Google Distributed Cloud (GDC) air-gapped VPN supports dynamic routing using an IPv4 Border Gateway Protocol (BGP) session for each VPN tunnel. The BGP session lets the BGP peers in the remote network and in the GDC organization advertise routes to each other.
VPN BGP session specifications
- The BGP peer in the organization supports a BGP keepalive interval of 30 seconds, with a hold timer of 90 seconds.
For each BGP session, make sure that the IPv4 addresses meet the following requirements:
- Each BGP IPv4 address must belong to the same /30 subnet, and that subnet must fit within the 169.254.0.0/16 range.
- Each BGP IPv4 address is the first or second host of the /30 subnet. The first and the last IP addresses of the subnet are reserved for the network and broadcast addresses.
- The BGP address range for each BGP session must be unique among all VPN BGP sessions for the organization.
MD5 authentication is not supported. This is a method of verifying the integrity and authenticity of data using the MD5 hashing algorithm.
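The address rules above can be checked before a VPNBGPPeer object is submitted to the cluster. The following is an added example, not code from the GDC documentation or tooling; it assumes Python 3.7+ and takes the /30 subnets already assigned to the organization's other VPN BGP sessions as a constructed input list.

```python
import ipaddress

# The range every VPN BGP /30 subnet must fit inside.
LINK_LOCAL_RANGE = ipaddress.ip_network("169.254.0.0/16")


def check_bgp_session_ips(local_ip, remote_ip, subnets_in_use=()):
    """Return a list of rule violations for one VPN BGP session.

    An empty list means the LOCAL_PEER_IP / REMOTE_PEER_IP pair satisfies the
    three requirements: same /30 inside 169.254.0.0/16, first or second host
    only, and a /30 not already used by another session in the organization.
    subnets_in_use is a hypothetical, caller-supplied list of "a.b.c.d/30"
    strings collected from the existing VPNBGPPeer objects.
    """
    problems = []
    try:
        local = ipaddress.IPv4Address(local_ip)
        remote = ipaddress.IPv4Address(remote_ip)
    except ValueError as exc:
        return [f"not a valid IPv4 address: {exc}"]
    if local == remote:
        problems.append("local and remote peer addresses are identical")

    # Rule 1: both addresses in the same /30, and that /30 inside 169.254.0.0/16.
    local_net = ipaddress.ip_network(f"{local}/30", strict=False)
    remote_net = ipaddress.ip_network(f"{remote}/30", strict=False)
    if local_net != remote_net:
        problems.append(f"addresses are in different /30 subnets ({local_net} vs {remote_net})")
    for net in {local_net, remote_net}:
        if not net.subnet_of(LINK_LOCAL_RANGE):
            problems.append(f"{net} is outside {LINK_LOCAL_RANGE}")

    # Rule 2: offset 0 is the network address and offset 3 the broadcast
    # address of a /30; only offsets 1 and 2 (first and second host) are valid.
    for label, addr, net in (("local", local, local_net), ("remote", remote, remote_net)):
        offset = int(addr) - int(net.network_address)
        if offset == 0:
            problems.append(f"{label} address {addr} is the network address of {net}")
        elif offset == 3:
            problems.append(f"{label} address {addr} is the broadcast address of {net}")

    # Rule 3: the /30 must be unique among all VPN BGP sessions in the organization.
    used = {ipaddress.ip_network(s, strict=False) for s in subnets_in_use}
    if local_net in used:
        problems.append(f"{local_net} is already used by another VPN BGP session")
    return problems
```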
Create a VPN BGP session
To create a BGP session for the VPN tunnel, create a VPNBGPPeer object in the org admin cluster. Each VPN BGP session object must use a unique /30 subnet from the 169.254.0.0/16 range. Additionally, the IP addresses must not be the network or broadcast IP address of that subnet.
kubectl --kubeconfig ORG_ADMIN_CLUSTER_KUBECONFIG create -n platform -f - <<EOF
apiVersion: networking.gdc.goog/v1
kind: VPNBGPPeer
metadata:
  name: VPN_BGP_PEER_NAME
spec:
  remote:
    name: REMOTE_PEER_NAME
    ip: REMOTE_PEER_IP
    asn: REMOTE_PEER_ASN
  local:
    name: LOCAL_PEER_NAME
    ip: LOCAL_PEER_IP
    asn: LOCAL_PEER_ASN
EOF
Replace the following:
- VPN_BGP_PEER_NAME: the name of the VPN BGP peer.
- REMOTE_PEER_NAME: the name for the BGP peer in the remote network.
- REMOTE_PEER_IP: the BGP IPv4 address from the /30 subnet of the BGP peer in the remote network.
- REMOTE_PEER_ASN: the Autonomous System Number (ASN) configured for the remote network.
- LOCAL_PEER_NAME: a name for the BGP peer in the GDC organization.
- LOCAL_PEER_IP: the BGP IPv4 address from the /30 subnet of the BGP peer in the GDC organization.
- LOCAL_PEER_ASN: the ASN configured for the GDC organization.
Verify that the VPN_BGP_PEER_NAME object was correctly reconciled by examining its Status field.
Get the details of the VPNBGPPeer object:
kubectl --kubeconfig ORG_ADMIN_CLUSTER_KUBECONFIG describe -n platform vpnbgppeer VPN_BGP_PEER_NAME
Examine the output; it must look similar to the following example:
Status:
  Conditions:
    Last Transition Time:  2024-05-10T00:26:13Z
    Message:               Ready
    Observed Generation:   1
    Reason:                Ready
    Status:                True
    Type:                  ValidIPs
    Last Transition Time:  2024-05-10T00:26:00Z
    Message:               Used by 0 VPNTunnels, must be used by a single VPNTunnel
    Observed Generation:   1
    Reason:                GetResourceFailed
    Status:                False
    Type:                  TunnelsAttached
    Last Transition Time:  2024-05-10T00:26:00Z
    Message:               TunnelsAttached or ValidIPs Condition not Ready.
    Observed Generation:   1
    Reason:                Unknown
    Status:                False
    Type:                  Reconciled
    Last Transition Time:  2024-05-10T00:26:01Z
    Message:               ValidIPs or Reconciled Condition not Ready.
    Observed Generation:   1
    Reason:                Unknown
    Status:                False
    Type:                  AdvertisedRoutesReady
    Last Transition Time:  2024-05-10T00:26:13Z
    Message:               Ready
    Observed Generation:   1
    Reason:                Ready
    Status:                True
    Type:                  ReceivedRoutesValid
    Last Transition Time:  2024-05-10T00:26:01Z
    Message:               TunnelsAttached Condition not Ready.
    Observed Generation:   1
    Reason:                Unknown
    Status:                False
    Type:                  ReceivedRoutesReady
    Last Transition Time:  2024-05-10T00:26:01Z
    Message:               Condition "TunnelsAttached" is not ready.
    Observed Generation:   1
    Reason:                NotReady
    Status:                False
    Type:                  Ready
The TunnelsAttached condition stays False until the VPNBGPPeer is attached to a VPNTunnel. We handle this step in Create a VPN Tunnel.