Creating a route based Cloud VPN in GCP

Hello everyone. In this blog post we are going to look at the Google Cloud VPN offering and also learn how to set up a Classic VPN to connect two Compute Engine instances placed in different VPC networks.

What is Cloud VPN?

Cloud VPN securely extends your peer network to Google's network through an IPsec VPN tunnel. Traffic is encrypted and travels between the two networks over the public internet. Cloud VPN is useful for low-volume data connections. You can also connect two instances of Cloud VPN to each other.

Types of Cloud VPN

Google Cloud offers two types of Cloud VPN gateways: HA VPN and Classic VPN. However, Classic VPN is deprecating certain functionality on October 31, 2021.

HA VPN

HA VPN is a high-availability (HA) Cloud VPN solution that lets you securely connect your on-premises network to your VPC network through an IPsec VPN connection in a single region. HA VPN provides an SLA of 99.99% service availability.

When you create an HA VPN gateway, Google Cloud automatically chooses two external IP addresses, one for each of its fixed number of two interfaces. Each IP address is automatically chosen from a unique address pool to support high availability. Each of the HA VPN gateway interfaces supports multiple tunnels.

Classic VPN

Classic VPN gateways have a single interface, a single external IP address, and support tunnels that use dynamic (BGP) or static routing (policy-based or route-based). They provide an SLA of 99.9% service availability.

Setting up a Classic VPN

Let us implement the scenario shown below.

[Figure: classic_vpn_gcp_v1.png, the target topology]

I will be using gcloud commands to create the infrastructure as shown above.

Create first GCP project

gcloud projects create gcp-project-12s1

Create second GCP project

gcloud projects create gcp-project-12s2

To find out your active billing account, use this command

gcloud beta billing accounts list --filter=open=true

Link the billing account to newly created projects

gcloud beta billing projects link gcp-project-12s1 --billing-account=0X0X0X-0X0X0X-0X0X0X

gcloud beta billing projects link gcp-project-12s2 --billing-account=0X0X0X-0X0X0X-0X0X0X

Create a VPC network in first GCP project with a subnet 10.5.1.0/24 in us-central1

gcloud compute networks create vpc-network-1 --project=gcp-project-12s1 --subnet-mode=custom --mtu=1460 --bgp-routing-mode=regional

gcloud compute networks subnets create subnet-a --project=gcp-project-12s1 --range=10.5.1.0/24 --network=vpc-network-1 --region=us-central1

Create a VPC network in second GCP project with a subnet 10.6.1.0/24 in europe-central2

gcloud compute networks create vpc-network-2 --project=gcp-project-12s2 --subnet-mode=custom --mtu=1460 --bgp-routing-mode=regional

gcloud compute networks subnets create subnet-b --project=gcp-project-12s2 --range=10.6.1.0/24 --network=vpc-network-2 --region=europe-central2

Create basic firewall rules

We will create firewall rules in both VPCs that allow incoming ICMP and SSH (TCP port 22) traffic. The rules below accept these from any source (0.0.0.0/0), which is fine for this demo; in a real deployment restrict --source-ranges to the networks that actually need access.

gcloud compute firewall-rules create network-1-allow-icmp --direction=INGRESS --priority=1000 --network=vpc-network-1 --action=ALLOW --rules=icmp --source-ranges=0.0.0.0/0 --project=gcp-project-12s1

gcloud compute firewall-rules create network-1-allow-ssh --direction=INGRESS --priority=1000 --network=vpc-network-1 --action=ALLOW --rules=tcp:22 --source-ranges=0.0.0.0/0 --project=gcp-project-12s1

gcloud compute firewall-rules create network-2-allow-icmp --direction=INGRESS --priority=1000 --network=vpc-network-2 --action=ALLOW --rules=icmp --source-ranges=0.0.0.0/0 --project=gcp-project-12s2

gcloud compute firewall-rules create network-2-allow-ssh --direction=INGRESS --priority=1000 --network=vpc-network-2 --action=ALLOW --rules=tcp:22 --source-ranges=0.0.0.0/0 --project=gcp-project-12s2

Create compute instances

Create VM server-1 in subnet-a

gcloud beta compute instances create server-1 --zone=us-central1-a --machine-type=e2-micro --subnet=subnet-a --network-tier=PREMIUM --maintenance-policy=MIGRATE --image=debian-10-buster-v20210817 --image-project=debian-cloud --boot-disk-size=10GB --boot-disk-type=pd-balanced --boot-disk-device-name=server-1 --project=gcp-project-12s1

Create VM server-2 in subnet-b

gcloud beta compute instances create server-2 --zone=europe-central2-a --machine-type=e2-micro --subnet=subnet-b --network-tier=PREMIUM --maintenance-policy=MIGRATE --image=debian-10-buster-v20210817 --image-project=debian-cloud --boot-disk-size=10GB --boot-disk-type=pd-balanced --boot-disk-device-name=server-2 --project=gcp-project-12s2

Log in to the Google Cloud console and you should see the VMs up and running, each with an internal IP assigned to it.

[Screenshot: server-1 in the Cloud console]

[Screenshot: server-2 in the Cloud console]

Now we will attempt to do a ping test from server-1 to server-2 and vice versa.

[Screenshot: ping from server-1 to server-2, 100% packet loss]

[Screenshot: ping from server-2 to server-1, 100% packet loss]

As the results above show, there is 100% packet loss because the two VPC networks cannot reach each other.

To make them communicate, we need a regional static external IP address on each side, which will be bound to that side's VPN gateway.

So let's create a static IP address in each project

gcloud compute addresses create vpn-1-static-ip --project=gcp-project-12s1 --region=us-central1

gcloud compute addresses create vpn-2-static-ip --project=gcp-project-12s2 --region=europe-central2

[Screenshot: reserved static IP in gcp-project-12s1]

[Screenshot: reserved static IP in gcp-project-12s2]

The static IPs are now reserved but not yet in use.

So now let's create a VPN gateway and a VPN tunnel for vpc-network-1

# Create the classic VPN gateway
gcloud compute target-vpn-gateways create vpn-1 --project=gcp-project-12s1 --region=us-central1 --network=vpc-network-1

# Create the forwarding rules. All three (ESP, UDP 500 and UDP 4500) must be bound to the
# same static IP reserved above (vpn-1-static-ip, here 35.225.21.155): the peer sends both
# IKE and ESP traffic to that single address, so an ESP rule on a different IP would never match.
gcloud compute forwarding-rules create vpn-1-rule-esp --project=gcp-project-12s1 --region=us-central1 --address=35.225.21.155 --ip-protocol=ESP --target-vpn-gateway=vpn-1

gcloud compute forwarding-rules create vpn-1-rule-udp500 --project=gcp-project-12s1 --region=us-central1 --address=35.225.21.155 --ip-protocol=UDP --ports=500 --target-vpn-gateway=vpn-1

gcloud compute forwarding-rules create vpn-1-rule-udp4500 --project=gcp-project-12s1 --region=us-central1 --address=35.225.21.155 --ip-protocol=UDP --ports=4500 --target-vpn-gateway=vpn-1

# Create a VPN tunnel to the peer gateway at 34.118.8.129 (the static IP of vpn-2).
# The 0.0.0.0/0 traffic selectors make this a route-based tunnel. The shared secret is a demo
# value; use a long random pre-shared key (identical on both sides) in real deployments.
gcloud compute vpn-tunnels create tunnel1to2 --project=gcp-project-12s1 --region=us-central1 --peer-address=34.118.8.129 --shared-secret=gcprocks --ike-version=2 --local-traffic-selector=0.0.0.0/0 --remote-traffic-selector=0.0.0.0/0 --target-vpn-gateway=vpn-1

# Create a route sending traffic for subnet-b (10.6.1.0/24) from server-1 through the tunnel
gcloud compute routes create tunnel1to2-route-1 --project=gcp-project-12s1 --network=vpc-network-1 --priority=1000 --destination-range=10.6.1.0/24 --next-hop-vpn-tunnel=tunnel1to2 --next-hop-vpn-tunnel-region=us-central1

Similarly, let's create a VPN gateway and a VPN tunnel for vpc-network-2

# Create the classic VPN gateway
gcloud compute target-vpn-gateways create vpn-2 --project=gcp-project-12s2 --region=europe-central2 --network=vpc-network-2

# Create the forwarding rules, all bound to vpn-2-static-ip (here 34.118.8.129)
gcloud compute forwarding-rules create vpn-2-rule-esp --project=gcp-project-12s2 --region=europe-central2 --address=34.118.8.129 --ip-protocol=ESP --target-vpn-gateway=vpn-2

gcloud compute forwarding-rules create vpn-2-rule-udp500 --project=gcp-project-12s2 --region=europe-central2 --address=34.118.8.129 --ip-protocol=UDP --ports=500 --target-vpn-gateway=vpn-2

gcloud compute forwarding-rules create vpn-2-rule-udp4500 --project=gcp-project-12s2 --region=europe-central2 --address=34.118.8.129 --ip-protocol=UDP --ports=4500 --target-vpn-gateway=vpn-2

# Create a VPN tunnel to the peer gateway at 35.225.21.155 (the static IP of vpn-1),
# using the same shared secret as tunnel1to2
gcloud compute vpn-tunnels create tunnel2to1 --project=gcp-project-12s2 --region=europe-central2 --peer-address=35.225.21.155 --shared-secret=gcprocks --ike-version=2 --local-traffic-selector=0.0.0.0/0 --remote-traffic-selector=0.0.0.0/0 --target-vpn-gateway=vpn-2

# Create a route sending traffic for subnet-a (10.5.1.0/24) from server-2 through the tunnel
gcloud compute routes create tunnel2to1-route-1 --project=gcp-project-12s2 --network=vpc-network-2 --priority=1000 --destination-range=10.5.1.0/24 --next-hop-vpn-tunnel=tunnel2to1 --next-hop-vpn-tunnel-region=europe-central2
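Before moving on to the ping test it is worth checking the wiring that most often breaks a classic VPN: every forwarding rule of a gateway must be bound to the same static IP, the ESP, UDP/500 and UDP/4500 rules must all exist, and the other side's tunnel must peer with exactly that IP. The script below is an added example, not code from the original post; its sample inputs are constructed in the shape of `gcloud compute forwarding-rules list --format="value(name,IPAddress,IPProtocol,portRange)"` output and reuse the gateway names and addresses from the post.

```shell
# Added example (not from the post): sanity-check a classic VPN gateway's
# forwarding rules and the peer tunnel before testing connectivity.
# Sample data below is CONSTRUCTED in the output shape of:
#   gcloud compute forwarding-rules list --filter="target:vpn-2" \
#     --format="value(name,IPAddress,IPProtocol,portRange)"
# In live use, pipe that command's output into check_gateway_rules instead.

# Reads "name ip protocol portRange" lines from stdin. Succeeds and prints the
# gateway IP only if every rule shares one IP and ESP, UDP/500 and UDP/4500 are
# all present (gcloud reports a single port as a range such as 500-500).
check_gateway_rules() {
  local ip="" name addr proto ports
  local have_esp=0 have_500=0 have_4500=0
  while read -r name addr proto ports; do
    [ -z "$name" ] && continue
    if [ -z "$ip" ]; then
      ip="$addr"
    elif [ "$addr" != "$ip" ]; then
      echo "rule $name uses $addr but the gateway IP is $ip" >&2
      return 1
    fi
    case "$proto:$ports" in
      ESP:*)                  have_esp=1 ;;
      UDP:500|UDP:500-500)    have_500=1 ;;
      UDP:4500|UDP:4500-4500) have_4500=1 ;;
    esac
  done
  if [ "$have_esp$have_500$have_4500" = "111" ]; then
    echo "$ip"
    return 0
  fi
  echo "incomplete rule set: esp=$have_esp udp500=$have_500 udp4500=$have_4500" >&2
  return 1
}

# A tunnel's peerIp (vpn-tunnels describe ... --format="value(peerIp)") must be
# exactly the IP the remote gateway's rules share, or IKE never reaches the peer.
check_tunnel_peer() {  # usage: check_tunnel_peer <tunnel peerIp> <remote gateway IP>
  [ -n "$1" ] && [ "$1" = "$2" ]
}

# Constructed sample: the post's vpn-2 rules, all bound to one static IP.
VPN2_RULES="vpn-2-rule-esp 34.118.8.129 ESP
vpn-2-rule-udp500 34.118.8.129 UDP 500-500
vpn-2-rule-udp4500 34.118.8.129 UDP 4500-4500"
# Constructed sample of a broken gateway: its ESP rule is bound to a different IP.
BAD_RULES="vpn-x-rule-esp 104.198.144.53 ESP
vpn-x-rule-udp500 35.225.21.155 UDP 500-500
vpn-x-rule-udp4500 35.225.21.155 UDP 4500-4500"
```

After sourcing the script, `gw=$(gcloud compute forwarding-rules list --project=gcp-project-12s2 --filter="target:vpn-2" --format="value(name,IPAddress,IPProtocol,portRange)" | check_gateway_rules)` followed by `check_tunnel_peer "$(gcloud compute vpn-tunnels describe tunnel1to2 --project=gcp-project-12s1 --region=us-central1 --format="value(peerIp)")" "$gw"` runs the same checks against the live projects.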

Now we can see the status of both VPN tunnels as Established.

[Screenshots: tunnel1to2 and tunnel2to1 with status Established]

We can now attempt to perform a ping test from server-1 to server-2 and vice versa.

[Screenshots: successful ping from server-1 to server-2 and from server-2 to server-1]

We have now established encrypted connectivity between the two VPC networks over the public internet using the IPsec VPN tunnels.

This completes the tutorial on how to set up a Classic VPN on GCP. The procedure is similar for establishing VPN connectivity from an on-premises network to a Google Cloud network.

These articles are fueled by coffee. So if you enjoy my work and found it useful, consider buying me a coffee! I would really appreciate it.

Thank you for taking the time to read this post. If you've found this useful, please give it some likes, share and comment.

Support Roy Rebello by becoming a sponsor. Any amount is appreciated!