Router manually because the corresponding addresses have already been configured on the other Cloud Router, ROUTER_NAME_1. In the commands, replace the following:

- ROUTER_2_INTERFACE_NAME_0_ipv4 and ROUTER_2_INTERFACE_NAME_0_ipv6: Cloud Router interface names; using names related to TUNNEL_NAME_GW2_IF0 is helpful.
- IPV4_ADDRESS_3 and IPV6_ADDRESS_3: the BGP IPv4 and IPv6 addresses used previously for this gateway and interface. If you automatically assigned the peer IPv4 and IPv6 addresses when you created the interfaces and BGP peers for TUNNEL_NAME_GW1_IF0 on ROUTER_NAME_1, then you must specify the allocated addresses as IPV4_ADDRESS_3 and IPV6_ADDRESS_3. To find out which addresses have been allocated by Google Cloud, run the gcloud compute routers describe ROUTER_NAME_1 command. In the output for the BGP peers, use the values that appear in the peerIpAddress field. This example uses 169.254.0.2 and fdff:1::2.
- MASK_LENGTH: for an interface with an IPv4 address, specify 30 because the Cloud Router must use a unique /30 CIDR from the same 169.254.0.0/16 IPv4 address range. For an interface with an IPv6 address, specify a mask length of 64.
- PEER_NAME_GW2_IF0_ipv4 and PEER_NAME_GW2_IF0_ipv6: names describing the BGP peers; using names related to TUNNEL_NAME_GW2_IF0 is helpful.
- PEER_IPV4_ADDRESS_3 and PEER_IPV6_ADDRESS_3: the BGP IPv4 and IPv6 addresses used previously when you configured the first gateway and interface. Run gcloud compute routers describe ROUTER_NAME_1, and use the values that appear in the ipAddress field for the BGP peers you created for TUNNEL_NAME_GW1_IF0. This example uses 169.254.0.1 and fdff:1::1.
- PEER_ASN_1: the ASN used for all interfaces on ROUTER_NAME_1 and that was set previously; this example uses ASN 65001.
Create Cloud Router interfaces for TUNNEL_NAME_GW2_IF0

To create an interface and manually configure its IPv4 address, run the following command:

gcloud compute routers add-interface ROUTER_NAME_2 \
    --interface-name=ROUTER_2_INTERFACE_NAME_0_ipv4 \
    --ip-address=IPV4_ADDRESS_3 \
    --mask-length=MASK_LENGTH \
    --vpn-tunnel=TUNNEL_NAME_GW2_IF0 \
    --region=REGION

To create an interface and manually configure its IPv6 address, run the following command:

gcloud compute routers add-interface ROUTER_NAME_2 \
    --interface-name=ROUTER_2_INTERFACE_NAME_0_ipv6 \
    --ip-address=IPV6_ADDRESS_3 \
    --mask-length=MASK_LENGTH \
    --vpn-tunnel=TUNNEL_NAME_GW2_IF0 \
    --region=REGION

Create BGP peers for TUNNEL_NAME_GW2_IF0

The following example command creates the IPv4 BGP peer:

gcloud compute routers add-bgp-peer ROUTER_NAME_2 \
    --peer-name=PEER_NAME_GW2_IF0_ipv4 \
    --interface=ROUTER_2_INTERFACE_NAME_0_ipv4 \
    --peer-ip-address=PEER_IPV4_ADDRESS_3 \
    --peer-asn=PEER_ASN_1 \
    --region=REGION

The following example command creates the IPv6 BGP peer:

gcloud compute routers add-bgp-peer ROUTER_NAME_2 \
    --peer-name=PEER_NAME_GW2_IF0_ipv6 \
    --interface=ROUTER_2_INTERFACE_NAME_0_ipv6 \
    --peer-ip-address=PEER_IPV6_ADDRESS_3 \
    --peer-asn=PEER_ASN_1 \
    --region=REGION

By creating two interfaces and BGP peers, you run two parallel IPv4 and IPv6 BGP sessions in the same tunnel.

You can't use MP-BGP in this configuration.
Create both interfaces and BGP peers on ROUTER_NAME_2 for the tunnel TUNNEL_NAME_GW2_IF1. The two interfaces connect TUNNEL_NAME_GW2_IF1 on interface 1 of GW_2 to interface 1 of GW_1. You must configure the interface and BGP peering addresses on this Cloud Router manually because the corresponding addresses have already been configured on the other Cloud Router, ROUTER_NAME_1. In the following commands, replace the following:

- ROUTER_2_INTERFACE_NAME_1_ipv4 and ROUTER_2_INTERFACE_NAME_1_ipv6: names for the Cloud Router interfaces; using names related to TUNNEL_NAME_GW2_IF1 is helpful.
- IPV4_ADDRESS_4 and IPV6_ADDRESS_4: the BGP IPv4 and IPv6 addresses used previously for this gateway and interface. If you automatically assigned the peer BGP IP address when you created the interface and BGP peer for TUNNEL_NAME_GW1_IF1 on ROUTER_NAME_1, then you must manually specify these allocated addresses as IPV4_ADDRESS_4 and IPV6_ADDRESS_4. To find out which addresses have been allocated by Google Cloud, run the gcloud compute routers describe ROUTER_NAME_1 command. In the output for the BGP peer, use the values that appear in the peerIpAddress field. This example uses 169.254.1.2 and fdff:1::1:2.
- MASK_LENGTH: for an interface with an IPv4 address, specify 30 because the Cloud Router must use a unique /30 CIDR from the same 169.254.0.0/16 IPv4 address range. For an interface with an IPv6 address, specify a mask length of 64.
- PEER_NAME_GW2_IF1_ipv4 and PEER_NAME_GW2_IF1_ipv6: names describing the BGP peers; using names related to TUNNEL_NAME_GW2_IF1 is helpful.
- PEER_IPV4_ADDRESS_4 and PEER_IPV6_ADDRESS_4: the IP addresses you specified as IPV4_ADDRESS_2 and IPV6_ADDRESS_2 when you configured the first gateway and interface. Run gcloud compute routers describe ROUTER_NAME_1, and use the values that appear in the ipAddress field for the BGP peers you created for TUNNEL_NAME_GW1_IF1. This example uses 169.254.1.1 and fdff:1::1:1.
- PEER_ASN_1: the ASN used for all interfaces on ROUTER_NAME_1 and that was set previously; this example uses ASN 65001.
Create Cloud Router interfaces for TUNNEL_NAME_GW2_IF1

To create an interface and manually configure its IPv4 address, run the following command:

gcloud compute routers add-interface ROUTER_NAME_2 \
    --interface-name=ROUTER_2_INTERFACE_NAME_1_ipv4 \
    --ip-address=IPV4_ADDRESS_4 \
    --mask-length=MASK_LENGTH \
    --vpn-tunnel=TUNNEL_NAME_GW2_IF1 \
    --region=REGION

To create an interface and manually configure its IPv6 address, run the following command:

gcloud compute routers add-interface ROUTER_NAME_2 \
    --interface-name=ROUTER_2_INTERFACE_NAME_1_ipv6 \
    --ip-address=IPV6_ADDRESS_4 \
    --mask-length=MASK_LENGTH \
    --vpn-tunnel=TUNNEL_NAME_GW2_IF1 \
    --region=REGION

Create BGP peers for TUNNEL_NAME_GW2_IF1

The following example command creates the IPv4 BGP peer:

gcloud compute routers add-bgp-peer ROUTER_NAME_2 \
    --peer-name=PEER_NAME_GW2_IF1_ipv4 \
    --interface=ROUTER_2_INTERFACE_NAME_1_ipv4 \
    --peer-ip-address=PEER_IPV4_ADDRESS_4 \
    --peer-asn=PEER_ASN_1 \
    --region=REGION

The following example command creates the IPv6 BGP peer:

gcloud compute routers add-bgp-peer ROUTER_NAME_2 \
    --peer-name=PEER_NAME_GW2_IF1_ipv6 \
    --interface=ROUTER_2_INTERFACE_NAME_1_ipv6 \
    --peer-ip-address=PEER_IPV6_ADDRESS_4 \
    --peer-asn=PEER_ASN_1 \
    --region=REGION
Verify the settings for ROUTER_NAME_2:

gcloud compute routers describe ROUTER_NAME_2 \
    --region=REGION

The command output looks similar to the following example:

bgp:
  advertiseMode: DEFAULT
  asn: 65002
  keepaliveInterval: 20
bgpPeers:
- bfd:
    minReceiveInterval: 1000
    minTransmitInterval: 1000
    mode: DISABLED
    multiplier: 5
    sessionInitializationMode: DISABLED
  enable: 'TRUE'
  interfaceName: if-tunnel-b-to-a-if-0_ipv4
  ipAddress: 169.254.0.2
  name: bgp-peer-tunnel-b-to-a-if-0_ipv4
  peerAsn: 65001
  peerIpAddress: 169.254.0.1
- bfd:
    minReceiveInterval: 1000
    minTransmitInterval: 1000
    mode: DISABLED
    multiplier: 5
    sessionInitializationMode: DISABLED
  enable: 'TRUE'
  interfaceName: if-tunnel-b-to-a-if-1_ipv4
  ipAddress: 169.254.1.2
  name: bgp-peer-tunnel-b-to-a-if-1_ipv4
  peerAsn: 65001
  peerIpAddress: 169.254.1.1
- bfd:
    minReceiveInterval: 1000
    minTransmitInterval: 1000
    mode: DISABLED
    multiplier: 5
    sessionInitializationMode: DISABLED
  enable: 'TRUE'
  interfaceName: if-tunnel-b-to-a-if-0_ipv6
  ipAddress: fdff:1::2
  name: bgp-peer-tunnel-b-to-a-if-0_ipv6
  peerAsn: 65001
  peerIpAddress: fdff:1::1
- bfd:
    minReceiveInterval: 1000
    minTransmitInterval: 1000
    mode: DISABLED
    multiplier: 5
    sessionInitializationMode: DISABLED
  enable: 'TRUE'
  interfaceName: if-tunnel-b-to-a-if-1_ipv6
  ipAddress: fdff:1::1:2
  name: bgp-peer-tunnel-b-to-a-if-1_ipv6
  peerAsn: 65001
  peerIpAddress: fdff:1::1:1
creationTimestamp: '2021-10-19T14:31:52.639-07:00'
id: '4047683710114914215'
interfaces:
- ipRange: 169.254.0.2/30
  linkedVpnTunnel: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-b-to-a-if-0
  name: if-tunnel-b-to-a-if-0_ipv4
- ipRange: 169.254.1.2/30
  linkedVpnTunnel: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-b-to-a-if-1
  name: if-tunnel-b-to-a-if-1_ipv4
- ipRange: fdff:1::2/126
  linkedVpnTunnel: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-b-to-a-if-0
  name: if-tunnel-b-to-a-if-0_ipv6
- ipRange: fdff:1::1:2/126
  linkedVpnTunnel: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-b-to-a-if-1
  name: if-tunnel-b-to-a-if-1_ipv6
kind: compute#router
name: router-b
network: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/network-b
region: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1
selfLink: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-b
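Before relying on the tunnels, it is worth checking that the two routers' BGP sessions really mirror each other (addresses swapped, each side's peerAsn equal to the other router's own ASN, one unique /30 or /126 per interface). The following script is an added example, not part of this page or of Google's tooling; it reads two documents in the shape of `gcloud compute routers describe ROUTER --region REGION --format=json`, and the router contents it carries inline are constructed sample data modelled on the example output above.

```python
import ipaddress
import json
import sys


def _sample(name, asn, peer_asn, addrs):
    """Build a constructed document in the shape of `routers describe --format=json`.

    addrs is a list of (interface name, linked tunnel, local BGP IP, peer BGP IP).
    Interfaces get /30 for IPv4 and /126 for IPv6, as in the page's example output.
    """
    return {
        "name": name,
        "bgp": {"asn": asn},
        "interfaces": [
            {"name": iface, "linkedVpnTunnel": tunnel,
             "ipRange": f"{local}/{126 if ':' in local else 30}"}
            for iface, tunnel, local, _ in addrs],
        "bgpPeers": [
            {"name": "bgp-peer" + iface[2:], "interfaceName": iface,
             "ipAddress": local, "peerIpAddress": remote, "peerAsn": peer_asn}
            for iface, _, local, remote in addrs],
    }


# Constructed sample data mirroring the page's example (router-a ASN 65001, router-b ASN 65002).
A_ADDRS = [
    ("if-tunnel-a-to-b-if-0_ipv4", "tunnel-a-to-b-if-0", "169.254.0.1", "169.254.0.2"),
    ("if-tunnel-a-to-b-if-1_ipv4", "tunnel-a-to-b-if-1", "169.254.1.1", "169.254.1.2"),
    ("if-tunnel-a-to-b-if-0_ipv6", "tunnel-a-to-b-if-0", "fdff:1::1", "fdff:1::2"),
    ("if-tunnel-a-to-b-if-1_ipv6", "tunnel-a-to-b-if-1", "fdff:1::1:1", "fdff:1::1:2"),
]
# router-b uses the same pairs with local and peer addresses swapped.
B_ADDRS = [(n.replace("a-to-b", "b-to-a"), t.replace("a-to-b", "b-to-a"), r, l)
           for n, t, l, r in A_ADDRS]
ROUTER_A = _sample("router-a", 65001, 65002, A_ADDRS)
ROUTER_B = _sample("router-b", 65002, 65001, B_ADDRS)


def check_pairing(router_1, router_2):
    """Return a list of problems; an empty list means the two routers form a consistent pair."""
    problems = []
    for r in (router_1, router_2):
        ifaces = {i["name"]: i for i in r["interfaces"]}
        nets = {}
        for iface in r["interfaces"]:
            net = ipaddress.ip_interface(iface["ipRange"])
            want = 30 if net.version == 4 else 126
            if net.network.prefixlen != want:
                problems.append(f'{r["name"]}: {iface["name"]} uses /{net.network.prefixlen}, expected /{want}')
            if net.network in nets:  # every interface of one router needs its own link range
                problems.append(f'{r["name"]}: {iface["name"]} reuses {net.network} already used by {nets[net.network]}')
            nets[net.network] = iface["name"]
        for p in r["bgpPeers"]:
            iface = ifaces.get(p["interfaceName"])
            if iface is None:
                problems.append(f'{r["name"]}: peer {p["name"]} references missing interface {p["interfaceName"]}')
                continue
            net = ipaddress.ip_interface(iface["ipRange"])
            if ipaddress.ip_address(p["ipAddress"]) != net.ip:
                problems.append(f'{r["name"]}: peer {p["name"]} ipAddress {p["ipAddress"]} differs from interface {net.ip}')
            if ipaddress.ip_address(p["peerIpAddress"]) not in net.network:
                problems.append(f'{r["name"]}: peer {p["name"]} peerIpAddress {p["peerIpAddress"]} is outside {net.network}')
    # Cross-check: every session on one side must appear on the other with the addresses
    # swapped, and each side's peerAsn must be the other router's own ASN.
    for near, far in ((router_1, router_2), (router_2, router_1)):
        far_keys = {(p["peerIpAddress"], p["ipAddress"]) for p in far["bgpPeers"]}
        for p in near["bgpPeers"]:
            if (p["ipAddress"], p["peerIpAddress"]) not in far_keys:
                problems.append(f'{near["name"]}: peer {p["name"]} ({p["ipAddress"]} -> {p["peerIpAddress"]}) has no mirror on {far["name"]}')
            if p["peerAsn"] != far["bgp"]["asn"]:
                problems.append(f'{near["name"]}: peer {p["name"]} expects ASN {p["peerAsn"]} but {far["name"]} uses {far["bgp"]["asn"]}')
    return problems


if __name__ == "__main__":
    # Usage: python check_ha_vpn_bgp.py router-a.json router-b.json (defaults to the constructed sample).
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            routers = (json.load(f1), json.load(f2))
    else:
        routers = (ROUTER_A, ROUTER_B)
    for line in check_pairing(*routers) or ["OK: BGP sessions are consistently paired"]:
        print(line)
```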
API
To create multiple Cloud Router interfaces, make either a PATCH or UPDATE request by using the routers.patch method or the routers.update method. PATCH updates only the parameters that you include. UPDATE updates all parameters for the Cloud Router. The BGP address ranges that you specify must be unique among all Cloud Routers in all regions of a VPC network.

Repeat this step and command for each VPN tunnel defined on each HA VPN gateway. For an HA VPN gateway to HA VPN deployment, this means four HA VPN tunnel configurations.

The following example adds an interface with a manually specified IPv4 BGP address and an interface with a manually specified IPv6 BGP address to the same linkedVpnTunnel:

PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/routers/ROUTER_NAME
{
  "interfaces": [
    {
      "name": "if-tunnel-a-to-b-if-0_ipv4",
      "linkedVpnTunnel": "ha-vpn-gw-a-tunnel-0",
      "ipRange": "169.254.0.1/30"
    },
    {
      "name": "if-tunnel-a-to-b-if-0_ipv6",
      "linkedVpnTunnel": "ha-vpn-gw-a-tunnel-0",
      "ipRange": "fdff:1::1/126"
    }
  ]
}

The following example adds an interface with an IPv4 address and an interface with an IPv6 address to the same linkedVpnTunnel. The command automatically assigns IPv4 and IPv6 addresses to the interfaces:

PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/routers/ROUTER_NAME
{
  "interfaces": [
    {
      "name": "if-tunnel-a-to-b-if-0_ipv4",
      "linkedVpnTunnel": "ha-vpn-gw-a-tunnel-0",
      "ipVersion": "IPV4"
    },
    {
      "name": "if-tunnel-a-to-b-if-0_ipv6",
      "linkedVpnTunnel": "ha-vpn-gw-a-tunnel-0",
      "ipVersion": "IPV6"
    }
  ]
}

To add BGP peers to the Cloud Router for each VPN tunnel, make either a PATCH or UPDATE request by using the routers.patch method or the routers.update method. Repeat this command for each VPN tunnel, changing all options as needed. For example:

PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/routers/ROUTER_NAME
{
  "bgpPeers": [
    {
      "interfaceName": "if-tunnel-a-to-b-if-0_ipv4",
      "ipAddress": "169.254.0.1",
      "name": "bgp-peer-tunnel-a-to-b-if-0_ipv4",
      "peerAsn": 65002,
      "peerIpAddress": "169.254.0.2",
      "advertiseMode": "DEFAULT"
    },
    {
      "interfaceName": "if-tunnel-a-to-b-if-0_ipv6",
      "ipAddress": "fdff:1::1",
      "name": "bgp-peer-tunnel-a-to-b-if-0_ipv6",
      "peerAsn": 65002,
      "peerIpAddress": "fdff:1::2",
      "advertiseMode": "DEFAULT"
    }
  ]
}
Verify the configuration
Console
To verify the configuration, follow these steps.

In the Google Cloud console, go to the Cloud VPN tunnels page.

View the VPN tunnel status and the BGP session status.

If your configuration is correct, the VPN tunnel status is Established and the BGP session status is BGP established. For more information about the VPN tunnel status and the BGP session states, see Interpret tunnel status messages and BGP session states.
gcloud
- To verify the HA VPN tunnel configuration, see Check HA VPN tunnels.
- To verify the Cloud Router configuration, see View router details.
API
To verify the Cloud Router configuration, make a GET request by using the routers.getRouterStatus method, and use an empty request body:

GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/routers/ROUTER_NAME/getRouterStatus

To learn about how to troubleshoot your Cloud VPN connection, see Troubleshooting.
Create an additional tunnel on a single-tunnel gateway
Console
To receive a 99.99% uptime SLA, configure a tunnel on each HA VPN interface on each side of an HA VPN-to-HA VPN gateway configuration.

If you configured one tunnel on an HA VPN gateway to another HA VPN gateway but want to receive a 99.99% uptime SLA, you must configure a second tunnel.

To configure a second tunnel, follow the steps at Add a tunnel from an HA VPN gateway to another HA VPN gateway.
Set the base advertised route priority (optional)
The BGP sessions that you create let each Cloud Router advertise routes to peer networks. The advertisements use unmodified base priorities.

Use the configuration documented in Create two fully configured HA VPN gateways that connect to each other for active-active routing configurations where the advertised route priorities of the two tunnels on both sides match. Omitting the advertised route priority (--advertised-route-priority) results in the same advertised route priorities to both BGP peers.

For active-passive routing configurations, you can control the advertised route priority of the to-Google Cloud routes that Cloud Router shares with your peer VPN gateway by setting the advertised route priority (--advertised-route-priority) when adding or updating a BGP peer. To create an active-passive configuration, set a higher advertised route priority for one BGP session and its corresponding VPN tunnel than for the other BGP session and VPN tunnel.

For more information about the base advertised route priority, see Advertised priority.

You can also refine the routes that are advertised by using Advertised routes:

- Add the --advertisement-mode=CUSTOM flag (gcloud) or the advertiseMode: custom flag (API).
- Specify IP address ranges with the --set-advertisement-ranges flag (gcloud) or the advertisedIpRanges flag (API).
Complete the configuration
Before you can use a new Cloud VPN gateway and its associated VPN tunnels, complete the following steps:

- Configure firewall rules in Google Cloud for your VPC networks.
- Check the status of your VPN tunnels. This step includes checking the high-availability configuration of your HA VPN gateway.
What's next
- To control which IP addresses are allowed for peer VPN gateways, see Restrict IP addresses for peer VPN gateways.
- To use high-availability and high-throughput scenarios or multiple subnet scenarios, see Advanced configurations.
- To help you solve common issues that you might encounter when using Cloud VPN, see Troubleshooting.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-18 UTC.