Skip to main content

Connecting Networks with Google Cloud VPN Using Static Routes

Hands-On Lab


Photo of Matthew Ulasien

Matthew Ulasien

Team Lead Google Cloud in Content





Cloud VPN allows you to connecting an on-premises network (or other external network) to a Google Cloud VPC over a secure IPSec connection for secure internal network (RFC1918) access. We will practice using the Cloud VPN service to connect two separate VPC networks to communicate over an internal IP address using static routes.

What are Hands-On Labs?

Hands-On Labs are scenario-based learning environments where learners can practice without consequences. Don't compromise a system or waste money on expensive downloads. Practice real-world skills without the real-world risk, no assembly required.


In this lab, we will be presented with two separate custom mode VPC networks, each with a single subnet and an instance in each one. We will connect the VPC's together using the Cloud VPN service using static routes. From a broad perspective, the main steps are as follows:

  1. Create a static IP address for each VPN gateway (region-specific)
  2. Create our VPN gateways
  3. Create a tunnel from our first VPN gateway to the second.
  4. Create another tunnel from our second VPN gateway to the first.
  5. Test for success by pinging the internal IP address of one instance from another instance.

Let's get started!

First, we need to create a static IP address for each VPN gateway. To do so:

  1. From the top left menu, go to VPC Network - External IP addresses
  2. Click the RESERVE STATIC ADDRESS button.
  3. For name, input "gateway-1".
  4. Set region to us-central-1
  5. Leave all other defaults, as is, and click Reserve.
  6. Click RESERVE STATIC ADDRESS to reserve a second address
  7. Name the address "gateway-2", and place it in the us-east-1 region, then click Reserve. IMPORTANT - copy/paste both addresses down somewhere, as you will need to refer to them.

Next, we will create our first VPN gateway and tunnel

  1. From the top left menu, select Hybrid Connectivity - VPN
  2. Click Create VPN Connection
  3. Name the VPN Gateway 'vpn-gateway-1'.
  4. Select the network-1 network.
  5. Select the us-central-1 region.
  6. Under IP address, choose the gateway-1 address we created earlier.
  7. Scroll down further and proceed to the next steps.

Next, we will create the tunnel to our second VPN gateway (it is OK that we have not created it yet).

  1. In the Tunnels menu, name your tunnel 'vpn-tunnel-1'.
  2. Under Remote peer ip address, enter the static IP address we reserved for 'gateway-2', earlier.
  3. Under shared secret, choose a secure password, be sure to write it down somewhere as we will need it later.
    • alternatively, you can click the Generate button to generate a secret, be sure to copy/paste it for reference later.
  4. Under Routing options, select the Route-based tab.
  5. Under Remote network IP ranges, enter the subnet range for subnet-b in network-2 (
  6. Click Done
  7. Click the blue Create button to confirm creation of your first VPN gateway and tunnel.

Now that we have our first VPN gateway and tunnel for network-1, we next need to create our second VPN gateway and tunnel for network-2 to connect back to the network-1 VPN gateway. The steps will be very similar to above.

  1. Back at the main VPN menu, click CREATE to create our second VPN gateway and tunnel.
  2. Name the gateway 'vpn-tunnel-2'.
  3. Choose network-2 from the Network menu.
  4. Set region to us-east1.
  5. Select our 'gateway-2' IP address. Scroll down to the Tunnels options.
  6. Name the tunnel 'vpn-tunnel-2'.
  7. Under Remote peer IP address, enter the 'gateway-1' IP address from earlier.
  8. Enter the same shared secret your created earlier.
  9. Click the Route-based routing options tab.
  10. Enter the IP range for subnet-a in network-1 under 'Remote network IP ranges' (
  11. Click Done, then click Create.

If we did it correctly, both VPN gateways will establish a connection after a few minutes. We can check the status by clicking on the 'Google VPN Tunnels tab under the main VPN menu (you might need to manually refresh). If you have a green check mark that says 'Established' under the 'VPN tunnel status' column, then we are successful!

Finally, let's test for internal network connectivity.

  1. Under Compute Engine, SSH into the 'server-1' instance by clicking the SSH button.
  2. Attempt to ping 'server-2' over its internal IP address by typing ping <internal-ip>.
  3. If you receive a response back, you have successfully established a private network connection between two separate VPC networks! 4 To verify, SSH into 'server-2' and ping 'server-1' by it's internal IP address.

This concludes the lab.