
Cloud VPN for hybrid connectivity in GCP - Commands & Configuration

Introduction
Sometimes your office network and your cloud network need to talk securely. Cloud VPN creates a safe tunnel between your on-premises network and your cloud network so they can share data privately.
When you want your company office network to connect securely to your cloud resources.
When you have applications running both on your local servers and in the cloud that need to communicate.
When you want to extend your internal network to the cloud without exposing it to the internet.
When you need a backup connection between your data center and cloud in case the main link fails.
When you want to connect multiple cloud regions or different cloud providers securely.
Config File - vpn-tunnel.yaml
# Classic VPN gateway attached to the VPC. Classic VPN also needs a reserved
# static external IP and three forwarding rules (ESP, UDP 500, UDP 4500) that
# point at this gateway before a tunnel can come up; they are omitted here.
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeTargetVPNGateway
metadata:
  name: example-vpn-gateway
  namespace: default
spec:
  networkRef:
    name: example-vpc
  region: us-central1
---
# IPsec tunnel to the on-premises VPN device. The pre-shared key is read from a
# Kubernetes Secret instead of being written into the manifest.
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeVPNTunnel
metadata:
  name: example-vpn-tunnel
  namespace: default
spec:
  targetVpnGatewayRef:
    name: example-vpn-gateway
  peerIp: 203.0.113.1
  sharedSecret:
    valueFrom:
      secretKeyRef:
        name: vpn-shared-secret   # Secret object holding the pre-shared key
        key: sharedSecret
  ikeVersion: 2
  region: us-central1
  localTrafficSelector:
    - 10.0.0.0/16
  remoteTrafficSelector:
    - 192.168.1.0/24

This file creates a Classic VPN gateway in the cloud attached to your VPC network; the gateway is the cloud-side endpoint of the tunnel.

The VPN tunnel sets up the IPsec tunnel to your on-premises VPN device using the peer IP and the shared secret. The secret is referenced from a Kubernetes Secret rather than written into the manifest, so it does not end up in version control alongside the rest of the configuration.

Traffic selectors define which IP ranges on each side are allowed through the tunnel.

Commands
This command creates a Classic VPN gateway (a target VPN gateway) in the specified region and network. It acts as the cloud-side endpoint for your VPN tunnel and is the gateway type that the tunnel command's --target-vpn-gateway flag expects.
Terminal
gcloud compute target-vpn-gateways create example-vpn-gateway --network example-vpc --region us-central1
Expected Output
Created [https://www.googleapis.com/compute/v1/projects/my-project/regions/us-central1/targetVpnGateways/example-vpn-gateway].
--network - The VPC network the VPN gateway is attached to.
--region - The region in which the VPN gateway is created.
This command creates the VPN tunnel connecting your cloud VPN gateway to your on-premises VPN device, using the peer IP and the shared secret. Before the tunnel can come up, the Classic VPN gateway needs a reserved static external IP and forwarding rules for ESP, UDP 500 and UDP 4500 pointing at it.
Terminal
gcloud compute vpn-tunnels create example-vpn-tunnel --peer-address 203.0.113.1 --ike-version 2 --shared-secret mysecretpassword --target-vpn-gateway example-vpn-gateway --region us-central1 --local-traffic-selector 10.0.0.0/16 --remote-traffic-selector 192.168.1.0/24
Expected Output
Created [https://www.googleapis.com/compute/v1/projects/my-project/regions/us-central1/vpnTunnels/example-vpn-tunnel].
--peer-address - The public IP address of your on-premises VPN device.
--shared-secret - The pre-shared key both endpoints use to authenticate the IKE exchange that sets up the encrypted tunnel. Passed on the command line it lands in shell history and process listings, so treat it like any other credential.
--local-traffic-selector - The IP range in your cloud network allowed through the tunnel.
--remote-traffic-selector - The IP range in your on-premises network allowed through the tunnel.
This command shows the status and details of the VPN tunnel so you can confirm it is up and running; status: ESTABLISHED is the value to look for.
Terminal
gcloud compute vpn-tunnels describe example-vpn-tunnel --region us-central1
Expected Output
creationTimestamp: '2024-06-01T12:00:00.000-07:00'
ikeVersion: 2
localTrafficSelector:
- 10.0.0.0/16
name: example-vpn-tunnel
peerIp: 203.0.113.1
region: us-central1
remoteTrafficSelector:
- 192.168.1.0/24
sharedSecret: (hidden)
status: ESTABLISHED
targetVpnGateway: https://www.googleapis.com/compute/v1/projects/my-project/regions/us-central1/targetVpnGateways/example-vpn-gateway
--region - The region of the VPN tunnel.
Key Concept

If you remember nothing else from this pattern, remember: Cloud VPN creates a secure, encrypted tunnel between your cloud network and your on-premises network so they can communicate privately.

Common Mistakes
Using an incorrect peer IP address for the on-premises VPN device.
The VPN tunnel cannot be established if the peer IP is wrong or unreachable.
Verify the public IP address of your on-premises VPN device before creating the tunnel.
Mismatched shared secret between the cloud VPN and the on-premises device.
The tunnel will fail to establish because both sides must use the same pre-shared key.
Ensure the shared secret is exactly the same on both VPN endpoints.
Not specifying the correct traffic selectors for the local and remote networks.
Traffic outside these ranges will not pass through the VPN tunnel, causing connectivity issues.
Set the local and remote traffic selectors to the IP ranges that actually need to communicate, and make sure the two sides do not overlap.
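A pre-deployment check for the mistakes listed above, run against a tunnel spec shaped like the ComputeVPNTunnel in vpn-tunnel.yaml. This is an added example, not code from the page or from Google; the spec dict is constructed to mirror the manifest, and the function and finding wording are mine.

```python
import ipaddress

# Constructed example mirroring the ComputeVPNTunnel spec in vpn-tunnel.yaml;
# the shared secret is deliberately inline so the check below flags it.
TUNNEL_SPEC = {
    "peerIp": "203.0.113.1",
    "sharedSecret": {"value": "mysecretpassword"},
    "localTrafficSelector": ["10.0.0.0/16"],
    "remoteTrafficSelector": ["192.168.1.0/24"],
}
# Ranges that can never be the WAN address of an on-premises VPN device.
UNROUTABLE = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def check_tunnel_spec(spec):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # 1. Peer IP must parse as IPv4 and not be a private, loopback or link-local address.
    try:
        peer = ipaddress.ip_address(spec["peerIp"])
        if peer.version != 4 or any(peer in net for net in UNROUTABLE):
            findings.append(f"peerIp {peer} is not a public IPv4 address")
    except (KeyError, ValueError):
        findings.append("peerIp is missing or not a valid IP address")
    # 2. The pre-shared key must be a Secret reference, never a literal in the manifest.
    secret = spec.get("sharedSecret", {})
    if "value" in secret or "valueFrom" not in secret:
        findings.append("sharedSecret is inline; use valueFrom.secretKeyRef")
    # 3. Traffic selectors must be valid CIDRs, non-empty, and must not overlap
    #    across sides (an overlapping range has no unambiguous route).
    def selectors(key):
        nets = []
        for cidr in spec.get(key, []):
            try:
                nets.append(ipaddress.ip_network(cidr, strict=True))
            except ValueError:
                findings.append(f"{key} entry {cidr!r} is not a valid CIDR")
        if not nets:
            findings.append(f"{key} is empty; no traffic would cross the tunnel")
        return nets
    local_nets = selectors("localTrafficSelector")
    remote_nets = selectors("remoteTrafficSelector")
    for local in local_nets:
        for remote in remote_nets:
            if local.overlaps(remote):
                findings.append(f"local {local} overlaps remote {remote}")
    return findings
```

Run it over the manifest's spec before applying it; the constructed spec above yields exactly one finding, the inline shared secret.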
Summary
Create a VPN gateway in your cloud network to act as the VPN endpoint.
Create a VPN tunnel connecting the cloud VPN gateway to your on-premises VPN device using peer IP and shared secret.
Verify the VPN tunnel status to ensure the secure connection is established.