This page describes how to connect two Virtual Private Cloud (VPC) networks in Google Cloud by using two HA VPN gateways. You can connect two VPC networks together as long as the primary and secondary subnet IPv4 or IPv6 address ranges in each network don't overlap.
For more information about Cloud VPN, see the following resources:
For diagrams of this topology, see HA VPN between Google Cloud networks.
To automate this setup, see the Terraform example for an HA VPN gateway.
For best practices to consider before setting up Cloud VPN, see Best practices.
For more information about Cloud VPN, see the Cloud VPN overview.
For definitions of terms used on this page, see Key terms.
Requirements
To receive a 99.99% SLA, make sure that you meet the following requirements when creating this configuration:
- Place one HA VPN gateway in each VPC network.
- Place both HA VPN gateways in the same Google Cloud region.
- Configure a tunnel on each interface of each gateway.
- Match the gateway interfaces as follows:
- The tunnel on
interface 0
of the first gateway must connect tointerface 0
on the second gateway. - The tunnel on
interface 1
of the first gateway must connect tointerface 1
on the second gateway.
- The tunnel on
Although it is possible to connect two VPC networks together by using a single tunnel between HA VPN gateways or by using Classic VPN gateways, this type of configuration is not considered to have high availability and does not meet the HA SLA of 99.99% availability.
Cloud Router recommendations
When configuring a new HA VPN gateway, you can create a new Cloud Router, or you can use an existing Cloud Router with existing Cloud VPN tunnels or VLAN attachments. However, the Cloud Router that you use must not already manage a BGP session for a VLAN attachment associated with a Partner Interconnect connection because of the attachment's specific ASN requirements.
Manage permissions
HA VPN gateways might not always belong to you or your Google Cloud organization. When you create an HA VPN gateway or connect to a gateway owned by someone else, consider these requirements:
- If you own the project where you create an HA VPN gateway, configure the recommended permissions on it.
- If you want to connect to an HA VPN gateway that
resides in a Google Cloud organization or project that you don't own,
request the
compute.vpnGateways.use
permission from the owner.
Before you begin
Review information about how dynamic routing works in Google Cloud.
Make sure that your peer VPN gateway supports Border Gateway Protocol (BGP).
Set up the following items in Google Cloud to make it easier to configure Cloud VPN:
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
-
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
-
Make sure that billing is enabled for your Google Cloud project.
- Install the Google Cloud CLI.
-
To initialize the gcloud CLI, run the following command:
gcloud init
-
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
-
Make sure that billing is enabled for your Google Cloud project.
- Install the Google Cloud CLI.
-
To initialize the gcloud CLI, run the following command:
gcloud init
-
If you are using the Google Cloud CLI, set your project ID with the following command. The
gcloud
instructions on this page assume that you have set your project ID before issuing commands.gcloud config set project PROJECT_ID
-
You can also view a project ID that has already been set by running the following command:
gcloud config list --format='text(core.project)'
Create custom VPC networks and subnets
The procedures in this document use two different VPC networks. Each VPC network has at least two subnets, which are located in different regions.
Before you create your HA VPN gateways and your HA VPN tunnels, create two VPC networks.
Each VPC network must have at least one subnet in the region where you create the HA VPN gateway.
- To create a custom mode VPC network (recommended), see Create a custom mode VPC network.
- To create a subnet, see Working with subnets.
To enable IPv6 traffic in your HA VPN tunnels, you must enable the allocation of IPv6 internal addresses when you create the VPC networks. In addition, configure the subnets to use IPv6 internal addresses.
You must also configure IPv6 on the VMs in the subnet.
- To create a custom mode VPC network that has at least one dual-stack subnet or one IPv6-only subnet (Preview) with internal IPv6 addresses, see Create and manage VPC networks.
- To create a dual-stack subnet with IPv6 enabled, see Add a dual-stack subnet.
- To create an IPv6-only subnet, see Add an IPv6-only subnet (Preview).
- To enable IPv6 in an existing IPv4-only subnet, see Change an IPv4-only subnet to dual-stack.
- To create VMs with IPv6 enabled, see Configuring IPv6 for instances and instance templates.
The VPC subnets must be configured to use internal IPv6
addresses. When you use the gcloud CLI, you configure the subnets
with the --ipv6-access-type=INTERNAL
flag. Cloud Router does not
dynamically advertise routes for subnets that are configured to use external
IPv6 addresses (--ipv6-access-type=EXTERNAL
).
For information about using internal IPv6 address ranges in your VPC networks and subnets, see Internal IPv6 specifications.
The examples in this document also use VPC global dynamic routing mode, which behaves in the following way:
- All instances of Cloud Router apply the
to on-premises
routes that they learn to all subnets of the VPC network. - Routes to all subnets in the VPC network are shared with on-premises routers.
Create two fully configured HA VPN gateways that connect to each other
Follow the instructions in this section to create an HA VPN gateway, a peer VPN gateway resource, tunnels, and BGP sessions.
Create the HA VPN gateways
Console
The VPN setup wizard includes all required configuration steps for creating an HA VPN gateway, a peer VPN gateway resource, tunnels, and BGP sessions.
To create the first HA VPN gateway, follow these steps:
In the Google Cloud console, go to the VPN page.
If you are creating a gateway for the first time, click Create VPN connection.
Select the VPN setup wizard.
If you have an existing HA VPN gateway, select the option button for that gateway.
Click Continue.
Specify a VPN gateway name.
Under VPC network, select an existing network or the default network.
Select a Region.
Select a stack type for the gateway, either IPv4 (single stack) or IPv4 and IPv6 (dual stack).
Click Create and continue.
The console page refreshes and displays your gateway information. Two external IPv4 addresses are automatically allocated for each of your gateway interfaces. For future configuration steps, make note of the details of your gateway configuration.
To create the second HA VPN gateway, repeat the preceding steps in a new browser tab. Make sure you specify the same HA VPN tunnel stack type as the first HA VPN gateway.
gcloud
Depending on the workloads you plan to support with your tunnels, you can choose the stack type as follows while creating the gateways:
- To support only IPv4 workloads, create an
HA VPN gateway with the
IPV4_ONLY
stack type. - To support both IPv4 and IPv6 workloads, create an
HA VPN gateway with the
IPV4_IPV6
stack type. - To support only IPv6 workloads, create an
HA VPN gateway with the
IPV6_ONLY
stack type.
To create two HA VPN gateways, complete the following command sequence:
Create an HA VPN gateway in each network in
REGION
.When each gateway is created, two external IPv4 addresses are automatically allocated, one for each gateway interface. Take note of these IP addresses to use later on in the configuration steps.
In the following commands, replace the following:
GW_NAME_1
andGW_NAME_2
: the name of each gatewayNETWORK
: the name of your Google Cloud networkREGION
: the Google Cloud region where you need to create the gateway and tunnelIP_STACK
: Optional: the IP stack to use. SpecifyIPV4_ONLY
,IPV4_IPV6
, orIPV6_ONLY
. If you don't specify this flag, the stack type defaults toIPV4_IPV6
.
Create the first gateway
For a gateway with IPv4 interfaces:
gcloud compute vpn-gateways create GW_NAME_1 \ --network=NETWORK_1 \ --region=REGION \ --stack-type=IP_STACK
The gateway that you create is similar to the following example output. An external IPv4 address has been automatically assigned to each gateway interface:
Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnGateways/ha-vpn-gw-a]. NAME INTERFACE0 INTERFACE1 NETWORK REGION ha-vpn-gw-a 203.0.113.16 203.0.113.23 network-a us-central1
Create the second gateway
gcloud compute vpn-gateways create GW_NAME_2 \ --network=NETWORK_2 \ --region=REGION \ --stack-type=IP_STACK
If you specified a stack type for the first gateway, use the same stack type for the second gateway.
The gateway that you create is similar to the following example output:
Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-east1/vpnGateways/ha-vpn-gw-b]. NAME INTERFACE0 INTERFACE1 NETWORK REGION ha-vpn-gw-b 203.0.114.18 203.0.114.25 network-b us-east1
For a gateway with IPv6 interfaces:
gcloud compute vpn-gateways create GW_NAME_1 \ --network=NETWORK_1 \ --region=REGION \ --gateway-ip-version=IPV6 \ --stack-type=IP_STACK
An external IPv6 address is automatically assigned to each gateway interface.
API
To create BGP sessions, follow these steps:
To create the full configuration for an HA VPN gateway, use the API commands in the following sections. All field values used in these sections are example values.
For a gateway with IPv4 interfaces:
Create the first HA VPN gateway by making a
POST
request to thevpnGateways.insert
method.POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/vpnGateways { "name": "ha-vpn-gw-a", "network": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/network-a", "stackType": "IPV4_IPV6" }
The
stackType
field is optional. The only valid values areIPV4_IPV6
orIPV4_ONLY
. If you don't specify astackType
, the default isIPV4_ONLY
.Repeat the command to create the second HA VPN gateway, and specify the appropriate
project
,name
,network
, andregion
.If you specified
stackType
for the first gateway, use the same stack type for the second gateway, eitherIPV4_ONLY
orIPV4_IPV6
.
For a gateway with IPv6 interfaces:
Create the first HA VPN gateway by making a
POST
request to thevpnGateways.insert
method.POST https://compute.googleapis.com/compute/beta/projects/PROJECT_ID/regions/REGION/vpnGateways { "name": "ha-vpn-gw-a", "network": "https://www.googleapis.com/compute/beta/projects/PROJECT_ID/global/networks/network-a", "gatewayIpVersion": "IPV6", "stackType": "IPV6_ONLY" }
When you allocate external IPv6 addresses to the HA VPN gateway, you must specify
IPV6
as thegatewayIpVersion
value. ThestackType
field is optional.If you don't specify
stackType
, the default value isIPV4_IPV6
.The only valid
stackType
values for a gateway with agatewayIpVersion
ofIPV6
areIPV4_IPV6
orIPV6_ONLY
.
Repeat the command to create the second HA VPN gateway, and specify the appropriate
project
,name
,network
, andregion
.When you allocate external IPv6 addresses to the HA VPN gateway, you must specify
IPV6
as thegatewayIpVersion
value. ThestackType
field is optional.If you specified
stackType
for the first gateway, use the same stack type for the second gateway, eitherIPV6_ONLY
orIPV4_IPV6
.
Specify the peer VPN gateway resource
In this setup, the peer VPN gateway resource is the second HA VPN, which is the endpoint of the new VPN tunnel connections.
If you are connecting two VPC networks, the second VPC network can exist in the same Google Cloud project or in a separate Google Cloud project.
Console
To specify the peer HA VPN gateway resource, follow these steps:
- On the Create a VPN page, in the Peer VPN gateway section, select Google Cloud VPN gateway.
- For Project, select the Google Cloud project that contains the new gateway.
- For VPN gateway name, select the second HA VPN that you created in Create the HA VPN gateways.
- Continue to create VPN tunnels.
gcloud
You created the peer VPN gateway resource when you created the second HA VPN gateway in Create the HA VPN gateways.
You specify this HA VPN gateway as the peer VPN gateway resource when you create the HA VPN tunnels.
API
You created the peer VPN gateway resource when you created the second HA VPN gateway in Create the HA VPN gateways.
You specify this HA VPN gateway as the peer VPN gateway resource when you create the HA VPN tunnels.
Create Cloud Routers
Console
Under Cloud Router, if you haven't already, create a Cloud Router specifying the following options. You can use an existing Cloud Router if the router does not already manage a BGP session for a VLAN attachment associated with a Partner Interconnect connection.
To create a new Cloud Router, specify the following:
- A Name
- An optional Description
- A Google ASN for the new router
You can use any private ASN (
64512
through65534
,4200000000
through4294967294
) that you are not using elsewhere in your network. The Google ASN is used for all BGP sessions on the same Cloud Router, and you cannot change the ASN later.To create the new router, click Create.
gcloud
The following instructions assume that you haven't already created Cloud Routers to use for managing BGP sessions for your HA VPN tunnels. You can use an existing Cloud Router in each VPC network unless those routers already manage a BGP session for a VLAN attachment associated with a Partner Interconnect connection.
To create two Cloud Routers, complete the following command sequence:
Create a Cloud Router in each network in
REGION
.In the following commands, replace the following:
PEER_ASN_1
andPEER_ASN_2
: any private ASN (64512
through65534
,4200000000
through4294967294
) that you are not already using. This example uses ASN65001
for both interfaces ofROUTER_NAME_1
and ASN65002
for both interfaces ofROUTER_NAME_2
.- Replace all other options with the values that you used previously.
Create the first router
gcloud compute routers create ROUTER_NAME_1 \ --region=REGION \ --network=NETWORK_1 \ --asn=PEER_ASN_1
The router that you create is similar to the following example output:
Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-a]. NAME REGION NETWORK router-a us-central1 network-a
Create the second router
gcloud compute routers create ROUTER_NAME_2 \ --region=REGION \ --network=NETWORK_2 \ --asn=PEER_ASN_2
The router that you create is similar to the following example output:
Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-b]. NAME REGION NETWORK router-b us-central1 network-b
API
If you already created a Cloud Router in each of the VPC networks where each of your HA VPN gateways reside, you can use those Cloud Routers instead of creating new ones. However, if a Cloud Router manages a BGP session for a VLAN attachment associated with a Partner Interconnect connection, then create a new Cloud Router.
To create a Cloud Router, make a POST
request to the
routers.insert
method.
POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/routers { "name": "router-a", "network": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/network-a" }
Create VPN tunnels
Console
To create VPN tunnels, follow these steps:
Under High availability, select either a pair of tunnels or one tunnel to the other HA VPN gateway:
If you select Create a pair of VPN tunnels (recommended), configure the two tunnel dialogs that appear at the bottom of the Create VPN page.
If you select Create a single VPN tunnel, you configure your single tunnel on the rest of the Create VPN page. However, to get a 99.99% SLA to the other HA VPN gateway, you must create a second tunnel. You can add a second tunnel later as described at the end of this procedure.
Complete the following steps either on the same page or in each tunnel's dialog at the bottom of the page.
If you are configuring one tunnel, under Associated Cloud VPN gateway interface, select the HA VPN interface and IP address combination for this gateway to associate it with the gateway interface on the other HA VPN gateway. For two-tunnel configurations, this option and the Associated peer VPN gateway interface option are both unavailable because the correct interface combinations are configured for you.
- Specify a Name for the tunnel.
- Specify an optional Description.
- Specify the IKE version. We recommend IKEv2, the default setting. To allow IPv6 traffic, you must select IKEv2.
- Specify an IKE pre-shared key by using your pre-shared key (shared secret), which must correspond with the pre-shared key for the partner tunnel that you create on your peer gateway. If you haven't configured a pre-shared key on your peer VPN gateway and want to generate one, click Generate and copy. Make sure that you record the pre-shared key in a secure location because it cannot be retrieved after you create your VPN tunnels.
- Click Done.
- On the Create VPN page, repeat the tunnel creation steps for any remaining tunnel dialogs.
When you have configured all tunnels, click Create and continue.
gcloud
To create two VPN tunnels on each HA VPN gateway, complete the following command sequence.
- The tunnel that you create from
interface 0
ofGW_NAME_1
must connect to the external IP address associated withinterface 0
ofGW_NAME_2
inNETWORK_2
. - The tunnel from
interface 1
ofGW_NAME_1
must connect to the external IP address associated withinterface 1
ofGW_NAME_2
. When you create VPN tunnels on
GW_NAME_1
inNETWORK_1
, specify the information forGW_NAME_2
inNETWORK_2
. Google automatically connects the tunnel frominterface 0
ofGW_NAME_1
tointerface 0
ofGW_NAME_2
, andinterface 1
ofGW_NAME_1
tointerface 1
ofGW_NAME_2
.Create two tunnels on
GW_NAME_1
Create two VPN tunnels, one on each interface, of
GW_NAME_1
inNETWORK_1
.In the following commands, replace the following:
TUNNEL_NAME_GW1_IF0
andTUNNEL_NAME_GW1_IF1
: a name for each tunnel originating fromGW_NAME_1
; naming the tunnels by including the gateway interface name can help identify the tunnels laterGW_NAME_2
: the value of--peer-gcp-gateway
REGION
: the region whereGW_NAME_1
is located- Optional: The
--vpn-gateway-region
is the region of the HA VPN gateway to operate on. Its value should be the same as--region
. If not specified, this option is automatically set. This option overrides the default region property value for this command invocation. IKE_VERS
:2
for IKEv2; because both tunnels connect to another HA VPN gateway, Google recommends using IKEv2. To allow IPv6 traffic, you must use IKEv2.SHARED_SECRET
: your pre-shared key (shared secret), which must be the same pre-shared key that you use for the corresponding tunnel created fromGW_NAME_2
oninterface 0
andinterface 1
; for recommendations, see Generate a strong pre-shared keyINT_NUM_0
: the number0
for the first interface onGW_NAME_1
INT_NUM_1
: the number1
for the second interface onGW_NAME_1
- If the
peer-gcp-gateway
is in a different project from the VPN tunnel and local VPN gateway, to specify the project, use the--peer-gcp-gateway
option as a full URI or as a relative name. The following sample option is a relative name:--peer-gcp-gateway projects/other-project/regions/us-central1/vpnGateways/ha-vpn-gw-b
Create the first tunnel on
GW_NAME_1
INT_NUM_0
gcloud compute vpn-tunnels create TUNNEL_NAME_GW1_IF0 \ --peer-gcp-gateway=GW_NAME_2 \ --region=REGION \ --ike-version=IKE_VERS \ --shared-secret=SHARED_SECRET \ --router=ROUTER_NAME_1 \ --vpn-gateway=GW_NAME_1 \ --interface=INT_NUM_0
Create the second tunnel on
GW_NAME_1
INT_NUM_1
gcloud compute vpn-tunnels create TUNNEL_NAME_GW1_IF1 \ --peer-gcp-gateway=GW_NAME_2 \ --region=REGION \ --ike-version=IKE_VERS \ --shared-secret=SHARED_SECRET \ --router=ROUTER_NAME_1 \ --vpn-gateway=GW_NAME_1 \ --interface=INT_NUM_1
The command output looks similar to the following example:
Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-b-if-0]. NAME REGION VPN_GATEWAY VPN_INTERFACE PEER_ADDRESS tunnel-a-to-b-if-0 us-central1 ha-vpn-gw-a 0 ha-vpn-gw-b Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-b-if-1]. NAME REGION VPN_GATEWAY VPN_INTERFACE PEER_ADDRESS tunnel-a-to-b-if-1 us-central1 ha-vpn-gw-a 1 ha-vpn-gw-b
Create two tunnels on
GW_NAME_2
Create two VPN tunnels, one on each interface, of
GW_NAME_2
inNETWORK_2
.- The tunnel that you create from
interface 0
ofGW_NAME_2
must connect to the external IP address associated withinterface 0
ofGW_NAME_1
inNETWORK_1
. - The tunnel from
interface 1
ofGW_NAME_2
must connect to the external IP address associated withinterface 1
ofGW_NAME_1
.
In the following commands, replace the following:
REGION
: the region whereGW_NAME_2
is located- Optional: The
--vpn-gateway-region
is the region of the VPN gateway to operate on. Its value should be the same as--region
. If not specified, this option is automatically set. This option overrides the default region property value for this command invocation. TUNNEL_NAME_GW2_IF0
andTUNNEL_NAME_GW2_IF1
: a name for each tunnel originating fromGW_NAME_2
; naming the tunnels by including the gateway interface name can help identify the tunnels laterGW_NAME_1
: the value of--peer-gcp-gateway
IKE_VERS
:2
for IKEv2; because these tunnels connect to the two tunnels created in the previous step, they must use the same IKE version (Google recommends using IKEv2). To allow IPv6 traffic, you must use IKEv2.SHARED_SECRET
: your pre-shared key (shared secret), which must correspond with the pre-shared key for the partner tunnel that you created on each interface ofGW_NAME_1
; for recommendations, see Generate a strong pre-shared keyGW_NAME_2
: the name of the second gateway that you configured in the gateway configuration stepINT_NUM_0
: the number0
for the first interface onGW_NAME_2
INT_NUM_1
: the number1
for the second interface onGW_NAME_2
- If the
peer-gcp-gateway
is in a different project than the VPN tunnel and local VPN gateway, to specify the project, use the--peer-gcp-gateway
option as a full URI or as a relative name. The following sample option is a relative name:--peer-gcp-gateway projects/other-project/regions/us-central1/vpnGateways/ha-vpn-gw-b
- The
--peer-gcp-gateway-region
, which is the region of the peer-side HA VPN gateway to which the VPN tunnel is connected, must be in the same region as the VPN tunnel. If not specified, the region is automatically set.
Create the first tunnel on
GW_NAME_2
INT_NUM_0
gcloud compute vpn-tunnels create TUNNEL_NAME_GW2_IF0 \ --peer-gcp-gateway=GW_NAME_1 \ --region=REGION \ --ike-version=IKE_VERS \ --shared-secret=SHARED_SECRET \ --router=ROUTER_NAME_2 \ --vpn-gateway=GW_NAME_2 \ --interface=INT_NUM_0
Create the second tunnel on
GW_NAME_2
INT_NUM_1
gcloud compute vpn-tunnels create TUNNEL_NAME_GW2_IF1 \ --peer-gcp-gateway=GW_NAME_1 \ --region=REGION \ --ike-version=IKE_VERS \ --shared-secret=SHARED_SECRET \ --router=ROUTER_NAME_2 \ --vpn-gateway=GW_NAME_2 \ --interface=INT_NUM_1
The command output looks similar to the following example:
Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-b-to-a-if-0]. NAME REGION VPN_GATEWAY VPN_INTERFACE PEER_ADDRESS tunnel-b-to-a-if-0 us-central1 ha-vpn-gw-b 0 ha-vpn-gw-a Created [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-b-to-a-if-1]. NAME REGION VPN_GATEWAY VPN_INTERFACE PEER_ADDRESS tunnel-b-to-a-if-1 us-central1 ha-vpn-gw-b 1 ha-vpn-gw-a
- The tunnel that you create from
After this step, wait a few minutes, and then check the status of each VPN tunnel.
A VPN tunnel's state changes to
Established
only when the corresponding partner tunnel is also available and properly configured. A valid IKE and Child Security Association (SA) must also be negotiated between them.For example,
tunnel-a-to-b-if-0
onha-vpn-gw-a
can only be established iftunnel-b-to-a-if-0
onha-vpn-gw-b
is configured and available.
API
To create two VPN tunnels, one for each interface on an
HA VPN gateway, make a POST
request to the
vpnTunnels.insert
method.
To create the first tunnel, run the following command:
POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/vpnTunnels { "name": "ha-vpn-gw-a-tunnel-0", "ikeVersion": 2, "peerGcpGateway": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/vpnGateways/ha-vpn-gw-b", "router": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/routers/router-a", "sharedSecret": "SECRET_1", "vpnGateway": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/vpnGateways/ha-vpn-gw-a", "vpnGatewayInterface": 0 }
If you plan to enable IPv6 in the BGP session associated with this tunnel, you must specify
2
for theikeVersion
.To create the second tunnel, repeat the preceding command, but change the following parameters:
name
: for example,ha-vpn-gw-a-tunnel-1
sharedSecret
orsharedSecretHash
(if needed)vpnGatewayInterface
: change to the value of the other HA VPN gateway interface—in this example, change this value to1
Next, create two tunnels for your second HA VPN gateway that connect to your first HA VPN gateway.
To create the first tunnel on the second HA VPN gateway, run the following command:
POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/vpnTunnels { "name": "ha-vpn-gw-b-tunnel-0", "ikeVersion": 2, "peerGcpGateway": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/vpnGateways/ha-vpn-gw-a", "router": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/routers/router-b", "sharedSecret": SECRET_1, "vpnGateway": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/vpnGateways/ha-vpn-gw-b", "vpnGatewayInterface": 0 }
Use the same
sharedSecret
that you specified for the first tunnel on the first gateway (ha-vpn-gw-a-tunnel-0
).If you plan to enable IPv6 in the BGP session associated with this tunnel, you must specify
2
for theikeVersion
.To create the second tunnel on the second HA VPN gateway, repeat the preceding command, but change the following parameters:
name
: for exampleha-vpn-gw-b-tunnel-1
sharedSecret
orsharedSecretHash
: specify thesharedSecret
orsharedSecretHash
that you used when creating the second tunnel on the first gatewayvpnGatewayInterface
: change to the value of the other HA VPN gateway interface—in this example, change this value to1
Create BGP sessions
For each HA VPN tunnel, you can create an IPv4 BGP session, an IPv6 BGP session, or both.
To view specific instructions, select the type of BGP session that is appropriate for your HA VPN gateway and VPC network traffic needs.
BGP session type | HA VPN gateway | VPC network | MP-BGP allowed? |
---|---|---|---|
IPv4 BGP sessions | IPv4 only or dual stack | IPv4 only or dual stack | yes |
IPv6 BGP sessions | dual stack | dual stack | yes |
Both IPv4 and IPv6 BGP sessions | dual stack | dual stack | no |
To use multiprotocol BGP (MP-BGP) in the BGP sessions of your HA VPN tunnels, you must use dual-stack HA VPN gateways.
You must also use a dual-stack HA VPN gateway to set up both IPv4 and IPv6 BGP sessions in the same HA VPN tunnel. However, you can't enable dual-stack route exchange (MP-BGP) in the individual IPv4 and IPv6 BGP sessions.
IPv4 BGP sessions
Console
To create BGP sessions, follow these steps:
- Click Configure BGP session.
- On the Create BGP session page, complete the following steps:
- For BGP session type, select IPv4 BGP session.
- For Name, enter a name for the BGP session.
- For Peer ASN, enter the peer ASN configured for the peer VPN gateway.
- Optional: For Advertised route priority (MED), enter the priority of routes advertised to this BGP peer.
- Optional: To enable IPv6 route exchange, click the Enable IPv6 traffic toggle.
For Allocate BGP IPv4 address, select Automatically or Manually. If you select Manually, do the following:
- For Cloud Router BGP IPv4 address, enter the Cloud Router BGP IPv4 address.
For BGP peer IPv4 address, enter the IPv4 address of the BGP peer. The IPv4 address must meet the following requirements:
- Each IPv4 address must belong to the same
/30
subnet that fits within the169.254.0.0/16
address range. - Each IPv4 address is the first or second host of the
/30
subnet. The first and the last IP addresses of the subnet are reserved for network and broadcast addresses. - Each IPv4 address range for a BGP session must be unique among all Cloud Routers in all regions of a VPC network.
If you select Automatically, Google Cloud automatically selects the IPv4 addresses for your BGP session.
- Each IPv4 address must belong to the same
Optional: If you enabled IPv6 route exchange in the previous step, for Allocate BGP IPv6 next hop, select Automatically or Manually. If you select Manually, do the following:
- For Cloud Router BGP IPv6 next hop, enter an IPv6 address in the
2600:2d00:0:2::/63
address range. This IP address is the next hop address for IPv6 routes that are advertised by the Cloud Router. - For Peer BGP IPv6 next hop, enter an IPv6 address in the
2600:2d00:0:2::/63
address range. This IP address is the next hop address for IPv6 routes learned by the Cloud Router from the BGP peer. - Optional: Expand the Advanced options section.
- To enable BGP peer, select Enabled. If enabled, the peer connection is established with routing information. For more information, see Establish BGP sessions.
- To enable MD5 authentication, select Enabled. If enabled, MD5 authentication is used to authenticate BGP sessions For more information, see Use MD5 authentication. You can alternatively choose to enable MD5 authentication later.
- To add outbound routes to the BGP session, for Priority of all custom learned routes, enter a learned route priority. For more information, see Learned routes.
- For Cloud Router BGP IPv6 next hop, enter an IPv6 address in the
Click Save and continue.
Repeat the previous steps for the rest of the tunnels configured on the gateway. For each tunnel, use a different Cloud Router BGP IP address and BGP Peer IP address.
Click Save BGP configuration.
gcloud
To create BGP sessions, follow these steps:
In this section, you configure Cloud Router interfaces and BGP peers; the following table provides an overview of these interfaces and peers. It shows the relationship between the IPv4 address range and the peer IPv4 addresses that you specify for each interface.
For example, the first interface of router-1
has an IPv4 address of
169.254.0.1
, which means router-1
is the first host in IPv4 subnet
169.254.0.0/30
. The other Cloud Router, router-2
, is the
BGP peer of router-1
. The first interface of router-2
is assigned
169.254.0.2
, which is the second host in the IPv4 subnet 169.254.0.0/30
.
Therefore, the peer IPv4 BGP address of router-1
is 169.254.0.2
and the peer IPv4 BGP address of router-2
is 169.254.0.1
.
This table also shows an example IPv6 next hop address configuration.
Router | Interface name | IPv4 address range | Peer IPv4 address | Peer ASN | IPv6 next hop address |
Peer IPv6 next hop address |
---|---|---|---|---|---|---|
router-1 | if-tunnel-a-to-b-if-0 | 169.254.0.1/30 | 169.254.0.2 | 65002 | 2600:2d00:0:2::1 | 2600:2d00:0:2::2 |
router-2 | if-tunnel-b-to-a-if-0 | 169.254.0.2/30 | 169.254.0.1 | 65001 | 2600:2d00:0:2::2 | 2600:2d00:0:2::1 |
router-1 | if-tunnel-a-to-b-if-1 | 169.254.1.1/30 | 169.254.1.2 | 65002 | 2600:2d00:0:2:1::1 | 2600:2d00:0:2:1::2 |
router-2 | if-tunnel-b-to-a-if-1 | 169.254.1.2/30 | 169.254.1.1 | 65001 | 2600:2d00:0:2:1::2 | 2600:2d00:0:2:1::1 |
To create Cloud Router interfaces and BGP peers, complete the following command sequence.
Create an interface and BGP peer on
ROUTER_NAME_1
for the tunnelTUNNEL_NAME_GW1_IF0
.This interface connects
TUNNEL_NAME_GW1_IF0
oninterface 0
ofGW_1
tointerface 0
ofGW_2
.In the following commands, replace the following:
ROUTER_1_INTERFACE_NAME_0
: a name for the Cloud Router interface; using a name related toTUNNEL_NAME_GW1_IF0
is helpfulIP_VERSION
: specifyIPV4
or leave unspecified. If unspecified, the default isIPV4
.IP_ADDRESS_1
: a BGP IPv4 address from the169.254.0.0/16
IPv4 address range that's not already in use; this example uses169.254.0.1
. If you omit this flag and don't manually assign a BGP IPv4 address, Google Cloud automatically assigns an address for you.MASK_LENGTH
: specify30
because the Cloud Router must use a unique/30
CIDR from the same169.254.0.0/16
IPv4 address range.PEER_NAME_GW1_IF0
: a name describing the BGP peer; using a name related toTUNNEL_NAME_GW1_IF0
is helpfulPEER_IP_ADDRESS_1
: a BGP IPv4 address from the169.254.0.0/16
that's not already in use; this example uses169.254.0.2
. If you did not specifically assign a BGP IPv4 address,IP_ADDRESS_1
previously, omit this option as well and Google Cloud automatically assigns a matching BGP peer IPv4 address for you. If you manually specifiedIP_ADDRESS_1
, you must also manually configure this option.PEER_ASN_2
: the ASN number used for all interfaces on the other Cloud RouterROUTER_NAME_2
; this example uses ASN number65002
Optional: If you are creating IPv4 BGP sessions with MP-BGP, specify
--enable-ipv6
when you run theadd-bgp-peer
command to enable IPv6 route exchange. You also have the option to configure IPv6 next hop addresses automatically or manually. To configure next hop addresses manually, replace both of the following:IPV6_NEXTHOP_ADDRESS_1
: the next hop address for IPv6 routes that are advertised by Cloud Router.PEER_IPV6_NEXTHOP_ADDRESS_1
: the next hop address for IPv6 routes learned by the Cloud Router from the BGP peer.The next-hop address must be in the
2600:2d00:0:2::/63
IPv6 address range.
If you don't specify the IPv6 next hop addresses, then Google Cloud automatically assigns unused addresses from the
2600:2d00:0:2::/63
IPv6 address range.AUTHENTICATION_KEY
: the secret key to use for MD5 authentication onPEER_NAME_GW1_IF0
; for more information about this optional feature, see Use MD5 authentication.
Create a Cloud Router interface for
TUNNEL_NAME_GW1_IF0
To create an interface with an IPv4 address on Cloud Router, run the following command:
gcloud compute routers add-interface ROUTER_NAME_1 \ --interface-name=ROUTER_1_INTERFACE_NAME_0 \ --ip-address=IP_ADDRESS_1 \ --mask-length=MASK_LENGTH \ --vpn-tunnel=TUNNEL_NAME_GW1_IF0 \ --region=REGION
Create a BGP peer for
TUNNEL_NAME_GW1_IF0
The following example command creates an IPv6-enabled BGP peer with manually specified IPv4 BGP addresses and IPv6 next hop addresses:
gcloud compute routers add-bgp-peer ROUTER_NAME_1 \ --peer-name=PEER_NAME_GW1_IF0 \ --interface=ROUTER_1_INTERFACE_NAME_0 \ --peer-ip-address=PEER_IP_ADDRESS_1 \ --peer-asn=PEER_ASN_2 \ --region=REGION \ --enable-ipv6 \ --ipv6-nexthop-address=IPV6_NEXTHOP_ADDRESS_1 \ --peer-ipv6-nexthop-address=PEER_IPV6_NEXTHOP_ADDRESS_1
The following command creates an IPv4 BGP peer without IPv6 enabled:
gcloud compute routers add-bgp-peer ROUTER_NAME_1 \ --peer-name=PEER_NAME_GW1_IF0 \ --interface=ROUTER_1_INTERFACE_NAME_0 \ --peer-ip-address=PEER_IP_ADDRESS_1 \ --peer-asn=PEER_ASN_2 \ --region=REGION
Optional: To use MD5 authentication, use the
--md5-authentication-key
flag to provide your secret key:gcloud compute routers add-bgp-peer ROUTER_NAME_1 \ --peer-name=PEER_NAME_GW1_IF0 \ --interface=ROUTER_1_INTERFACE_NAME_0 \ --peer-ip-address=PEER_IP_ADDRESS_1 \ --peer-asn=PEER_ASN_2 \ --region=REGION \ --md5-authentication-key=AUTHENTICATION_KEY
The command output looks similar to the following example:
Updated [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-a].
Create an interface and a BGP peer on
ROUTER_NAME_1
for the tunnelTUNNEL_NAME_GW1_IF1
.This interface is used to connect
TUNNEL_NAME_GW1_IF1
oninterface 1
ofGW_1
tointerface 1
ofGW_2
.In the following commands, replace the following:
ROUTER_1_INTERFACE_NAME_1
: a Cloud Router interface name; using a name related toTUNNEL_NAME_GW1_IF1
is helpfulIP_VERSION
: specifyIPV4
or leave unspecifiedIP_ADDRESS_2
: optional: a BGP IPv4 address from the169.254.0.0/16
that's not already in use; this example uses169.254.1.1
. If you omit this flag and don't manually assign a BGP IPv4 address, Google Cloud automatically assigns an address for youMASK_LENGTH
: specify30
because the Cloud Router must use a unique/30
CIDR from the same169.254.0.0/16
IPv4 address range.PEER_NAME_GW1_IF1
: a name describing the BGP peer; using a name related toTUNNEL_NAME_GW1_IF1
is helpfulPEER_IP_ADDRESS_2
: a BGP IPv4 address from the169.254.0.0/16
IPv4 address range that's not already in use; this example uses169.254.1.2
. If you did not specifically assign a BGP IPv4 address,IP_ADDRESS_2
, omit this option and Google Cloud automatically assigns a matching BGP peer IPv4 address for you. If you manually specifiedIP_ADDRESS_2
, you must also manually configure this option.PEER_ASN_2
: the ASN number used for all interfaces on the other Cloud RouterROUTER_NAME_2
; this example uses ASN number65002
Optional: If you are configuring an IPv4 BGP session with MP-BGP, specify
--enable-ipv6
in theadd-bgp-peer
command to enable IPv6 route exchange. You also have the option to configure IPv6 next hop addresses manually. To configure next hop addresses, replace both of the following:IPV6_NEXTHOP_ADDRESS_2
: the next hop address for IPv6 routes that are advertised by Cloud Router; the address must be in the2600:2d00:0:2::/63
IPv6 address rangePEER_IPV6_NEXTHOP_ADDRESS_2
: the next hop address for IPv6 routes learned by the Cloud Router from the BGP peer; the address must be in the2600:2d00:0:2::/63
IPv6 address range
If you don't specify the IPv6 next hop addresses, Google Cloud automatically assigns unused addresses from the
2600:2d00:0:2::/63
IPv6 address range.AUTHENTICATION_KEY_2
: the secret key to use for MD5 authentication onPEER_NAME_GW1_IF1
; for more information about this optional feature, see Use MD5 authentication
Create a Cloud Router interface for
TUNNEL_NAME_GW1_IF1
To create an interface with an IPv4 address, run the following command:
gcloud compute routers add-interface ROUTER_NAME_1 \ --interface-name=ROUTER_1_INTERFACE_NAME_1 \ --ip-address=IP_ADDRESS_2 \ --mask-length=MASK_LENGTH \ --vpn-tunnel=TUNNEL_NAME_GW1_IF1 \ --region=REGION
Create a BGP peer for
TUNNEL_NAME_GW1_IF1
The following example command creates an IPv6-enabled BGP peer with manually specified IPv4 BGP addresses and IPv6 next hop addresses:
gcloud compute routers add-bgp-peer ROUTER_NAME_1 \ --peer-name=PEER_NAME_GW1_IF1 \ --interface=ROUTER_1_INTERFACE_NAME_1 \ --peer-ip-address=PEER_IP_ADDRESS_2 \ --peer-asn=PEER_ASN_2 \ --region=REGION \ --enable-ipv6 \ --ipv6-nexthop-address=IPV6_NEXTHOP_ADDRESS_1 \ --peer-ipv6-nexthop-address=PEER_IPV6_NEXTHOP_ADDRESS_1
The following command creates an IPv4 BGP peer that does not have IPv6 route exchange enabled:
gcloud compute routers add-bgp-peer ROUTER_NAME_1 \ --peer-name=PEER_NAME_GW1_IF1 \ --interface=ROUTER_1_INTERFACE_NAME_1 \ --peer-ip-address=PEER_IP_ADDRESS_2 \ --peer-asn=PEER_ASN_2 \ --region=REGION
Optional: To use MD5 authentication, use the
--md5-authentication-key
flag to provide your secret key:gcloud compute routers add-bgp-peer ROUTER_NAME_1 \ --peer-name=PEER_NAME_GW1_IF1 \ --interface=ROUTER_1_INTERFACE_NAME_1 \ --peer-ip-address=PEER_IP_ADDRESS_2 \ --peer-asn=PEER_ASN_2 \ --region=REGION \ --md5-authentication-key=AUTHENTICATION_KEY_2
The command output looks similar to the following example:
Updated [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-a].
Verify the settings for
ROUTER_NAME_1
:gcloud compute routers describe ROUTER_NAME_1 \ --region=REGION
The command output looks similar to the following example:
bgp: advertisemode: DEFAULT asn: 65001 keepaliveInterval: 20 bgpPeers: — bfd: minReceiveInterval: 1000 minTransmitInterval: 1000 mode: DISABLED multiplier: 5 sessionInitializationMode: DISABLED enable: 'TRUE' enableIpv6: true interfaceName: if-tunnel-a-to-b-if-0 ipAddress: 169.254.0.1 ipv6NexthopAddress: 2600:2d00:0:2:0:0:0:1 name: bgp-peer-tunnel-a-to-b-if-0 peerAsn: 65002 peerIpAddress: 169.254.0.2 peerIpv6NexthopAddress: 2600:2d00:0:2:0:0:0:2 — bfd: minReceiveInterval: 1000 minTransmitInterval: 1000 mode: DISABLED multiplier: 5 sessionInitializationMode: DISABLED enable: 'TRUE' enableIpv6: true interfaceName: if-tunnel-a-to-b-if-1 ipAddress: 169.254.1.1 ipv6NexthopAddress: 2600:2d00:0:2:0:0:1:1 name: bgp-peer-tunnel-a-to-b-if-1 peerAsn: 65002 peerIpAddress: 169.254.1.2 peerIpv6NexthopAddress: 2600:2d00:0:2:0:0:1:2 creationTimestamp: '2021-10-19T14:31:52.639-07:00' id: '4047683710114914215' interfaces: — ipRange: 169.254.0.1/30 linkedVpnTunnel: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-b-if-0 name: if-tunnel-a-to-b-if-0 — ipRange: 169.254.1.1/30 linkedVpnTunnel: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-b-if-1 name: if-tunnel-a-to-b-if-1 kind: compute#router name: router-a network: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/network-a region: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1 selfLink: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-a
Create an interface and a BGP peer on
ROUTER_NAME_2
for the tunnelTUNNEL_NAME_GW2_IF0
.This interface connects
TUNNEL_NAME_GW2_IF0
oninterface 0
ofGW_2
tointerface 0
ofGW_1
.In the following commands, replace the following:
ROUTER_2_INTERFACE_NAME_0
: a Cloud Router interface name; using a name related toTUNNEL_NAME_GW2_IF0
is helpfulIP_VERSION
: specifyIPV4
or leave unspecified. If unspecified, the default isIPV4
.IP_ADDRESS_3
: if you manually configuredPEER_IP_ADDRESS_1
forTUNNEL_NAME_GW1_IF0
, then specify that value forIP_ADDRESS_3
. If Google Cloud automatically assigned this peer IPv4 address, then you must find out which address has been allocated by Google Cloud. Run thegcloud compute routers describe ROUTER_NAME_1
command. In the output for the BGP peerPEER_NAME_GW1_IF0
, use the value that appears in thepeerIpAddress
field. This example uses169.254.0.2
.MASK_LENGTH
: specify30
because the Cloud Router must use a unique/30
CIDR from the same169.254.0.0/16
IPv4 address range.PEER_NAME_GW2_IF0
: a name describing the BGP peer; using a name related toTUNNEL_NAME_GW2_IF0
is helpfulPEER_IP_ADDRESS_3
: the BGP IPv4 address used previously when you configured the first gateway and interface. Run thegcloud compute routers describe ROUTER_NAME_1
command, and use the value that appears in theipAddress
field for the BGP peerPEER_NAME_GW1_IF0
that you created forTUNNEL_NAME_GW1_IF0
. This example uses169.254.0.1
.PEER_ASN_1
: the ASN number used for all interfaces onROUTER_NAME_1
and that was set previously; this example uses ASN number65001
Optional: If you are creating VPN tunnels with IPv4 BGP sessions and MP-BGP, specify
--enable-ipv6
in theadd-bgp-peer
command to enable IPv6 traffic. You must configure the IPv6 next hop addresses to match the interface and BGP peer configured for the first gateway. To configure next hop addresses, replace both of the following:IPV6_NEXTHOP_ADDRESS_3
: the next hop address for IPv6 routes that you specified previously inPEER_IPV6_NEXTHOP_ADDRESS_1
. If you automatically assigned IPv6 next hop addresses when you created the interface and BGP peer forTUNNEL_NAME_GW1_IF0
onROUTER_NAME_1
, then you must find out what IPv6 next hop address has been allocated by Google Cloud. Rungcloud compute routers describe ROUTER_NAME_1
and check the output for the BPG peerPEER_NAME_GW1_IF0
that you set up forTUNNEL_NAME_GW1_IF0
. Use the value that appears in thepeerIpv6NextHopAddress
field. This example uses2600:2d00:0:2:0:0:0:2
.PEER_IPV6_NEXTHOP_ADDRESS_3
: the next hop address for IPv6 routes learned by the Cloud Router from the BGP peer. Use the value that you specified previously inIPV6_NEXTHOP_ADDRESS_1
. If you automatically assigned IPv6 next hop addresses, run thegcloud compute routers describe ROUTER_NAME_1
command and check the output for the BPG peer you set up forTUNNEL_NAME_GW1_IF0
. Use the value that appears in theIpv6NextHopAddress
field. This example uses2600:2d00:0:2:0:0:0:1
.
AUTHENTICATION_KEY
: the secret key to use for MD5 authentication onPEER_NAME_GW2_IF0
Create a Cloud Router interface for
TUNNEL_NAME_GW2_IF0
To create an interface with an IPv4 address, run the following command:
gcloud compute routers add-interface ROUTER_NAME_2 \ --interface-name=ROUTER_2_INTERFACE_NAME_0 \ --ip-address=IP_ADDRESS_3 \ --mask-length=MASK_LENGTH \ --vpn-tunnel=TUNNEL_NAME_GW2_IF0 \ --region=REGION
Create a BGP peer for
TUNNEL_NAME_GW2_IF0
The following example command creates a BGP peer with IPv6 route exchange enabled:
gcloud compute routers add-bgp-peer ROUTER_NAME_2 \ --peer-name=PEER_NAME_GW2_IF0 \ --interface=ROUTER_2_INTERFACE_NAME_0 \ --peer-ip-address=PEER_IP_ADDRESS_3 \ --peer-asn=PEER_ASN_1 \ --region=REGION \ --enable-ipv6 \ --ipv6-nexthop-address=IPV6_NEXTHOP_ADDRESS \ --peer-ipv6-nexthop-address=PEER_IPV6_NEXTHOP_ADDRESS
The following command creates an IPv4 BGP peer without IPv6 route exchange enabled:
gcloud compute routers add-bgp-peer ROUTER_NAME_2 \ --peer-name=PEER_NAME_GW2_IF0 \ --interface=ROUTER_2_INTERFACE_NAME_0 \ --peer-ip-address=PEER_IP_ADDRESS_3 \ --peer-asn=PEER_ASN_1 \ --region=REGION
Alternatively, if you configured
ROUTER_NAME_1
to use MD5 authentication forPEER_NAME_GW1_IF0
, configureROUTER_NAME_2
to use MD5 authentication, as follows:gcloud compute routers add-bgp-peer ROUTER_NAME_2 \ --peer-name=PEER_NAME_GW2_IF0 \ --interface=ROUTER_2_INTERFACE_NAME_0 \ --peer-ip-address=PEER_IP_ADDRESS_3 \ --peer-asn=PEER_ASN_1 \ --region=REGION \ --md5-authentication-key=AUTHENTICATION_KEY
The command output looks similar to the following example:
Updated [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-b].
Create an interface with an IPv4 address and a BGP peer on
ROUTER_NAME_2
for the tunnelTUNNEL_NAME_GW2_IF1
.This interface connects
TUNNEL_NAME_GW2_IF1
oninterface 1
ofGW_2
tointerface 1
ofGW_1
.In the following commands, replace the following:
ROUTER_2_INTERFACE_NAME_1
: a Cloud Router interface name; using a name related toTUNNEL_NAME_GW2_IF1
is helpfulIP_VERSION
: specifyIPV4
or leave unspecified. If unspecified, the default isIPV4
.IP_ADDRESS_4
: if you manually assigned a BGP IPv4 address forPEER_IP_ADDRESS_2
forTUNNEL_NAME_GW1_IF1
, then specify that value forIP_ADDRESS_4
. If Google Cloud automatically assigned the IPv4 address, then you must find out which address has been allocated by Google Cloud. Run thegcloud compute routers describe ROUTER_NAME_1
command. In the output for the BGP peerPEER_NAME_GW1_IF1
, use the value that appears in thepeerIpAddress
field. This example uses169.254.1.2
.MASK_LENGTH
: for an interface with an IPv4 address, specify30
because the Cloud Router must use a unique/30
CIDR from the same169.254.0.0/16
IPv4 address range. For an interface with an IPv6 address, specify a mask length of126
or lower.PEER_NAME_GW2_IF1
: a name describing the BGP peer; using a name related toTUNNEL_NAME_GW2_IF1
is helpfulPEER_IP_ADDRESS_4
: the IP address you specified asIP_ADDRESS_2
when you configured the first gateway and interface. Run thegcloud compute routers describe ROUTER_NAME_1
command, and use the value that appears in theipAddress
field for the BGP peer you created forTUNNEL_NAME_GW1_IF1
. This example uses169.254.1.1
.PEER_ASN_1
: the ASN number used for all interfaces onROUTER_NAME_1
and that was set previously; this example uses ASN number65001
Optional: If you are configuring an IPv4 BGP session with MP-BGP, specify
--enable-ipv6
in theadd-bgp-peer
command to enable IPv6 route exchange. You also have the option to configure IPv6 next hop addresses manually. To configure next hop addresses, replace both of the following:IPV6_NEXTHOP_ADDRESS_4
: the next hop address for IPv6 routes that you specified previously inPEER_IPV6_NEXTHOP_ADDRESS_2
. If you automatically assigned IPv6 next hop addresses when you created the interface and BGP peer forTUNNEL_NAME_GW1_IF1
onROUTER_NAME_1
, then you must find out what IPv6 next hop address has been allocated by Google Cloud. Run thegcloud compute routers describe ROUTER_NAME_1
command and check the output for the BPG peerPEER_NAME_GW1_IF1
that you set up forTUNNEL_NAME_GW1_IF1
. Use the value that appears in thepeerIpv6NextHopAddress
field.PEER_IPV6_NEXTHOP_ADDRESS_3
: the next hop address for IPv6 routes learned by the Cloud Router from the BGP peer. Use the value that you specified previously inIPV6_NEXTHOP_ADDRESS_2
. If you automatically assigned IPv6 next hop addresses, run thegcloud compute routers describe ROUTER_NAME_1
command and check the output for the BPG peerPEER_NAME_GW1_IF1
that you set up forTUNNEL_NAME_GW1_IF1
. Use the value that appears in theIpv6NextHopAddress
field. This example uses2600:2d00:0:2:0:0:1:1
.
AUTHENTICATION_KEY_2
: the secret key to use for MD5 authentication onPEER_NAME_GW2_IF1
Create a Cloud Router interface for
TUNNEL_NAME_GW2_IF1
gcloud compute routers add-interface ROUTER_NAME_2 \ --interface-name=ROUTER_2_INTERFACE_NAME_1 \ --ip-address=IP_ADDRESS_4 \ --mask-length=MASK_LENGTH \ --vpn-tunnel=TUNNEL_NAME_GW2_IF1 \ --region=REGION
The command output looks similar to the following example:
Updated [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-b].
Create a BGP peer for
TUNNEL_NAME_GW2_IF1
The following example command creates a BGP peer with IPv6 route exchange enabled:
gcloud compute routers add-bgp-peer ROUTER_NAME_2 \ --peer-name=PEER_NAME_GW2_IF1 \ --interface=ROUTER_2_INTERFACE_NAME_1 \ --peer-ip-address=PEER_IP_ADDRESS_4 \ --peer-asn=PEER_ASN_1 \ --region=REGION \ --enable-ipv6 \ --ipv6-nexthop-address=IPV6_NEXTHOP_ADDRESS \ --peer-ipv6-nexthop-address=PEER_IPV6_NEXTHOP_ADDRESS
The following command creates a BGP peer without IPv6 route exchange enabled:
gcloud compute routers add-bgp-peer ROUTER_NAME_2 \ --peer-name=PEER_NAME_GW2_IF1 \ --interface=ROUTER_2_INTERFACE_NAME_1 \ --peer-ip-address=PEER_IP_ADDRESS_4 \ --peer-asn=PEER_ASN_1 \ --region=REGION
Alternatively, if you configured
ROUTER_NAME_1
to use MD5 authentication forPEER_NAME_GW1_IF1
, configureROUTER_NAME_2
to use MD5 authentication, as follows: The command output looks similar to the following example:gcloud compute routers add-bgp-peer ROUTER_NAME_2 \ --peer-name=PEER_NAME_GW2_IF1 \ --interface=ROUTER_2_INTERFACE_NAME_1 \ --peer-ip-address=PEER_IP_ADDRESS_4 \ --peer-asn=PEER_ASN_1 \ --region=REGION \ --md5-authentication-key=AUTHENTICATION_KEY_2
Updated [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-b].
Verify the settings for
ROUTER_NAME_2
:gcloud compute routers describe ROUTER_NAME_2 \ --region=REGION
The command output looks similar to the following example:
bgp: advertiseMode: DEFAULT asn: 65002 bgpPeers: — bfd: minReceiveInterval: 1000 minTransmitInterval: 1000 mode: DISABLED multiplier: 5 sessionInitializationMode: DISABLED enable: 'TRUE' enableIpv6: true interfaceName: if-tunnel-b-to-a-if-0 ipAddress: 169.254.0.2 ipv6NexthopAddress: 2600:2d00:0:2:0:0:0:2 name: bgp-peer-tunnel-b-to-a-if-0 peerAsn: 65001 peerIpAddress: 169.254.0.1 peerIpv6NexthopAddress: 2600:2d00:0:2:0:0:0:1 — bfd: minReceiveInterval: 1000 minTransmitInterval: 1000 mode: DISABLED multiplier: 5 sessionInitializationMode: DISABLED enable: 'TRUE' enableIpv6: true interfaceName: if-tunnel-b-to-a-if-1 ipAddress: 169.254.1.2 ipv6NexthopAddress: 2600:2d00:0:2:0:0:1:2 name: bgp-peer-tunnel-b-to-a-if-1 peerAsn: 65001 peerIpAddress: 169.254.1.1 peerIpv6NexthopAddress: 2600:2d00:0:2:0:0:1:1 creationTimestamp: '2021-10-19T14:31:52.639-07:00' id: '4047683710114914215' interfaces: — ipRange: 169.254.0.1/30 linkedVpnTunnel: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-b-to-a-if-0 name: if-tunnel-b-to-a-if-0 — ipRange: 169.254.1.1/30 linkedVpnTunnel: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-b-to-a-if-1 name: if-tunnel-b-to-a-if-1 kind: compute#router name: router-b network: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/network-b region: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1 selfLink: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-b
API
To create a Cloud Router interface, make one of the following requests:
PATCH
: Use therouters.patch
methodUPDATE
: Use therouters.update
method
The
PATCH
request updates only the parameters that you include, whereas theUPDATE
request updates all the parameters of a Cloud Router.You must create a Cloud Router interface for each VPN tunnel on the HA VPN gateway.
The BGP IPv4 address ranges that you specify must be unique among all Cloud Routers in all regions of a VPC network.
PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/routers/ROUTER_NAME { "interfaces": [ { "name": "if-tunnel-a-to-on-prem-if-0", "linkedVpnTunnel": "ha-vpn-gw-a-tunnel-0", "ipRange": "169.254.0.1/30" } ] }
To add a BGP peer configuration to the interface, make one of the following requests:
PATCH
: Use therouters.patch
methodUPDATE
: Use therouters.update
method
Repeat this command for the other VPN tunnel, changing all options except
name
andpeerAsn
.To create a full BGP session configuration for an HA VPN gateway, use the following API command:
PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/routers/ROUTER_NAME { "bgpPeers": [ { "name": "bgp-peer-tunnel-a-to-on-prem-if-0", "interfaceName": "if-tunnel-a-to-on-prem-if-0", "ipAddress": "169.254.0.1", "peerIpAddress": "169.254.0.2", "peerAsn": 65002, "advertiseMode": "DEFAULT" } ] }
To create the full BGP session configuration for an HA VPN gateway with IPv6 enabled, use the following API command:
PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/routers/ROUTER_NAME { "bgpPeers": [ { "name": "bgp-peer-tunnel-a-to-on-prem-if-0", "interfaceName": "if-tunnel-a-to-on-prem-if-0", "ipAddress": "169.254.0.1", "peerIpAddress": "169.254.0.2", "peerAsn": 65002, "advertiseMode": "DEFAULT" "enableIpv6": true "ipv6NexthopAddress: "2600:2d00:0:2:0:0:0:1" "peerIpv6NexthopAddress: "2600:2d00:0:2:0:0:0:2" } ] }
If you want to configure the session to use MD5 authentication, your request must include an authentication key, which means that it must provide both the key and a name for the key. It must also reference the key by name when creating the BGP peering session. For example:
PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/routers/ROUTER_NAME { "md5AuthenticationKeys": [ { "name": "bgppeer-1-key", "key": "secret_key_value" } ], } { "bgpPeers": [ { "interfaceName": "if-tunnel-a-to-on-prem-if-0", "ipAddress": "169.254.0.1", "name": "bgp-peer-tunnel-a-to-on-prem-if-0", "peerAsn": 65002, "peerIpAddress": "169.254.0.2", "advertiseMode": "DEFAULT", "md5AuthenticationKeyName": "bgppeer-1-key" } ], }
IPv6 BGP sessions
Console
To create BGP sessions, follow these steps:
- Click Configure BGP session.
On the Create BGP session page, complete the following steps:
- For BGP session type, select IPv6 BGP session.
- For Name, enter a name for the BGP session.
- For Peer ASN, enter the peer ASN configured for the peer VPN gateway.
- Optional: For Advertised route priority (MED), enter the priority of routes advertised to this BGP peer.
- Optional: To enable IPv4 route exchange, click the Enable IPv4 traffic toggle.
For Allocate BGP IPv6 address, select Automatically or Manually. If you select Manually, do the following:
- For Cloud Router BGP IPv6 address, enter the Cloud Router BGP IPv6 address.
- For BGP peer IPv6 address, enter the IPv6 address of the BGP
peer. The IPv6 address must meet the following requirements:
- Each address must be unique local addresses (ULA) from the
fdff:1::/64
address range with a mask length of/64
. For example,fdff:1::1
. - Each address must be unique among all Cloud Routers in all regions of a VPC network.
- Each address must be unique local addresses (ULA) from the
If you select Automatically, Google Cloud automatically selects the IPv6 addresses for your BGP session.
Optional: If you enabled IPv4 route exchange in the previous step, for Allocate BGP IPv4 next hop, select Automatically or Manually. If you select Manually, do the following:
- In the Cloud Router BGP IPv4 next hop field, enter an IPv4 address in
the
169.254.0.0/16
address range. This IP address is the next hop address for IPv4 routes that are advertised by the Cloud Router. - In the Peer BGP IPv4 next hop field, enter an IP address in the
169.254.0.0/16
address range. This IP address is the next hop address for IPv4 routes learned by the Cloud Router from the BGP peer. - Optional: Expand the Advanced options section.
- To enable BGP peer, select Enabled. If enabled, the peer connection is established with routing information. For more information, see Establish BGP sessions.
- To add MD5 authentication, select Enabled. If enabled, you can use MD5 authentication to authenticate BGP sessions between Cloud Router and its peers. For more information, see Use MD5 authentication. You can alternatively choose to enable MD5 authentication later.
- To add outbound routes to the BGP session, for Priority of all custom learned routes, enter a learned route priority. For more information, see Learned routes.
- In the Cloud Router BGP IPv4 next hop field, enter an IPv4 address in
the
Click Save and continue.
Repeat the previous steps for the rest of the tunnels configured on the gateway. For each tunnel, use a different Cloud Router BGP IP address and BGP peer IP address.
Click Save BGP configuration.
gcloud
To create BGP sessions, follow these steps:
In this section, you configure IPv6 Cloud Router interfaces and BGP peers; the following table provides an overview of these interfaces and peers. It shows the relationship between the IPv6 BGP ranges and peer IP addresses that you specify for each interface.
For example, the first interface of router-1
has an IPv6 address of
fdff:1::1
, which means router-1
is the first host in IPv6 subnet
fdff:1::/126
. The other Cloud Router, router-2
, is the
BGP peer of router-1
. The first interface of router-2
is assigned
fdff:1::2
, which is the second host in the IPv6 subnet
fdff:1::/126
.
Therefore, the BGP peer IPv6 address of router-1
is fdff:1::2
and the address of router-2
is fdff:1::2
.
Router | Interface name | IPv6 address range | Peer IPv6 address | Peer ASN | IPv4 next-hop address |
Peer IPv4 next-hop address |
---|---|---|---|---|---|---|
router-1 | if-tunnel-a-to-b-if-0 | fdff:1::/64 | fdff:1::2 | 65002 | 169.254.12.1 | 169.254.12.2 |
router-2 | if-tunnel-b-to-a-if-0 | fdff:1::/64 | fdff:1::1 | 65001 | 169.254.12.2 | 169.254.12.1 |
router-1 | if-tunnel-a-to-b-if-1 | fdff:1::/64 | fdff:1::2 | 65002 | 169.254.13.1 | 169.254.13.2 |
router-2 | if-tunnel-b-to-a-if-1 | fdff:1::/64 | fdff:1::1 | 65001 | 169.254.13.2 | 169.254.13.1 |
To create Cloud Router interfaces and BGP peers, complete the following command sequence.
Create an interface and BGP peer on
ROUTER_NAME_1
for the tunnelTUNNEL_NAME_GW1_IF0
.This interface connects
TUNNEL_NAME_GW1_IF0
oninterface 0
ofGW_1
tointerface 0
ofGW_2
.In the following commands, replace the following:
ROUTER_1_INTERFACE_NAME_0
: a name for the Cloud Router interface; using a name related toTUNNEL_NAME_GW1_IF0
is helpfulIP_VERSION
:IPV6
; this parameter is only required if you want Google Cloud to assign the IPv6 address automatically for this interface. If you are manually assigning an IPv6 address to this interface, you can omit this flag.IP_ADDRESS_1
: a BGP IPv6 address from thefdff:1::/64
IPv6 address range that's not already in use; this example usesfdff:1::1
. If you omit this flag and don't manually assign an IPv6 address, Google Cloud automatically assigns an address for you.MASK_LENGTH
: specify a mask length of126
.PEER_NAME_GW1_IF0
: a name describing the BGP peer; using a name related toTUNNEL_NAME_GW1_IF0
is helpfulPEER_IP_ADDRESS_1
: a BGP IPv6 address from thefdff:1::/64
IPv6 address range that's not already in use; this example usesfdff:1::2
. If you did not previously assign a specific BGP IPv6 address,IP_ADDRESS_1
, omit this option as well and Google Cloud automatically assigns a matching BGP peer IPv6 address for you. If you manually specifiedIP_ADDRESS_1
, you must also manually configure this option.PEER_ASN_2
: the ASN number used for all interfaces on the other Cloud RouterROUTER_NAME_2
; this example uses ASN number65002
Optional: To enable IPv4 route exchange in IPv6 BGP sessions with MP-BGP, specify
--enable-ipv4
when you run thegcloud compute routers add-bgp-peer
command. You also have the option to configure IPv4 next hop addresses automatically or manually.To configure IPv4 next hop addresses manually, replace both of the following:
IPV4_NEXTHOP_ADDRESS_1
: the next hop address for IPv4 routes that are advertised by Cloud Router; the address must be in the link-local IPv4 address range169.254.0.0/16
. for IPv4 routes learned by the Cloud Router from the BGP peer; the address must be in the link-local address range169.254.0.0/16
.
If you don't specify IPv4 next hop addresses, then Google Cloud automatically assigns unused addresses from the
169.254.0.0/16
IPv4 address range for you.AUTHENTICATION_KEY
: the secret key to use for MD5 authentication onPEER_NAME_GW1_IF0
; for more information about this optional feature, see Use MD5 authentication.
Optional: Assign a BGP identifier range
When you add the first interface to a Cloud Router with an IPv6 address, a BGP identifier range is automatically assigned to the Cloud Router. If you prefer to define your own BGP identifier range for a Cloud Router, you can create your own range. You can also modify this range later.
For more information, see Configure the BGP identifier range for a Cloud Router.
Automatic
Create an interface for
TUNNEL_NAME_GW1_IF0
To create an interface with an automatically assigned IPv6 address, run the following command.
gcloud compute routers add-interface ROUTER_NAME_1 \ --interface-name=ROUTER_1_INTERFACE_NAME_0 \ --vpn-tunnel=TUNNEL_NAME_GW1_IF0 \ --region=REGION \ --ip-version=IPV6
Create a BGP peer for
TUNNEL_NAME_GW1_IF0
To create an IPv6 BGP peer with IPv4 route exchange enabled and automatically assigned IPv4 next-hop addresses, run the following command.
gcloud compute routers add-bgp-peer ROUTER_NAME_1 \ --peer-name=PEER_NAME_GW1_IF0 \ --interface=ROUTER_1_INTERFACE_NAME_0 \ --peer-asn=PEER_ASN_2 \ --region=REGION \ --enable-ipv4 \
The following command creates a BGP peer without IPv4 enabled and an automatically assigned IPv6 address:
gcloud compute routers add-bgp-peer ROUTER_NAME_1 \ --peer-name=PEER_NAME_GW1_IF0 \ --interface=ROUTER_1_INTERFACE_NAME_0 \ --peer-asn=PEER_ASN_2 \ --region=REGION
Optional: To use MD5 authentication, use the
--md5-authentication-key
flag to provide your secret key:gcloud compute routers add-bgp-peer ROUTER_NAME_1
--peer-name=PEER_NAME_GW1_IF0
--interface=ROUTER_1_INTERFACE_NAME_0
--peer-asn=PEER_ASN_2
--region=REGION
--md5-authentication-key=AUTHENTICATION_KEYThe command output looks similar to the following example:
Updated [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-a].
Manual
Create an interface for
TUNNEL_NAME_GW1_IF0
To create an interface with a manually specified IPv6 address, run the following command.
gcloud compute routers add-interface ROUTER_NAME_1 \ --interface-name=ROUTER_1_INTERFACE_NAME_0 \ --ip-address=IP_ADDRESS_1 \ --mask-length=MASK_LENGTH \ --vpn-tunnel=TUNNEL_NAME_GW1_IF0 \ --region=REGION \
Create a BGP peer for
TUNNEL_NAME_GW1_IF0
To create a BGP peer with IPv4 route exchange enabled and manually specified IPv4 next-hop addresses, run the following command.
gcloud compute routers add-bgp-peer ROUTER_NAME_1 \ --peer-name=PEER_NAME_GW1_IF0 \ --interface=ROUTER_1_INTERFACE_NAME_0 \ --peer-ip-address=PEER_IP_ADDRESS_1 \ --peer-asn=PEER_ASN_2 \ --region=REGION \ --enable-ipv4 \ --ipv4-nexthop-address=IPV4_NEXTHOP_ADDRESS_1 \ --peer-ipv4-nexthop-address=PEER_IPV4_NEXTHOP_ADDRESS_1
The following command creates a BGP peer without IPv4 route exchange enabled:
gcloud compute routers add-bgp-peer ROUTER_NAME_1 \ --peer-name=PEER_NAME_GW1_IF0 \ --interface=ROUTER_1_INTERFACE_NAME_0 \ --peer-ip-address=PEER_IP_ADDRESS_1 \ --peer-asn=PEER_ASN_2 \ --region=REGION
Optional: To use MD5 authentication, use the
--md5-authentication-key
flag to provide your secret key:gcloud compute routers add-bgp-peer ROUTER_NAME_1 \ --peer-name=PEER_NAME_GW1_IF0 \ --interface=ROUTER_1_INTERFACE_NAME_0 \ --peer-ip-address=PEER_IP_ADDRESS_1 \ --peer-asn=PEER_ASN_2 \ --region=REGION \ --md5-authentication-key=AUTHENTICATION_KEY
The command output looks similar to the following example:
Updated [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-a].
Create an interface and BGP peer on
ROUTER_NAME_1
for the tunnelTUNNEL_NAME_GW1_IF1
.This interface connects
TUNNEL_NAME_GW1_IF1
oninterface 1
ofGW_1
tointerface 1
ofGW_2
.In the following commands, replace the following:
ROUTER_1_INTERFACE_NAME_1
: a Cloud Router interface name; using a name related toTUNNEL_NAME_GW1_IF1
is helpfulIP_VERSION
:IPV6
IP_ADDRESS_2
: a BGP IPv6 address from thefdff:1::/64
IPv6 address range that's not already in use; this example usesfdff:1::1:1
. If you omit this flag and don't manually assign a BGP IPv6 address, Google Cloud automatically assigns an address for you.MASK_LENGTH
: specify a mask length of64
PEER_NAME_GW1_IF1
: a name describing the BGP peer; using a name related toTUNNEL_NAME_GW1_IF1
is helpfulPEER_IP_ADDRESS_2
: a BGP IPv6 address from thefdff:1::/64
IPv6 address range that's not already in use; this example usesfdff:1::1:2
. If you did not specifically assign an IPv6 address,IP_ADDRESS_2
, omit this option, and Google Cloud automatically assigns a matching BGP peer IPv6 address for you. If you manually specifiedIP_ADDRESS_2
, you must also manually configure this option.PEER_ASN_2
: the ASN number used for all interfaces on the other Cloud RouterROUTER_NAME_2
; this example uses ASN number65002
Optional: To enable IPv4 route exchange in IPv6 BGP sessions with MP-BGP, specify
--enable-ipv4
when you run thegcloud compute routers add-bgp-peer
command. You also have the option to configure IPv4 next hop addresses automatically or manually.To configure IPv4 next hop addresses manually, replace both of the following:
IPV4_NEXTHOP_ADDRESS_2
: the next hop address for IPv4 routes that are advertised by Cloud Router; the address must be in the link-local IPv4 address range169.254.0.0/16
.PEER_IPV4_NEXTHOP_ADDRESS_2
: the next hop address for IPv4 routes learned by the Cloud Router from the BGP peer; the address must be in the link-local IPv4 address range169.254.0.0/16
.
AUTHENTICATION_KEY_2
: the secret key to use for MD5 authentication onPEER_NAME_GW1_IF1
; for more information about this optional feature, see Use MD5 authentication
Automatic
Create a Cloud Router interface for
TUNNEL_NAME_GW1_IF1
To create an interface with an automatically assigned IPv6 address, run the following command.
gcloud compute routers add-interface ROUTER_NAME_1 \ --interface-name=ROUTER_1_INTERFACE_NAME_1 \ --vpn-tunnel=TUNNEL_NAME_GW1_IF1 \ --region=REGION \ --ip-version=IPV6
Create a BGP peer for
TUNNEL_NAME_GW1_IF1
To create an IPv6 BGP peer with IPv4 route exchange enabled and automatically assigned IPv4 next-hop addresses, run the following command.
gcloud compute routers add-bgp-peer ROUTER_NAME_1 \ --peer-name=PEER_NAME_GW1_IF1 \ --interface=ROUTER_1_INTERFACE_NAME_1 \ --peer-asn=PEER_ASN_2 \ --region=REGION \ --enable-ipv4 \
The following command creates a BGP peer without IPv4 enabled:
gcloud compute routers add-bgp-peer ROUTER_NAME_1 \ --peer-name=PEER_NAME_GW1_IF1 \ --interface=ROUTER_1_INTERFACE_NAME_1 \ --peer-asn=PEER_ASN_2 \ --region=REGION
Optional: To use MD5 authentication, use the
--md5-authentication-key
flag to provide your secret key:gcloud compute routers add-bgp-peer ROUTER_NAME_1 \ --peer-name=PEER_NAME_GW1_IF1 \ --interface=ROUTER_1_INTERFACE_NAME_1 \ --peer-asn=PEER_ASN_2 \ --region=REGION \ --md5-authentication-key=AUTHENTICATION_KEY_2
The command output looks similar to the following example:
Updated [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-a].
Manual
Create a Cloud Router interface for
TUNNEL_NAME_GW1_IF1
To create an interface with a manually specified IPv6 address, run the following command:
gcloud compute routers add-interface ROUTER_NAME_1 \ --interface-name=ROUTER_1_INTERFACE_NAME_1 \ --ip-address=IP_ADDRESS_2 \ --mask-length=MASK_LENGTH \ --vpn-tunnel=TUNNEL_NAME_GW1_IF1 \ --region=REGION \
Create a BGP peer for
TUNNEL_NAME_GW1_IF1
To create an IPv6 BGP peer with IPv4 route exchange enabled, run the following command:
gcloud compute routers add-bgp-peer ROUTER_NAME_1 \ --peer-name=PEER_NAME_GW1_IF1 \ --interface=ROUTER_1_INTERFACE_NAME_1 \ --peer-ip-address=PEER_IP_ADDRESS_2 \ --peer-asn=PEER_ASN_2 \ --region=REGION \ --enable-ipv4 \ --ipv4-nexthop-address=IPV4_NEXTHOP_ADDRESS_2 \ --peer-ipv4-nexthop-address=PEER_IPV4_NEXTHOP_ADDRESS_2
The following command creates a BGP peer without IPv4 enabled:
gcloud compute routers add-bgp-peer ROUTER_NAME_1 \ --peer-name=PEER_NAME_GW1_IF1 \ --interface=ROUTER_1_INTERFACE_NAME_1 \ --peer-ip-address=PEER_IP_ADDRESS_2 \ --peer-asn=PEER_ASN_2 \ --region=REGION
Optional: To use MD5 authentication, use the
--md5-authentication-key
flag to provide your secret key:gcloud compute routers add-bgp-peer ROUTER_NAME_1 \ --peer-name=PEER_NAME_GW1_IF1 \ --interface=ROUTER_1_INTERFACE_NAME_1 \ --peer-ip-address=PEER_IP_ADDRESS_2 \ --peer-asn=PEER_ASN_2 \ --region=REGION \ --md5-authentication-key=AUTHENTICATION_KEY_2
The command output looks similar to the following example:
Updated [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-a].
Verify the settings for
ROUTER_NAME_1
:gcloud compute routers describe ROUTER_NAME_1 \ --region=REGION
The command output looks similar to the following example:
bgp: advertisemode: DEFAULT asn: 65001 keepaliveInterval: 20 bgpPeers: — bfd: minReceiveInterval: 1000 minTransmitInterval: 1000 mode: DISABLED multiplier: 5 sessionInitializationMode: DISABLED enable: 'TRUE' enableIpv4: true interfaceName: if-tunnel-a-to-b-if-0 ipAddress: fdff:1::1 ipv4NexthopAddress: 169.254.12.2 name: bgp-peer-tunnel-a-to-b-if-0 peerAsn: 65002 peerIpAddress: fdff:1::2 peerIpv4NexthopAddress: 169.254.12.1 — bfd: minReceiveInterval: 1000 minTransmitInterval: 1000 mode: DISABLED multiplier: 5 sessionInitializationMode: DISABLED enable: 'TRUE' enableIpv4: true interfaceName: if-tunnel-a-to-b-if-1 ipAddress: fdff:1:1:2::1 ipv4NexthopAddress: 169.254.13.2 name: bgp-peer-tunnel-a-to-b-if-1 peerAsn: 65002 peerIpAddress: fdff:1::2 peerIpv4NexthopAddress: 169.254.13.1 creationTimestamp: '2021-10-19T14:31:52.639-07:00' id: '4047683710114914215' interfaces: — ipRange: fdff:1::1/126 linkedVpnTunnel: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-b-if-0 name: if-tunnel-a-to-b-if-0 — ipRange: fdff:1::1/126 linkedVpnTunnel: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-b-if-1 name: if-tunnel-a-to-b-if-1 kind: compute#router name: router-a network: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/network-a region: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1 selfLink: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-a
Create an interface and BGP peer on
ROUTER_NAME_2
for the tunnelTUNNEL_NAME_GW2_IF0
.This interface connects
TUNNEL_NAME_GW2_IF0
oninterface 0
ofGW_2
tointerface 0
ofGW_1
.In the following commands, replace the following:
ROUTER_2_INTERFACE_NAME_0
: a Cloud Router interface name; using a name related toTUNNEL_NAME_GW2_IF0
is helpfulIP_VERSION
:IPV6
; this parameter is only required if you want Google Cloud to assign the IPv6 address automatically for this interface. If you are manually assigning an IPv6 address to this interface, you can omit this flag.IP_ADDRESS_3
: if you manually assigned a BGP IPv6 address forPEER_IP_ADDRESS_1
forTUNNEL_NAME_GW1_IF0
, then specify that value forIP_ADDRESS_3
. If Google Cloud automatically assigned this peer IPv6 address, then you must find out which address has been allocated by Google Cloud. Run thegcloud compute routers describe ROUTER_NAME_1
command. In the output for the BGP peerPEER_NAME_GW1_IF0
, use the value that appears in thepeerIpAddress
field. This example usesfdff:1::2
.MASK_LENGTH
: specify a mask length of126
or smaller.PEER_NAME_GW2_IF0
: a name describing the BGP peer; using a name related toTUNNEL_NAME_GW2_IF0
is helpfulPEER_IP_ADDRESS_3
: the BGP IPv6 address used previously when you configured the first gateway and interface. Run thegcloud compute routers describe ROUTER_NAME_1
command, and use the value that appears in theipAddress
field for the BGP peer you created forfdff:1::1
.PEER_ASN_1
: the ASN number used for all interfaces onROUTER_NAME_1
and that was set previously; this example uses ASN number65001
Optional: If you are creating IPv6 BGP sessions and MP-BGP, specify
--enable-ipv4
when you run thegcloud compute routers add-bgp-peer
command to enable IPv4 traffic. You must configure the IPv4 next hop addresses to match the interface and IPv4-enabled BGP peer configured for the first gateway.To configure next hop addresses, replace both of the following:
IPV4_NEXTHOP_ADDRESS_3
: the next hop address for IPv4 routes specified previously inPEER_IPV4_NEXTHOP_ADDRESS_1
; if you automatically assigned IPv4 next hop addresses when you created the interface and BGP peer forTUNNEL_NAME_GW1_IF0
onROUTER_NAME_1
, then you must find out what address has been allocated by Google Cloud. Run thegcloud compute routers describe ROUTER_NAME_1
command, and check the output for the BPG peer you set up forTUNNEL_NAME_GW1_IF0
. Use the value that appears in thepeerIpv4NextHopAddress
field. This example uses169.254.13.1
.PEER_IPV4_NEXTHOP_ADDRESS_2
: the next hop address for IPv4 routes learned by the Cloud Router from the BGP peer; the address must be in the IPv4 link-local range169.254.0.0/16
. This example uses169.254.13.2
.
AUTHENTICATION_KEY
: the secret key to use for MD5 authentication onPEER_NAME_GW2_IF0
Optional: Assign a BGP identifier range
When you add the first interface to a Cloud Router with an IPv6 address, a BGP identifier range is automatically assigned to the Cloud Router. If you prefer to define your own BGP identifier range for a Cloud Router, you can create your own range. You can also modify this range later.
For more information, see Configure the BGP identifier range for a Cloud Router.
Create a Cloud Router interface for
TUNNEL_NAME_GW2_IF0
To create an interface with an IPv6 address, run the following command:
gcloud compute routers add-interface ROUTER_NAME_1 \ --interface-name=ROUTER_2_INTERFACE_NAME_0 \ --ip-address=IP_ADDRESS_3 \ --mask-length=MASK_LENGTH \ --vpn-tunnel=TUNNEL_NAME_GW2_IF0 \ --region=REGION \ --ip-version=IPV6
Create a BGP peer for
TUNNEL_NAME_GW2_IF0
The following example command creates an IPv4-enabled BGP peer:
gcloud compute routers add-bgp-peer ROUTER_NAME_2 \ --peer-name=PEER_NAME_GW2_IF0 \ --interface=ROUTER_2_INTERFACE_NAME_0 \ --peer-ip-address=PEER_IP_ADDRESS_3 \ --peer-asn=PEER_ASN_1 \ --region=REGION \ --enable-ipv4 \ --ipv4-nexthop-address=IPV4_NEXTHOP_ADDRESS \ --peer-ipv4-nexthop-address=PEER_IPV4_NEXTHOP_ADDRESS
The following command creates a BGP peer without IPv4 enabled:
gcloud compute routers add-bgp-peer ROUTER_NAME_2 \ --peer-name=PEER_NAME_GW2_IF0 \ --interface=ROUTER_2_INTERFACE_NAME_0 \ --peer-ip-address=PEER_IP_ADDRESS_3 \ --peer-asn=PEER_ASN_1 \ --region=REGION
Alternatively, if you configured
ROUTER_NAME_1
to use MD5 authentication forPEER_NAME_GW1_IF0
, configureROUTER_NAME_2
to use MD5 authentication, as follows:gcloud compute routers add-bgp-peer ROUTER_NAME_2 \ --peer-name=PEER_NAME_GW2_IF0 \ --interface=ROUTER_2_INTERFACE_NAME_0 \ --peer-ip-address=PEER_IP_ADDRESS_3 \ --peer-asn=PEER_ASN_1 \ --region=REGION \ --md5-authentication-key=AUTHENTICATION_KEY
The command output looks similar to the following example:
Updated [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-b].
Create an interface and BGP peer on
ROUTER_NAME_2
for the tunnelTUNNEL_NAME_GW2_IF1
.This interface connects
TUNNEL_NAME_GW2_IF1
oninterface 1
ofGW_2
tointerface 1
ofGW_1
.In the following commands, replace the following:
ROUTER_2_INTERFACE_NAME_1
: a Cloud Router interface name; using a name related toTUNNEL_NAME_GW2_IF1
is helpfulIP_ADDRESS_4
: if you manually assigned a BGP IPv6 address forPEER_IP_ADDRESS_2
forTUNNEL_NAME_GW1_IF1
, then specify that value forIP_ADDRESS_4
. If Google Cloud automatically assigned the peer BGP IPv6 address when you created the interface and BGP peer forTUNNEL_NAME_GW1_IF1
onROUTER_NAME_1
, then you must find out which address has been allocated by Google Cloud. Run thegcloud compute routers describe ROUTER_NAME_1
command. In the output for the BGP peer, use the value that appears in thepeerIpAddress
field. This example usesfdff:1::1:2
.MASK_LENGTH
: specify a mask length of126
.PEER_NAME_GW2_IF1
: a name describing the BGP peer; using a name related toTUNNEL_NAME_GW2_IF1
is helpfulPEER_IP_ADDRESS_4
: if you manually assigned a BGP IP address forIP_ADDRESS_2
forTUNNEL_NAME_GW1_IF1
, then specify that value forPEER_IP_ADDRESS_4
. If Google Cloud automatically assigned the BGP IPv6 address for you, then you must find out which address has been allocated by Google Cloud. Rungcloud compute routers describe ROUTER_NAME_1
, and use the value that appears in theipAddress
field for the BGP peer you created. This example usesfdff:1::1:1
.PEER_ASN_1
: the ASN number used for all interfaces onROUTER_NAME_1
and that was set previously; this example uses ASN number65001
Optional: If you are creating IPv6 BGP sessions and MP-BGP, specify
--enable-ipv4
when you run thegcloud compute routers add-bgp-peer
command to enable IPv4 traffic. You must configure the IPv4 next hop addresses to match the interface and IPv4-enabled BGP peer configured for the first gateway.To configure next hop addresses, replace both of the following:
IPV4_NEXTHOP_ADDRESS_4
: the next hop address for IPv4 routes specified previously inPEER_IPV4_NEXTHOP_ADDRESS_3
; if you automatically assigned IPv4 next hop addresses when you created the interface and BGP peer forTUNNEL_NAME_GW1_IF0
onROUTER_NAME_1
, then you must find out what address has been allocated by Google Cloud. Run thegcloud compute routers describe ROUTER_NAME_1
command and check the output for the BPG peer you set up forTUNNEL_NAME_GW1_IF0
. Use the value that appears in thepeerIpv4NextHopAddress
field. This example uses169.254.13.1
.PEER_IPV4_NEXTHOP_ADDRESS_4
: the next hop address for IPv4 routes learned by the Cloud Router from the BGP peer; the address must be in the link-local IPv4 address range169.254.0.0/16
. This example uses169.254.13.2
.
AUTHENTICATION_KEY_2
: the secret key to use for MD5 authentication onPEER_NAME_GW2_IF1
Create a Cloud Router interface for
TUNNEL_NAME_GW2_IF1
gcloud compute routers add-interface ROUTER_NAME_2 \ --interface-name=ROUTER_2_INTERFACE_NAME_1 \ --ip-address=IP_ADDRESS_4 \ --mask-length=MASK_LENGTH \ --vpn-tunnel=TUNNEL_NAME_GW2_IF1 \ --region=REGION \
The command output is similar to the following example:
Updated [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-b].
Create a BGP peer for
TUNNEL_NAME_GW2_IF1
The following example command creates an IPv6 BGP peer with IPv4 route exchange enabled:
gcloud compute routers add-bgp-peer ROUTER_NAME_2 \ --peer-name=PEER_NAME_GW2_IF1 \ --interface=ROUTER_2_INTERFACE_NAME_1 \ --peer-ip-address=PEER_IP_ADDRESS_4 \ --peer-asn=PEER_ASN_1 \ --region=REGION \ --enable-ipv4 \ --ipv4-nexthop-address=IPV4_NEXTHOP_ADDRESS \ --peer-ipv4-nexthop-address=PEER_IPV4_NEXTHOP_ADDRESS
The following command creates an IPv6 BGP peer without IPv4 route exchange enabled:
gcloud compute routers add-bgp-peer ROUTER_NAME_2 \ --peer-name=PEER_NAME_GW2_IF1 \ --interface=ROUTER_2_INTERFACE_NAME_1 \ --peer-ip-address=PEER_IP_ADDRESS_4 \ --peer-asn=PEER_ASN_1 \ --region=REGION
Alternatively, if you configured
ROUTER_NAME_1
to use MD5 authentication forPEER_NAME_GW1_IF1
, configureROUTER_NAME_2
to use MD5 authentication, as follows:gcloud compute routers add-bgp-peer ROUTER_NAME_2 \ --peer-name=PEER_NAME_GW2_IF1 \ --interface=ROUTER_2_INTERFACE_NAME_1 \ --peer-ip-address=PEER_IP_ADDRESS_4 \ --peer-asn=PEER_ASN_1 \ --region=REGION \ --md5-authentication-key=AUTHENTICATION_KEY_2
The command output is similar to the following example:
Updated [https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-b].
Verify the settings for
ROUTER_NAME_2
:gcloud compute routers describe ROUTER_NAME_2 \ --region=REGION
The command output is similar to the following example:
bgp: advertiseMode: DEFAULT asn: 65002 bgpPeers: — bfd: minReceiveInterval: 1000 minTransmitInterval: 1000 mode: DISABLED multiplier: 5 sessionInitializationMode: DISABLED enable: 'TRUE' enableIpv4: true interfaceName: if-tunnel-b-to-a-if-0 ipAddress: fdff:1::2 ipv4NexthopAddress: 169.254.12.2 name: bgp-peer-tunnel-b-to-a-if-0 peerAsn: 65001 peerIpAddress: fdff:1::1 peerIpv4NexthopAddress: 169.254.12.1 — bfd: minReceiveInterval: 1000 minTransmitInterval: 1000 mode: DISABLED multiplier: 5 sessionInitializationMode: DISABLED enable: 'TRUE' enableIpv4: true interfaceName: if-tunnel-b-to-a-if-1 ipAddress: fdff:1::1 ipv4NexthopAddress: 169.254.13.2 name: bgp-peer-tunnel-b-to-a-if-1 peerAsn: 65001 peerIpAddress: fdff:1::2 peerIpv4NexthopAddress: 169.254.13.2 creationTimestamp: '2021-10-19T14:31:52.639-07:00' id: '4047683710114914215' interfaces: — ipRange: fdff:1::2/126 linkedVpnTunnel: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-b-to-a-if-0 name: if-tunnel-b-to-a-if-0 — ipRange: fdff:1::1:2/126 linkedVpnTunnel: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-b-to-a-if-1 name: if-tunnel-b-to-a-if-1 kind: compute#router name: router-b network: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/network-b region: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1 selfLink: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-b
API
To create a Cloud Router interface with an IPv6 address, make either a
PATCH
orUPDATE
request to therouters.patch
method or therouters.update
method.PATCH
updates only the parameters that you include.UPDATE
updates all parameters for Cloud Router. Create an interface for each VPN tunnel on the HA VPN gateway.The following example creates an interface with a manually configured IPv6 BGP address.
PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/routers/ROUTER_NAME { "interfaces": [ { "name": "if-tunnel-a-to-b-if-0", "linkedVpnTunnel": "ha-vpn-gw-a-tunnel-0", "ipRange": "fdff:1::1/126" } ] }
Each BGP IPv6 address range for each BGP session must be unique among all Cloud Routers in all regions of a VPC network.
As another example, the following command creates an interface with an automatically assigned IPv6 address.
PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/routers/ROUTER_NAME { "interfaces": [ { "name": "if-tunnel-a-to-b-if-0", "linkedVpnTunnel": "ha-vpn-gw-a-tunnel-0", "ipVersion": "IPV6" } ] }
Repeat this step for each VPN tunnel on the HA VPN gateway.
Add a BGP peer to Cloud Router for each interface.
To create a BGP peer, make either a
PATCH
orUPDATE
request by using therouters.patch
method or therouters.update
method. Repeat this command for the other interfaces, changing the field values as needed.PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/routers/ROUTER_NAME { "bgpPeers": [ { "name": "bgp-peer-tunnel-a-to-b-if-0", "interfaceName": "if-tunnel-a-to-b-if-0", "ipAddress": "fdff:1::2", "peerIpAddress": "fdff:1::1", "peerAsn": 65002, "advertiseMode": "DEFAULT" } ] }
To create an IPv6 BGP session with MP-BGP and IPv4 next-hop addresses configured, use the following API command:
PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/routers/ROUTER_NAME { "bgpPeers": [ { "name": "bgp-peer-tunnel-a-to-b-if-0", "interfaceName": "if-tunnel-a-to-b-if-0", "ipAddress": "fdff:1::2", "peerIpAddress": "fdff:1::1", "peerAsn": 65002, "advertiseMode": "DEFAULT", "enableIpv4": true, "ipv4NexthopAddress: "169.254.12.2", "peerIpv4NexthopAddress: "169.254.12.1" } ] }
If you want to configure the session to use MD5 authentication, your request must include an authentication key, which means that it must provide both the key and a name for the key. It must also reference the key by name when creating the BGP peering session. For example:
PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/routers/ROUTER_NAME { "md5AuthenticationKeys": [ { "name": "bgppeer-1-key", "key": "secret_key_value" } ], } { "bgpPeers": [ { "interfaceName": "if-tunnel-a-to-b-if-0", "ipAddress": "fdff:1::2", "name": "bgp-peer-tunnel-a-to-b-if-0", "peerAsn": 65002, "peerIpAddress": "fdff:1::1", "advertiseMode": "DEFAULT", "md5AuthenticationKeyName": "bgppeer-1-key" } ], }
Both IPv4 and IPv6 BGP sessions
Console
To create both IPv4 and IPv6 BGP sessions, follow these steps:
- Click Configure BGP session.
On the Create BGP session page, complete the following steps:
- For BGP session type, select Both.
IPv4 BGP session
- For Name, enter a name for the BGP session.
- For Peer ASN, enter the peer ASN configured for the peer VPN gateway.
- For Allocate BGP IPv4 address, select Automatically or Manually. If you select Manually, do the following:
- For Cloud Router BGP IPv4 address, enter the Cloud Router BGP IPv4 address.
For BGP peer IPv4 address, enter the IPv4 address of the BGP peer. The IPv4 address must meet the following requirements:
- Each IPv4 address must belong to the same
/30
subnet that fits within the169.254.0.0/16
address range. - Each IPv4 address is the first or second host of the
/30
subnet. The first and the last IP addresses of the subnet are reserved for network and broadcast addresses. - Each IPv4 address range for a BGP session must be unique among all Cloud Routers in all regions of a VPC network.
If you select Automatically, Google Cloud automatically selects the IPv4 addresses for your BGP session.
If you select automatic IPv6 address allotment, Google Cloud automatically selects the IPv6 addresses for your BGP session.
- Each IPv4 address must belong to the same
Optional: Expand the Advanced options section.
To enable BGP peer, select Enabled. If enabled, the peer connection is established with routing information. For more information, see Establish BGP sessions.
To add MD5 authentication, select Enabled. If enabled, you can use MD5 authentication to authenticate BGP sessions between Cloud Router and its peers. For more information, see Use MD5 authentication. You can alternatively choose to enable MD5 authentication later.
To add outbound routes to the BGP session, for Priority of all custom learned routes, enter a learned route priority. For more information, see Learned routes.
Click Save and continue.
IPv6 BGP session
- For Name, enter a name for the BGP session.
- For Peer ASN, enter the peer ASN configured for the peer VPN gateway.
- Optional: For Advertised route priority (MED), enter the priority of routes advertised to this BGP peer.
- For Allocate BGP IPv6 address, select Automatically or Manually. If you select Manually, do the following:
- For Cloud Router BGP IPv6 address, enter the Cloud Router BGP IPv6 address.
For BGP peer IPv6 address, enter the IPv6 address of the BGP peer. The IPv4 address must meet the following requirements:
- Each address must be unique local addresses (ULA) from the
fdff:1::/64
address range with a mask length of/64
. For example,fdff:1::1
. - Each address must be unique among all Cloud Routers in all regions of a VPC network.
If you select Automatically, Google Cloud automatically selects the IPv6 addresses for your BGP session.
- Each address must be unique local addresses (ULA) from the
Optional: Expand the Advanced options section.
To enable BGP peer, select Enabled. If enabled, the peer connection is established with routing information. For more information, see Establish BGP sessions.
To enable MD5 authentication, select Enabled. If enabled, MD5 authentication is used to authenticate BGP sessions between Cloud Router and its peers. For more information, see Use MD5 authentication. You can alternatively choose to enable MD5 authentication later.
To add outbound routes to the BGP session, for Priority of all custom learned routes, enter a learned route priority. For more information, see Learned routes.
Click Save and continue.
Repeat the previous steps for the rest of the tunnels configured on the gateway. For each tunnel, use a different Cloud Router BGP IP address and BGP peer IP address.
Click Save BGP configuration.
gcloud
In this section, you configure two interfaces and BGP peers for each HA VPN tunnel. The following table provides an overview of these interfaces and peers. It shows the relationship between the IP address ranges and peer IP addresses that you specify for each interface.
For example, the first interface of router-1
is assigned an IPv4 address of 169.254.0.1
. The second interface
of router-1
is assigned an IPv6 address of fdff:1::1
.
The other Cloud Router, router-2
, is the
BGP peer of router-1
. The first interface of router-2
is assigned
169.254.0.2
, which is the second host in the IPv4 subnet 169.254.0.0/30
.
The second interface of router-2
is assigned fdff:1::2
, which
is the second host in the IPv6 subnet fdff:1::/126
.
Therefore, the peer IPv4 BGP address of router-1
is 169.254.0.2
and its peer BGP peer IPv6 address is fdff:1::2
.
The peer IPv4 BGP address of router-2
is 169.254.0.1
and its
peer BGP peer IPv6 address is fdff:1::1
.
Router | Interface name | BGP IP address | Peer IP address | Peer ASN |
---|---|---|---|---|
router-1 | if-tunnel-a-to-b-if-0_ipv4 | 169.254.0.1/30 | 169.254.0.2 | 65002 |
router-1 | if-tunnel-a-to-b-if-0_ipv6 | fdff:1::1/126 | fdff:1::2 | 65002 |
router-1 | if-tunnel-a-to-b-if-1_ipv4 | 169.254.1.1/30 | 169.254.1.2 | 65002 |
router-1 | if-tunnel-a-to-b-if-1_ipv6 | fdff:1::1:1/126 | fdff:1::1:2 | 65002 |
router-2 | if-tunnel-b-to-a-if-0_ipv4 | 169.254.0.2/30 | 169.254.0.1 | 65001 |
router-2 | if-tunnel-b-to-a-if-0_ipv6 | fdff:1::2/126 | fdff:1::1 | 65001 |
router-2 | if-tunnel-b-to-a-if-1_ipv4 | 169.254.1.2/30 | 169.254.1.1 | 65001 |
router-2 | if-tunnel-b-to-a-if-1_ipv6 | fdff:1::1:2/126 | fdff:1::1:1 | 65001 |
To create Cloud Router interfaces and BGP peers, complete the following command sequence.
Create both interfaces and BGP peers on
ROUTER_NAME_1
for the tunnelTUNNEL_NAME_GW1_IF0
.The two interfaces connect
TUNNEL_NAME_GW1_IF0
oninterface 0
ofGW_1
tointerface 0
ofGW_2
.In the commands, replace the following:
ROUTER_1_INTERFACE_NAME_0_ipv4
andROUTER_1_INTERFACE_NAME_0_ipv6
: names for the Cloud Router interfaces; using names related toTUNNEL_NAME_GW1_IF0
is helpfulIP_VERSION
: IPv6 version of the interface, eitherIPV6
orIPV4
. This parameter is only required if you want Google Cloud to assign the IPv6 address automatically for an interface. If you are manually assigning an IPv6 address to this interface, you can omit this flag.IPV4_ADDRESS_1
andIPV6_ADDRESS_1
: a BGP IP address from the169.254.0.0/16
orfdff:1::/64
address range that's not already in use; this example uses169.254.0.1
andfdff:1::1
. If you omit this flag and don't manually assign a BGP IP address, Google Cloud automatically assigns an address for you.MASK_LENGTH
: when you specify a BGP IPv6 address for an interface, specify30
because the Cloud Router must use a unique/30
CIDR from the same169.254.0.0/16
IPv4 address range. When specifying an IPv6 address for an interface, specify a mask length of126
.PEER_NAME_GW1_IF0_ipv4
andPEER_NAME_GW1_IF0_ipv6
: names describing the IPv4 and IPv6 BGP peers; using names related toTUNNEL_NAME_GW1_IF0
is helpfulPEER_IPV4_ADDRESS_1
andPEER_IPV6_ADDRESS_1
: a BGP address from the169.254.0.0/16
orfdff:1::/64
IPv6 address range that's not already in use; this example uses169.254.0.2
andfdff:1::2
. If you did not previously assign specific BGP addresses forIPV4_ADDRESS_1
andIPV6_ADDRESS_1
, omit these options as well and Google Cloud automatically assigns a matching BGP peer IP addresses for you. If you manually specifiedIPV4_ADDRESS_1
andIPV6_ADDRESS_1
, you must also manually configure these options.PEER_ASN_2
: the ASN number used for all interfaces onROUTER_NAME_2
; this example uses ASN number65002
Optional: Assign a BGP identifier range
When you add the first interface with an IPv6 address to a Cloud Router, a BGP identifier range is automatically assigned to the Cloud Router. If you prefer to define your own BGP identifier range for a Cloud Router, you can create your own range. You can also modify this range later.
For more information, see Configure the BGP identifier range for a Cloud Router.
Automatic
Create Cloud Router interfaces for
TUNNEL_NAME_GW1_IF0
To create an interface with an automatically configured BGP IPv4 address, run the following command:
gcloud compute routers add-interface ROUTER_NAME_1 \ --interface-name=ROUTER_1_INTERFACE_NAME_0_ipv4 \ --vpn-tunnel=TUNNEL_NAME_GW1_IF0 \ --region=REGION \ --ip-version=IPV4
To create an interface with an automatically configured BGP IPv6 address, run the following command:
gcloud compute routers add-interface ROUTER_NAME_1 \ --interface-name=ROUTER_1_INTERFACE_NAME_0_ipv6 \ --vpn-tunnel=TUNNEL_NAME_GW1_IF0 \ --region=REGION \ --ip-version=IPV6
Create BGP peers for
TUNNEL_NAME_GW1_IF0
The following example command creates the IPv4 BGP peer:
gcloud compute routers add-bgp-peer ROUTER_NAME_1 \ --peer-name=PEER_NAME_GW1_IF0_ipv4 \ --interface=ROUTER_1_INTERFACE_NAME_0_ipv4 \ --peer-asn=PEER_ASN_2 \ --region=REGION \
The following example command creates the IPv6 BGP peer:
gcloud compute routers add-bgp-peer ROUTER_NAME_1 \ --peer-name=PEER_NAME_GW1_IF0_ipv6 \ --interface=ROUTER_1_INTERFACE_NAME_0_ipv6 \ --peer-asn=PEER_ASN_2 \ --region=REGION
By creating two interfaces and BGP peers, you run two parallel IPv4 and IPv6 BGP sessions in the same tunnel.
You can't use MP-BGP in this configuration.
Manual
Create Cloud Router interfaces for
TUNNEL_NAME_GW1_IF0
To create an interface with a manually configured BGP IPv4 address, run the following command:
gcloud compute routers add-interface ROUTER_NAME_1 \ --interface-name=ROUTER_1_INTERFACE_NAME_0_ipv4 \ --ip-address=IPV4_ADDRESS_1 \ --mask-length=30 \ --vpn-tunnel=TUNNEL_NAME_GW1_IF0 \ --region=REGION
To create an interface with a manually configured BGP IPv6 address, run the following command:
gcloud compute routers add-interface ROUTER_NAME_1 \ --interface-name=ROUTER_1_INTERFACE_NAME_0_ipv6 \ --ip-address=IPV6_ADDRESS_1 \ --mask-length=MASK_LENGTH \ --vpn-tunnel=TUNNEL_NAME_GW1_IF0 \ --region=REGION \
Create BGP peers for
TUNNEL_NAME_GW1_IF0
The following example command creates the IPv4 BGP peer:
gcloud compute routers add-bgp-peer ROUTER_NAME_1 \ --peer-name=PEER_NAME_GW1_IF0_ipv4 \ --interface=ROUTER_1_INTERFACE_NAME_0_ipv4 \ --peer-ip-address=PEER_IPV4_ADDRESS_1 \ --peer-asn=PEER_ASN_2 \ --region=REGION \
The following command creates the IPv6 BGP peer:
gcloud compute routers add-bgp-peer ROUTER_NAME_1 \ --peer-name=PEER_NAME_GW1_IF0_ipv6 \ --interface=ROUTER_1_INTERFACE_NAME_0_ipv6 \ --peer-ip-address=PEER_IPV6_ADDRESS_1 \ --peer-asn=PEER_ASN_2 \ --region=REGION
By creating two interfaces and BGP peers, you run two parallel IPv4 and IPv6 BGP sessions in the same tunnel.
You can't use MP-BGP in this configuration.
Create both interfaces and BGP peers on
ROUTER_NAME_1
for the tunnelTUNNEL_NAME_GW1_IF1
.The two interfaces connect
TUNNEL_NAME_GW1_IF1
oninterface 1
ofGW_1
tointerface 1
ofGW_2
.In the following commands, replace the following:
ROUTER_1_INTERFACE_NAME_1_ipv4
andROUTER_1_INTERFACE_NAME_1_ipv6
: names for the Cloud Router interfaces; using names related toTUNNEL_NAME_GW1_IF1
is helpfulIP_VERSION
: the version of the interface, eitherIPV6
orIPV4
. If unspecified, the default isIPV4
. This parameter is only required if you want Google Cloud to assign an IPv6 address automatically to an interface. If you are manually assigning an IPv4 or IPv6 address to this interface, you can omit this flag.IPV4_ADDRESS_2
orIPV6_ADDRESS_2
: a BGP IPv4 or IPv6 address from the169.254.0.0/16
orfdff:1::/64
IPv6 address range that's not already in use; this example uses169.254.1.1
and orfdff:1::1:1
. If you omit this flag and don't manually assign a BGP IPv4 or IPv6 address, Google Cloud automatically assigns an address for you.MASK_LENGTH
: when you specify an IPv4 address for an interface, specify30
because the Cloud Router must use a unique/30
CIDR from the same169.254.0.0/16
IPv4 address range. When you specify an IPv6 address for an interface, specify a mask length of64
.PEER_NAME_GW1_IF1_ipv4
andPEER_NAME_GW1_IF0_ipv6
: names describing the IPv4 and IPv6 BGP peers; using names related toTUNNEL_NAME_GW1_IF1
is helpfulPEER_IPV4_ADDRESS_2
orPEER_IPV6_ADDRESS_2
: a BGP IPv4 or IPv6 address from the169.254.0.0/16
orfdff:1::/64
IPv6 address range that's not already in use; this example uses169.254.1.2
andfdff:1::1:2
. If you did not specifically assign an IPv4 or IPv6 address,IPV4_ADDRESS_2
orIPV6_ADDRESS_2
, omit this option and Google Cloud automatically assigns a matching BGP peer IPv4 or IPv6 address for you. If you manually specifiedIPV4_ADDRESS_2
orIPV6_ADDRESS_2
, you must also manually configure this option.PEER_ASN_2
: the ASN number used for all interfaces on the other Cloud RouterROUTER_NAME_2
; this example uses ASN number65002
AUTHENTICATION_KEY_2
: the secret key to use for MD5 authentication onPEER_NAME_GW1_IF1
; for more information about this optional feature, see Use MD5 authentication
Automatic
Create Cloud Router interfaces for
TUNNEL_NAME_GW1_IF1
To create an interface with an automatically configured IPv4 address, run the following command:
gcloud compute routers add-interface ROUTER_NAME_1 \ --interface-name=ROUTER_1_INTERFACE_NAME_1_ipv4 \ --vpn-tunnel=TUNNEL_NAME_GW1_IF1 \ --region=REGION \ --ip-version=IPV4
To create an interface with an automatically configured IPv6 address, run the following command:
gcloud compute routers add-interface ROUTER_NAME_1 \ --interface-name=ROUTER_1_INTERFACE_NAME_1_ipv6 \ --vpn-tunnel=TUNNEL_NAME_GW1_IF1 \ --region=REGION \ --ip-version=IPV6
Create BGP peers for
TUNNEL_NAME_GW1_IF1
The following example command creates an IPv4 BGP peer:
gcloud compute routers add-bgp-peer ROUTER_NAME_1 \ --peer-name=PEER_NAME_GW1_IF1_ipv4 \ --interface=ROUTER_1_INTERFACE_NAME_1_ipv4 \ --peer-ip-address=PEER_IPV4_ADDRESS_2 \ --peer-asn=PEER_ASN_2 \ --region=REGION
The following example command creates an IPv6 BGP peer:
gcloud compute routers add-bgp-peer ROUTER_NAME_1 \ --peer-name=PEER_NAME_GW1_IF1_ipv6 \ --interface=ROUTER_1_INTERFACE_NAME_1_ipv6 \ --peer-ip-address=PEER_IPV6_ADDRESS_2 \ --peer-asn=PEER_ASN_2 \ --region=REGION
By creating two interfaces and BGP peers, you run two parallel IPv4 and IPv6 BGP sessions in the same tunnel.
You can't use MP-BGP in this configuration.
Manual
Create Cloud Router interfaces for
TUNNEL_NAME_GW1_IF1
To create an interface with a manually configured IPv4 address, run the following command:
gcloud compute routers add-interface ROUTER_NAME_1 \ --interface-name=ROUTER_1_INTERFACE_NAME_1_ipv4 \ --ip-address=IPV4_ADDRESS_2 \ --mask-length=30 \ --vpn-tunnel=TUNNEL_NAME_GW1_IF1 \ --region=REGION
To create an interface with a manually configured IPv6 address, run the following command:
gcloud compute routers add-interface ROUTER_NAME_1 \ --interface-name=ROUTER_1_INTERFACE_NAME_1_ipv6 \ --ip-address=IPV6_ADDRESS_2 \ --mask-length=MASK_LENGTH \ --vpn-tunnel=TUNNEL_NAME_GW1_IF1 \ --region=REGION
Create BGP peers for
TUNNEL_NAME_GW1_IF1
The following example command creates an IPv4 BGP peer:
gcloud compute routers add-bgp-peer ROUTER_NAME_1 \ --peer-name=PEER_NAME_GW1_IF1_ipv4 \ --interface=ROUTER_1_INTERFACE_NAME_1_ipv4 \ --peer-ip-address=PEER_IPV4_ADDRESS_2 \ --peer-asn=PEER_ASN_2 \ --region=REGION
The following example command creates an IPv6 BGP peer:
gcloud compute routers add-bgp-peer ROUTER_NAME_1 \ --peer-name=PEER_NAME_GW1_IF1_ipv6 \ --interface=ROUTER_1_INTERFACE_NAME_1_ipv6 \ --peer-ip-address=PEER_IPV6_ADDRESS_2 \ --peer-asn=PEER_ASN_2 \ --region=REGION
By creating two interfaces and BGP peers, you run two parallel IPv4 and IPv6 BGP sessions in the same tunnel.
You can't use MP-BGP in this configuration.
Verify the settings for
ROUTER_NAME_1
:gcloud compute routers describe ROUTER_NAME_1 \ --region=REGION
The command output is similar to the following example:
bgp: advertisemode: DEFAULT asn: 65001 keepaliveInterval: 20 bgpPeers: — bfd: minReceiveInterval: 1000 minTransmitInterval: 1000 mode: DISABLED multiplier: 5 sessionInitializationMode: DISABLED enable: 'TRUE' interfaceName: if-tunnel-a-to-b-if-0_ipv4 ipAddress: 169.254.0.1 name: bgp-peer-tunnel-a-to-b-if-0_ipv4 peerAsn: 65002 peerIpAddress: 169.254.0.2 — bfd: minReceiveInterval: 1000 minTransmitInterval: 1000 mode: DISABLED multiplier: 5 sessionInitializationMode: DISABLED enable: 'TRUE' interfaceName: if-tunnel-a-to-b-if-1_ipv4 ipAddress: 169.254.1.1 name: bgp-peer-tunnel-a-to-b-if-1_ipv4 peerAsn: 65002 peerIpAddress: 169.254.1.2 — bfd: minReceiveInterval: 1000 minTransmitInterval: 1000 mode: DISABLED multiplier: 5 sessionInitializationMode: DISABLED enable: 'TRUE' interfaceName: if-tunnel-a-to-b-if-0_ipv6 ipAddress: fdff:1::1 name: bgp-peer-tunnel-a-to-b-if-0_ipv6 peerAsn: 65002 peerIpAddress: fdff:1::2 — bfd: minReceiveInterval: 1000 minTransmitInterval: 1000 mode: DISABLED multiplier: 5 sessionInitializationMode: DISABLED enable: 'TRUE' interfaceName: if-tunnel-a-to-b-if-1_ipv6 ipAddress: fdff:1::1 name: bgp-peer-tunnel-a-to-b-if-1_ipv6 peerAsn: 65002 peerIpAddress: fdff:1::2 creationTimestamp: '2021-10-19T14:31:52.639-07:00' id: '4047683710114914215' interfaces: — ipRange: 169.254.0.1/30 linkedVpnTunnel: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-b-if-0 name: if-tunnel-a-to-b-if-0 — ipRange: 169.254.1.1/30 linkedVpnTunnel: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-b-if-0 name: if-tunnel-a-to-b-if-0 — ipRange: fdff:1::1/126 linkedVpnTunnel: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-b-if-1 name: if-tunnel-a-to-b-if-1 — ipRange: fdff:1::1:1/126 linkedVpnTunnel: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-a-to-b-if-1 name: if-tunnel-a-to-b-if-1 kind: compute#router name: router-a network: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/network-a region: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1 selfLink: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-a
Create both interfaces and BGP peers on
ROUTER_NAME_2
for the tunnelTUNNEL_NAME_GW2_IF0
.The two interfaces connect
TUNNEL_NAME_GW2_IF0
oninterface 0
ofGW_2
tointerface 0
ofGW_1
.You must configure the interface and BGP peering addresses on this Cloud Router manually because the corresponding addresses have already been configured on the other Cloud Router,
ROUTER_NAME_1
.In the commands, replace the following:
ROUTER_2_INTERFACE_NAME_0_ipv4
andROUTER_2_INTERFACE_NAME_0<_ipv6
: Cloud Router interface names; using names related toTUNNEL_NAME_GW2_IF0
is helpfulIPV4_ADDRESS_3
andIPV6_ADDRESS_3
: the BGP IPv4 and IPv6 addresses used previously for this gateway and interface. If you automatically assigned the peer IPv4 and IPv6 addresses when you created the interfaces and BGP peers forTUNNEL_NAME_GW1_IF0
onROUTER_NAME_1
, then you must specify the allocated addresses asIPV4_ADDRESS_3
andIPV6_ADDRESS_3
. To find out which addresses have been allocated by Google Cloud, run thegcloud compute routers describe ROUTER_NAME_1
command. In the output for the BGP peers, use the values that appear in thepeerIpAddress
field. This example uses169.254.0.2
andfdff:1::2
.MASK_LENGTH
: for an interface with an IPv4 address, specify30
because the Cloud Router must use a unique/30
CIDR from the same169.254.0.0/16
IPv4 address range. For an interface with an IPv6 address, specify a mask length of64
.PEER_NAME_GW2_IF0_ipv4
andPEER_NAME_GW2_IF0_ipv6
: a name describing the BGP peer; using a name related toTUNNEL_NAME_GW2_IF0
is helpfulPEER_IPV4_ADDRESS_3
andPEER_IPV6_ADDRESS_3
: the BGP IPv4 or IPv6 addresses used previously when you configured the first gateway and interface. Rungcloud compute routers describe ROUTER_NAME_1
, and use the values that appear in theipAddress
field for the BGP peers you created forTUNNEL_NAME_GW1_IF0
. This example uses169.254.0.1
andfdff:1::1
.PEER_ASN_1
: the ASN number used for all interfaces onROUTER_NAME_1
and that was set previously; this example uses ASN number65001
Create Cloud Router interfaces for
TUNNEL_NAME_GW2_IF0
To create an interface and manually configure its IPv4 address, run the following command:
gcloud compute routers add-interface ROUTER_NAME_2 \ --interface-name=ROUTER_2_INTERFACE_NAME_0 \ --ip-address=IPV4_ADDRESS_3 \ --mask-length=MASK_LENGTH \ --vpn-tunnel=TUNNEL_NAME_GW2_IF0 \ --region=REGION
To create an interface and manually configure its IPv6 address, run the following command:
gcloud compute routers add-interface ROUTER_NAME_1 \ --interface-name=ROUTER_2_INTERFACE_NAME_0 \ --ip-address=IPV6_ADDRESS_3 \ --mask-length=MASK_LENGTH \ --vpn-tunnel=TUNNEL_NAME_GW2_IF0 \ --region=REGION \
Create BGP peers for
TUNNEL_NAME_GW2_IF0
The following example command creates the IPv4 BGP peer:
gcloud compute routers add-bgp-peer ROUTER_NAME_2 \ --peer-name=PEER_NAME_GW2_IF0_ipv4 \ --interface=ROUTER_2_INTERFACE_NAME_0_ipv4 \ --peer-ip-address=PEER_IPV4_ADDRESS_3 \ --peer-asn=PEER_ASN_1 \ --region=REGION
The following example command creates the IPv6 BGP peer:
gcloud compute routers add-bgp-peer ROUTER_NAME_2 \ --peer-name=PEER_NAME_GW2_IF0_ipv6 \ --interface=ROUTER_2_INTERFACE_NAME_0_ipv6 \ --peer-ip-address=PEER_IPV6_ADDRESS_3 \ --peer-asn=PEER_ASN_1 \ --region=REGION
By creating two interfaces and BGP peers, you run two parallel IPv4 and IPv6 BGP sessions in the same tunnel.
You can't use MP-BGP in this configuration.
Create both interfaces and BGP peers on
ROUTER_NAME_2
for the tunnelTUNNEL_NAME_GW2_IF1
.The two interfaces connect
TUNNEL_NAME_GW2_IF0
oninterface 0
ofGW_2
tointerface 0
ofGW_1
.You must configure the interface and BGP peering addresses on this Cloud Router manually because the corresponding addresses have already been configured on the other Cloud Router,
ROUTER_NAME_1
.The two interfaces connect
TUNNEL_NAME_GW2_IF1
oninterface 1
ofGW_2
tointerface 1
ofGW_1
.In the following commands, replace the following:
ROUTER_2_INTERFACE_NAME_1_ipv4
andROUTER_2_INTERFACE_NAME_1_ipv6
: names for the Cloud Router interfaces; using names related toTUNNEL_NAME_GW2_IF1
is helpfulIPV4_ADDRESS_4
andIPV6_ADDRESS_4
: the BGP IPv4 and IPv6 addresses used previously for this gateway and interface. If you automatically assigned the peer BGP IP address when you created the interface and BGP peer forTUNNEL_NAME_GW1_IF1
onROUTER_NAME_1
, then you must manually specify these allocated addresses asIPV4_ADDRESS_4
andIPV6_ADDRESS_4
. To find out which addresses have been allocated by Google Cloud, run thegcloud compute routers describe ROUTER_NAME_1
command. In the output for the BGP peer, use the values that appear in thepeerIpAddress
field. This example uses169.254.1.2
andfdff:1::1:2
.MASK_LENGTH
: for an interface with an IPv4 address, specify30
because the Cloud Router must use a unique/30
CIDR from the same169.254.0.0/16
IPv4 address range. For an interface with an IPv6 address, specify a mask length of64
.PEER_NAME_GW2_IF1_ipv4
andPEER_NAME_GW2_IF1_ipv6
: a name describing the BGP peer; using a name related toTUNNEL_NAME_GW2_IF1
is helpfulPEER_IPV4_ADDRESS_4
andPEER_IPV6_ADDRESS_4
: the IP address you specified asIPV4_ADDRESS_2
andIPV6_ADDRESS_2
and when you configured the first gateway and interface. Rungcloud compute routers describe ROUTER_NAME_1
, and use the values that appear in theipAddress
field for the BGP peer you created forTUNNEL_NAME_GW2_IF1
. This example uses169.254.1.1
andfdff:1::1:1
.PEER_ASN_1
: the ASN number used for all interfaces onROUTER_NAME_1
and that was set previously; this example uses ASN number65001
Create Cloud Router interfaces for
TUNNEL_NAME_GW2_IF1
To create an interface and manually configure its IPv4 address, run the following command:
gcloud compute routers add-interface ROUTER_NAME_2 \ --interface-name=ROUTER_2_INTERFACE_NAME_1 \ --ip-address=IPV4_ADDRESS_4 \ --mask-length=MASK_LENGTH \ --vpn-tunnel=TUNNEL_NAME_GW2_IF1 \ --region=REGION
To create an interface and manually configure its IPv6 address, run the following command:
gcloud compute routers add-interface ROUTER_NAME_2 \ --interface-name=ROUTER_2_INTERFACE_NAME_1 \ --ip-address=IPV6_ADDRESS_4 \ --mask-length=MASK_LENGTH \ --vpn-tunnel=TUNNEL_NAME_GW2_IF1 \ --region=REGION
Create BGP peers for
TUNNEL_NAME_GW2_IF1
The following example command creates the IPv4 BGP peer:
gcloud compute routers add-bgp-peer ROUTER_NAME_2 \ --peer-name=PEER_NAME_GW2_IF1_ipv4 \ --interface=ROUTER_2_INTERFACE_NAME_1_ipv4 \ --peer-ip-address=PEER_IPV4_ADDRESS_4 \ --peer-asn=PEER_ASN_1 \ --region=REGION
The following example command creates the IPv6 BGP peer:
gcloud compute routers add-bgp-peer ROUTER_NAME_2 \ --peer-name=PEER_NAME_GW2_IF1_ipv6 \ --interface=ROUTER_2_INTERFACE_NAME_1_ipv6 \ --peer-ip-address=PEER_IPV6_ADDRESS_4 \ --peer-asn=PEER_ASN_1 \ --region=REGION
Verify the settings for
ROUTER_NAME_2
:gcloud compute routers describe ROUTER_NAME_2 \ --region=REGION
The command output looks similar to the following example:
bgp: advertisemode: DEFAULT asn: 65002 keepaliveInterval: 20 bgpPeers: — bfd: minReceiveInterval: 1000 minTransmitInterval: 1000 mode: DISABLED multiplier: 5 sessionInitializationMode: DISABLED enable: 'TRUE' interfaceName: if-tunnel-b-to-a-if-0_ipv4 ipAddress: 169.254.0.2 name: bgp-peer-tunnel-b-to-a-if-0_ipv4 peerAsn: 65002 peerIpAddress: 169.254.0.1 — bfd: minReceiveInterval: 1000 minTransmitInterval: 1000 mode: DISABLED multiplier: 5 sessionInitializationMode: DISABLED enable: 'TRUE' interfaceName: if-tunnel-b-to-a-if-1_ipv4 ipAddress: 169.254.1.2 name: bgp-peer-tunnel-b-to-a-if-1_ipv4 peerAsn: 65001 peerIpAddress: 169.254.1.1 — bfd: minReceiveInterval: 1000 minTransmitInterval: 1000 mode: DISABLED multiplier: 5 sessionInitializationMode: DISABLED enable: 'TRUE' interfaceName: if-tunnel-b-to-a-if-0_ipv6 ipAddress: fdff:1::2 name: bgp-peer-tunnel-b-to-a-if-0_ipv6 peerAsn: 65001 peerIpAddress: fdff:1::1 — bfd: minReceiveInterval: 1000 minTransmitInterval: 1000 mode: DISABLED multiplier: 5 sessionInitializationMode: DISABLED enable: 'TRUE' interfaceName: if-tunnel-b-to-a-if-1_ipv6 ipAddress: fdff:1::2 name: bgp-peer-tunnel-b-to-a-if-1_ipv6 peerAsn: 65001 peerIpAddress: fdff:1::1 creationTimestamp: '2021-10-19T14:31:52.639-07:00' id: '4047683710114914215' interfaces: — ipRange: 169.254.0.2/30 linkedVpnTunnel: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-b-to-a-if-0 name: if-tunnel-b-to-a-if-0 — ipRange: 169.254.1.2/30 linkedVpnTunnel: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-b-to-a-if-0 name: if-tunnel-b-to-a-if-0 — ipRange: fdff:1::2/126 linkedVpnTunnel: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-b-to-a-if-1 name: if-tunnel-b-to-a-if-1 — ipRange: fdff:1::1:2/126 linkedVpnTunnel: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/vpnTunnels/tunnel-b-to-a-if-1 name: if-tunnel-b-to-a-if-1 kind: compute#router name: router-b network: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/network-b region: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1 selfLink: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/us-central1/routers/router-b
API
To create multiple Cloud Router interfaces, make either a
PATCH
orUPDATE
request by using therouters.patch
method or therouters.update
method.PATCH
updates only the parameters that you include.UPDATE
updates all parameters for Cloud Router.The BGP address ranges that you specify must be unique among all Cloud Routers in all regions of a VPC network.
Repeat this step and command for each VPN tunnel defined on each HA VPN gateway. For an HA VPN gateway to HA VPN deployment, this means four HA VPN tunnel configurations.
PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/routers/ROUTER_NAME { "interfaces": [ { "name": "if-tunnel-a-to-b-if-0_ipv4", "linkedVpnTunnel": "ha-vpn-gw-a-tunnel-0", "ipRange": "169.254.0.1/30" }, { "name": "if-tunnel-a-to-b-if-0_ipv6", "linkedVpnTunnel": "ha-vpn-gw-a-tunnel-0", "ipRange": "fdff:1::1/126" } ] }
The following example adds an interface with an IPv4 address and an interface with an IPv6 address to the same
linkedVpnTunnel
. The command automatically assigns IPv4 and IPv6 addresses to the interfaces:PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/routers/ROUTER_NAME { "interfaces": [ { "name": "if-tunnel-a-to-b-if-0_ipv4", "linkedVpnTunnel": "ha-vpn-gw-a-tunnel-0", "ipVersion": "IPV4" }, { "name": "if-tunnel-a-to-b-if-0_ipv6", "linkedVpnTunnel": "ha-vpn-gw-a-tunnel-0", "ipVersion": "IPV6" } ] }
To add BGP peers to the Cloud Router for each VPN tunnel, make either a
PATCH
orUPDATE
request by using therouters.patch
method or therouters.update
method. Repeat this command for each VPN tunnel, changing all options as needed.For example:
PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/routers/ROUTER_NAME { "bgpPeers": [ { "interfaceName": "if-tunnel-a-to-b-if-0_ipv4", "ipAddress": "169.254.0.1", "name": "bgp-peer-tunnel-a-to-b-if-0_ipv4", "peerAsn": 65002, "peerIpAddress": "169.254.0.2", "advertiseMode": "DEFAULT" }, { "interfaceName": "if-tunnel-a-to-b-if-0_ipv6", "ipAddress": fdff:1::1", "name": "bgp-peer-tunnel-a-to-b-if-0_ipv6", "peerAsn": 65002, "peerIpAddress": "fdff:1::2", "advertiseMode": "DEFAULT" } ] }
Verify the configuration
Console
To verify the configuration, follow these steps.
In the Google Cloud console, go to the Cloud VPN tunnels page.
View the VPN tunnel status and the BGP session status.
If your configuration is correct, the VPN tunnel status is
Established
and the BGP session status isBGP established
.For more information about the VPN tunnel status and the BGP session states, see Interpret tunnel status messages and BGP session states.
gcloud
- To verify the HA VPN tunnel configuration, see Check HA VPN tunnels.
- To verify the Cloud Router configuration, see View router details.
API
To verify the Cloud Router configuration, make a GET
request
by using the
routers.getRouterStatus
method, and use an empty request body:
GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/routers
To learn about how to troubleshoot your Cloud VPN connection, see Troubleshooting.
Create an additional tunnel on a single-tunnel gateway
Console
To receive a 99.99% uptime SLA, configure a tunnel on each HA VPN interface on each side of an HA VPN-to-HA VPN gateway configuration.
If you configured one tunnel on an HA VPN gateway to another HA VPN gateway but want to receive a 99.99% uptime SLA, you must configure a second tunnel.
To configure a second tunnel, follow the steps at Add a tunnel from an HA VPN gateway to another HA VPN gateway.
Set the base advertised route priority (optional)
The BGP sessions that you create let each Cloud Router advertise routes to peer networks. The advertisements use unmodified base priorities.
Use the configuration documented in
Create two fully configured HA VPN gateways that connect to each other
for active-active routing configurations where the
advertised route priorities of the two tunnels on both sides match. Omitting the
advertised route priority (--advertised-route-priority
) results in the same
advertised route priorities to both BGP peers.
For active-passive routing configurations, you can control the advertised
route priority of the to Google Cloud
routes that Cloud Router
shares with your peer VPN gateway by setting the advertised route priority
(--advertised-route-priority
) when adding or updating a BGP peer. To create
an active-passive configuration, set a higher advertised route
priority for one BGP session and its corresponding VPN tunnel than for the other
BGP session and VPN tunnel.
For more information about the base advertised route priority, see Advertised priority.
You can also refine the routes that are advertised by using Advertised routes:
- Add the
--advertisement-mode=CUSTOM
flag (gcloud
) or theadvertiseMode: custom
flag (API). - Specify IP address ranges with the
--set-advertisement-ranges
flag (gcloud
) or theadvertisedIpRanges
flag (API).
Complete the configuration
Before you can use a new Cloud VPN gateway and its associated VPN tunnels, complete the following steps:
- Configure firewall rules in Google Cloud for your VPC networks.
- Check the status of your VPN tunnels. This step includes checking the high-availability configuration of your HA VPN gateway.
What's next
- To control which IP addresses are allowed for peer VPN gateways, see Restrict IP addresses for peer VPN gateways.
- To use high-availability and high-throughput scenarios or multiple subnet scenarios, see Advanced configurations.
- To help you solve common issues that you might encounter when using Cloud VPN, see Troubleshooting.