Welcome to our blog on building a VPN from on-premises/hybrid to Google Cloud Platform (GCP). As more and more businesses move to the cloud, it is important to have secure and reliable connections between on-premises and cloud resources. This is where a VPN (Virtual Private Network) comes in.
A VPN allows you to create a secure, encrypted connection between your on-premises infrastructure and GCP, ensuring that your data is protected as it travels between these two environments.
In this blog, we will explore:
Classic VPN gateways have a single interface and a single external IP address, and support tunnels using dynamic (BGP) or static routing (route-based or policy-based). The external IP address and forwarding rules must be created before the VPN is set up. They provide an SLA of 99.9% service availability, but they do not support IPv6.
Classic VPN architecture
HA VPN gateways have two interfaces and two external IP addresses. To support high availability, each IP address is automatically selected from a unique address pool. They support only dynamic routing (BGP) and provide an SLA of 99.99% service availability when configured with two interfaces and two external IPs, which means two tunnels from one gateway. HA VPN supports IPv6.
HA VPN Architecture
Let’s get started!
1. CREATE VPC NETWORK
Create a new VPC network by pasting the following command into Google Cloud Shell:
gcloud compute networks create quadra-vpc-sandbox --subnet-mode custom
2. CREATE SUBNETS
gcloud beta compute networks subnets create quadra-vpc-sandbox-subnet1 \
--network quadra-vpc-sandbox --range 10.1.1.0/24 --region asia-south1
3. CREATE FIREWALL RULES
gcloud compute firewall-rules create quadra-vpc-allow-internal \
--network quadra-vpc-sandbox \
--allow tcp:0-65535,udp:0-65535,icmp \
--source-ranges 10.0.0.0/8
gcloud compute firewall-rules create quadra-vpc-allow-ssh-icmp \
--network quadra-vpc-sandbox \
--allow tcp:22,icmp
4. CONFIGURE ON-PREMISES SETUP
gcloud compute networks create on-prem --subnet-mode custom
gcloud beta compute networks subnets create on-prem-subnet1 \
--network on-prem --range 192.168.1.0/24 --region us-central1
gcloud compute firewall-rules create on-prem-allow-internal \
--network on-prem \
--allow tcp:0-65535,udp:0-65535,icmp \
--source-ranges 192.168.0.0/16
5. CONFIGURE HA VPN SETUP (GCP)
gcloud beta compute vpn-gateways create quadra-vpn-gw1 --network quadra-vpc-sandbox \
--region asia-south1
6. CONFIGURE HA VPN SETUP (ON-PREM)
gcloud beta compute vpn-gateways create on-prem-vpn-gw1 --network on-prem \
--region us-central1
View the details of both VPN gateways:
gcloud beta compute vpn-gateways describe quadra-vpn-gw1 --region asia-south1
gcloud beta compute vpn-gateways describe on-prem-vpn-gw1 --region us-central1
In the console you can verify the status of the tunnel created (refer to the image below).
Now that we have both gateway IP addresses, let's start configuring the VPN in the Cloud console.
In the console, search for Hybrid Connectivity in the list of services and choose Cloud VPN (Hybrid Connectivity > Cloud VPN).
Click Create VPN connection.
Click Classic VPN.
In the Tunnels section
Once created, wait a few minutes for the VPN tunnels to come up; you can see the state of the connection under “VPN Status”. If you are faced with an error, please refer to the troubleshooting reasons below.
Go to the console, search for Hybrid Connectivity and choose VPN.
Click High-availability (HA) VPN.
Fill in the gateway details (same steps as when creating the Classic VPN).
Choose On-prem/Other cloud (since we are connecting to on-prem).
Create the peer VPN gateway: give it a name and choose 1, 2 or 4 interfaces.
Once the gateway is created, create a Cloud Router for your gateway interface.
After creating the router, make sure the interface IPs are correct, then generate a pre-shared key or use an existing one (same steps as for Classic VPN).
Configure the BGP session with the peer ASN and double-check the IP addresses.
Once BGP is configured, you will see the status of the connection as below.
Please find below the reasons to troubleshoot in case you are faced with an error.
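The same HA VPN configuration (the gateways from steps 5 and 6 plus the router, tunnels and BGP sessions done in the console above) scripted entirely with gcloud, as an added example that is not part of the original post. Router names, ASNs (65001/65002) and the 169.254.x.y/30 BGP link-local addresses are assumptions; both gateway interfaces get a tunnel, which is what the 99.99% SLA described earlier requires.

```shell
#!/bin/sh
# Added example, not from the original post: finish the HA VPN between the two
# gateways created in steps 5 and 6 with gcloud instead of the console, then
# verify that each tunnel reports ESTABLISHED. Router names, ASNs and the
# 169.254.x.y/30 BGP link-local addresses are assumptions.
set -eu

GCLOUD=${GCLOUD:-gcloud}   # command to run; a stub can be substituted for a dry run

# Configure one side: a Cloud Router plus one tunnel per gateway interface
# (both interfaces are needed for the 99.99% SLA), each with its own BGP session.
# $1 region  $2 network  $3 local gateway  $4 peer gateway  $5 router
# $6 local ASN  $7 peer ASN  $8 shared secret  $9 side: 1 (GCP) or 2 (on-prem)
setup_side() {
  region=$1 network=$2 gw=$3 peer=$4 router=$5 asn=$6 peer_asn=$7 secret=$8 me=$9
  them=$((3 - $me))          # the other end of each /30 takes the other host address
  "$GCLOUD" compute routers create "$router" --network "$network" \
    --asn "$asn" --region "$region"
  for i in 0 1; do
    tunnel="$gw-tunnel$i"
    "$GCLOUD" compute vpn-tunnels create "$tunnel" --region "$region" \
      --vpn-gateway "$gw" --interface "$i" --peer-gcp-gateway "$peer" \
      --ike-version 2 --shared-secret "$secret" --router "$router"
    # Tunnel i uses link-local 169.254.i.0/30; both sides must use the same /30.
    "$GCLOUD" compute routers add-interface "$router" --interface-name "if-$tunnel" \
      --ip-address "169.254.$i.$me" --mask-length 30 --vpn-tunnel "$tunnel" --region "$region"
    "$GCLOUD" compute routers add-bgp-peer "$router" --peer-name "bgp-$tunnel" \
      --interface "if-$tunnel" --peer-ip-address "169.254.$i.$them" \
      --peer-asn "$peer_asn" --region "$region"
  done
}

# Succeeds only when the tunnel's status is ESTABLISHED (the state the post's
# "VPN Status" column shows). A pre-shared key or peer address mismatch leaves
# the tunnel in a different state, which is the first thing to check on error.
tunnel_established() {
  status=$("$GCLOUD" compute vpn-tunnels describe "$1" --region "$2" --format='value(status)')
  [ "$status" = "ESTABLISHED" ]
}

# Run with --apply to create the resources; without it nothing is executed.
if [ "${1:-}" = "--apply" ]; then
  PSK=$(openssl rand -base64 32)   # random pre-shared key shared by both sides, never printed
  setup_side asia-south1 quadra-vpc-sandbox quadra-vpn-gw1 on-prem-vpn-gw1 quadra-router 65001 65002 "$PSK" 1
  setup_side us-central1 on-prem on-prem-vpn-gw1 quadra-vpn-gw1 on-prem-router 65002 65001 "$PSK" 2
  for t in quadra-vpn-gw1-tunnel0 quadra-vpn-gw1-tunnel1; do
    tunnel_established "$t" asia-south1 || echo "tunnel $t is not established yet"
  done
fi
```

Tunnels take a few minutes to negotiate after creation, so rerun the status check rather than treating the first non-ESTABLISHED result as a misconfiguration.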
Conclusion:
In this blog, we were able to create a secure VPN connection from on-premises / hybrid to Google Cloud using both the Classic VPN and HA VPN models.