This page describes supported Virtual Private Cloud (VPC) networks and routing options.
For definitions of terms used on this page, see Key terms.

Supported networks

Cloud VPN supports custom mode VPC networks, auto mode VPC networks, and legacy networks. However, you should consider the following best practices:
Routing options for VPN tunnels

Classic VPN supports both dynamic and static routing for VPN tunnels; HA VPN requires dynamic routing. Dynamic routing uses the Border Gateway Protocol (BGP).

Dynamic (BGP) routing

Dynamic routing uses a Cloud Router to manage the exchange of routes automatically over BGP. A BGP interface on a Cloud Router in the same region as the corresponding Cloud VPN tunnel handles this exchange. The Cloud Router adds and removes routes as the peer advertises or withdraws them, without requiring that the tunnel be deleted and re-created.

The dynamic routing mode of your VPC network controls the behavior of all of its Cloud Routers. In the inbound direction, this mode determines whether routes learned from your peer network are applied only to Google Cloud resources in the same region as the VPN tunnel or to resources in all regions. You control which routes your peer router or gateway advertises. In the outbound direction, the dynamic routing mode determines whether subnet routes from only the tunnel's region or from all regions are advertised to your peer router or gateway. In addition to these subnet routes, you can configure custom route advertisements on a Cloud Router.

Static routing

Classic VPN tunnels support policy-based and route-based static routing options. Consider a static routing option only if you cannot use dynamic (BGP) routing or HA VPN.
You can find more information about these two static routing options in the next section.

Traffic selectors

A traffic selector defines the set of IP address ranges (CIDR blocks) that a VPN tunnel carries. These ranges are exchanged as part of the IKE negotiation for the tunnel. Some literature refers to traffic selectors as encryption domains. There are two types of traffic selectors: the local traffic selector, which covers the ranges on the Cloud VPN side of the tunnel, and the remote traffic selector, which covers the ranges on the peer side.
Traffic selectors are an intrinsic part of a VPN tunnel, because they are negotiated during the IKE handshake. If either the local or the remote CIDRs need to change, the Cloud VPN tunnel and its peer counterpart must be destroyed and re-created.

Routing options and traffic selectors

The IP ranges (CIDR blocks) in the local and remote traffic selectors depend on the routing option used by the Cloud VPN tunnel.
Policy-based tunnels and traffic selectors

This section describes special considerations for traffic selectors when you create policy-based Classic VPN tunnels. It does not apply to any other type of Classic VPN tunnel or to HA VPN tunnels. You can choose to specify the local traffic selector of a policy-based Cloud VPN tunnel when you create it:
Specify the remote traffic selector of a policy-based Cloud VPN tunnel when you create it. If you use the Google Cloud console to create the tunnel, custom static routes whose destinations match the CIDRs of the remote traffic selector are created for you; with other methods, such as gcloud or the API, you create those routes yourself. IKEv1 limits the remote traffic selector to a single CIDR. For instructions, see Create a Classic VPN using static routing.

Important considerations for traffic selectors

Before you create a policy-based Cloud VPN tunnel, consider the following:
For consistent and predictable VPN behavior, do the following:
Multiple CIDRs per traffic selector

When you create a policy-based Classic VPN tunnel with IKEv2, you can specify multiple CIDRs per traffic selector. Cloud VPN always negotiates a single Child Security Association (SA) per tunnel, regardless of IKE version, so all of a selector's CIDRs must be carried by that one SA; this matters if your peer gateway expects one Child SA per CIDR pair. The following table summarizes Cloud VPN support for multiple CIDRs per traffic selector in policy-based VPN tunnels.
Traffic selector strategies

Consider the following strategies if your on-premises VPN gateway creates multiple Child SAs per VPN tunnel, or if multiple CIDRs per traffic selector would cause an IKEv2 proposal to exceed 1460 bytes (for details, see Routing options and traffic selectors):
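As an added example, not Google's code and not part of this page, the following Python planner turns the constraints above into a concrete tunnel layout: it rejects selectors that break the IKEv1 single-remote-CIDR rule, sizes the IKEv2 Traffic Selector payloads using the layout in RFC 7296 section 3.13, spreads the remote CIDRs across several policy-based tunnels when one tunnel would carry too many, derives the static routes each tunnel needs, and reports whether a selector change forces a tunnel re-create. All resource names, the peer address and the network are placeholders, the sample CIDRs are constructed, and TS_BUDGET (the share of the page's 1460-byte proposal limit reserved for the TSi and TSr payloads) is an assumed planning margin rather than a Google value.

```python
"""Plan policy-based Classic VPN traffic selectors (added example, not Google code).

Rules encoded from the page: IKEv1 allows one CIDR in the remote selector;
multiple CIDRs need IKEv2; an IKEv2 proposal must stay under 1460 bytes;
changed selectors force a tunnel re-create. TS payload sizes follow
RFC 7296 section 3.13. TS_BUDGET is an ASSUMED planning margin.
"""
import ipaddress

TS_BUDGET = 512           # ASSUMED share of the page's 1460-byte limit for TSi + TSr
TS_PAYLOAD_HEADER = 8     # RFC 7296 3.13: generic header (4) + TS count (1) + reserved (3)
TS_IPV4_RANGE = 16        # RFC 7296 3.13.1: type, proto, length, 2 ports, start, end addr


def parse_cidrs(cidrs):
    """Parse selector CIDRs; reject host bits set, non-IPv4 and duplicates."""
    nets = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=True)   # "10.1.2.3/8" is an error
        if net.version != 4:
            raise ValueError(f"only IPv4 selectors are handled here: {cidr}")
        nets.append(net)
    if len(set(nets)) != len(nets):
        raise ValueError("duplicate CIDR in traffic selector")
    return nets


def validate_selectors(local, remote, ike_version):
    """Apply the per-tunnel rules from the page; returns the parsed selectors."""
    if ike_version not in (1, 2):
        raise ValueError("ike_version must be 1 or 2")
    local, remote = parse_cidrs(local), parse_cidrs(remote)
    if not local or not remote:
        raise ValueError("each traffic selector needs at least one CIDR")
    if ike_version == 1 and len(remote) > 1:
        raise ValueError("IKEv1 allows a single CIDR in the remote traffic selector")
    return local, remote


def ts_payload_bytes(n_cidrs):
    """Size of one IKEv2 TS payload carrying n TS_IPV4_ADDR_RANGE selectors."""
    return TS_PAYLOAD_HEADER + TS_IPV4_RANGE * n_cidrs


def max_remote_per_tunnel(n_local):
    """Remote CIDRs that fit beside n_local local CIDRs within TS_BUDGET."""
    left = TS_BUDGET - ts_payload_bytes(n_local) - TS_PAYLOAD_HEADER
    if left < TS_IPV4_RANGE:
        raise ValueError("local selector alone fills the budget; split it instead")
    return left // TS_IPV4_RANGE


def plan_tunnels(name, local, remote, ike_version=2):
    """One entry per tunnel: selectors, TS payload size and the static routes it needs.

    Remote CIDRs are spread over as many tunnels as the budget requires, each
    tunnel carrying the whole local selector; with IKEv1 that is one remote
    CIDR per tunnel. Cloud VPN negotiates one Child SA per tunnel, so a tunnel
    never holds more selectors than that single SA can carry.
    """
    local_nets, remote_nets = parse_cidrs(local), parse_cidrs(remote)
    per_tunnel = 1 if ike_version == 1 else max_remote_per_tunnel(len(local_nets))
    plan = []
    for start in range(0, len(remote_nets), per_tunnel):
        chunk = [str(n) for n in remote_nets[start:start + per_tunnel]]
        validate_selectors(local, chunk, ike_version)
        tunnel = f"{name}-{len(plan)}"
        plan.append({
            "tunnel": tunnel,
            "local": [str(n) for n in local_nets],
            "remote": chunk,
            "ts_bytes": ts_payload_bytes(len(local_nets)) + ts_payload_bytes(len(chunk)),
            # the console creates one static route per remote CIDR; with gcloud
            # or the API you create them yourself, next hop = this tunnel
            "routes": [{"name": f"{tunnel}-route-{i}", "destination": cidr}
                       for i, cidr in enumerate(chunk)],
        })
    return plan


def needs_recreate(old_local, old_remote, new_local, new_remote):
    """Any change to either selector means tearing down both tunnel ends."""
    return (set(parse_cidrs(old_local)) != set(parse_cidrs(new_local)) or
            set(parse_cidrs(old_remote)) != set(parse_cidrs(new_remote)))


def gcloud_commands(plan, region, gateway, peer_ip, network, ike_version=2):
    """Render the gcloud calls for a plan; names are placeholders, secret from env."""
    cmds = []
    for t in plan:
        cmds.append(
            f"gcloud compute vpn-tunnels create {t['tunnel']} --region={region} "
            f"--target-vpn-gateway={gateway} --peer-address={peer_ip} "
            f"--ike-version={ike_version} --shared-secret=\"$SHARED_SECRET\" "
            f"--local-traffic-selector={','.join(t['local'])} "
            f"--remote-traffic-selector={','.join(t['remote'])}")
        for r in t["routes"]:
            cmds.append(
                f"gcloud compute routes create {r['name']} --network={network} "
                f"--destination-range={r['destination']} "
                f"--next-hop-vpn-tunnel={t['tunnel']} --next-hop-vpn-tunnel-region={region}")
    return cmds


if __name__ == "__main__":
    # constructed sample: one local range, forty on-premises /24s, placeholder names
    remote = [f"192.168.{i}.0/24" for i in range(40)]
    plan = plan_tunnels("onprem", ["10.0.0.0/16"], remote)
    for cmd in gcloud_commands(plan, "us-central1", "classic-gw", "203.0.113.10", "prod-vpc"):
        print(cmd)
```

With the assumed 512-byte budget, forty remote /24s beside one local /16 land in two tunnels (thirty and ten CIDRs); under IKEv1 the same input yields one tunnel per remote CIDR, each with its own static route. Raise TS_BUDGET only after checking the actual proposal size your peer emits, since the page's 1460-byte limit applies to the whole proposal, not just the selector payloads.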