Cloud VPN in GCP Explained: HA VPN, Setup, and Troubleshooting
Cloud VPN connects your on-premises network to a GCP VPC using encrypted IPsec tunnels over the public internet. It is quick to provision, reasonably priced, and secure enough for most workloads.
High Availability VPN (HA VPN) is the recommended type for all new deployments. It uses two gateway interfaces and achieves a 99.99% availability SLA when paired with BGP routing and redundant tunnels. If you need dedicated private bandwidth with no internet transit, Cloud Interconnect is the better fit.
Simple explanation
Your office network and your GCP VPC are two separate environments with no natural path between them. Cloud VPN creates a secure connection across the public internet so they can communicate privately.
On the GCP side, a VPN gateway sits at the edge of your VPC. On the on-premises side, your existing router or firewall acts as the other endpoint. The two gateways negotiate an IPsec session, agree on encryption keys, and then encrypt all traffic flowing between them. Nothing in between can read it.
Cloud Router handles routing on the GCP side. Instead of manually entering static routes on both sides of the tunnel, Cloud Router runs BGP, a protocol that lets both routers automatically tell each other which address ranges they own. Your VPC routes update automatically as tunnels come up or go down.
Think of Cloud VPN like a sealed diplomatic courier service between two cities. Anyone watching the road can see a courier van driving past, but they cannot open the pouches inside. The route is public, but the contents are completely private. Cloud Interconnect, by contrast, is a private road that only you use.
What is Cloud VPN?
Cloud VPN is GCP’s managed IPsec VPN service. It creates encrypted tunnels between a GCP VPC network and a remote network. This is typically an on-premises data centre, office, or another cloud. All traffic through the tunnels is encrypted using IKEv2 by default.
GCP offers two VPN types. HA VPN (High Availability VPN) is the current recommended option. It creates a gateway with two redundant interfaces, each with its own external IP address, and achieves a 99.99% SLA when configured with BGP and at least two tunnels. Classic VPN is the older option: a single-interface gateway with no high availability SLA. Google recommends treating Classic VPN as legacy and not using it for new deployments.
Cloud VPN is distinct from Cloud Interconnect, which uses a dedicated physical or partner circuit instead of the public internet. VPN is faster to set up and lower cost at moderate throughput. Interconnect is better when dedicated bandwidth, latency predictability, or compliance requirements exclude internet-based connectivity.
Cloud VPN is also unrelated to VPC Peering, which connects two GCP VPC networks directly using Google’s internal backbone. VPC Peering is for GCP-to-GCP connectivity only, not on-premises integration.
If you have existing Classic VPN tunnels, plan to migrate them to HA VPN. Classic VPN is still functional but receives no new feature development and has no availability SLA.
How Cloud VPN works
When an HA VPN connection is running, traffic flows like this:
- A packet leaves your on-premises server heading toward a GCP resource.
- Your on-premises VPN gateway encrypts the packet using IPsec and sends it over the internet.
- The GCP HA VPN gateway receives the packet, decrypts it, and forwards it into the VPC.
- Return traffic follows the same path in reverse. The VPC knows where to send it because Cloud Router has already exchanged BGP routes with your on-premises router.
BGP is what makes the routing automatic. In plain terms, it is a protocol that lets two routers tell each other which IP ranges they own. Your on-premises router says “I own 10.0.0.0/8” and Cloud Router responds “I own 192.168.1.0/24”, and both sides update their route tables without you managing any static routes.
BGP is like two post offices sending each other a list of the neighbourhoods they deliver to. Once each post office has the other’s list, mail automatically goes to the right place. If one office adds a new neighbourhood, it sends an update and routing adjusts without anyone touching a central directory.
In a fully redundant HA VPN setup there are four tunnels total: two GCP gateway interfaces each connecting to two on-premises gateway interfaces. If one tunnel fails, traffic shifts to the remaining active tunnels automatically. The 99.99% SLA only applies when all four tunnels are configured and both BGP sessions are active.
HA VPN is like two parallel road tunnels connecting two cities through a mountain. If one tunnel is closed for maintenance, traffic continues through the other without drivers noticing. Classic VPN is a single tunnel. If it closes, everything stops until it reopens.
When to use Cloud VPN
Cloud VPN is a good fit when:
- You are connecting an office, data centre, or colocation site to GCP and internet-based transport is acceptable
- You are running a hybrid migration and need temporary secure connectivity before committing to a permanent architecture
- You need private access from on-premises systems to GCP workloads, databases, or internal services without exposing them publicly
- You are setting up disaster recovery or backup connectivity to GCP where cost matters more than raw throughput
- Your per-tunnel bandwidth requirements are under roughly 3 Gbps (multiple tunnels with ECMP can scale throughput beyond that)
See the hybrid connectivity overview for a full comparison of GCP connectivity options including cost trade-offs and architecture guidance.
If you are unsure whether to use Cloud VPN or Cloud Interconnect, start with HA VPN. It is fast to deploy and easy to test. You can add Interconnect later and keep VPN as a backup path — many production architectures use both.
When not to use Cloud VPN
- High throughput or predictable latency. If your workload needs sustained high bandwidth or cannot tolerate internet jitter, use Cloud Interconnect instead.
- Connecting two GCP VPCs. If you want to connect two VPC networks within or across GCP projects, VPC Peering or Shared VPC is the right approach, not Cloud VPN.
- Regulatory requirements that prohibit internet transit. Some compliance frameworks require data to travel only over private dedicated circuits. Cloud VPN traverses the public internet even though traffic is encrypted. Cloud Interconnect does not.
Cloud VPN is often chosen by mistake when VPC Peering is what is actually needed. If you want to connect two GCP VPCs in different projects, use VPC Peering. Cloud VPN adds unnecessary cost and latency for that use case.
HA VPN vs Classic VPN
GCP offers two VPN types. Use HA VPN for all new deployments.
| Feature | HA VPN | Classic VPN |
|---|---|---|
| Availability SLA | 99.99% (with 4 tunnels and BGP) | No SLA |
| Gateway interfaces | Two | One |
| Routing | BGP only (via Cloud Router) | Static or dynamic |
| Recommendation | Use for all new deployments | Legacy. Migrate to HA VPN |
Classic VPN is still available but should be treated as a migration target, not a starting point. If you have existing Classic VPN deployments, plan to move them to HA VPN.
Cloud VPN vs Cloud Interconnect
Cloud VPN and Cloud Interconnect both connect your on-premises network to GCP, but they use fundamentally different transport paths. VPN goes over the public internet; Interconnect uses a dedicated private circuit.
| Cloud VPN | Cloud Interconnect | |
|---|---|---|
| Transport | Public internet (encrypted) | Private dedicated circuit |
| Throughput per link | ~3 Gbps per tunnel | 10 or 100 Gbps (Dedicated) |
| Setup time | Minutes to hours | Weeks (physical provisioning) |
| Encryption | Yes (IPsec by default) | Not by default (requires MACsec or VPN overlay) |
| Cost | Lower | Higher |
| Best for | Moderate bandwidth, fast setup, budget-conscious hybrid | High throughput, stable latency, no internet dependency |
For most teams starting a hybrid deployment, Cloud VPN is the right choice. Interconnect becomes worthwhile when data transfer volumes, latency sensitivity, or compliance requirements push you toward a private circuit.
Cloud VPN vs VPC Peering
VPC Peering connects two GCP VPC networks directly using Google’s internal backbone. There is no internet transit, no encryption overhead, and no VPN gateways involved. It is purely for GCP-to-GCP connectivity.
Cloud VPN connects an on-premises or external network to a GCP VPC over the internet using IPsec. If your goal is to link two GCP projects or VPCs, use VPC Peering or Shared VPC. If your goal is to connect an on-premises network to GCP, use Cloud VPN.
They are not alternatives to each other. They solve completely different connectivity problems.
Setting up HA VPN
An HA VPN deployment has four components: a Cloud Router, an HA VPN gateway on the GCP side, a peer VPN gateway resource representing your on-premises device, and the VPN tunnels connecting them.
Prerequisites
- An existing VPC network in the target region
- A compatible on-premises VPN device that supports IKEv2 and BGP
- The external IP addresses of your on-premises VPN gateway interfaces
- An ASN for your on-premises router (it must differ from the ASN you assign Cloud Router)
Step-by-step
# Step 1: Create a Cloud Router for BGP routing
gcloud compute routers create ha-vpn-router \
--network=my-vpc \
--region=europe-west1 \
--asn=65001
# Step 2: Create the HA VPN gateway on the GCP side
# GCP assigns two external IPs, one per interface
gcloud compute vpn-gateways create ha-vpn-gw \
--network=my-vpc \
--region=europe-west1
# Inspect the gateway to note the two external IPs on interface 0 and interface 1
gcloud compute vpn-gateways describe ha-vpn-gw \
--region=europe-west1
# Step 3: Create a peer VPN gateway resource representing your on-premises device
# Replace these IPs with your actual on-premises gateway addresses
gcloud compute external-vpn-gateways create on-prem-gw \
--interfaces=0=203.0.113.1,1=203.0.113.2
# Step 4: Create two VPN tunnels, one per HA VPN gateway interface
gcloud compute vpn-tunnels create ha-tunnel-0 \
--peer-external-gateway=on-prem-gw \
--peer-external-gateway-interface=0 \
--region=europe-west1 \
--ike-version=2 \
--shared-secret=SHARED_SECRET \
--router=ha-vpn-router \
--vpn-gateway=ha-vpn-gw \
--vpn-gateway-interface=0
gcloud compute vpn-tunnels create ha-tunnel-1 \
--peer-external-gateway=on-prem-gw \
--peer-external-gateway-interface=1 \
--region=europe-west1 \
--ike-version=2 \
--shared-secret=SHARED_SECRET \
--router=ha-vpn-router \
--vpn-gateway=ha-vpn-gw \
--vpn-gateway-interface=1Always specify —ike-version=2 unless your on-premises device cannot support IKEv2. The peer gateway resource is a logical placeholder that stores your on-premises IP addresses so GCP knows where to direct tunnel traffic.
Never reuse shared secrets across tunnels or store them in scripts or source code. Generate a strong, random secret for each tunnel and store it in Secret Manager. A weak or reused pre-shared key is one of the most common VPN security vulnerabilities.
Configuring BGP
After creating the tunnels, configure BGP on the Cloud Router. Each tunnel needs a BGP interface on the Cloud Router side and a corresponding BGP peer entry representing the on-premises router.
BGP sessions inside VPN tunnels use link-local addresses in the 169.254.x.x range. These addresses are not routable on the internet. They exist only inside the tunnel between the two endpoints. Each tunnel uses a unique /30 block from this range, providing two usable addresses: one for the GCP side and one for the on-premises side.
# Add BGP interface for tunnel 0
gcloud compute routers add-interface ha-vpn-router \
--interface-name=bgp-tunnel-0 \
--vpn-tunnel=ha-tunnel-0 \
--ip-address=169.254.0.1 \
--mask-length=30 \
--region=europe-west1
# Add BGP peer for tunnel 0
# The on-premises router uses the other address in the /30: 169.254.0.2
gcloud compute routers add-bgp-peer ha-vpn-router \
--peer-name=bgp-peer-0 \
--interface=bgp-tunnel-0 \
--peer-ip-address=169.254.0.2 \
--peer-asn=65002 \
--region=europe-west1
# Add BGP interface for tunnel 1 (use a different /30)
gcloud compute routers add-interface ha-vpn-router \
--interface-name=bgp-tunnel-1 \
--vpn-tunnel=ha-tunnel-1 \
--ip-address=169.254.1.1 \
--mask-length=30 \
--region=europe-west1
# Add BGP peer for tunnel 1
gcloud compute routers add-bgp-peer ha-vpn-router \
--peer-name=bgp-peer-1 \
--interface=bgp-tunnel-1 \
--peer-ip-address=169.254.1.2 \
--peer-asn=65002 \
--region=europe-west1Use a different /30 block for each tunnel pair. 169.254.0.0/30 for tunnel 0 and 169.254.1.0/30 for tunnel 1 is a clean convention. Check whether your on-premises equipment reserves any blocks from that range before choosing addresses.
Verifying tunnel and BGP status
After configuring BGP, run these checks before treating the connection as operational.
# List all tunnel statuses in the region
gcloud compute vpn-tunnels list \
--region=europe-west1
# Check a specific tunnel in detail
gcloud compute vpn-tunnels describe ha-tunnel-0 \
--region=europe-west1 \
--format="get(status,detailedStatus)"
# Check Cloud Router BGP sessions and learned routes
gcloud compute routers get-status ha-vpn-router \
--region=europe-west1 \
--format="json(result.bgpPeerStatus)"A working connection shows ESTABLISHED for both the tunnel status and the BGP peer status. The Cloud Router status output also lists routes learned from the on-premises network and the prefixes being advertised back. Verify that both sides are exchanging the expected prefixes before declaring success.
Verification checklist
- Both tunnels show
status: ESTABLISHED - Both BGP sessions show
bgpSessionStatus: ESTABLISHED - Learned routes include your on-premises prefixes
- Advertised routes include your GCP subnet ranges
- Traffic flows in both directions, tested with ping or curl to an internal IP address
A tunnel in ESTABLISHED state but a BGP session that is not is almost always an ASN mismatch or wrong link-local IP. Check both before looking at anything else. The troubleshooting section below covers the full diagnostic flow.
Scaling throughput
Each HA VPN tunnel supports up to approximately 3 Gbps of combined ingress and egress throughput. If you need more, create additional tunnels between the same gateways. Cloud Router uses ECMP (Equal Cost Multi-Path) routing to distribute traffic across tunnels that advertise the same routes at equal BGP metrics.
The four-tunnel fully redundant pattern already provides high availability. Additional tunnel pairs beyond that increase aggregate throughput while maintaining redundancy.
For ECMP to spread load across tunnels, all tunnels carrying the same prefixes must advertise them with the same BGP MED value. If one tunnel has a lower metric, all traffic goes to that tunnel and the others sit idle.
Common mistakes
Creating only one tunnel and believing the connection is highly available. HA VPN’s 99.99% SLA only applies when both gateway interfaces have active tunnels connected to redundant on-premises endpoints. With a single tunnel, there is no SLA guarantee and no automatic failover.
- Configuring only one tunnel and assuming you have HA. HA VPN’s 99.99% SLA requires at least two tunnels across both gateway interfaces. A single tunnel is a single point of failure and if it drops, connectivity is lost until it recovers. Always configure a tunnel on each of the two HA VPN gateway interfaces.
- Using a weak or reused shared secret. The pre-shared key authenticates both tunnel endpoints. A simple, short, or reused key is a real security risk. Generate a strong unique secret for each tunnel and store it in Secret Manager rather than hardcoding it in scripts or documentation.
- Using IKEv1 when IKEv2 is available. IKEv2 is faster to establish, more secure, and more efficient than IKEv1. Most modern VPN devices support it. Use
—ike-version=2unless your on-premises hardware genuinely cannot support IKEv2. - BGP ASN mismatch. The ASN you assign Cloud Router must match what your on-premises router expects as the remote ASN, and vice versa. A mismatch silently prevents BGP from establishing. Confirm both sides have consistent ASN values before troubleshooting anything else.
- Wrong peer IPs or interface mapping. The peer IP and interface number in each tunnel config must exactly match your on-premises gateway. A mismatched interface 0/1 mapping is a common cause of tunnels that negotiate but never pass traffic correctly.
- Skipping firewall and route checks after setup. Even with tunnels and BGP established, traffic can fail if firewall rules block expected ports or if routes are not propagating correctly. Validate both before assuming the VPN is fully operational.
Troubleshooting Cloud VPN
Most Cloud VPN problems fall into four categories. Work through each one systematically rather than guessing.
Tunnel not establishing
IKE negotiation uses UDP port 500 and UDP port 4500 for NAT traversal. Both must be open in both directions between your on-premises gateway and the GCP VPN gateway’s external IPs. This is the most frequent cause of tunnels that never come up.
- Confirm the shared secret matches exactly on both sides (it is case-sensitive)
- Verify both sides are configured for the same IKE version since a mismatch causes negotiation failure
- Check the peer gateway IPs are correct in the tunnel configuration
BGP not establishing
- Run
gcloud compute routers get-status ha-vpn-router —region=europe-west1and inspectbgpPeerStatus - Confirm the ASN values are consistent on both sides: Cloud Router’s ASN and the peer ASN you configured must match what your on-premises device expects
- Verify the link-local IPs are correct (Cloud Router uses the .1 address in each /30; the on-premises device should use .2)
- Confirm the tunnel itself is in ESTABLISHED state first, since BGP cannot run over a failed tunnel
Routes not being learned
- Check that your on-premises router is actively advertising the correct prefixes over BGP
- Look at the
learnedRoutessection in thegcloud compute routers get-statusoutput - Check routes in GCP to confirm that Cloud Router-learned routes are appearing in your VPC route table
- Verify Cloud Router is advertising your VPC subnets back to the on-premises router (by default it advertises all primary subnet ranges in the region)
Tunnel established but no traffic flows
- Confirm both BGP sessions are ESTABLISHED using
gcloud compute routers get-status - Check route advertisements and learned prefixes in the Cloud Router status output
- Validate subnet route propagation and route priorities using the routes in GCP guide
- Check firewall rules allow the expected internal service ports in both directions
- Confirm you are using private IP addresses since traffic destined for a public IP will not route through the VPN tunnel
- Follow the systematic diagnostic steps in the troubleshooting network issues guide for further analysis
For broader network security hardening of your hybrid setup, including VPN best practices, see the network security best practices guide.
FAQ
What is the difference between HA VPN and Classic VPN in GCP?
HA VPN uses two gateway interfaces and requires BGP via Cloud Router, giving it a 99.99% availability SLA when configured with redundant tunnels. Classic VPN uses a single interface, has no HA SLA, and supports static routing. For all new deployments, use HA VPN. Google recommends migrating existing Classic VPN setups to HA VPN.
Does Cloud VPN use the public internet?
Yes. Cloud VPN encrypts your traffic using IPsec and sends it over the public internet between your on-premises gateway and GCP. The encryption protects the data in transit, but the path itself crosses the internet. If you need a dedicated private circuit that never touches the public internet, use Cloud Interconnect instead.
Do I need Cloud Router for HA VPN?
Yes. HA VPN requires dynamic routing via BGP, which means Cloud Router is mandatory. You cannot use HA VPN with static routes. After creating your tunnels, you configure BGP interfaces and peer entries on the Cloud Router, and it handles route exchange with your on-premises router automatically.
When should I choose Cloud Interconnect instead of Cloud VPN?
Choose Cloud Interconnect when you need dedicated bandwidth, stable low-latency connectivity, or a transport path that does not traverse the public internet. Cloud VPN is simpler and cheaper to set up but shares the internet path and caps each tunnel at roughly 3 Gbps. Interconnect is the better fit for production workloads where throughput consistency and private connectivity take priority over cost or provisioning speed.
Can Cloud VPN replace VPC Peering?
No. VPC Peering connects two GCP VPC networks directly using Google’s internal routing, with no internet transit, no encryption overhead, and no VPN gateways. Cloud VPN connects an on-premises or external network to a GCP VPC over the internet using IPsec. They solve completely different connectivity problems and are not interchangeable.
Summary
- Cloud VPN creates encrypted IPsec tunnels between your on-premises network and a GCP VPC over the public internet
- HA VPN is the recommended type: two gateway interfaces, 99.99% SLA with BGP and four tunnels fully configured
- Classic VPN is a single-interface legacy option. Migrate to HA VPN for new deployments
- HA VPN requires BGP via Cloud Router; configure BGP interfaces and peers after creating the tunnels
- Each tunnel supports roughly 3 Gbps; add multiple tunnels and use ECMP for higher aggregate throughput
- Use IKEv2 and a strong unique shared secret per tunnel
- Cloud Interconnect is better when you need dedicated circuits, high throughput, or no internet transit
- VPC Peering is for GCP-to-GCP connectivity and is unrelated to Cloud VPN
Frequently asked questions
What is the difference between HA VPN and Classic VPN in GCP?
HA VPN uses two gateway interfaces and requires BGP via Cloud Router, giving it a 99.99% availability SLA when configured with redundant tunnels. Classic VPN uses a single interface, has no HA SLA, and supports static routing. For all new deployments, use HA VPN. Google recommends migrating existing Classic VPN deployments to HA VPN.
Does Cloud VPN use the public internet?
Yes. Cloud VPN encrypts traffic using IPsec and sends it over the public internet between your on-premises gateway and GCP. The encryption means no one on the path can read the data, but the path traverses the internet. If you need a dedicated private circuit with no internet transit, use Cloud Interconnect instead.
Do I need Cloud Router for HA VPN?
Yes. HA VPN requires dynamic routing via BGP, which means Cloud Router is mandatory. You configure BGP interfaces and peers on Cloud Router after creating the tunnels. Cloud Router then exchanges route information with your on-premises router automatically, so VPC routes stay up to date without manual management.
When should I choose Cloud Interconnect instead of Cloud VPN?
Choose Cloud Interconnect when you need dedicated bandwidth, predictable latency, or high throughput without internet transit. Cloud VPN is simpler and cheaper but caps each tunnel at roughly 3 Gbps and traverses the public internet. Interconnect is better suited to production workloads where stable high throughput and private connectivity matter more than cost or setup speed.
Can Cloud VPN replace VPC Peering?
No. VPC Peering connects two GCP VPC networks directly using Google internal routing with no internet transit, no encryption overhead, and no VPN gateways required. Cloud VPN connects an on-premises or external network to a GCP VPC over the internet using IPsec. They solve completely different problems and are not interchangeable.