Cloud Interconnect & VPN

Connecting your on-premises network to GCP is a fundamental requirement for hybrid cloud architectures. GCP offers several connectivity options: Cloud VPN for encrypted tunnels over the internet, Dedicated Interconnect for private, high-bandwidth connections, and Partner Interconnect for private connections through a service provider. Choosing the right option depends on bandwidth needs, latency requirements, cost, and how quickly you need the connection.

---

Cloud VPN

Cloud VPN provides encrypted IPsec tunnels between your on-premises network and your GCP VPC over the public internet. It is the quickest and most cost-effective way to establish hybrid connectivity.

HA VPN (Recommended)

HA VPN provides a 99.99% SLA with two interfaces and automatic failover:

• Two VPN interfaces on the GCP side, each with its own external IP.
• You create tunnels from each interface to your on-premises VPN device.
• If one tunnel goes down, traffic fails over to the other.

# Create an HA VPN gateway
gcloud compute vpn-gateways create my-ha-vpn \
  --network=my-vpc \
  --region=europe-west2

# Create a Cloud Router for BGP
gcloud compute routers create my-router \
  --network=my-vpc \
  --region=europe-west2 \
  --asn=65001

# Create VPN tunnels (one per interface)
gcloud compute vpn-tunnels create tunnel-0 \
  --vpn-gateway=my-ha-vpn \
  --interface=0 \
  --peer-gcp-gateway=peer-vpn \
  --region=europe-west2 \
  --ike-version=2 \
  --shared-secret=my-secret \
  --router=my-router

Classic VPN (Legacy)

Classic VPN provides a single interface with a 99.9% SLA. It supports both static and dynamic (BGP) routing. Google recommends migrating to HA VPN for new deployments.

Cloud VPN Characteristics

Feature	HA VPN	Classic VPN
SLA	99.99%	99.9%
Interfaces	2	1
Routing	BGP (dynamic) required	Static or BGP
Bandwidth	Up to 3 Gbps per tunnel (with multiple tunnels for aggregation)	Up to 3 Gbps per tunnel
Encryption	IPsec with IKEv2	IPsec with IKEv1 or IKEv2

---

Dedicated Interconnect

Dedicated Interconnect provides a private, physical connection between your on-premises network and Google's network at a colocation facility (an Interconnect location). Traffic does not traverse the public internet.

Key Features

• Bandwidth: 10 Gbps or 100 Gbps per link (up to 8 links for 200 Gbps or 800 Gbps aggregate).
• Latency: Lower and more predictable than internet-based VPN.
• SLA: 99.99% with recommended topology (four connections across two metro areas).
• No encryption by default: Traffic is private but not encrypted. Use MACsec or IPsec over Interconnect for encryption.
• Cost: Significant monthly cost for the physical connection plus egress charges (which are lower than standard internet egress).