Google Distributed Cloud (GDC) air-gapped VPN securely extends a peer network to a user's virtual machine (VM) in an organization of a GDC zone through an Internet Protocol Security (IPsec) VPN connection.
Configure the GDC VPN using the VPNGateway,
PeerGateway, VPNBGPPeer, and VPNTunnel resources from the Networking
API.
Before you begin
You must obtain authorization to manage or view VPN resources from the GDC console:
- To manage VPN resources, ask your Organization IAM Admin to grant you the VPN Admin (
vpn-admin) role. - To view existing VPN resources, ask your Organization IAM Admin to grant you the VPN Viewer (
vpn-viewer) role.
For information about setting role bindings from the GDC console, see Grant access to resources.
Specifications
The GDC VPN has the following specifications:
- GDC VPN only supports site-to-site IPsec VPN connectivity. IPsec is a suite of protocols designed to secure communication over IP networks. Other VPN technologies, such as SSL and VPN are not supported.
- The peer VPN gateway must have a static external IPv4 address. You need this IP address to configure VPN.
- If your peer VPN gateway is behind a firewall rule, you must configure the firewall rule to pass both Encapsulating Security Payload (ESP) IPsec protocol and Internet Key Exchange (IKE) UDP 500 and UDP 4500 traffic to it.
- GDC VPN only supports one-to-one NAT by using UDP encapsulation for NAT-Traversal (NAT-T). The peer VPN gateway must be configured to identify itself using its static external IPv4 address, not its internal private IP.
- IPv6 traffic is not supported.
IPsec and IKE support
GDC VPN supports IKEv2 by using an IKE pre-shared key (shared secret) and IKE ciphers. GDC VPN only supports a pre-shared key for authentication. When you create the GDC VPN tunnel, specify a pre-shared key. When you create the tunnel at the peer VPN gateway, specify this same pre-shared key.
GDC VPN supports ESP in tunnel mode with authentication, but does not support AH or ESP in transport mode.