Dynamic VPN Gateways - Cloud Routers
GSP218
Overview
In this lab, you configure Cloud Routers using the Console. The Cloud Routers will implement VPN gateways configured with BGP. BGP provides dynamic network discovery and eliminates the need to configure or maintain static routes. When successful you will be able to ping the internal IP of the VM in a newly discovered subnetwork via an auto-populated route.
What you'll learn
In this lab, you learn how to perform the following tasks:
- Create two networks to represent your VPC and on-premises network with a VM in each network to test connectivity.
- Connect the two networks using Cloud Routers.
- Add a new subnetwork and verify that dynamic BGP routing is working.
Setup and requirements
Before you click the Start Lab button
Read these instructions. Labs are timed and you cannot pause them. The timer, which starts when you click Start Lab, shows how long Google Cloud resources will be made available to you.
This hands-on lab lets you do the lab activities yourself in a real cloud environment, not in a simulation or demo environment. It does so by giving you new, temporary credentials that you use to sign in and access Google Cloud for the duration of the lab.
To complete this lab, you need:
- Access to a standard internet browser (Chrome browser recommended).
- Time to complete the lab. Remember, once you start, you cannot pause a lab.
How to start your lab and sign in to the Google Cloud Console
- Click the Start Lab button. If you need to pay for the lab, a pop-up opens for you to select your payment method. On the left is the Lab Details panel with the following:
  - The Open Google Console button
  - Time remaining
  - The temporary credentials that you must use for this lab
  - Other information, if needed, to step through this lab
- Click Open Google Console. The lab spins up resources, and then opens another tab that shows the Sign in page.
  Tip: Arrange the tabs in separate windows, side-by-side.
  Note: If you see the Choose an account dialog, click Use Another Account.
- If necessary, copy the Username from the Lab Details panel and paste it into the Sign in dialog. Click Next.
- Copy the Password from the Lab Details panel and paste it into the Welcome dialog. Click Next.
  Important: You must use the credentials from the left panel. Do not use your Google Cloud Skills Boost credentials.
  Note: Using your own Google Cloud account for this lab may incur extra charges.
- Click through the subsequent pages:
  - Accept the terms and conditions.
  - Do not add recovery options or two-factor authentication (because this is a temporary account).
  - Do not sign up for free trials.
After a few moments, the Cloud Console opens in this tab.
Task 1. Create the networks
Create two custom networks with subnetworks and start micro VMs in each.
Create the first network
- In the Console, navigate to Navigation menu > VPC network > VPC networks.
- Click Create VPC Network.
- Set the following values, leave all other values at their defaults:
    Name: gcp-vpc
    Description: Enter an optional description
- For Subnet creation mode, click Custom.
- Set the following values, leave all other values at their defaults:
    Name: subnet-a
    Region: us-east1
    IPv4 range: 10.5.4.0/24
- Click Add Subnet.
- Set the following values, leave all other values at their defaults:
    Name: subnet-b
    Region: us-central1
    IPv4 range: 10.2.4.0/24
- For Dynamic Routing Mode, select Global.
- Click Create.
Create the second network
For your second network, use a different region than the first network.
- Still in VPC networks, click Create VPC Network.
- Set the following values, leave all other values at their defaults:
    Name: on-prem
    Description: Enter an optional description
- For Subnet creation mode, click Custom.
- Set the following values, leave all other values at their defaults:
    Name: subnet-c
    Region: us-east1
    IPv4 range: 10.2.3.0/24
- Click Add Subnet.
- Set the following values, leave all other values at their defaults:
    Name: subnet-d
    Region: europe-west1
    IPv4 range: 10.1.3.0/24
- For Dynamic Routing Mode, select Global.
- Click Create.
Click Check my progress to verify the objective.
Task 2. Create the utility VMs
Create the first instance
Create the first VM in the same region as gcp-vpc.
- In the Console, navigate to Navigation menu > Compute Engine > VM instances, and then click Create instance.
- Set the following values, leave all other values at their defaults:
    Name: gcp-server
    Region: us-east1
    Zone: us-east1-b
    Machine type: e2-micro
- Click Advanced options.
- Click Networking.
- For Network interfaces, click the dropdown icon to edit.
- Set the following values, leave all other values at their defaults:
    Network: gcp-vpc
    Subnetwork: subnet-a
- Click Done, and then click Create.
Create the second instance
Create the second VM in the same region as on-prem.
- Still in the VM instances dialog, click Create Instance.
- Set the following values, leave all other values at their defaults:
    Name: on-prem-1
    Region: europe-west1 (Belgium)
    Zone: europe-west1-b
    Machine type: e2-micro
- Click Advanced options.
- Click Networking.
- For Network interfaces, click the dropdown icon to edit.
- Set the following values, leave all other values at their defaults:
    Network: on-prem
    Subnetwork: subnet-d
- Click Done, and then click Create.
Click Check my progress to verify the objective.
Task 3. Create the firewall rules
Allow ICMP and SSH into each network.
Allow SSH traffic to gcp-vpc
- In the Console, navigate to Navigation menu > VPC network > Firewall.
- Click Create Firewall Rule.
- Set the following values, leave all other values at their defaults:
    Name: allow-icmp-ssh-gcp-vpc
    Network: gcp-vpc
    Targets: All instances in the network
    Source filter: IPv4 Ranges
    Source IPv4 ranges: 0.0.0.0/0
    Protocols and ports: Specified protocols and ports; check tcp and type 22; check Other protocols and type icmp
- Click Create.
Allow SSH traffic to on-prem
- Still in the Firewall rules dialog, click Create Firewall Rule.
- Set the following values, leave all other values at their defaults:
    Name: allow-icmp-ssh-on-prem
    Network: on-prem
    Targets: All instances in the network
    Source filter: IPv4 Ranges
    Source IPv4 ranges: 0.0.0.0/0
    Protocols and ports: Specified protocols and ports; check tcp and type 22; check Other protocols and type icmp
- Click Create.
Click Check my progress to verify the objective.
Task 4. Verify network connectivity
Test connectivity from gcp-server to on-prem-1
- In the Console, navigate to Navigation menu > Compute Engine > VM instances. Note the external and internal IP addresses for on-prem-1 as you will use them in future steps.
- For gcp-server, click SSH to launch a terminal and connect.
- To test connectivity to on-prem-1's external IP, run the following command, replacing on-prem-1's external IP with the value noted earlier:
  This should work; 3 packets transmitted, 3 received, and 0% packet loss.
- To test connectivity to on-prem-1's internal IP, run the following command, replacing on-prem-1's internal IP with the value noted earlier:
  This should not work. You should see 100% packet loss when pinging the internal IP.
- Exit the SSH terminal:
Test connectivity from on-prem-1 to gcp-server
- Note the external and internal IP addresses for gcp-server.
- For on-prem-1, click SSH to launch a terminal and connect.
- To test connectivity to gcp-server's external IP, run the following command, replacing gcp-server's external IP with the value noted earlier:
  This should work; 3 packets transmitted, 3 received, and 0% packet loss.
- Test connectivity to gcp-server's internal IP, replacing gcp-server's internal IP with the value noted earlier:
  This should not work. You should see 100% packet loss when pinging the internal IP.
- Exit the SSH terminal:
Task 5. Create two fully configured HA VPN gateways that connect to each other
Create the gcp-vpc Cloud Router
- In the Console, navigate to Navigation menu > Hybrid Connectivity > Cloud Routers, and then click Create router.
- Set the following values, leave all other values at their defaults:
    Name: gcp-vpc-cr
    Network: gcp-vpc
    Region: us-east1
    Google ASN: 65470
- Click Create.
Create the on-prem Cloud Router
- Still in the Cloud Routers dialog, click Create router.
- Set the following values, leave all other values at their defaults:
    Name: on-prem-cr
    Network: on-prem
    Region: us-east1
    Google ASN: 65503
- Click Create.
Create the first VPN Gateway
- In the Console, navigate to Navigation menu > Hybrid Connectivity > VPN.
- Click Create VPN connection.
- For VPN options, choose High-Availability (HA) VPN.
- Click Continue.
- Set the following values, leave all other values at their defaults:
    VPN gateway name: vpn-1
    Network: gcp-vpc
    Region: us-east1
    VPN tunnel inner IP stack type: IPv4
- Click Create & Continue.
Create the second VPN gateway
- Still in the VPN dialog, click VPN on the side panel.
- Click Create VPN Gateway.
- Set the following values, leave all other values at their defaults:
    VPN gateway name: vpn-2
    Network: on-prem
    Region: us-east1
    VPN tunnel inner IP stack type: IPv4
- Click Create.
Create VPN tunnels for first gateway
- In the VPN page, click on your vpn-1.
- Click Add VPN Tunnel.
- For Peer VPN Gateway, select Google Cloud.
- Click SELECT PROJECT.
- Choose your unique qwiklabs project.
- Select vpn-2 as the VPN gateway name.
- Ensure Create a pair of VPN tunnels is selected.
- Under Cloud Router, choose your gcp-vpc-cr.
- In the VPN Tunnel set the following values, leave all other values at their defaults:
    Name: tunnel1
    IKE version: IKEv2
    IKE pre-shared key: gcprocks
- Click Done.
- Select the VPN Tunnel (not configured yet).
- Set the following values, leave all other values at their defaults:
    Name: tunnel2
    IKE version: IKEv2
    IKE pre-shared key: gcprocks
- Click Done.
- Click Create & Continue.
Configure BGP sessions for first gateway
- You should see two BGP sessions listed at the Configure BGP Sessions section.
- Click Configure BGP Session for the first session and add in the following values:
    Name: bgp1to3
    Peer ASN: 65503
    Cloud Router BGP IPv4 Address: 169.254.0.1
    BGP Peer IPv4 Address: 169.254.0.2
- Click Save and Continue.
- Click Configure BGP Session for the second session and add in the following values:
    Name: bgp2to4
    Peer ASN: 65503
    Cloud Router BGP IPv4 Address: 169.254.1.1
    BGP Peer IPv4 Address: 169.254.1.2
- Click Save and Continue.
- Click Save BGP Configuration.
You will likely see warnings at this point as a tunnel has not been created in the second VPN yet. You will do that in the next section.
Create VPN tunnels for second gateway
- Click VPN in the side bar or find the page using the Navigation menu > Hybrid Connectivity > VPN.
- Select Cloud VPN Gateways.
- Click on vpn-2.
- Click Add VPN Tunnel.
- For Peer VPN Gateway, select Google Cloud.
- Click SELECT PROJECT.
- Choose your unique qwiklabs project.
- Select vpn-1 as the VPN gateway name.
- Ensure Create a pair of VPN tunnels is selected.
- Under Cloud Router, choose your on-prem-cr.
- In the VPN Tunnel set the following values, leave all other values at their defaults:
    Name: tunnel3
    IKE version: IKEv2
    IKE pre-shared key: gcprocks
- Click Done.
- Select the VPN Tunnel (not configured yet).
- Set the following values, leave all other values at their defaults:
    Name: tunnel4
    IKE version: IKEv2
    IKE pre-shared key: gcprocks
- Click Done.
- Click Create & Continue.
Configure BGP sessions for second gateway
- You should see two BGP sessions listed at the Configure BGP Sessions section.
- Click Configure BGP Session for the first session and add in the following values:
    Name: bgp3to1
    Peer ASN: 65470
    Cloud Router BGP IPv4 Address: 169.254.0.2
    BGP Peer IPv4 Address: 169.254.0.1
- Click Save and Continue.
- Click Configure BGP Session for the second session and add in the following values:
    Name: bgp4to2
    Peer ASN: 65470
    Cloud Router BGP IPv4 Address: 169.254.1.2
    BGP Peer IPv4 Address: 169.254.1.1
- Click Save and Continue.
- Click Save BGP Configuration.
Wait until the VPNs show a green check mark when viewed in the VPN page indicating that they are connected. If one is green and the other remains red, there was probably a configuration error. Verify that every value is correct.
Click Check my progress to verify the objective.
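When one tunnel stays red, the usual cause is a value on one router that does not mirror its partner on the other. The following Python script is an added example (not part of the lab or of Google's tooling) that checks the values entered in Tasks 1 and 5 for internal consistency: no overlapping subnets, private ASNs, link-local BGP addresses in a shared /30, and every BGP session mirrored by one on the far router whose ASN matches the configured peer ASN. The SUBNETS, ROUTERS and BGP_SESSIONS tables are constructed from the values on this page.

```python
import ipaddress
from itertools import combinations

# Constructed from the values this lab has you enter; not part of the lab itself.
SUBNETS = {
    "gcp-vpc": {"subnet-a": "10.5.4.0/24", "subnet-b": "10.2.4.0/24"},
    "on-prem": {"subnet-c": "10.2.3.0/24", "subnet-d": "10.1.3.0/24"},
}
ROUTERS = {"gcp-vpc-cr": 65470, "on-prem-cr": 65503}   # Google ASN per Cloud Router
# (Cloud Router, session name, Cloud Router BGP IPv4, BGP peer IPv4, peer ASN)
BGP_SESSIONS = [
    ("gcp-vpc-cr", "bgp1to3", "169.254.0.1", "169.254.0.2", 65503),
    ("gcp-vpc-cr", "bgp2to4", "169.254.1.1", "169.254.1.2", 65503),
    ("on-prem-cr", "bgp3to1", "169.254.0.2", "169.254.0.1", 65470),
    ("on-prem-cr", "bgp4to2", "169.254.1.2", "169.254.1.1", 65470),
]
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
PRIVATE_ASN = range(64512, 65535)  # 16-bit private ASN range, 64512-65534

def check_subnets(subnets):
    """Routes learned over BGP must not collide with local ones: no two subnets may overlap."""
    ranges = [(net, name, ipaddress.ip_network(cidr))
              for net, subs in subnets.items() for name, cidr in subs.items()]
    return [f"{n1}/{s1} {r1} overlaps {n2}/{s2} {r2}"
            for (n1, s1, r1), (n2, s2, r2) in combinations(ranges, 2) if r1.overlaps(r2)]

def check_bgp(routers, sessions):
    """Each session needs a mirror on the far router (IPs swapped) whose ASN is our peer ASN."""
    problems = []
    by_ips = {(s[2], s[3]): s for s in sessions}
    for router, name, local, peer, peer_asn in sessions:
        if routers[router] not in PRIVATE_ASN:
            problems.append(f"{router}: ASN {routers[router]} is not a private ASN")
        if any(ipaddress.ip_address(ip) not in LINK_LOCAL for ip in (local, peer)):
            problems.append(f"{name}: BGP addresses must be link-local (169.254.0.0/16)")
        elif (ipaddress.ip_network(f"{local}/30", strict=False)
              != ipaddress.ip_network(f"{peer}/30", strict=False)):
            problems.append(f"{name}: {local} and {peer} are not in the same /30")
        mirror = by_ips.get((peer, local))  # the far side's session, seen from its router
        if mirror is None:
            problems.append(f"{name}: no session on the far router uses {peer} -> {local}")
        elif routers[mirror[0]] != peer_asn:
            problems.append(f"{name}: peer ASN {peer_asn} != {mirror[0]} ASN {routers[mirror[0]]}")
    return problems

def validate(subnets=SUBNETS, routers=ROUTERS, sessions=BGP_SESSIONS):
    """Return an empty list when the configuration is internally consistent."""
    return check_subnets(subnets) + check_bgp(routers, sessions)
```

Calling validate() with the lab's values returns an empty list; edit one entry (a mistyped peer ASN, a session left unconfigured) and the returned messages name the session to revisit.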
Task 6. Verify the connection
- In the Console, navigate to Navigation menu > Compute Engine > VM instances. Note the internal IP addresses for gcp-server and on-prem-1.
- For gcp-server, click SSH to launch a terminal and connect.
- To test connectivity to on-prem-1's internal IP, run the following command, replacing on-prem-1's internal IP with the value noted earlier:
- Exit the gcp-server SSH terminal:
- For on-prem-1, click SSH to launch a terminal and connect.
- Test connectivity to gcp-server's internal IP, replacing gcp-server's internal IP with the value noted earlier:
- Exit the on-prem-1 SSH terminal:
Task 7. Demonstrate dynamic routing
View the current routes
- In the Console, navigate to Navigation menu > VPC network > Routes.
- Click Dynamic to filter.
Create a new subnet in on-prem
- In the left pane, click VPC networks.
- Click on-prem, and then click Add subnet.
- Set the following values, leave all other values at their defaults:
    Name: subnet-e
    Region: europe-west1
    IPv4 range: 10.4.2.0/24
- This subnet is created in the same region as on-prem. Click Add.
Create a new utility VM in the new subnet
This VM is created in the same region as on-prem.
- In the Console, navigate to Navigation menu > Compute Engine > VM instances, and then click Create Instance.
- Set the following values, leave all other values at their defaults:
    Name: on-prem-2
    Region: europe-west1
    Zone: europe-west1-c
    Machine type: e2-micro
- Click Advanced options.
- Click Networking.
- For Network interfaces, click the dropdown icon to edit.
- Set the following values, leave all other values at their defaults:
    Network: on-prem
    Subnetwork: subnet-e
- Click Done, and then click Create.
Click Check my progress to verify the objective.
Test connectivity
- In the Console, navigate to Navigation menu > Compute Engine > VM instances. Note the Internal IP for on-prem-2 for later use.
- For gcp-server, click SSH to launch a terminal and connect.
- To test connectivity to on-prem-2's internal IP, run the following command, replacing on-prem-2's internal IP with the value noted earlier:
- Exit the gcp-server SSH terminal:
View the routes
- In the Console, navigate to Navigation menu > VPC network > Routes.
- Click Dynamic to filter.
Congratulations!
You have configured VPN with Cloud Routers to dynamically discover and adapt to remote network topology changes.
Next steps / Learn more
- For information on the basic concepts of VPC Routing, see Routes Overview.
- For more information on configuring a BGP session, see Establishing BGP Sessions.
Google Cloud training and certification
Google Cloud training and certification helps you make the most of Google Cloud technologies. Our classes include technical skills and best practices to help you get up to speed quickly and continue your learning journey. We offer fundamental to advanced level training, with on-demand, live, and virtual options to suit your busy schedule. Certifications help you validate and prove your skill and expertise in Google Cloud technologies.
Manual Last Updated December 7, 2022
Lab Last Tested December 7, 2022
Copyright 2023 Google LLC All rights reserved. Google and the Google logo are trademarks of Google LLC. All other company and product names may be trademarks of the respective companies with which they are associated.