Here we will establish VPN tunnels between two networks in separate regions such that a VM in one network can ping a VM in the other network over its internal IP address.
Explore the networks and instances
Verify that vpn-network-1 and vpn-network-2 have been created with subnets in separate regions.
- In the Cloud Console, on the Navigation menu, click VPC network > VPC networks.
Explore the firewall rules
- In the navigation pane, click Firewall.
- Note the network-1-allow-ssh and network-1-allow-icmp rules for vpn-network-1.
- Note the network-2-allow-ssh and network-2-allow-icmp rules for vpn-network-2.
These firewall rules allow SSH and ICMP traffic from anywhere.
Explore the instances and their connectivity
Currently, the VPN connection between the two networks is not established. Explore the connectivity options between the instances in the networks.
- In the Cloud Console, on the Navigation menu, click Compute Engine > VM instances.
- Click Columns, and select Network.
- Note the external and internal IP addresses for server-2.
- For server-1, click SSH to launch a terminal and connect.
- To test connectivity to server-2’s external IP address, run the following command, replacing server-2’s external IP address with the value noted earlier:
ping -c 3 <Enter server-2's external IP address here>
This works because the VM instances can communicate over the internet.
- To test connectivity to server-2’s internal IP address, run the following command, replacing server-2’s internal IP address with the value noted earlier:
ping -c 3 <Enter server-2's internal IP address here>
You should see 100% packet loss when pinging the internal IP address because you don’t have VPN connectivity yet.
- Exit the SSH terminal.
Let’s try the same from server-2.
- Note the external and internal IP addresses for server-1.
- For server-2, click SSH to launch a terminal and connect.
- To test connectivity to server-1’s external IP address, run the following command, replacing server-1’s external IP address with the value noted earlier:
ping -c 3 <Enter server-1's external IP address here>
- To test connectivity to server-1’s internal IP address, run the following command, replacing server-1’s internal IP address with the value noted earlier:
ping -c 3 <Enter server-1's internal IP address here>
You should see similar results: the ping to the external IP address succeeds, and the ping to the internal IP address shows 100% packet loss.
- Exit the SSH terminal.
Why are we testing both server-1 to server-2 and server-2 to server-1?
For the purposes of this lab, the path from subnet-a to subnet-b is not the same as the path from subnet-b to subnet-a: one tunnel carries traffic in each direction. If both tunnels are not established, you won't be able to ping the remote server on its internal IP address; the ping might reach the remote server, but the response can't be returned.
This makes it much easier to debug the lab during class. In practice, a single tunnel could be used with symmetric configuration. However, it is more common to have multiple tunnels or multiple gateways and VPNs for production work, because a single tunnel could be a single point of failure.
Task 2: Create the VPN gateways and tunnels
Establish private communication between the two VM instances by creating VPN gateways and tunnels between the two networks.
Reserve two static IP addresses
Reserve one static IP address for each VPN gateway.
- In the Cloud Console, on the Navigation menu, click VPC network > External IP addresses.
- Click Reserve static address.
- Specify the following, and leave the remaining settings as their defaults:
  - Name: vpn-1-static-ip
  - IP version: IPv4
  - Region: us-central1
- Click Reserve.
Repeat the same for vpn-2-static-ip.
- Click Reserve static address.
- Specify the following, and leave the remaining settings as their defaults:
  - Name: vpn-2-static-ip
  - IP version: IPv4
  - Region: europe-west1
- Click Reserve.
Note both IP addresses for the next step. They will be referred to as [VPN-1-STATIC-IP] and [VPN-2-STATIC-IP].
Create the vpn-1 gateway and tunnel1to2
- In the Cloud Console, on the Navigation menu, click Hybrid Connectivity > VPN.
- Click Create VPN Connection.
- If asked, select Classic VPN, and then click Continue.
- Specify the following in the VPN gateway section, and leave the remaining settings as their defaults:
  - Name: vpn-1
  - Network: vpn-network-1
  - Region: us-central1
  - IP address: vpn-1-static-ip
- Specify the following in the Tunnels section, and leave the remaining settings as their defaults:
  - Name: tunnel1to2
  - Remote peer IP address: [VPN-2-STATIC-IP]
  - IKE pre-shared key: gcprocks
  - Routing options: Route-based
  - Remote network IP ranges: 10.1.3.0/24
Make sure to replace [VPN-2-STATIC-IP] with your reserved IP address for europe-west1.
- Click command line.
The gcloud command line window shows the gcloud commands that create the VPN gateway and VPN tunnel, and it shows that three forwarding rules are also created.
- Click Close.
- Click Create.
Create the vpn-2 gateway and tunnel2to1
- Click VPN setup wizard.
- If asked, select Classic VPN, and then click Continue.
- Specify the following in the VPN gateway section, and leave the remaining settings as their defaults:
  - Name: vpn-2
  - Network: vpn-network-2
  - Region: europe-west1
  - IP address: vpn-2-static-ip
- Specify the following in the Tunnels section, and leave the remaining settings as their defaults:
  - Name: tunnel2to1
  - Remote peer IP address: [VPN-1-STATIC-IP]
  - IKE pre-shared key: gcprocks
  - Routing options: Route-based
  - Remote network IP ranges: 10.5.4.0/24
Make sure to replace [VPN-1-STATIC-IP] with your reserved IP address for us-central1.
- Click Create.
- Click Cloud VPN Tunnels.
Wait for the VPN tunnels status to change to Established for both tunnels before continuing.
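The console's command line button shows the gcloud commands behind the vpn-1 and vpn-2 procedures above. The helper below is an added example, not the console's own output: it generates (or, with RUN=1, executes in Cloud Shell) the same sequence for one side of the VPN, making the three forwarding rules and the static route that the console creates silently visible. Gateway, network, region, tunnel names and remote ranges are the lab's; the IP addresses used in the test are constructed documentation addresses, and the pre-shared key is read from SHARED_SECRET rather than written into the script.

```shell
#!/bin/sh
# Added example: gcloud equivalent of one side of the Classic VPN from Task 2.
# Prints the commands by default; set RUN=1 to execute them in Cloud Shell.

emit() {
  if [ "${RUN:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# vpn_side GATEWAY NETWORK REGION LOCAL_STATIC_IP PEER_STATIC_IP TUNNEL REMOTE_RANGE
vpn_side() {
  gw=$1; net=$2; region=$3; local_ip=$4; peer_ip=$5; tunnel=$6; remote=$7
  : "${SHARED_SECRET:?set SHARED_SECRET to the IKE pre-shared key (gcprocks in the lab)}"

  # 1. The Classic VPN gateway belongs to one network in one region.
  emit gcloud compute target-vpn-gateways create "$gw" \
       --network="$net" --region="$region"

  # 2. The three forwarding rules the console creates without showing them:
  #    they steer IPsec (ESP) and IKE (UDP 500, UDP 4500 for NAT-T) on the
  #    reserved static IP to the gateway.
  emit gcloud compute forwarding-rules create "$gw-rule-esp" --region="$region" \
       --address="$local_ip" --ip-protocol=ESP --target-vpn-gateway="$gw"
  emit gcloud compute forwarding-rules create "$gw-rule-udp500" --region="$region" \
       --address="$local_ip" --ip-protocol=UDP --ports=500 --target-vpn-gateway="$gw"
  emit gcloud compute forwarding-rules create "$gw-rule-udp4500" --region="$region" \
       --address="$local_ip" --ip-protocol=UDP --ports=4500 --target-vpn-gateway="$gw"

  # 3. Route-based tunnel: traffic selectors are 0.0.0.0/0, so the route in
  #    step 4 decides what enters the tunnel. The peer is the other gateway's
  #    static IP; IKEv2 is the console default.
  emit gcloud compute vpn-tunnels create "$tunnel" --region="$region" \
       --target-vpn-gateway="$gw" --peer-address="$peer_ip" \
       --shared-secret="$SHARED_SECRET" --ike-version=2 \
       --local-traffic-selector=0.0.0.0/0 --remote-traffic-selector=0.0.0.0/0

  # 4. Static route for the remote subnet via the tunnel. Without the matching
  #    route on the other side, replies cannot come back (see Task 1).
  emit gcloud compute routes create "$tunnel-route" --network="$net" \
       --destination-range="$remote" --next-hop-vpn-tunnel="$tunnel" \
       --next-hop-vpn-tunnel-region="$region"
}

# Both directions as built in Task 2 (replace the placeholders with the reserved IPs):
# SHARED_SECRET=gcprocks vpn_side vpn-1 vpn-network-1 us-central1 [VPN-1-STATIC-IP] [VPN-2-STATIC-IP] tunnel1to2 10.1.3.0/24
# SHARED_SECRET=gcprocks vpn_side vpn-2 vpn-network-2 europe-west1 [VPN-2-STATIC-IP] [VPN-1-STATIC-IP] tunnel2to1 10.5.4.0/24
```

Note that the printed form includes the pre-shared key, so keep the output out of shared logs.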
Task 3: Verify VPN connectivity
Verify server-1 to server-2 connectivity
- In the Cloud Console, on the Navigation menu, click Compute Engine > VM instances.
- For server-1, click SSH to launch a terminal and connect.
- To test connectivity to server-2's internal IP address, run the following command:
ping -c 3 <insert server-2's internal IP address here>
- Exit the server-1 SSH terminal.
- For server-2, click SSH to launch a terminal and connect.
- To test connectivity to server-1's internal IP address, run the following command:
ping -c 3 <insert server-1's internal IP address here>
Remove the external IP addresses
Now that you verified VPN connectivity, you can remove the instances’ external IP addresses. For demonstration purposes, just do this for the server-1 instance.
- On the Navigation menu, click Compute Engine > VM instances.
- Select the server-1 instance and click Stop. Wait for the instance to stop.
Instances need to be stopped before you can make changes to their network interfaces.
- Click on the name of the server-1 instance to open the VM instance details page.
- Click Edit.
- For Network interfaces, click the Edit icon.
- Change External IP to None.
- Click Done.
- Click Save and wait for the instance details to update.
- Click Start.
- Click Start again to confirm that you want to start the VM instance.
- Return to the VM instances page and wait for the instance to start.
- Notice that External IP is set to None for the server-1 instance.
Feel free to SSH to server-2 and verify that you can still ping the server-1 instance's internal IP address. You won't be able to SSH to server-1 from the Cloud Console, but you can do so from Cloud Shell using Cloud IAP as described here.
External IP addresses that don't fall under the Free Tier will incur a small cost. Also, as a general security best practice, it's a good idea to use internal IP addresses where applicable, and since you configured Cloud VPN you no longer need to communicate between instances using their external IP addresses.
Here we configured VPN communication between two networks with subnets in separate regions, and then tested the VPN link by pinging VMs in each network over their internal IP addresses.
We also used the Cloud Console to set up the VPN gateways and tunnels. This process hides the creation of the forwarding rules, which the console reveals through the command line button. Knowing what is created behind the scenes helps when resolving a setup problem.