Dynamic VPN Gateways - Cloud Routers

1 hour 10 minutes 5 Credits

GSP218

Overview

In this lab, you configure Cloud Routers using the Console. The Cloud Routers will implement VPN gateways configured with BGP. BGP provides dynamic network discovery and eliminates the need to configure or maintain static routes. When successful you will be able to ping the internal IP of the VM in a newly discovered subnetwork via an auto-populated route.

What you'll learn

In this lab, you learn how to perform the following tasks:

  • Create two networks to represent your VPC and on-premises network with a VM in each network to test connectivity.

  • Connect the two networks using Cloud Routers.

  • Add a new subnetwork and verify that dynamic BGP routing is working.

Setup and requirements

Before you click the Start Lab button

Read these instructions. Labs are timed and you cannot pause them. The timer, which starts when you click Start Lab, shows how long Google Cloud resources will be made available to you.

This hands-on lab lets you do the lab activities yourself in a real cloud environment, not in a simulation or demo environment. It does so by giving you new, temporary credentials that you use to sign in and access Google Cloud for the duration of the lab.

To complete this lab, you need:

  • Access to a standard internet browser (Chrome browser recommended).
Note: Use an Incognito or private browser window to run this lab. This prevents any conflicts between your personal account and the Student account, which may cause extra charges incurred to your personal account.
  • Time to complete the lab---remember, once you start, you cannot pause a lab.
Note: If you already have your own personal Google Cloud account or project, do not use it for this lab to avoid extra charges to your account.

How to start your lab and sign in to the Google Cloud Console

  1. Click the Start Lab button. If you need to pay for the lab, a pop-up opens for you to select your payment method. On the left is the Lab Details panel with the following:

    • The Open Google Console button
    • Time remaining
    • The temporary credentials that you must use for this lab
    • Other information, if needed, to step through this lab
  2. Click Open Google Console. The lab spins up resources, and then opens another tab that shows the Sign in page.

    Tip: Arrange the tabs in separate windows, side-by-side.

    Note: If you see the Choose an account dialog, click Use Another Account.
  3. If necessary, copy the Username from the Lab Details panel and paste it into the Sign in dialog. Click Next.

  4. Copy the Password from the Lab Details panel and paste it into the Welcome dialog. Click Next.

    Important: You must use the credentials from the left panel. Do not use your Google Cloud Skills Boost credentials.

    Note: Using your own Google Cloud account for this lab may incur extra charges.
  5. Click through the subsequent pages:

    • Accept the terms and conditions.
    • Do not add recovery options or two-factor authentication (because this is a temporary account).
    • Do not sign up for free trials.

After a few moments, the Cloud Console opens in this tab.

Note: You can view the menu with a list of Google Cloud Products and Services by clicking the Navigation menu at the top-left.

Task 1. Create the networks

Create two custom networks with subnetworks and start micro VMs in each.

Create the first network

  1. In the Console, navigate to Navigation menu > VPC network > VPC networks.

  2. Click Create VPC Network.

  3. Set the following values, leave all other values at their defaults:

    Property Value (type value or select option as specified)
    Name gcp-vpc
    Description Enter an optional description
  4. For Subnet creation mode, click Custom.

  5. Set the following values, leave all other values at their defaults:

    Property Value (type value or select option as specified)
    Name subnet-a
    Region us-east1
    IPv4 range 10.5.4.0/24
  6. Click Add Subnet.

  7. Set the following values, leave all other values at their defaults:

    Property Value (type value or select option as specified)
    Name subnet-b
    Region us-central1
    IPv4 range 10.2.4.0/24
  8. For Dynamic Routing Mode, select Global.

Note: With Global dynamic routing, a Cloud Router advertises the subnets of every region in the VPC, and the routes it learns are installed in every region. That matters here because the Cloud Routers will live in us-east1 while subnet-b and subnet-d are in other regions; in Regional mode those subnets would neither be advertised nor receive the learned routes.

  9. Click Create.

Create the second network

The second network also uses custom subnets. Its second subnet, subnet-d, goes in europe-west1, a region the first network does not use, and is where the on-prem VM will live.

  1. Still in VPC networks, click Create VPC Network.

  2. Set the following values, leave all other values at their defaults:

    Property Value (type value or select option as specified)
    Name on-prem
    Description Enter an optional description
  3. For Subnet creation mode, click Custom.

  4. Set the following values, leave all other values at their defaults:

    Property Value (type value or select option as specified)
    Name subnet-c
    Region us-east1
    IPv4 range 10.2.3.0/24
  5. Click Add Subnet.

  6. Set the following values, leave all other values at their defaults:

    Property Value (type value or select option as specified)
    Name subnet-d
    Region europe-west1
    IPv4 range 10.1.3.0/24
  7. For Dynamic Routing Mode, select Global.

  8. Click Create.

Note: In this lab, you are creating the on-prem network as a VPC network to mimic your own on-premises network.

Click Check my progress to verify the objective. Create the networks

Task 2. Create the utility VMs

Create the first instance

Create the first VM in subnet-a of gcp-vpc, which is in us-east1.

  1. In the Console, navigate to Navigation menu > Compute Engine > VM instances, and then click Create instance.

  2. Set the following values, leave all other values at their defaults:

    Property Value (type value or select option as specified)
    Name gcp-server
    Region us-east1
    Zone us-east1-b
    Machine type e2-micro
  3. Click Advanced options.

  4. Click Networking.

  5. For Network interfaces, click the dropdown icon to edit.

  6. Set the following values, leave all other values at their defaults:

    Property Value (type value or select option as specified)
    Network gcp-vpc
    Subnetwork subnet-a
  7. Click Done, and then click Create.

Create the second instance

Create the second VM in subnet-d of on-prem, which is in europe-west1.

  1. Still in the VM instances dialog, click Create Instance.

  2. Set the following values, leave all other values at their defaults:

    Property Value (type value or select option as specified)
    Name on-prem-1
    Region europe-west1 (Belgium)
    Zone europe-west1-b
    Machine type e2-micro
  3. Click Advanced options.

  4. Click Networking.

  5. For Network interfaces, click the dropdown icon to edit.

  6. Set the following values, leave all other values at their defaults:

    Property Value (type value or select option as specified)
    Network on-prem
    Subnetwork subnet-d
  7. Click Done, and then click Create.

Click Check my progress to verify the objective. Create the utility VMs

Task 3. Create the firewall rules

Allow ICMP and SSH into each network.

Note: Both rules accept SSH and ICMP from any source (0.0.0.0/0). That is acceptable only because the lab project is temporary and Task 4 pings the VMs' external IPs from the internet. Outside a lab, limit tcp:22 to the IAP TCP-forwarding range (35.235.240.0/20) or your administrators' addresses, and limit ICMP to the peer network's ranges.

Allow ICMP and SSH traffic to gcp-vpc

  1. In the Console, navigate to Navigation menu > VPC network > Firewall.

  2. Click Create Firewall Rule.

  3. Set the following values, leave all other values at their defaults:

    Property Value (type value or select option as specified)
    Name allow-icmp-ssh-gcp-vpc
    Network gcp-vpc
    Targets All instances in the network
    Source filter IPv4 Ranges
    Source IPv4 ranges 0.0.0.0/0
    Protocols and ports Specified protocols and ports, and then check tcp, type: 22; and check Other protocols, type: icmp.
Note: Make sure to include the /0 in the Source IPv4 ranges to specify all networks.
  4. Click Create.

Allow ICMP and SSH traffic to on-prem

  1. Still in the Firewall rules dialog, click Create Firewall Rule.

  2. Set the following values, leave all other values at their defaults:

    Property Value (type value or select option as specified)
    Name allow-icmp-ssh-on-prem
    Network on-prem
    Targets All instances in the network
    Source filter IPv4 Ranges
    Source IPv4 ranges 0.0.0.0/0
    Protocols and ports Specified protocols and ports, and then check tcp, type: 22; and check Other protocols, type: icmp.
Note: Make sure to include the /0 in the Source IPv4 ranges to specify all networks.
  4. Click Create.

Click Check my progress to verify the objective. Create the firewall rules
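The same build-out as Tasks 1 to 3, done with gcloud. This is an added example, not part of the lab; it assumes gcloud is authenticated and pointed at the lab project, and reuses the lab's names, regions and ranges. The lab's wide-open firewall rule is kept as the default so Task 4 still works; a hardened variant (SSH only from the IAP TCP-forwarding range 35.235.240.0/20, ICMP only from the peer network's ranges) is selected with HARDENED=1. HARDENED and LAB_APPLY are this script's own variables, not gcloud flags.

```shell
#!/bin/sh
# Added example (not part of the lab): Tasks 1-3 with gcloud instead of the
# Console. Assumes gcloud is authenticated and pointed at the lab project.
set -eu

REGION_A=us-east1      # subnet-a, subnet-c, gcp-server
REGION_B=us-central1   # subnet-b
REGION_C=europe-west1  # subnet-d, on-prem-1

# create_network NAME [SUBNET REGION CIDR]...  (custom mode, global dynamic routing)
create_network() {
  net=$1; shift
  gcloud compute networks create "$net" --subnet-mode=custom --bgp-routing-mode=global
  while [ $# -ge 3 ]; do
    gcloud compute networks subnets create "$1" --network="$net" --region="$2" --range="$3"
    shift 3
  done
}

create_vm() {  # NAME ZONE NETWORK SUBNET
  gcloud compute instances create "$1" --zone="$2" --machine-type=e2-micro \
    --network="$3" --subnet="$4"
}

# Lab rule: SSH and ICMP from anywhere. Needed for the external-IP ping in
# Task 4, but far too open for anything except a throwaway lab project.
lab_firewall() {  # NETWORK
  gcloud compute firewall-rules create "allow-icmp-ssh-$1" --network="$1" \
    --direction=INGRESS --allow=tcp:22,icmp --source-ranges=0.0.0.0/0
}

# Hardened alternative: SSH only from Google's IAP TCP-forwarding range
# (35.235.240.0/20, so port 22 is never reachable from the open internet) and
# ICMP only from the peer network's private ranges, i.e. over the VPN.
hardened_firewall() {  # NETWORK PEER-RANGES
  gcloud compute firewall-rules create "allow-ssh-iap-$1" --network="$1" \
    --direction=INGRESS --allow=tcp:22 --source-ranges=35.235.240.0/20
  gcloud compute firewall-rules create "allow-icmp-peer-$1" --network="$1" \
    --direction=INGRESS --allow=icmp --source-ranges="$2"
}

build_lab() {
  create_network gcp-vpc subnet-a "$REGION_A" 10.5.4.0/24 subnet-b "$REGION_B" 10.2.4.0/24
  create_network on-prem subnet-c "$REGION_A" 10.2.3.0/24 subnet-d "$REGION_C" 10.1.3.0/24
  create_vm gcp-server "${REGION_A}-b" gcp-vpc subnet-a
  create_vm on-prem-1 "${REGION_C}-b" on-prem subnet-d
  if [ "${HARDENED:-0}" = 1 ]; then
    # Source ranges are static: subnet-e (10.4.2.0/24) from Task 7 is NOT here.
    hardened_firewall gcp-vpc 10.2.3.0/24,10.1.3.0/24
    hardened_firewall on-prem 10.5.4.0/24,10.2.4.0/24
  else
    lab_firewall gcp-vpc
    lab_firewall on-prem
  fi
}

# Only act when explicitly asked, so the functions can be sourced or dry-run.
if [ "${LAB_APPLY:-0}" = 1 ]; then build_lab; fi
```

Run it with LAB_APPLY=1 (and HARDENED=1 for the restricted rules). With the hardened rules the external-IP pings in Task 4 fail, which is the intent: ICMP is accepted only from the peer's private ranges, so it works only once the VPN and the BGP-learned routes are in place. The source ranges are also static. When Task 7 adds subnet-e (10.4.2.0/24), BGP learns the route by itself, but pings started from on-prem-2 toward gcp-server are dropped until the gcp-vpc ICMP rule is extended to include that range (replies to pings started on gcp-server still pass, because VPC firewall rules are stateful). Dynamic routing does not make firewall rules dynamic.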

Task 4. Verify network connectivity

Test connectivity from gcp-server to on-prem-1

  1. In the Console, navigate to Navigation menu > Compute Engine > VM instances. Note the external and internal IP addresses for on-prem-1 as you will use them in future steps.

  2. For gcp-server, click SSH to launch a terminal and connect.

  3. To test connectivity to on-prem-1's external IP, run the following command, replacing on-prem-1's external IP with the value noted earlier:

ping -c 3 <Enter on-prem-1's external IP here>

This should work; 3 packets transmitted, 3 received, and 0% packet loss. The external IP is reachable over the internet, and the firewall rule you just created accepts ICMP from any source.

  4. To test connectivity to on-prem-1's internal IP, run the following command, replacing on-prem-1's internal IP with the value noted earlier:

ping -c 3 <Enter on-prem-1's internal IP here>

This should not work. You should see 100% packet loss when pinging the internal IP: gcp-vpc has no route to on-prem's internal ranges yet.

  5. Exit the SSH terminal:

exit

Test connectivity from on-prem-1 to gcp-server

  1. Note the external and internal IP addresses for gcp-server.

  2. For on-prem-1, click SSH to launch a terminal and connect.

  3. To test connectivity to gcp-server's external IP, run the following command, replacing gcp-server's external IP with the value noted earlier:

ping -c 3 <Enter gcp-server's external IP here>

This should work; 3 packets transmitted, 3 received, and 0% packet loss.

  4. To test connectivity to gcp-server's internal IP, run the following command, replacing gcp-server's internal IP with the value noted earlier:

ping -c 3 <Enter gcp-server's internal IP here>

This should not work. You should see 100% packet loss when pinging the internal IP, because on-prem has no route to gcp-vpc's internal ranges yet.

  5. Exit the SSH terminal:

exit

Note: Why test both gcp-server to on-prem-1 and on-prem-1 to gcp-server?

For the purposes of this lab, the path from gcp-server (subnet-a) to on-prem-1 (subnet-d) is not the same as the path back from on-prem-1 to gcp-server.

Each side's Cloud Router only learns the remote subnets over its own BGP sessions, and every tunnel has to be configured on both gateways before it comes up. If either side is incomplete, a ping may still reach the remote server, but the reply has no route back, and you see 100% packet loss.

Testing both directions makes the lab much easier to debug during class. In practice a single tunnel with a symmetric configuration carries traffic both ways; production deployments, however, normally use multiple tunnels or multiple gateways, because a single tunnel is a single point of failure.

Task 5. Create two fully configured HA VPN gateways that connect to each other

Create the gcp-vpc Cloud Router

  1. In the Console, navigate to Navigation menu > Hybrid Connectivity > Cloud Routers, and then click Create router.

  2. Set the following values, leave all other values at their defaults:

    Property Value (type value or select option as specified)
    Name gcp-vpc-cr
    Network gcp-vpc
    Region us-east1
    Google ASN 65470
  3. Click Create.

Create the on-prem Cloud Router

  1. Still in the Cloud Routers dialog, click Create router.

  2. Set the following values, leave all other values at their defaults:

    Property Value (type value or select option as specified)
    Name on-prem-cr
    Network on-prem
    Region us-east1
    Google ASN 65503
  3. Click Create.

Create the first VPN Gateway

  1. In the Console, navigate to Navigation menu > Hybrid Connectivity > VPN.

  2. Click Create VPN connection.

  3. For VPN options, choose High-Availability (HA) VPN.

  4. Click Continue.

  5. Set the following values, leave all other values at their defaults:

    Property Value (type value or select option as specified)
    VPN gateway name vpn-1
    Network gcp-vpc
    Region us-east1
    VPN tunnel inner IP stack type IPv4
  6. Click Create & Continue.

Create the second VPN gateway

  1. Still in the VPN dialog, click VPN on the side panel.

  2. Click Create VPN Gateway.

  3. Set the following values, leave all other values at their defaults:

    Property Value (type value or select option as specified)
    VPN gateway name vpn-2
    Network on-prem
    Region us-east1
    VPN tunnel inner IP stack type IPv4
  4. Click Create.

Create VPN tunnels for first gateway

  1. In the VPN page, click on your vpn-1.

  2. Click Add VPN Tunnel.

  3. For Peer VPN Gateway, select Google Cloud.

  4. Click SELECT PROJECT.

  5. Choose your unique qwiklabs project.

  6. Select vpn-2 as the VPN gateway name.

  7. Ensure Create a pair of VPN tunnels is selected.

  8. Under Cloud Router, choose your gcp-vpc-cr.

  9. In the VPN Tunnel set the following values, leave all other values at their defaults:

    Property Value (type value or select option as specified)
    Name tunnel1
    IKE version IKEv2
    IKE pre-shared key gcprocks
  10. Click Done.

  11. Select the VPN Tunnel (not configured yet).

  12. Set the following values, leave all other values at their defaults:

    Property Value (type value or select option as specified)
    Name tunnel2
    IKE version IKEv2
    IKE pre-shared key gcprocks
  13. Click Done.

Note: The pre-shared key is what authenticates the two gateways to each other during IKEv2. gcprocks is fine for a throwaway lab project; outside the lab, generate a long random secret (the Console's Generate and copy button, or openssl rand -base64 32), never reuse a published value, and keep it out of scripts and tickets.

  14. Click Create & Continue.

Configure BGP sessions for first gateway

  1. You should see two BGP sessions listed at the Configure BGP Sessions section.

  2. Click Configure BGP Session for the first session and add in the following values:

    Property Value (type value or select option as specified)
    Name bgp1to3
    Peer ASN 65503
    Cloud Router BGP IPv4 Address 169.254.0.1
    BGP Peer IPv4 Address 169.254.0.2
Note: Click Manually for the Allocate BGP IPv4 Address section.
  3. Click Save and Continue.

  4. Click Configure BGP Session for the second session and add in the following values:

    Property Value (type value or select option as specified)
    Name bgp2to4
    Peer ASN 65503
    Cloud Router BGP IPv4 Address 169.254.1.1
    BGP Peer IPv4 Address 169.254.1.2
Note: Click Manually for the Allocate BGP IPv4 Address section.
  5. Click Save and Continue.

  6. Click Save BGP Configuration.

You will likely see warnings at this point, because the matching tunnels have not been created on the second VPN gateway yet. You will do that in the next section.

Note: The BGP addresses are link-local (169.254.0.0/16) and exist only inside each tunnel. The two addresses of a session must sit in the same small subnet (169.254.0.0/30 and 169.254.1.0/30 here), and the on-prem side mirrors them: its Cloud Router address is this side's peer address, and vice versa.

Create VPN tunnels for second gateway

  1. Click VPN in the side bar or find the page using the Navigation menu > Hybrid Connectivity > VPN.

  2. Select Cloud VPN Gateways.

  3. Click on vpn-2.

  4. Click Add VPN Tunnel.

  5. For Peer VPN Gateway, select Google Cloud.

  6. Click SELECT PROJECT.

  7. Choose your unique qwiklabs project.

  8. Select vpn-1 as the VPN gateway name.

  9. Ensure Create a pair of VPN tunnels is selected.

  10. Under Cloud Router, choose your on-prem-cr.

  11. In the VPN Tunnel set the following values, leave all other values at their defaults:

    Property Value (type value or select option as specified)
    Name tunnel3
    IKE version IKEv2
    IKE pre-shared key gcprocks
  12. Click Done.

  13. Select the VPN Tunnel (not configured yet).

  14. Set the following values, leave all other values at their defaults:

    Property Value (type value or select option as specified)
    Name tunnel4
    IKE version IKEv2
    IKE pre-shared key gcprocks
  15. Click Done.

  16. Click Create & Continue.

Configure BGP sessions for second gateway

  1. You should see two BGP sessions listed at the Configure BGP Sessions section.

  2. Click Configure BGP Session for the first session and add in the following values:

    Property Value (type value or select option as specified)
    Name bgp3to1
    Peer ASN 65470
    Cloud Router BGP IPv4 Address 169.254.0.2
    BGP Peer IPv4 Address 169.254.0.1
Note: Click Manually for the Allocate BGP IPv4 Address section.
  3. Click Save and Continue.

  4. Click Configure BGP Session for the second session and add in the following values:

    Property Value (type value or select option as specified)
    Name bgp4to2
    Peer ASN 65470
    Cloud Router BGP IPv4 Address 169.254.1.2
    BGP Peer IPv4 Address 169.254.1.1
Note: Click Manually for the Allocate BGP IPv4 Address section.
  5. Click Save and Continue.

  6. Click Save BGP Configuration.

Note: It might take several minutes for the VPNs to connect.

Wait until the VPNs show a green check mark on the VPN page, indicating that they are connected. If one is green and the other remains red, there is probably a configuration error: compare the pre-shared keys, the tunnel pairing (tunnel1 with tunnel3, tunnel2 with tunnel4) and the mirrored BGP addresses and peer ASNs on both sides.

Click Check my progress to verify the objective. Create the cloud routers and prepare for VPN gateways
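Task 5 as a gcloud script, added here as an example that is not part of the lab. It assumes gcloud is authenticated against the lab project and that gcp-vpc and on-prem from Task 1 exist. Names, ASNs and BGP addresses are the lab's; the one deliberate change is the pre-shared key, which is generated with openssl rand instead of gcprocks (set PSK yourself to override). PSK and LAB_APPLY are this script's own variables, not gcloud flags.

```shell
#!/bin/sh
# Added example (not part of the lab): Task 5 with gcloud. Two Cloud Routers,
# two HA VPN gateways, a tunnel pair in each direction and four BGP sessions,
# with a random pre-shared key instead of the lab's "gcprocks".
set -eu
REGION=us-east1

new_psk() { openssl rand -base64 32; }   # 256 bits of entropy for IKEv2

create_router_and_gateway() {  # ROUTER NETWORK ASN GATEWAY
  gcloud compute routers create "$1" --network="$2" --region="$REGION" --asn="$3"
  gcloud compute vpn-gateways create "$4" --network="$2" --region="$REGION"
}

# connect_side GATEWAY PEER-GATEWAY ROUTER PEER-ASN SIDE(1|2) TUN0:SESSION0 TUN1:SESSION1
# Creates one tunnel per HA VPN interface, a router interface on each tunnel and
# a BGP session per interface. Interface N of one gateway always terminates on
# interface N of the peer, which is why tunnel1 pairs with tunnel3 and tunnel2
# with tunnel4. SIDE picks the link-local addresses: side 1 owns the .1 address
# of each /30 and peers with .2; side 2 the reverse, exactly as in the lab.
connect_side() {
  gw=$1 peer=$2 router=$3 peer_asn=$4 side=$5
  other=$((3 - side))
  iface=0
  for pair in "$6" "$7"; do
    tun=${pair%%:*} sess=${pair#*:}
    gcloud compute vpn-tunnels create "$tun" --region="$REGION" \
      --vpn-gateway="$gw" --interface="$iface" --peer-gcp-gateway="$peer" \
      --router="$router" --ike-version=2 --shared-secret="$PSK"
    # Link-local /30 per tunnel; both ends of a session must be in the same /30.
    gcloud compute routers add-interface "$router" --region="$REGION" \
      --interface-name="if-$tun" --vpn-tunnel="$tun" \
      --ip-address="169.254.$iface.$side" --mask-length=30
    gcloud compute routers add-bgp-peer "$router" --region="$REGION" \
      --peer-name="$sess" --interface="if-$tun" \
      --peer-ip-address="169.254.$iface.$other" --peer-asn="$peer_asn"
    iface=$((iface + 1))
  done
}

build_vpn() {
  PSK=${PSK:-$(new_psk)}   # same secret on both ends of every tunnel
  # Both gateways must exist before either side's tunnels can reference the peer.
  create_router_and_gateway gcp-vpc-cr gcp-vpc 65470 vpn-1
  create_router_and_gateway on-prem-cr on-prem 65503 vpn-2
  # gcp-vpc side: ASN 65470 peering with 65503.
  connect_side vpn-1 vpn-2 gcp-vpc-cr 65503 1 tunnel1:bgp1to3 tunnel2:bgp2to4
  # on-prem side mirrors it: tunnel3 is the far end of tunnel1, tunnel4 of tunnel2.
  connect_side vpn-2 vpn-1 on-prem-cr 65470 2 tunnel3:bgp3to1 tunnel4:bgp4to2
}

if [ "${LAB_APPLY:-0}" = 1 ]; then build_vpn; fi
```

Passing the secret with --shared-secret puts it in the shell history and, for the duration of each command, in the process list; for anything beyond a lab, read it from a secret store into the variable rather than typing it, and rotate it if it was ever pasted into a ticket.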

Task 6. Verify the connection

  1. In the Console, navigate to Navigation menu > Compute Engine > VM instances. Note the internal IP addresses for gcp-server and on-prem-1.

  2. For gcp-server, click SSH to launch a terminal and connect.

  3. To test connectivity to on-prem-1's internal IP, run the following command, replacing on-prem-1's internal IP with the value noted earlier:

ping -c 3 <Enter on-prem-1's internal IP here>

This should now work: each Cloud Router has learned the other network's subnets over BGP, so both VPCs route the internal ranges into the tunnels.

Note: If the ping fails, wait another minute for the VPN tunnels to connect and ping again.

  4. Exit the gcp-server SSH terminal:

exit

  5. For on-prem-1, click SSH to launch a terminal and connect.

  6. To test connectivity to gcp-server's internal IP, run the following command, replacing gcp-server's internal IP with the value noted earlier:

ping -c 3 <Enter gcp-server's internal IP here>

Note: If the ping fails, wait another minute for the VPN tunnels to connect and ping again.

  7. Exit the on-prem-1 SSH terminal:

exit

Task 7. Demonstrate dynamic routing

View the current routes

  1. In the Console, navigate to Navigation menu > VPC network > Routes.
  2. Click Dynamic to filter.
Note: Notice the six routes that are currently present.

Next you create a new subnetwork, subnet-e, in the on-prem network with a different IP range, and then launch a utility VM, on-prem-2, in that subnet.

If BGP dynamic routing is working, BGP will automatically discover the new subnet and add it to the list of routes. You will be able to ping on-prem-2's Internal IP from gcp-server.

Create a new subnet in on-prem

  1. In the left pane, click VPC networks.

  2. Click on-prem, and then click Add subnet.

  3. Set the following values, leave all other values at their defaults:

    Property Value (type value or select option as specified)
    Name subnet-e
    Region europe-west1
    IPv4 range 10.4.2.0/24
  4. This subnet is in europe-west1, the same region as subnet-d. Click Add.

Create a new utility VM in the new subnet

This VM is created in europe-west1, the region of subnet-e.

  1. In the Console, navigate to Navigation menu > Compute Engine > VM instances, and then click Create Instance.

  2. Set the following values, leave all other values at their defaults:

    Property Value (type value or select option as specified)
    Name on-prem-2
    Region europe-west1
    Zone europe-west1-c
    Machine type e2-micro
  3. Click Advanced options.

  4. Click Networking.

  5. For Network interfaces, click the dropdown icon to edit.

  6. Set the following values, leave all other values at their defaults:

    Property Value (type value or select option as specified)
    Network on-prem
    Subnetwork subnet-e
  7. Click Done, and then click Create.

Click Check my progress to verify the objective. Create a new utility VM in the new subnet

Test connectivity

  1. In the Console, navigate to Navigation menu > Compute Engine > VM instances. Note the Internal IP for on-prem-2 for later use.

  2. For gcp-server, click SSH to launch a terminal and connect.

  3. To test connectivity to on-prem-2's internal IP, run the following command, replacing on-prem-2's internal IP with the value noted earlier:

ping -c 3 <Enter on-prem-2's internal IP here>

Note: If the ping fails, wait a minute for the new subnet's route to be advertised over BGP and ping again.

  4. Exit the gcp-server SSH terminal:

exit

View the routes

  1. In the Console, navigate to Navigation menu > VPC network > Routes.
  2. Click Dynamic to filter.
Note: Notice that new routes were dynamically added.
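Checking Task 6 and Task 7 from the CLI, as an added example that is not part of the lab. It assumes gcloud is authenticated against the lab project, the lab's resource names and zones, and that the firewall allows tcp:22 from the IAP range 35.235.240.0/20 (the lab's 0.0.0.0/0 rule does). POLL_INTERVAL and LAB_VERIFY are this script's own variables.

```shell
#!/bin/sh
# Added example (not part of the lab): waits for the four tunnels, prints each
# BGP session's state and the routes each Cloud Router learned, then pings the
# on-prem VMs from gcp-server over the VPN.
set -eu
REGION=us-east1
POLL_INTERVAL=${POLL_INTERVAL:-10}   # seconds between tunnel status polls

tunnel_status() {  # TUNNEL -> ESTABLISHED, FIRST_HANDSHAKE, NO_INCOMING_PACKETS, ...
  gcloud compute vpn-tunnels describe "$1" --region="$REGION" --format='value(status)'
}

# wait_for_tunnels [ATTEMPTS]: succeed once all four tunnels are ESTABLISHED.
wait_for_tunnels() {
  attempts=${1:-30}
  while [ "$attempts" -gt 0 ]; do
    pending=0
    for t in tunnel1 tunnel2 tunnel3 tunnel4; do
      [ "$(tunnel_status "$t")" = ESTABLISHED ] || pending=$((pending + 1))
    done
    [ "$pending" -eq 0 ] && return 0
    attempts=$((attempts - 1))
    sleep "$POLL_INTERVAL"
  done
  return 1
}

# BGP peer state plus the prefixes learned over BGP: the CLI view of the
# Console's "Dynamic" routes filter.
show_bgp() {  # ROUTER
  gcloud compute routers get-status "$1" --region="$REGION" \
    --format='yaml(result.bgpPeerStatus,result.bestRoutesForRouter)'
}

internal_ip() {  # INSTANCE ZONE
  gcloud compute instances describe "$1" --zone="$2" \
    --format='value(networkInterfaces[0].networkIP)'
}

# Ping a VM's internal IP from gcp-server. The SSH hop goes through IAP, so the
# check does not rely on port 22 being reachable from the internet.
ping_from_gcp_server() {  # TARGET-INSTANCE TARGET-ZONE
  ip=$(internal_ip "$1" "$2")
  gcloud compute ssh gcp-server --zone=us-east1-b --tunnel-through-iap \
    --command="ping -c 3 $ip"
}

verify_lab() {
  wait_for_tunnels || {
    echo "tunnels did not come up; re-check PSKs, tunnel pairing and BGP addresses" >&2
    return 1
  }
  show_bgp gcp-vpc-cr
  show_bgp on-prem-cr
  ping_from_gcp_server on-prem-1 europe-west1-b
  ping_from_gcp_server on-prem-2 europe-west1-c   # subnet-e, learned over BGP
}

if [ "${LAB_VERIFY:-0}" = 1 ]; then verify_lab; fi
```

Run it with LAB_VERIFY=1. After subnet-e is added, 10.4.2.0/24 should show up in gcp-vpc-cr's bestRoutesForRouter without anyone touching gcp-vpc; a tunnel stuck in FIRST_HANDSHAKE or NO_INCOMING_PACKETS usually means the pre-shared keys differ or the interfaces are paired wrongly.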

This is the benefit of Cloud Router. Imagine a complex campus network attached to another complex campus network.

Each location might be adding or removing multiple subnetworks daily. The Cloud Routers will discover the changes in network topology and propagate them to peer routers.

Imagine if there were 10 global campuses, and each added or removed subnet had to be accounted for in each of the other campuses. You can see how such a full-mesh topology would soon become overwhelming if the connections had to be maintained with static routes.

Congratulations!

You have configured VPN with Cloud Routers to dynamically discover and adapt to remote network topology changes.

Next steps / Learn more

Google Cloud training and certification

...helps you make the most of Google Cloud technologies. Our classes include technical skills and best practices to help you get up to speed quickly and continue your learning journey. We offer fundamental to advanced level training, with on-demand, live, and virtual options to suit your busy schedule. Certifications help you validate and prove your skill and expertise in Google Cloud technologies.

Manual Last Updated December 7, 2022

Lab Last Tested December 7, 2022

Copyright 2023 Google LLC All rights reserved. Google and the Google logo are trademarks of Google LLC. All other company and product names may be trademarks of the respective companies with which they are associated.