Google Distributed Cloud (GDC) air-gapped VPN securely extends a peer network to a user's virtual machine (VM) in an organization of a GDC zone through an Internet Protocol Security (IPsec) VPN connection.
Configure the GDC VPN using the VPNGateway, PeerGateway, VPNBGPPeer, and VPNTunnel resources from the Networking API.
Before you begin
You must obtain authorization to manage or view VPN resources from the GDC console:
- To manage VPN resources, ask your Organization IAM Admin to grant you the VPN Admin (vpn-admin) role.
- To view existing VPN resources, ask your Organization IAM Admin to grant you the VPN Viewer (vpn-viewer) role.
For information about setting role bindings from the GDC console, see Grant access to resources.
Specifications
The GDC VPN has the following specifications:
- GDC VPN only supports site-to-site IPsec VPN connectivity. IPsec is a suite of protocols that authenticates and encrypts traffic over IP networks. Other VPN technologies, such as SSL VPN, are not supported.
- The peer VPN gateway must have a static external IPv4 address. You need this IP address to configure VPN.
- If your peer VPN gateway is behind a firewall, you must configure the firewall to pass both the Encapsulating Security Payload (ESP) IPsec protocol (IP protocol 50) and Internet Key Exchange (IKE) traffic on UDP 500 and UDP 4500 to it.
- GDC VPN only supports one-to-one NAT by using UDP encapsulation for NAT-Traversal (NAT-T). The peer VPN gateway must be configured to identify itself (its IKE identity) using its static external IPv4 address, not its internal private IP address.
- IPv6 traffic is not supported.
IPsec and IKE support
GDC VPN supports IKEv2 with an IKE pre-shared key (shared secret) and IKE ciphers. A pre-shared key is the only supported authentication method: specify a pre-shared key when you create the GDC VPN tunnel, and specify the same pre-shared key when you create the tunnel on the peer VPN gateway.
GDC VPN supports ESP in tunnel mode with authentication, but does not support AH or ESP in transport mode.
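The specifications and the IPsec/IKE requirements above are easy to get wrong on the peer side, and a mismatch usually shows up only as a tunnel that never comes up. The following is an added example, not GDC code or part of the Networking API: a pre-flight check that tests a peer gateway's planned settings against every requirement this page states (static external IPv4 address, IKE identity equal to that address, no IPv6, one-to-one NAT only, firewall passing ESP and UDP 500/4500, IKEv2 with a pre-shared key matching the GDC VPNTunnel's, ESP in tunnel mode rather than AH or transport mode). The dictionary layout, the field names, and the sample configurations are assumptions constructed for illustration.

```python
import ipaddress

# Added example, not GDC code. The peer-config dict layout below is an assumption made
# for illustration; it is not a GDC or Networking API schema.

# Address ranges a peer must never identify itself with: the page requires its static
# external IPv4 address, not an internal private one.
NON_EXTERNAL_V4 = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private ranges
    "100.64.0.0/10",                                    # carrier-grade NAT
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
)]
REQUIRED_UDP_PORTS = {500, 4500}   # IKE and NAT-T (UDP-encapsulated ESP)


def check_peer_vpn_config(peer, gdc_tunnel_psk):
    """Return a list of problem codes, in check order; an empty list means the
    peer settings satisfy every requirement stated on this page."""
    problems = []

    # Static external IPv4 address; IPv6 and private/internal addresses are not usable.
    try:
        addr = ipaddress.ip_address(peer.get("external_ip", ""))
    except ValueError:
        addr = None
        problems.append("invalid-external-ip")
    if addr is not None:
        if addr.version == 6:
            problems.append("ipv6-unsupported")
        elif any(addr in net for net in NON_EXTERNAL_V4):
            problems.append("external-ip-is-private")
    if not peer.get("static_ip"):
        problems.append("external-ip-not-static")

    # The peer's IKE identity must be that external address, not an internal one.
    if peer.get("ike_id") != peer.get("external_ip"):
        problems.append("ike-id-not-external-ip")

    # Only one-to-one NAT (with NAT-T UDP encapsulation) is supported.
    if peer.get("nat", "none") not in ("none", "one-to-one"):
        problems.append("nat-not-one-to-one")

    # A firewall in front of the peer must pass ESP (IP protocol 50) and IKE UDP 500/4500.
    fw = peer.get("firewall_allow", {})
    if "esp" not in {p.lower() for p in fw.get("protocols", [])}:
        problems.append("firewall-blocks-esp")
    for port in sorted(REQUIRED_UDP_PORTS - {int(p) for p in fw.get("udp_ports", [])}):
        problems.append(f"firewall-blocks-udp-{port}")

    # IKEv2, authenticated with a pre-shared key equal to the one on the GDC VPNTunnel.
    if peer.get("ike_version") != 2:
        problems.append("ike-version-not-2")
    if peer.get("auth") != "psk":
        problems.append("auth-not-psk")
    elif not peer.get("psk") or peer.get("psk") != gdc_tunnel_psk:
        problems.append("psk-mismatch")

    # ESP in tunnel mode only; AH and ESP transport mode are unsupported.
    if str(peer.get("ipsec_protocol", "")).lower() != "esp":
        problems.append("ipsec-protocol-not-esp")
    if str(peer.get("ipsec_mode", "")).lower() != "tunnel":
        problems.append("ipsec-mode-not-tunnel")

    return problems


# Constructed sample data (assumptions, not real deployments).
GDC_TUNNEL_PSK = "example-shared-secret"   # the key set on the GDC VPNTunnel

# A peer that meets every requirement. 203.0.113.0/24 is the TEST-NET-3 documentation
# range, standing in for a real static external IPv4 address.
GOOD_PEER = {
    "external_ip": "203.0.113.10",
    "static_ip": True,
    "ike_id": "203.0.113.10",
    "nat": "one-to-one",
    "firewall_allow": {"protocols": ["esp"], "udp_ports": [500, 4500]},
    "ike_version": 2,
    "auth": "psk",
    "psk": "example-shared-secret",
    "ipsec_protocol": "esp",
    "ipsec_mode": "tunnel",
}

# A peer that breaks most of the requirements at once.
BAD_PEER = {
    "external_ip": "192.168.10.5",          # internal private address
    "static_ip": False,                     # DHCP-assigned
    "ike_id": "vpn.corp.example",           # identifies by name, not external IP
    "nat": "many-to-one",                   # PAT is not one-to-one NAT
    "firewall_allow": {"protocols": [], "udp_ports": [500]},   # ESP and 4500 blocked
    "ike_version": 1,
    "auth": "psk",
    "psk": "wrong-secret",                  # differs from the GDC VPNTunnel key
    "ipsec_protocol": "ah",
    "ipsec_mode": "transport",
}

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_PEER), ("bad", BAD_PEER)):
        print(name, check_peer_vpn_config(cfg, GDC_TUNNEL_PSK))
```

Run the check before raising the tunnel on the peer and fix every reported code; the firewall codes in particular correspond to the ESP and UDP 500/4500 rules the specification requires, and a private external address or a mismatched IKE identity will fail IKE negotiation with GDC even when the pre-shared key is correct.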