How to Create a Google Cloud VPN for Your Google Cloud Platform Console



Your Google Cloud network is composed of an IP address range, routes, firewall rules, a virtual private network (VPN) and a Cloud Router. The VPN protects the traffic you exchange with your peer networks by carrying it through a secure, encrypted tunnel. You can set up a VPN and configure its settings through the following steps, which are taken from the Google Cloud Platform documentation on their website.

Google Cloud VPN

How to Choose Your Google Cloud Platform Network Configuration

The easiest way to set up a VPN is a route-based VPN, in which you configure the VPN tunnel, accept all traffic routed through it, and rely on network routes to send only the correct traffic through the tunnel. It is the easiest way to configure IKE and the most flexible setup if the subnet sizes are subject to change.

How to Create a Gateway and a Tunnel for an Auto Subnet Network

These steps are applicable for the use of the gateway subnet only.

  1. Go to the VPN page in the Google Cloud Platform Console.
  2. Click the ‘Create VPN Connection’ option.
  3. Fill out the following fields for the gateway:

Name – Choose the name of the VPN gateway which will be displayed in the console and used in all gcloud commands to reference the gateway.

Network – This is the GCP network containing the instances the VPN gateway will serve.

Region – This is the region where you want to locate the VPN gateway or the instances you wish to reach.

IP address – Select a pre-existing static external IP address, or create one by clicking New Static IP address in the drop-down menu.


Fill out the following fields for at least one tunnel:

Peer IP address – This is the public IP address of the other VPN gateway.

IKE version – IKEv1 and IKEv2 are both supported, but some peer gateways only support IKEv1.

Shared secret – This is like a password for the gateway: a pre-shared key that the two gateways use when establishing the encryption for that tunnel. Enter one yourself if the console does not generate one automatically.

Remote network IP range – This is the range of the network on the other side of the tunnel from your gateway.

Local subnetworks – This specifies which IP ranges will be routed through the tunnel. Be careful with this field: its value cannot be changed after the tunnel is created, because it is used in the IKE handshake.

  4. Click the ‘Add Tunnel’ option if you want to add more tunnels.
  5. Click ‘Create’ to save all your configurations.
  6. Configure your firewall rules.

How to Create a Gateway and a Tunnel for More Than One Subnet

The same steps as those listed above apply, except when filling out the Local subnetworks field.

If you want the gateway’s entire subnet to be able to use the tunnel, select it in the pull-down menu. If you only want a smaller prefix to use the tunnel, or you only want other ranges to use the tunnel, skip the pull-down menu.

If you want other ranges to be able to use the tunnel, specify those ranges in the Local IP ranges field.


How to Create a Gateway and a Tunnel for a Custom Subnet

When creating a gateway for a custom subnet, the same steps as for a single subnet still apply.


How to Configure Firewall Rules

  1. Go to the VPN page in the Google Cloud Platform Console.
  2. View the VPN tunnels for that project.
  3. Click ‘Configure’ in the Firewall Rules column of the new tunnel. This takes you to a configuration page for the network containing the tunnel.
  4. Click New Firewall Rule. Add a rule for TCP, UDP, and ICMP:

Name: allow-tcp-udp-icmp

Source filter: IP ranges.

Source IP ranges: Remote Network IP Range value from when you created the tunnel. If you have more than one peer network range, enter each one. Press the Tab key between entries.

Allowed protocols or ports: tcp; udp; icmp

Target tags: Any valid tag or tags.

  5. Click ‘Create’.
  6. Create other firewall rules if necessary.
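Because the Local subnetworks value cannot be changed once the tunnel exists, and because the firewall rule above should admit exactly the remote network ranges, it is worth checking the tunnel and firewall values together before typing them into the console. The following script is an added example, not code from the Google documentation; the list of non-routable address space and the sample values in it are constructed for illustration.

```python
import ipaddress
import secrets

# Address space that can never be a peer gateway's public IP (constructed list,
# not from the Google docs): RFC 1918, loopback, link-local, "this" network, multicast.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8", "224.0.0.0/4")]

def generate_shared_secret(nbytes=32):
    """Random pre-shared key for the Shared secret field (hex, 2*nbytes characters)."""
    return secrets.token_hex(nbytes)

def validate_vpn_plan(peer_ip, local_ranges, remote_ranges,
                      firewall_source_ranges, ike_version, shared_secret):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    try:
        peer = ipaddress.ip_address(peer_ip)
        if any(peer in net for net in NON_ROUTABLE):
            problems.append(f"peer IP {peer_ip} is not a public address")
    except ValueError:
        problems.append(f"peer IP {peer_ip!r} is not a valid IP address")

    def parse(label, ranges):
        nets = []
        for r in ranges:
            try:  # strict=True rejects host addresses such as 10.1.2.3/24
                nets.append(ipaddress.ip_network(r, strict=True))
            except ValueError:
                problems.append(f"{label} range {r!r} is not a valid CIDR prefix")
        return nets

    local = parse("local", local_ranges)
    remote = parse("remote", remote_ranges)
    fw = parse("firewall source", firewall_source_ranges)
    # Local subnetworks are fixed at creation (used in the IKE handshake), so catch
    # an overlap with the peer side now rather than after the tunnel exists.
    for l in local:
        for r in remote:
            if l.overlaps(r):
                problems.append(f"local range {l} overlaps remote range {r}")
    # The allow-tcp-udp-icmp rule should admit exactly the remote network IP ranges.
    if set(fw) != set(remote):
        problems.append("firewall source ranges do not match the remote network IP ranges")
    if ike_version not in (1, 2):
        problems.append(f"IKE version must be 1 or 2, got {ike_version!r}")
    if len(shared_secret) < 16:
        problems.append("shared secret is shorter than 16 characters")
    return problems
```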


How to Check the Status of Your Tunnel

  1. Go to the VPN page in the Google Cloud Platform Console.
  2. Look for a check mark next to the Peer IP address field. If one is there, your gateways have negotiated a tunnel. If no mark appears after a few minutes, see Troubleshooting.


