There are two gateway components to configure for Google Distributed Cloud (GDC) air-gapped VPN:
- A VPN gateway in GDC.
- Your peer VPN gateway. This is a physical VPN gateway device or software application in the peer network to which the VPN gateway connects. The peer gateway can either be an on-premises VPN gateway or one hosted by another cloud provider.
Follow the instructions in this section to create a VPN gateway or a peer gateway resource.
Create a VPN gateway
Create a VPN gateway for the GDC organization by creating a VPNGateway object in the org admin cluster. Specify an interface name on the gateway to represent the IP address. When the gateway is created, an external IPv4 address is automatically allocated:
kubectl --kubeconfig ORG_ADMIN_CLUSTER_KUBECONFIG create -n platform -f - <<EOF
apiVersion: networking.gdc.goog/v1
kind: VPNGateway
metadata:
  name: VPN_GW_NAME
spec:
  interfaces:
  - name: VPN_INTERFACE_NAME
EOF
Replace the following:
- ORG_ADMIN_CLUSTER_KUBECONFIG: the org admin cluster's kubeconfig path.
- VPN_GW_NAME: the name of the VPN gateway object. For example, vpngateway.
- VPN_INTERFACE_NAME: the name of the VPN interface. For example, interface0.
Verify that the VPN_GW_NAME object was correctly reconciled by examining the Status field.
Get the details for the VPN gateway object:
kubectl --kubeconfig ORG_ADMIN_CLUSTER_KUBECONFIG describe -n platform vpngateway VPN_GW_NAME
Examine the output; it must look similar to the following example:
status:
  conditions:
  - lastTransitionTime: "2024-05-10T00:12:58Z"
    message: All interfaces are assigned an IP.
    observedGeneration: 1
    reason: Ready
    status: "True"
    type: IPsAssigned
  - lastTransitionTime: "2024-05-10T00:12:36Z"
    message: Condition "TunnelsAttached" is not ready.
    observedGeneration: 1
    reason: NotReady
    status: "False"
    type: Ready
  - lastTransitionTime: "2024-05-10T00:12:36Z"
    message: 'At least one interface is not attached to any VPNTunnel: ["interface0"]'
    observedGeneration: 1
    reason: NoTunnelAttached
    status: "False"
    type: TunnelsAttached
  interfaces:
  - ip: 10.252.218.240
    name: interface0
The VPNGateway object must be attached to a VPNTunnel. We handle this step in Create a VPN Tunnel.
Create a peer VPN gateway
Create a peer VPN gateway by creating a PeerGateway object in the org admin cluster. The PeerGateway object represents a remote VPN endpoint. An interface on a PeerGateway object is used by a VPN tunnel to establish an encrypted tunnel to the remote site. Specify an interface name and the static external IPv4 address of your peer VPN gateway:
kubectl --kubeconfig ORG_ADMIN_CLUSTER_KUBECONFIG create -n platform -f - <<EOF
apiVersion: networking.gdc.goog/v1
kind: PeerGateway
metadata:
  name: PEER_GW_NAME
spec:
  interfaces:
  - name: PEER_INTERFACE_NAME
    ip: PEER_INTERFACE_IP
EOF
Replace the following:
- PEER_GW_NAME: the name of the peer VPN gateway. For example, peergateway.
- PEER_INTERFACE_NAME: the name of the peer interface. For example, interface0.
- PEER_INTERFACE_IP: the static external IPv4 address of your peer VPN gateway.
Verify that the PEER_GW_NAME object was correctly reconciled by examining the Status field.
Get the details for the peer VPN gateway object:
kubectl --kubeconfig ORG_ADMIN_CLUSTER_KUBECONFIG describe -n platform peergateway PEER_GW_NAME
Examine the output; it must look similar to the following example:
Status:
  Conditions:
    Last Transition Time:  2024-05-10T00:15:25Z
    Message:               Condition "TunnelsAttached" is not ready.
    Observed Generation:   1
    Reason:                NotReady
    Status:                False
    Type:                  Ready
    Last Transition Time:  2024-05-10T00:20:45Z
    Message:               Ready
    Observed Generation:   1
    Reason:                Ready
    Status:                True
    Type:                  ValidGatewayIPs
    Last Transition Time:  2024-05-10T00:15:25Z
    Message:               At least one interface is not attached to any VPNTunnel: ["interface0"]
    Observed Generation:   1
    Reason:                NoTunnelAttached
    Status:                False
    Type:                  TunnelsAttached
The PeerGateway object must be referenced by a VPNTunnel. We handle this step in Create a VPN Tunnel.