Stay organized with collections
Save and categorize content based on your preferences.
This page describes the specifications a VPN Border Gateway
Protocol (BGP) session must adhere to and how to create a VPN BGP session.
Google Distributed Cloud (GDC) air-gapped VPN supports dynamic routing using an IPv4 BGP session for each VPN tunnel. The BGP session lets the BGP peers
in the remote network and in the GDC organization advertise routes to each
other.
Before you begin
To create a VPN BGP session, you must have the necessary identity and access roles:
VPN Admin: has read and write permissions on all VPN-related resources. Ask your Organization IAM Admin to grant you the VPN Admin (vpn-admin) role.
VPN Viewer: has read permissions on all VPN-related resources. Ask your Organization IAM Admin to grant you the VPN Viewer (vpn-viewer) role.
The BGP peer in the organization supports a BGP keepalive interval of 30 seconds, with a hold timer of 90 seconds.For each BGP session, the IPv4 addresses must meet the following requirements:
Each BGP IPv4 address must belong to the same /30 subnet that fits within
the 169.254.0.0/16 range.
Each BGP IPv4 address is the first or second host of the /30 subnet. The first and the last IP addresses of the subnet are reserved for network and broadcast addresses.
Each BGP address range for each BGP session must be unique among all VPN BGP sessions for the organization.
MD5 authentication is not supported. This is a method of verifying the integrity and authenticity of data using the MD5 hashing algorithm.
Create a VPN BGP session
To create a BGP session for the VPN tunnel, follow these steps:
Create a VPNBGPPeer object in the
org admin cluster in the platform namespace:
MANAGEMENT_API_SERVER: the zonal API
server's kubeconfig path. If you have not yet generated a kubeconfig file
for the API server in your targeted zone, see
Sign in for details.
VPN_BGP_PEER_NAME: the name of the VPN BGP peer.
REMOTE_PEER_NAME: the name for the BGP peer in the remote
network.
REMOTE_PEER_IP: the BGP IPv4 address from the /30 subnet
of the BGP peer in the remote network.
REMOTE_PEER_ASN: the Autonomous System Number (ASN)
configured for the remote network.
LOCAL_PEER_NAME: a name for the BGP peer in the GDC organization.
LOCAL_PEER_IP: the BGP IPv4 address from the /30 subnet
of the BGP peer in the GDC organization.
LOCAL_PEER_ASN: the ASN configured for the GDC organization.
Verify that the VPN_BGP_PEER_NAME object was correctly reconciled by examining the Status field. Get the details of the VPNBGPPeer object:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eThis document outlines the requirements and procedures for establishing a VPN Border Gateway Protocol (BGP) session within Google Distributed Cloud (GDC) air-gapped environments.\u003c/p\u003e\n"],["\u003cp\u003eCreating a VPN BGP session requires either the VPN Admin or VPN Viewer role, which can be granted by the Organization IAM Admin.\u003c/p\u003e\n"],["\u003cp\u003eEach VPN BGP session must use unique IPv4 addresses from a \u003ccode\u003e/30\u003c/code\u003e subnet within the \u003ccode\u003e169.254.0.0/16\u003c/code\u003e range, and addresses must be the first or second host in the subnet, with a keepalive interval of 30 seconds and a hold timer of 90 seconds.\u003c/p\u003e\n"],["\u003cp\u003eThe process of creating a BGP session for a VPN tunnel involves creating a \u003ccode\u003eVPNBGPPeer\u003c/code\u003e object with specific remote and local parameters, then verifying its status.\u003c/p\u003e\n"],["\u003cp\u003eMD5 authentication is not supported.\u003c/p\u003e\n"]]],[],null,["# Create a VPN BGP session\n\nThis page describes the specifications a VPN Border Gateway\nProtocol (BGP) session must adhere to and how to create a VPN BGP session.\n\nGoogle Distributed Cloud (GDC) air-gapped VPN supports dynamic routing using an IPv4 BGP session for each VPN tunnel. The BGP session lets the BGP peers\nin the remote network and in the GDC organization advertise routes to each\nother.\n\nBefore you begin\n----------------\n\nTo create a VPN BGP session, you must have the necessary identity and access roles:\n\n- VPN Admin: has read and write permissions on all VPN-related resources. Ask your Organization IAM Admin to grant you the VPN Admin (`vpn-admin`) role.\n- VPN Viewer: has read permissions on all VPN-related resources. Ask your Organization IAM Admin to grant you the VPN Viewer (`vpn-viewer`) role.\n- For more information, see [Role definitions](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/iam/role-definitions).\n\nVPN BGP session specifications\n------------------------------\n\nThe BGP peer in the organization supports a BGP keepalive interval of 30 seconds, with a hold timer of 90 seconds.For each BGP session, the IPv4 addresses must meet the following requirements:\n\n- Each BGP IPv4 address must belong to the same `/30` subnet that fits within the `169.254.0.0/16` range.\n- Each BGP IPv4 address is the first or second host of the `/30` subnet. The first and the last IP addresses of the subnet are reserved for network and broadcast addresses.\n- Each BGP address range for each BGP session must be unique among all VPN BGP sessions for the organization.\n\nMD5 authentication is not supported. This is a method of verifying the integrity and authenticity of data using the MD5 hashing algorithm.\n\nCreate a VPN BGP session\n------------------------\n\nTo create a BGP session for the VPN tunnel, follow these steps:\n\n1. Create a `VPNBGPPeer` object in the\n org admin cluster in the platform namespace:\n\n kubectl --kubeconfig \u003cvar translate=\"no\"\u003eMANAGEMENT_API_SERVER\u003c/var\u003e create -n platform -f - \u003c\u003cEOF\n apiVersion: networking.gdc.goog/v1\n kind: VPNBGPPeer\n metadata:\n name: \u003cvar translate=\"no\"\u003eVPN_BGP_PEER_NAME\u003c/var\u003e\n spec:\n remote:\n name: \u003cvar translate=\"no\"\u003eREMOTE_PEER_NAME\u003c/var\u003e\n ip: \u003cvar translate=\"no\"\u003eREMOTE_PEER_IP\u003c/var\u003e\n asn: \u003cvar translate=\"no\"\u003eREMOTE_PEER_ASN\u003c/var\u003e\n local:\n name: \u003cvar translate=\"no\"\u003eLOCAL_PEER_NAME\u003c/var\u003e\n ip: \u003cvar translate=\"no\"\u003eLOCAL_PEER_IP\u003c/var\u003e\n asn: \u003cvar translate=\"no\"\u003eLOCAL_PEER_ASN\u003c/var\u003e\n EOF\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003eMANAGEMENT_API_SERVER\u003c/var\u003e: the zonal API server's kubeconfig path. If you have not yet generated a kubeconfig file for the API server in your targeted zone, see [Sign in](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/iam/sign-in#cli) for details.\n - \u003cvar translate=\"no\"\u003eVPN_BGP_PEER_NAME\u003c/var\u003e: the name of the VPN BGP peer.\n - \u003cvar translate=\"no\"\u003eREMOTE_PEER_NAME\u003c/var\u003e: the name for the BGP peer in the remote network.\n - \u003cvar translate=\"no\"\u003eREMOTE_PEER_IP\u003c/var\u003e: the BGP IPv4 address from the `/30` subnet of the BGP peer in the remote network.\n - \u003cvar translate=\"no\"\u003eREMOTE_PEER_ASN\u003c/var\u003e: the Autonomous System Number (ASN) configured for the remote network.\n - \u003cvar translate=\"no\"\u003eLOCAL_PEER_NAME\u003c/var\u003e: a name for the BGP peer in the GDC organization.\n - \u003cvar translate=\"no\"\u003eLOCAL_PEER_IP\u003c/var\u003e: the BGP IPv4 address from the `/30` subnet of the BGP peer in the GDC organization.\n - \u003cvar translate=\"no\"\u003eLOCAL_PEER_ASN\u003c/var\u003e: the ASN configured for the GDC organization.\n2. Verify that the \u003cvar translate=\"no\"\u003eVPN_BGP_PEER_NAME\u003c/var\u003e object was correctly reconciled by examining the `Status` field. Get the details of the `VPNBGPPeer` object:\n\n kubectl --kubeconfig \u003cvar translate=\"no\"\u003eMANAGEMENT_API_SERVER\u003c/var\u003e describe -n platform vpnbgppeer \u003cvar translate=\"no\"\u003eVPN_BGP_PEER_NAME\u003c/var\u003e\n\n Examine the output, it must look similar to the following example: \n\n Status:\n Conditions:\n Last Transition Time: 2024-05-10T00:26:13Z\n Message: Ready\n Observed Generation: 1\n Reason: Ready\n Status: True\n Type: ValidIPs\n Last Transition Time: 2024-05-10T00:26:00Z\n Message: Used by 0 VPNTunnels, must be used by a single VPNTunnel\n Observed Generation: 1\n Reason: GetResourceFailed\n Status: False\n Type: TunnelsAttached\n Last Transition Time: 2024-05-10T00:26:00Z\n Message: TunnelsAttached or ValidIPs Condition not Ready.\n Observed Generation: 1\n Reason: Unknown\n Status: False\n Type: Reconciled\n Last Transition Time: 2024-05-10T00:26:01Z\n Message: ValidIPs or Reconciled Condition not Ready.\n Observed Generation: 1\n Reason: Unknown\n Status: False\n Type: AdvertisedRoutesReady\n Last Transition Time: 2024-05-10T00:26:13Z\n Message: Ready\n Observed Generation: 1\n Reason: Ready\n Status: True\n Type: ReceivedRoutesValid\n Last Transition Time: 2024-05-10T00:26:01Z\n Message: TunnelsAttached Condition not Ready.\n Observed Generation: 1\n Reason: Unknown\n Status: False\n Type: ReceivedRoutesReady\n Last Transition Time: 2024-05-10T00:26:01Z\n Message: Condition \"TunnelsAttached\" is not ready.\n Observed Generation: 1\n Reason: NotReady\n Status: False\n Type: Ready\n ```\n\nThe `VPNBGPPeer` must be attached to a `VPNTunnel`. We handle this step in [Create a VPN Tunnel](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/vpn/configure-the-tunnel#create-a-vpn-tunnel).\n\nWhat's next\n-----------\n\n- [Create the secret with a PSK](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/vpn/create-secret)"]]