Establish Site to Site Connectivity with HA-VPN using NCC

Lab: 1 hour, 1 Credit, Introductory
This lab may incorporate AI tools to support your learning.

GSP1316

Overview

Network Connectivity Center lets you use Google's network as part of a wide area network (WAN) that includes your external sites. This feature is known as site-to-site data transfer.

To enable this functionality, you use a supported resource to connect each site to Google Cloud. With Network Connectivity Center you create spokes to represent each connectivity resource. Each spoke is attached to a central hub, which provides full mesh connectivity between all of the spokes.

In this lab you will learn how to use the Network Connectivity Center (NCC) to build a hub and Cloud VPN spokes to set up data transfer between two branch offices.

What you'll learn

In this lab, you learn how to perform the following tasks:

  • Use the Network Connectivity Center to build a hub and spokes
  • Send traffic through a spoke and verify connectivity

Setup and requirements

Before you click the Start Lab button

Read these instructions. Labs are timed and you cannot pause them. The timer, which starts when you click Start Lab, shows how long Google Cloud resources are made available to you.

This hands-on lab lets you do the lab activities in a real cloud environment, not in a simulation or demo environment. It does so by giving you new, temporary credentials you use to sign in and access Google Cloud for the duration of the lab.

To complete this lab, you need:

  • Access to a standard internet browser (Chrome browser recommended).
Note: Use an Incognito (recommended) or private browser window to run this lab. This prevents conflicts between your personal account and the student account, which could cause extra charges to be incurred on your personal account.
  • Time to complete the lab—remember, once you start, you cannot pause a lab.
Note: Use only the student account for this lab. If you use a different Google Cloud account, you may incur charges to that account.

How to start your lab and sign in to the Google Cloud console

  1. Click the Start Lab button. If you need to pay for the lab, a dialog opens for you to select your payment method. On the left is the Lab Details pane with the following:

    • The Open Google Cloud console button
    • Time remaining
    • The temporary credentials that you must use for this lab
    • Other information, if needed, to step through this lab
  2. Click Open Google Cloud console (or right-click and select Open Link in Incognito Window if you are running the Chrome browser).

    The lab spins up resources, and then opens another tab that shows the Sign in page.

    Tip: Arrange the tabs in separate windows, side-by-side.

    Note: If you see the Choose an account dialog, click Use Another Account.
  3. If necessary, copy the Username below and paste it into the Sign in dialog.

    {{{user_0.username | "Username"}}}

    You can also find the Username in the Lab Details pane.

  4. Click Next.

  5. Copy the Password below and paste it into the Welcome dialog.

    {{{user_0.password | "Password"}}}

    You can also find the Password in the Lab Details pane.

  6. Click Next.

    Important: You must use the credentials the lab provides you. Do not use your Google Cloud account credentials. Note: Using your own Google Cloud account for this lab may incur extra charges.
  7. Click through the subsequent pages:

    • Accept the terms and conditions.
    • Do not add recovery options or two-factor authentication (because this is a temporary account).
    • Do not sign up for free trials.

After a few moments, the Google Cloud console opens in this tab.

Note: To access Google Cloud products and services, click the Navigation menu or type the service or product name in the Search field.

Enable the Network Connectivity API

Before you can perform any tasks using Network Connectivity Center, you must enable the Network Connectivity API.

  1. In the Cloud console search bar, search for "Network Connectivity", then click on the Network Connectivity result.

  2. Go to Network Connectivity Center

  3. Click Enable.

Verify existing Google Cloud resources

Google Cloud resources, including Virtual Private Cloud (VPC) networks, 2 virtual machines, a set of firewall rules, and HA-VPN connectivity (including the gateways and routers), have already been created for you.

Configure data transfer connectivity

To set up data transfer connectivity, you'll use NCC to build a hub and spokes to allow data to be transferred from one site to another through Google Cloud.

Task 1. Create a hub

  1. In the console, you should be on the Network Connectivity Center page.
  2. Click Create hub.
  3. Enter a name for your hub.
  4. Enter Description if you choose.
  5. Verify the Project ID matches the Project ID set up for this lab. If the project ID is incorrect, select the correct project by using the pull-down menu at the top of the screen.
  6. Next you'll add spokes for each office. Click Next step.

Task 2. Define spokes

Now you'll create spokes for each office, connected to the hub. Use two HA VPN tunnels as the spoke's underlying resources. Each tunnel should originate from an HA VPN gateway in the region closest to the office.

Spoke for office 1

Create a spoke for Office1. Use two HA VPN tunnels as the spoke's underlying resources. Each tunnel should originate from an HA VPN gateway in the region closest to the office.

  1. Click Add a spoke.
  2. In the New spoke form, set the Spoke type field to VPN tunnel.
  3. Enter a Spoke name, for this lab, use office-1-spoke.
  4. Enter a Description of the spoke if you choose.
  5. Select the Region for the spoke — for this lab, use the spoke is located in .
  6. Under Site-to-site data transfer, select On.
  7. For the VPC network click the dropdown and select routing-vpc.
  8. Click Add tunnel and select the two tunnels from the dropdown. When you are finished adding tunnels, click Done.

Spoke for office 2

Create a spoke for Office2. Use two HA VPN tunnels as the spoke's underlying resources. Each tunnel should originate from an HA VPN gateway in the region closest to the office.

  1. Click Add a spoke.
  2. In the New spoke form, set the Spoke type field to VPN tunnel.
  3. Enter a Spoke name, for this lab, use office-2-spoke.
  4. Enter a Description of the spoke if you choose.
  5. Select the Region for the spoke — for this lab, use the spoke is located in .
  6. Under Site-to-site data transfer, select On.
  7. For the VPC network click the dropdown and select routing-vpc.
  8. Click Add tunnel and select the two tunnels from the dropdown. When you are finished adding tunnels, click Done.
  9. Click Create.

Click Check my progress to verify the objective. Create Hub and Spokes.
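
The console steps in Tasks 1 and 2 can also be scripted with the gcloud CLI. The script below is an added example, not part of the original lab; HUB_NAME, REGION_1, REGION_2 and the OFFICEn_TUNNEL_x names are placeholders for values the lab page does not give. By default it is a dry run that only prints the commands.

```bash
#!/bin/sh
# Added example (not from the lab): gcloud equivalent of Tasks 1 and 2.
# HUB_NAME, REGION_n and OFFICEn_TUNNEL_x are placeholders; substitute the
# values shown in your lab's console.
set -eu

HUB="${HUB:-HUB_NAME}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands, 0 = run them

# Print a command; execute it only when DRY_RUN=0.
run() {
  printf '%s\n' "$*"
  if [ "$DRY_RUN" = "0" ]; then "$@"; fi
}

# Enable the API and create the hub (Task 1).
create_hub() {
  run gcloud services enable networkconnectivity.googleapis.com
  run gcloud network-connectivity hubs create "$HUB"
}

# create_spoke NAME REGION TUNNEL_A TUNNEL_B  (Task 2)
# Both tunnels must be HA VPN tunnels in REGION; the last flag is the CLI
# form of "Site-to-site data transfer: On".
create_spoke() {
  if [ "$#" -ne 4 ]; then
    echo "usage: create_spoke NAME REGION TUNNEL_A TUNNEL_B" >&2
    return 2
  fi
  run gcloud network-connectivity spokes linked-vpn-tunnels create "$1" \
    --hub="$HUB" --region="$2" --vpn-tunnels="$3,$4" \
    --site-to-site-data-transfer
}

main() {
  create_hub
  create_spoke office-1-spoke REGION_1 OFFICE1_TUNNEL_A OFFICE1_TUNNEL_B
  create_spoke office-2-spoke REGION_2 OFFICE2_TUNNEL_A OFFICE2_TUNNEL_B
  run gcloud network-connectivity hubs describe "$HUB"
}

main
```

After replacing the placeholders, run the script with DRY_RUN=0 to apply the changes.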

Task 3. Verify the configuration

After configuring the hub and its spokes, you should be able to pass traffic from the virtual machine (VM) instance in one office to the VM instance in the other office. To do this, each VM must have access to the VPN tunnel in its region.

  1. Navigate to Compute Engine > VM Instances. Click SSH on onprem-office1-vm and run a ping test from onprem-office1-vm to the internal IP of onprem-office2-vm.

    ping -c 5 <INTERNAL_IP_OF_onprem-office2-vm>

  2. Click SSH on onprem-office2-vm and run a ping test from onprem-office2-vm to the internal IP of onprem-office1-vm.

    ping -c 5 <INTERNAL_IP_OF_onprem-office1-vm>

Task 4. Delete resources

In a production environment, you need to delete resources you're not using to avoid getting charged. Here are the easy steps to remove the spokes and hub:

Delete spokes and hub

  1. On the Network Connectivity page, click on the Spokes tab.
  2. Check the boxes next to the spoke names you want to delete.
  3. Click Delete spokes.
  4. In the confirmation dialog, click Delete.
  5. Now you can click on Delete hub.
  6. In the confirmation dialog, click Delete.

Congratulations!

You have learned how to use the Network Connectivity Center to build a hub and spokes for existing Google Cloud resources and verified that data can transfer through NCC to different sites in your network.

Google Cloud training and certification

...helps you make the most of Google Cloud technologies. Our classes include technical skills and best practices to help you get up to speed quickly and continue your learning journey. We offer fundamental to advanced level training, with on-demand, live, and virtual options to suit your busy schedule. Certifications help you validate and prove your skill and expertise in Google Cloud technologies.

Manual Last Updated: June 09, 2025

Lab Last Tested: June 09, 2025

Copyright 2025 Google LLC. All rights reserved. Google and the Google logo are trademarks of Google LLC. All other company and product names may be trademarks of the respective companies with which they are associated.
