Best practices for Cloud VPN

The following best practices can be helpful when planning for and configuring Cloud VPN.

Use separate Google Cloud projects for networking resources

To make configuration of Identity and Access Management (IAM) roles and permissions easier, wherever possible, keep your Cloud VPN and Cloud Router resources in a project separate from your other Google Cloud resources.

Routing and failover

Choose dynamic routing

Choose a Cloud VPN gateway that uses dynamic routing and the Border Gateway Protocol (BGP). Google recommends using HA VPN and deploying on-premises devices that support BGP.

Use HA VPN whenever possible

To achieve the highest level of availability, use HA VPN whenever possible.

For more information, see types of VPN in the Cloud VPN overview.

Choose the appropriate tunnel configuration

Choose the appropriate tunnel configuration based on the number of HA VPN tunnels:

  • If you have two HA VPN tunnels, use an active/passive tunnel configuration.

  • If you have more than two HA VPN tunnels, use an active/active tunnel configuration.

For more information, see the following sections in the Cloud VPN overview:


Configure your peer VPN gateway with only one cipher for each cipher role

Cloud VPN can act as an initiator or a responder to IKE requests depending on the origin of traffic when a new security association (SA) is needed.

When Cloud VPN initiates a VPN connection, Cloud VPN proposes the algorithms in the order shown in the supported cipher tables for each cipher role. The peer side receiving the proposal selects an algorithm.

If the peer side initiates the connection, then Cloud VPN selects a cipher from the proposal by using the same order shown in the table for each cipher role.

Depending on which side is the initiator or the responder, the selected cipher can be different. For example, the selected cipher might even change over time as new security associations (SAs) are created during key rotation. Because a change in cipher selection can impact important tunnel characteristics such as performance or MTU, ensure that your cipher selection is stable. For more information about MTU, see MTU considerations.

To prevent frequent changes in cipher selection, configure your peer VPN gateway to propose and accept only one cipher for each cipher role. This cipher must be supported by both Cloud VPN and your peer VPN gateway. Do not provide a list of ciphers for each cipher role. This best practice ensures that both sides of your Cloud VPN tunnel always select the same IKE cipher during IKE negotiation.

For HA VPN tunnel pairs, configure both HA VPN tunnels on your peer VPN gateway to use the same cipher and IKE Phase 2 lifetime values.


Set up firewall rules for your VPN gateways

Create secure firewall rules for traffic that travels over Cloud VPN. For more information, see the VPC firewall rules overview.

Use strong pre-shared keys

Google recommends generating a strong pre-shared key for your Cloud VPN tunnels.

Restrict IP addresses for your peer VPN gateways

By restricting which IP addresses can be specified for a peer VPN gateway, you can prevent unauthorized VPN tunnels from being created.

For more information, see Restrict IP addresses for peer VPN gateways.

Configure the strongest cipher on your peer VPN gateway

When configuring your peer VPN gateway, choose the strongest cipher for each cipher role that is supported by both your peer VPN gateway and Cloud VPN.

The listed proposal order for Cloud VPN is not ordered by strength.

For a list of supported IKE ciphers, see Supported IKE ciphers.

What's next

  • To use high-availability and high-throughput scenarios or multiple subnet scenarios, see Advanced configurations.
  • To help you solve common issues that you might encounter when using Cloud VPN, see Troubleshooting.