
Connecting Networks with Google Cloud VPN Using Cloud Router (Dynamic Routes)

Hands-On Lab


Matthew Ulasien

Team Lead Google Cloud in Content

Length

01:00:00

Difficulty

Intermediate

In this lab, we will connect two different VPC networks using the Cloud VPN service, which will be configured with dynamic routes using the Cloud Router service.

What are Hands-On Labs?

Hands-On Labs are scenario-based learning environments where learners can practice without consequences. Don't compromise a system or waste money on expensive downloads. Practice real-world skills without the real-world risk, no assembly required.

In this lab, we will be presented with two separate custom mode VPC networks, each with a single subnet and an instance in it. We will connect the VPCs together using the Cloud VPN service, using dynamic routes in conjunction with the Cloud Router service. From a broad perspective, the main steps are as follows:

  • Create a static IP address for each VPN gateway (region-specific)
  • Enable global dynamic routing on each VPC network
  • Create a Cloud Router for each VPC network
  • Create our VPN gateways
  • Create a tunnel from our first VPN gateway to the second using dynamic routing with Cloud Router
    • Includes setting up BGP connection information
  • Create another tunnel from our second VPN gateway to the first using dynamic routing with Cloud Router
    • Includes setting up BGP connection information
  • Test for success by pinging the internal IP address of one instance from another instance.

Let's get started!

First, we need to create a static IP address for each VPN gateway. To do so:

  • From the top left menu, go to VPC Network - External IP addresses
  • Click the RESERVE STATIC ADDRESS button.
  • For name, input gateway-address-1.
  • Set region to us-central1
  • Leave all other defaults as they are, and click Reserve.
  • Click RESERVE STATIC ADDRESS to reserve a second address
  • Name the address gateway-address-2, place it in the us-east1 region, then click Reserve. IMPORTANT - copy/paste both addresses down somewhere, as you will need to refer to them.

Next, we need to enable global dynamic routing on each VPC network. This is necessary to allow a single Cloud Router to dynamically route traffic to all regions in the VPC network:

  • Go to the VPC networks menu
  • Click on 'network-1'
  • Click 'EDIT'
  • Under 'Dynamic routing mode', switch to 'Global'
  • Click Save
  • Do the exact same actions above for 'network-2'

Next, we will create a Cloud Router for each VPC network. For the 'network-1' network:

  • From the top left menu, select Hybrid Connectivity - Cloud Routers
  • Click Create Router
  • Name the router router-1
  • In the Network dropdown menu, select 'network-1'
  • In the Region dropdown menu, select 'us-central1'
  • In the Google ASN field, enter 65000
  • Click Create

Let's now create the second router for our 'network-2' network:

  • Click Create Router
  • Name the router router-2
  • In the Network dropdown menu, select 'network-2'
  • In the Region dropdown menu, select 'us-east1'
  • In the Google ASN field, enter 65001
  • Click Create

Next, we will create our first VPN gateway and tunnel.

  • From the top left menu, select Hybrid Connectivity - VPN
  • Click Create VPN Connection
  • Name the VPN Gateway vpn-gateway-1.
  • Select the network-1 network.
  • Select the us-central1 region.
  • Under IP address, choose the gateway-address-1 address we created earlier.
  • Scroll down further and proceed to the next steps.

Next, we will create the tunnel to our second VPN gateway (it is OK that we have not created it yet).

  • In the Tunnels menu, name your tunnel vpn-tunnel-1.
  • Under Remote peer IP address, enter the static IP address (gateway-address-2) we reserved earlier for vpn-gateway-2.
  • Under Shared secret, choose a strong secret and be sure to write it down somewhere, as we will need it again when creating the second tunnel.
  • Alternatively, click the Generate button to generate a secret; be sure to copy/paste it for reference later.
  • Under Routing options, select the 'Dynamic (BGP)' tab.
  • In the 'Cloud router' dropdown menu, select 'router-1'
  • In the 'BGP session' field, click the pencil icon to the right of the field. Here, we will configure our BGP session:
    • In 'Name', enter bgp-1
    • In 'Peer ASN', enter the ASN of the other Cloud Router, which is 65001
    • In 'Cloud Router BGP IP', enter 169.254.0.1
    • In 'BGP peer IP', enter 169.254.0.2
    • Click 'Save and Continue'
  • Click Done
  • Click the blue Create button to confirm creation of your first VPN gateway and tunnel.

Now that we have our first VPN gateway and tunnel for network-1, we next need to create our second VPN gateway and tunnel for network-2 to connect back to the network-1 VPN gateway. The steps will be very similar to above.

  • Back at the main VPN menu, click CREATE to create our second VPN gateway and tunnel.
  • Name the gateway vpn-gateway-2.
  • Choose network-2 from the Network menu.
  • Set region to us-east1.
  • Select our gateway-address-2 IP address. Scroll down to the Tunnels options.
  • Name the tunnel vpn-tunnel-2.
  • Under Remote peer IP address, enter the vpn-gateway-1 IP address from earlier.
  • Enter the same shared secret you created earlier.
  • Under Routing options, select the 'Dynamic (BGP)' tab.
  • In the 'Cloud router' dropdown menu, select 'router-2'
  • In the 'BGP session' field, click the pencil icon to the right of the field. Here, we will configure our BGP session:
    • In 'Name', enter bgp-2
    • In 'Peer ASN', enter the ASN of the other Cloud Router, which is 65000
    • In 'Cloud Router BGP IP', enter 169.254.0.2
    • In 'BGP peer IP', enter 169.254.0.1
    • Click 'Save and Continue'
  • Click Done, then click Create.

If we did it correctly, both VPN gateways will establish a connection after a few minutes. We can check the status by clicking on the 'Google VPN Tunnels' tab under the main VPN menu (you might need to manually refresh). If the 'VPN tunnel status' column shows a green check mark that says 'Established', the tunnels are up and we are successful!

Finally, let's test for internal network connectivity.

  • Under Compute Engine, SSH into the 'instance-1' instance by clicking the SSH button.
  • Attempt to ping 'instance-2' over its internal IP address by typing ping <internal-ip>.
  • If you receive a response back, you have successfully established a private network connection between two separate VPC networks!
  • To verify, SSH into 'instance-2' and ping 'instance-1' by its internal IP address.
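The same build, driven from the command line instead of the console, as an added example that is not part of the lab and not Google's own tooling. It uses the lab's names (network-1/network-2, router-1/router-2, vpn-gateway-1/vpn-gateway-2, vpn-tunnel-1/vpn-tunnel-2, bgp-1/bgp-2, ASNs 65000/65001, BGP IPs 169.254.0.1/169.254.0.2) and assumes Classic VPN, which is what the console flow above creates. The forwarding-rule names, the Cloud Router interface names (if-bgp-1/if-bgp-2) and the TEST-NET addresses used in dry-run mode are my own assumptions; the console creates the ESP/UDP 500/UDP 4500 forwarding rules implicitly, while gcloud needs them spelled out. The script also assumes the lab environment already allows ICMP between the two subnets, since the lab never creates a firewall rule. The shared secret is taken from an environment variable rather than typed inline; note that it still appears in the gcloud argument list, so run this from a script rather than an interactive shell whose history is kept.

```shell
#!/bin/sh
# Added example (not from the lab): the lab's console steps as gcloud commands.
# Assumes Classic VPN and the lab's resource names; firewall rules for ICMP
# between the subnets are assumed to exist already (the lab creates none).
# DRY_RUN=1 prints each gcloud command instead of executing it.
set -eu

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: one regional static address per VPN gateway.
reserve_address() {            # NAME REGION
  run gcloud compute addresses create "$1" --region="$2"
}
lookup_address() {             # NAME REGION -> prints the reserved IP
  gcloud compute addresses describe "$1" --region="$2" --format='value(address)'
}

# Steps 2-6 for one side: global routing mode, Cloud Router, gateway,
# forwarding rules (implicit in the console, explicit here), tunnel, BGP.
configure_side() {
  side=$1 net=$2 region=$3 local_asn=$4 peer_asn=$5
  local_bgp=$6 peer_bgp=$7 local_addr=$8 peer_addr=$9 secret=${10}
  run gcloud compute networks update "$net" --bgp-routing-mode=global
  run gcloud compute routers create "router-$side" --network="$net" \
      --region="$region" --asn="$local_asn"
  run gcloud compute target-vpn-gateways create "vpn-gateway-$side" \
      --network="$net" --region="$region"
  run gcloud compute forwarding-rules create "vpn-gateway-$side-esp" \
      --region="$region" --ip-protocol=ESP --address="$local_addr" \
      --target-vpn-gateway="vpn-gateway-$side"
  for port in 500 4500; do
    run gcloud compute forwarding-rules create "vpn-gateway-$side-udp$port" \
        --region="$region" --ip-protocol=UDP --ports="$port" \
        --address="$local_addr" --target-vpn-gateway="vpn-gateway-$side"
  done
  run gcloud compute vpn-tunnels create "vpn-tunnel-$side" --region="$region" \
      --peer-address="$peer_addr" --shared-secret="$secret" --ike-version=2 \
      --target-vpn-gateway="vpn-gateway-$side" --router="router-$side"
  # BGP session: this router's link-local IP on the tunnel interface,
  # the other router's IP and ASN as the peer (mirrors the console pencil icon).
  run gcloud compute routers add-interface "router-$side" --region="$region" \
      --interface-name="if-bgp-$side" --vpn-tunnel="vpn-tunnel-$side" \
      --ip-address="$local_bgp" --mask-length=30
  run gcloud compute routers add-bgp-peer "router-$side" --region="$region" \
      --peer-name="bgp-$side" --interface="if-bgp-$side" \
      --peer-ip-address="$peer_bgp" --peer-asn="$peer_asn"
}

# Step 7: the console's 'Established' check, polled for up to five minutes;
# on success also shows the learned BGP routes so you can see the remote subnet.
wait_established() {           # TUNNEL ROUTER REGION
  i=0
  while [ "$i" -lt 30 ]; do
    st=$(gcloud compute vpn-tunnels describe "$1" --region="$3" --format='value(status)')
    [ "$st" = "ESTABLISHED" ] && { gcloud compute routers get-status "$2" --region="$3"; return 0; }
    i=$((i + 1)); sleep 10
  done
  echo "tunnel $1 not ESTABLISHED after 5 minutes (last status: $st)" >&2
  return 1
}

main() {
  # Keep the IKE pre-shared key out of the command you type; generate it with
  # something like: openssl rand -base64 32
  secret=${VPN_SHARED_SECRET:?export VPN_SHARED_SECRET before running}
  reserve_address gateway-address-1 us-central1
  reserve_address gateway-address-2 us-east1
  if [ "${DRY_RUN:-0}" = "1" ]; then
    addr1=198.51.100.10 addr2=203.0.113.10   # constructed TEST-NET placeholders
  else
    addr1=$(lookup_address gateway-address-1 us-central1)
    addr2=$(lookup_address gateway-address-2 us-east1)
  fi
  #            side net       region      asn   peer  local-bgp   peer-bgp    local     peer      secret
  configure_side 1 network-1 us-central1 65000 65001 169.254.0.1 169.254.0.2 "$addr1" "$addr2" "$secret"
  configure_side 2 network-2 us-east1    65001 65000 169.254.0.2 169.254.0.1 "$addr2" "$addr1" "$secret"
  [ "${DRY_RUN:-0}" = "1" ] || wait_established vpn-tunnel-1 router-1 us-central1
}

# Run: RUN_MAIN=1 DRY_RUN=1 VPN_SHARED_SECRET=... sh vpn-lab.sh   (drop DRY_RUN to apply)
if [ "${RUN_MAIN:-0}" = "1" ]; then main; fi
```

Run it once with DRY_RUN=1 and read the printed commands: each side should show its own ASN on the router and the other side's ASN on the peer, and the two BGP IPs swapped, exactly as in the two console forms above. The ping test from the instances is unchanged; if the tunnel reports ESTABLISHED but ping fails, check the router status output for the peer subnet and then the firewall rules, since BGP only advertises the route and does not open the traffic.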

This concludes the lab.