Hybrid Networking

Cloud VPN

Cloud VPN securely extends your peer network to your VPC network through an IPsec VPN connection. The IPsec tunnel encrypts traffic traveling between the two networks: each VPN gateway encrypts the traffic it sends and decrypts the traffic it receives, so your data is protected in transit. You can also connect two VPC networks together by connecting two Cloud VPN gateways. You cannot use Cloud VPN to route traffic to the public internet; it is designed for secure communication between private networks.

Types of Cloud VPN

Google Cloud offers two types of Cloud VPN gateways:

HA VPN

HA VPN is a high-availability (HA) Cloud VPN solution that lets you securely connect your on-premises network to your VPC network through an IPsec VPN connection. Depending on the topology and configuration, HA VPN can provide an SLA of 99.99% or 99.9% service availability.
When you create an HA VPN gateway, Google Cloud automatically chooses two external IP addresses, one for each of its interfaces. Each IP address is chosen from a different address pool to support high availability. Each HA VPN gateway interface supports multiple tunnels, and you can create multiple HA VPN gateways. When you delete the HA VPN gateway, Google Cloud releases the IP addresses for reuse. You can configure an HA VPN gateway with only one active interface and one external IP address, but that configuration does not qualify for an availability SLA.
One option is HA VPN over Cloud Interconnect. With HA VPN over Cloud Interconnect, you get the IPsec encryption of Cloud VPN alongside the increased capacity of Cloud Interconnect, and because the tunnels run over Cloud Interconnect, your traffic never traverses the public internet. If you use Partner Interconnect, you must add IPsec encryption to your Cloud Interconnect traffic to meet data security and compliance requirements when connecting through third-party providers. HA VPN uses an external VPN gateway resource in Google Cloud to describe your peer VPN gateway or gateways to Google Cloud.
For more information about HA VPN topologies and supported SLAs, see .
Note: Your peer VPN gateway device must support dynamic Border Gateway Protocol (BGP) routing.

An HA VPN gateway to two peer VPN gateways

Classic VPN

Caution: Dynamic routing (Border Gateway Protocol, BGP) with Classic VPN tunnels will be deprecated on August 1, 2025. After this date, existing tunnels with these configurations will no longer be supported. Tunnels that are in use will continue to function, but without an availability SLA. If you use BGP with Classic VPN for production workloads, we recommend that you migrate to HA VPN. For more information, see .
All Cloud VPN gateways created before the introduction of HA VPN are considered Classic VPN gateways. For information about how to move from Classic VPN to HA VPN, see .
In contrast to HA VPN, Classic VPN gateways have a single interface and a single external IP address, and support tunnels that use static routing (policy-based or route-based). You can also configure dynamic routing (BGP) for Classic VPN, but only for tunnels that connect to third-party VPN gateway software running on Google Cloud VM instances.
Classic VPN gateways provide an SLA of 99.9% service availability.
Classic VPN gateways don't support IPv6.
For supported Classic VPN topologies, see the .

Comparison table

Feature | HA VPN | Classic VPN
--- | --- | ---
SLA | Provides a 99.99% SLA for most topologies, with a few exceptions. For more information, see . | Provides a 99.9% SLA.
Creation of external IP addresses and forwarding rules | External IP addresses are created from a pool; no forwarding rules are required. | External IP addresses and forwarding rules must be created.
Supported routing options | Only dynamic routing (BGP). | Static routing (policy-based, route-based). Dynamic routing is only supported for tunnels that connect to third-party VPN gateway software running on Google Cloud VM instances. Caution: dynamic routing (BGP) with Classic VPN tunnels will be deprecated on August 1, 2025; see Feature deprecation: Classic VPN.
Two tunnels from one Cloud VPN gateway to the same peer gateway | Supported | Not supported
Connect a Cloud VPN gateway to Compute Engine VMs with external IP addresses | Supported and recommended topology. For more information, see . | Supported.
API resources | Known as the vpn-gateway resource. | Known as the target-vpn-gateway resource.
IPv6 traffic | Supports dual-stack (IPv4 and IPv6) and IPv6-only configurations. | Not supported.

Best practices for Cloud VPN


Routing and failover

Choose dynamic routing

Choose a Cloud VPN gateway that uses dynamic routing and the Border Gateway Protocol (BGP). Google recommends using HA VPN and deploying on-premises devices that support BGP.

Use HA VPN whenever possible

To achieve the highest level of availability, use HA VPN whenever possible.

Choose the appropriate tunnel configuration

Choose the tunnel configuration based on the number of HA VPN tunnels:
If you have two HA VPN tunnels, use an active/passive tunnel configuration.
If you have more than two HA VPN tunnels, use an active/active tunnel configuration.
For more information, see the Cloud VPN overview.

Reliability

Configure your peer VPN gateway with only one cipher for each cipher role

Cloud VPN can act as an initiator or a responder to IKE requests depending on the origin of traffic when a new security association (SA) is needed.
When Cloud VPN initiates a VPN connection, Cloud VPN proposes the algorithms in the order shown in the supported IKE ciphers table for each cipher role, and the peer receiving the proposal selects an algorithm.
If the peer initiates the connection, Cloud VPN selects a cipher from the peer's proposal using the same table order for each cipher role.
Because each side applies its own preference order when it is the responder, the selected cipher can differ depending on which side initiates. It can even change over time, because key rotation creates new security associations (SAs) and either side may initiate the rekey. A change in cipher selection can affect important tunnel characteristics such as performance and MTU, so make sure your cipher selection is stable. For more information about MTU, see .
To prevent changes in cipher selection, configure your peer VPN gateway to propose and accept only one cipher for each cipher role, chosen from the ciphers supported by both Cloud VPN and your peer VPN gateway. Do not provide a list of ciphers for a cipher role. This ensures that both sides of your Cloud VPN tunnel select the same IKE cipher during every IKE negotiation.
For HA VPN tunnel pairs, configure both HA VPN tunnels on your peer VPN gateway to use the same cipher and IKE Phase 2 lifetime values.
Note: HA VPN topologies that connect VPC networks do not require any cipher configuration. The HA VPN gateways auto-negotiate the cipher consistently no matter which side initiates the connection.
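The following is an added example, not code from Google or from the Cloud VPN documentation. It models the selection rule described above for a single cipher role: the responder picks the first cipher in its own preference order that the initiator offered. The preference orders in the block are constructed for illustration and are not the real Cloud VPN proposal order; the function and constant names are this example's own. It shows why a multi-cipher peer configuration can negotiate a different cipher depending on who initiates, and why a single shared cipher is stable.

```python
# Added example (not Google's code): a model of the IKE cipher-selection rule
# the text describes, for one cipher role (for example, Phase 1 encryption).
# The proposal orders are CONSTRUCTED for illustration; they are not the real
# Cloud VPN proposal order, which is in the supported IKE ciphers table.
from typing import Sequence, Tuple

# Hypothetical Cloud VPN preference order for one cipher role.
CLOUD_VPN_ORDER: Tuple[str, ...] = (
    "AES-GCM-16-256",
    "AES-GCM-16-128",
    "AES-CBC-256",
    "AES-CBC-128",
)


class NegotiationError(Exception):
    """Raised when initiator and responder share no cipher for the role."""


def select_cipher(responder_order: Sequence[str],
                  initiator_proposal: Sequence[str]) -> str:
    """Responder picks the first cipher in ITS OWN order that the initiator
    offered. The text attributes this rule to Cloud VPN when it responds;
    the peer gateway is modelled the same way."""
    offered = set(initiator_proposal)
    for cipher in responder_order:
        if cipher in offered:
            return cipher
    raise NegotiationError(
        "no common cipher; initiator offered: " + ", ".join(initiator_proposal))


def negotiate_both_directions(peer_order: Sequence[str]) -> Tuple[str, str]:
    """Return (cipher chosen when Cloud VPN initiates,
               cipher chosen when the peer initiates)."""
    # Cloud VPN initiates: it sends CLOUD_VPN_ORDER and the peer selects.
    when_cloud_initiates = select_cipher(peer_order, CLOUD_VPN_ORDER)
    # Peer initiates: it sends peer_order and Cloud VPN selects.
    when_peer_initiates = select_cipher(CLOUD_VPN_ORDER, peer_order)
    return when_cloud_initiates, when_peer_initiates


def is_stable(peer_order: Sequence[str]) -> bool:
    """True if the same cipher wins regardless of which side initiates, and
    therefore also across SA rekeys, where the initiator may flip."""
    first, second = negotiate_both_directions(peer_order)
    return first == second


def check_peer_config(peer_order: Sequence[str]) -> Tuple[bool, str]:
    """Best-practice check from the text: exactly one cipher for the role,
    and one that Cloud VPN also supports."""
    if len(peer_order) != 1:
        return False, ("peer proposes %d ciphers for this role; configure "
                       "exactly one" % len(peer_order))
    if peer_order[0] not in CLOUD_VPN_ORDER:
        return False, "%s is not in the Cloud VPN supported set" % peer_order[0]
    return True, "ok: %s is selected in both directions" % peer_order[0]


if __name__ == "__main__":
    # A peer that lists several ciphers in a different preference order.
    multi = ("AES-CBC-128", "AES-CBC-256", "AES-GCM-16-256")
    print("multi-cipher peer:", negotiate_both_directions(multi),
          "stable" if is_stable(multi) else "UNSTABLE")
    # The recommended configuration: one cipher that both sides support.
    single = ("AES-GCM-16-256",)
    print("single-cipher peer:", negotiate_both_directions(single),
          "stable" if is_stable(single) else "UNSTABLE")
    print(check_peer_config(multi))
    print(check_peer_config(single))
```

With the constructed orders, the multi-cipher peer negotiates AES-CBC-128 when Cloud VPN initiates but AES-GCM-16-256 when the peer initiates, so a rekey can silently change the tunnel's performance and MTU characteristics. Real IKE negotiations cover several roles at once (encryption, integrity, PRF, DH group); apply the same one-cipher rule to each of them, and run the same check for the Phase 2 (Child SA) proposals of both tunnels in an HA VPN pair.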

Security

Set up firewall rules for your VPN gateways

Create secure firewall rules for traffic that travels over Cloud VPN. For more information, see the .

Use strong pre-shared keys

Google recommends using strong pre-shared keys for your Cloud VPN tunnels.
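The following is an added example, not code from Google or from the Cloud VPN documentation. It generates a pre-shared key from the operating system's CSPRNG and vets a candidate key before it is handed to a tunnel. The minimum length, the distinct-character threshold and the list of known-weak values are this example's own assumptions, not limits taken from the Cloud VPN documentation.

```python
# Added example (not Google's code): generate an IKE pre-shared key from the
# OS CSPRNG and reject weak candidates before they reach a VPN tunnel.
# The thresholds below are this example's own assumptions, not limits taken
# from the Cloud VPN documentation.
import base64
import secrets
from typing import List

MIN_LENGTH = 32           # assumption: at least 32 printable characters
RANDOM_BYTES = 24         # 24 random bytes = 192 bits = exactly 32 base64 chars
MIN_DISTINCT_CHARS = 12   # assumption: rejects "aaaa..." style keys

# Constructed list of substrings that should never appear in a PSK.
KNOWN_WEAK = {"password", "secret", "vpnkey", "presharedkey", "changeme",
              "12345678"}


def generate_psk(nbytes: int = RANDOM_BYTES) -> str:
    """Return a key built from secrets.token_bytes (CSPRNG) and base64-encoded,
    so it is printable ASCII with no whitespace. 24 bytes encode to exactly
    32 characters with no '=' padding."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def weaknesses(psk: str) -> List[str]:
    """Return the reasons a key is weak; an empty list means it passes."""
    problems = []
    if len(psk) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if (not psk.isascii() or not psk.isprintable()
            or any(c.isspace() for c in psk)):
        problems.append("contains non-ASCII, non-printable or whitespace "
                        "characters")
    if len(set(psk)) < MIN_DISTINCT_CHARS:
        problems.append("fewer than %d distinct characters" % MIN_DISTINCT_CHARS)
    lowered = psk.lower()
    if any(weak in lowered for weak in KNOWN_WEAK):
        problems.append("contains a well-known weak value")
    return problems


def is_strong(psk: str) -> bool:
    """True when the key passes every check in weaknesses()."""
    return not weaknesses(psk)


if __name__ == "__main__":
    key = generate_psk()
    print("generated:", key, "->", "ok" if is_strong(key) else weaknesses(key))
    # Constructed bad inputs: a dictionary word, a repeated character, and a
    # human-chosen phrase that is both short and built on a weak word.
    for bad in ("password1", "a" * 40, "MyVpnSecret2024!"):
        print(repr(bad), "->", weaknesses(bad))
```

The generated value is what you would pass as the shared secret when creating the tunnel (for example, the --shared-secret flag of gcloud compute vpn-tunnels create). Use a separate key for each tunnel, store keys in a secret manager rather than in scripts or tickets, and check your peer vendor's accepted character set before relying on base64 output; that the base64 alphabet is accepted by the peer is an assumption of this example.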

Restrict IP addresses for your peer VPN gateways

By restricting which IP addresses can be specified for a peer VPN gateway, you can prevent unauthorized VPN tunnels from being created.
For more information, see .

Configure the strongest cipher on your peer VPN gateway

When configuring your peer VPN gateway, choose the strongest cipher for each cipher role that is supported by both your peer VPN gateway and Cloud VPN.
The listed proposal order for Cloud VPN is not ordered by strength.
For a list of supported IKE ciphers, see .



