Hybrid Connectivity

Building a VPN from on-premises/hybrid to GCP

June 23, 2022

Introduction

Welcome to our blog on building a VPN from on-premises/hybrid to Google Cloud Platform (GCP). As more and more businesses move to the cloud, it is important to have secure and reliable connections between on-premises and cloud resources. This is where a VPN (Virtual Private Network) comes in.  

A VPN allows you to create a secure, encrypted connection between your on-premises infrastructure and GCP, ensuring that your data is protected as it travels between these two environments.

In this blog, we will explore:

  1. The steps involved in building a VPN from on-premises/hybrid to GCP.
  2. Selecting the appropriate VPN gateway, configuring the VPN connection, and testing the connection to ensure it is working properly.
  3. How to confidently set one up for your own business.

Let's get started!

Types of GCP Cloud VPN

  • Classic VPN
  • HA VPN

Classic VPN gateways have a single interface and a single external IP address, and support tunnels using dynamic (BGP) or static routing (route-based or policy-based). The external IP and forwarding rules must be created before the VPN is set up. Classic VPN provides an SLA of 99.9% service availability but does not support IPv6.

Classic VPN architecture

HA VPN gateways have two interfaces and two external IP addresses. To support high availability, each IP address is automatically selected from a unique address pool. HA VPN supports only dynamic routing (BGP) and provides an SLA of 99.99% service availability when configured with two interfaces and two external IPs; one gateway terminates two tunnels. It supports IPv6.

HA VPN Architecture

Configuration overview for Classic and HA

  • Create a VPC network (VPC, subnets, firewall rules) for your workloads from the CLI
  • Configure networks in on-premises / other cloud
  • Create a gateway IP in GCP and, likewise, in on-premises / other cloud
  • Create a Classic VPN tunnel with the gateway IP and a pre-shared key
  • Establish the connection and troubleshoot tunnel errors (overview)
  • Create an HA VPN tunnel with the gateway IP and the BGP protocol
  • Establish the connection and troubleshoot tunnel errors (overview)

Let’s get started!

Pre-requisites

1. CREATE VPC NETWORK

Create a new VPC network by pasting the following command in Google Cloud Shell

  • Click the Google Cloud Shell icon at the top of the console page
  • Paste the following command in Cloud Shell

    gcloud compute networks create quadra-vpc-sandbox --subnet-mode custom

2. CREATE SUBNETS

    gcloud beta compute networks subnets create quadra-vpc-sandbox-subnet1 \
        --network quadra-vpc-sandbox --range 10.1.1.0/24 --region asia-south1

3. CREATE FIREWALL RULES

    gcloud compute firewall-rules create quadra-vpc-allow-internal \
        --network quadra-vpc-sandbox \
        --allow tcp:0-65535,udp:0-65535,icmp \
        --source-ranges 10.0.0.0/8

    gcloud compute firewall-rules create quadra-vpc-allow-ssh-icmp \
        --network quadra-vpc-sandbox \
        --allow tcp:22,icmp

4. CONFIGURE ON-PREMISES SETUP

  • Create the VPC network that stands in for on-premises:

    gcloud compute networks create on-prem --subnet-mode custom

  • Create subnets for the on-premises network:

    gcloud beta compute networks subnets create on-prem-subnet1 \
        --network on-prem --range 192.168.1.0/24 --region us-central1

  • Create firewall rules for your network connection:

    gcloud compute firewall-rules create on-prem-allow-internal \
        --network on-prem \
        --allow tcp:0-65535,udp:0-65535,icmp \
        --source-ranges 192.168.0.0/16

5. Configure HA VPN setup (GCP)

    gcloud beta compute vpn-gateways create quadra-vpn-gw1 \
        --network quadra-vpc-sandbox --region asia-south1

6. Configure HA VPN setup (On-Prem)

    gcloud beta compute vpn-gateways create on-prem-vpn-gw1 \
        --network on-prem --region us-central1

View the details of both VPN gateways

    gcloud beta compute vpn-gateways describe quadra-vpn-gw1 --region asia-south1

    gcloud beta compute vpn-gateways describe on-prem-vpn-gw1 --region us-central1

In the console you can verify the status of the tunnel created (refer to the image below)

Now that we have both tunnel IPs, let's start configuring the VPN in the Cloud Console

Go to the console and search for “Hybrid Connectivity → Cloud VPN”

Creating a Classic VPN

Search for Hybrid Connectivity in the list of services and choose Cloud VPN

Click on Create VPN connection

Click Classic VPN

  1. In the Name field, enter “quadra-vpn”
  2. In Network, choose the network you created in the steps above
  3. Specify the region as “us-central1”
  4. In the IP address tab, choose a static IP address or use an existing reserved IP

In the Tunnels section

  1. Name your tunnel and enter the peer IP address (on-prem firewall IP / other cloud peer IP)
  2. Choose either IKEv2 or IKEv1, as your firewall policies require.
  3. Create a new key, or paste the key if you already have it handy.
  4. Choose Route-based as the routing option, provide the IP address range used on-premises / in the other cloud, and click Create.

Once created, wait a few minutes for the VPN tunnels to come up; you can see the status of the connection under “VPN Status”. Kindly find below the reasons to troubleshoot in case you are faced with an error.

Creating an HA VPN

Go to the console, search for Hybrid Connectivity and choose VPN

Click on High-availability (HA) VPN

Fill in the gateway details (the same steps followed when creating the Classic VPN)

Choose On-prem / Other cloud (since we are connecting to on-prem)

Create a peer VPN gateway; it can have 1, 2 or 4 interfaces

  1. Choose a name for your VPN gateway
  2. Choose the number of interfaces required for your workloads
  3. Provide the interface IP (create a new one) and click Create.

Once the gateway is created, create a router for your gateway interface

  1. Choose a name for your router
  2. Choose the network where your router will be available (chosen by default)
  3. Choose a Google ASN for the router; make sure the ASN values match what is configured on the peer side, then click Create.

After creating the router, make sure the interface IPs are correct and generate a pre-shared key or use an existing pre-shared key (same steps as in the Classic VPN)

Configure the BGP session with the peer ASN and double-check the IP addresses

Once BGP is configured, you will see the status of the connection as below

Please find below the reasons to troubleshoot in case you are faced with an error.
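As an added sanity check (not part of the original post), the snippet below validates the values entered in the steps above before the tunnel is brought up: that the on-prem range given to a route-based Classic VPN tunnel does not overlap the GCP subnet, that the Cloud Router ASN and BGP session IPs are in the ranges Cloud Router accepts, and that the SSH/ICMP firewall rule does not expose tcp:22 to 0.0.0.0/0 (which is what gcloud defaults to when --source-ranges is omitted). The ASNs and link-local addresses are hypothetical; the subnets and rule names are the ones used in this post.

```python
"""Pre-flight checks for the GCP <-> on-prem VPN values used above (added example)."""
import ipaddress

# Constructed plan: subnets and firewall rules mirror this post; ASNs and BGP IPs are hypothetical.
PLAN = {
    "gcp_subnets": ["10.1.1.0/24"],
    "onprem_subnets": ["192.168.1.0/24"],
    "google_asn": 65001,
    "peer_asn": 65002,
    "bgp_gcp_ip": "169.254.0.1/30",
    "bgp_peer_ip": "169.254.0.2/30",
    "firewall_rules": [
        {"name": "quadra-vpc-allow-internal", "allow": "tcp:0-65535,udp:0-65535,icmp",
         "source_ranges": ["10.0.0.0/8"]},
        # gcloud defaults --source-ranges to 0.0.0.0/0 when it is omitted, as in the post's SSH rule.
        {"name": "quadra-vpc-allow-ssh-icmp", "allow": "tcp:22,icmp", "source_ranges": ["0.0.0.0/0"]},
    ],
}
PRIVATE_ASN = [(64512, 65534), (4200000000, 4294967294)]
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

def overlapping_prefixes(local, remote):
    """Route-based tunnels cannot carry a remote range that overlaps a local subnet."""
    return [(a, b) for a in local for b in remote
            if ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))]

def bgp_issues(google_asn, peer_asn, gcp_ip, peer_ip):
    """Cloud Router needs a private Google ASN and a shared /30 from 169.254.0.0/16."""
    issues = []
    if not any(lo <= google_asn <= hi for lo, hi in PRIVATE_ASN):
        issues.append(f"Google ASN {google_asn} is outside the private ASN ranges")
    if not 1 <= peer_asn <= 4294967295:
        issues.append(f"peer ASN {peer_asn} is not a valid ASN")
    a, b = ipaddress.ip_interface(gcp_ip), ipaddress.ip_interface(peer_ip)
    if a.ip not in LINK_LOCAL or b.ip not in LINK_LOCAL:
        issues.append("BGP session IPs must come from 169.254.0.0/16")
    if a.network != b.network or a.network.prefixlen != 30:
        issues.append("BGP session IPs must share one /30")
    return issues

def open_admin_ports(rules):
    """Names of rules exposing SSH/RDP to the internet (matches exact port tokens)."""
    return [r["name"] for r in rules if "0.0.0.0/0" in r["source_ranges"]
            and any(p in r["allow"].split(",") for p in ("tcp:22", "tcp:3389"))]

def preflight(plan):
    return {"overlaps": overlapping_prefixes(plan["gcp_subnets"], plan["onprem_subnets"]),
            "bgp": bgp_issues(plan["google_asn"], plan["peer_asn"],
                              plan["bgp_gcp_ip"], plan["bgp_peer_ip"]),
            "internet_exposed_admin": open_admin_ports(plan["firewall_rules"])}
```

Run `preflight(PLAN)` before clicking Create; for the values in this post it reports no overlap and no BGP issue, but flags quadra-vpc-allow-ssh-icmp as reachable from the whole internet, so narrow its source range to your admin network.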

Conclusion:

In this blog, we were able to create a secure VPN connection from on-premises / hybrid to Google Cloud using both the Classic VPN and HA VPN models.
