VPC Networking: Cloud HA-VPN
Lab
5 credits
Intermediate
This lab may incorporate AI tools to support your learning.
GSP619
Overview
HA-VPN is an IPsec VPN solution that provides secure connectivity between your on-premises network and your Google Cloud Virtual Private Cloud (VPC) network through an IPsec VPN connection, with 99.99% service availability at general availability (GA). HA-VPN is a regional, per-VPC VPN solution. HA-VPN gateways have two interfaces, each with its own public IP address. When you create an HA-VPN gateway, two public IP addresses are automatically chosen from different address pools. When HA-VPN is configured with two tunnels, Cloud VPN offers a 99.99% service availability uptime.
What you'll learn
How to configure high availability HA-VPN gateways
How to configure dynamic routing with VPN tunnels
How to configure global dynamic routing mode
How to verify high availability HA-VPN gateways
Note: This is a Beta release of HA VPN. This feature is not covered by any SLA or deprecation policy and might be subject to backward-incompatible changes.
For this lab, you will set up two VPCs and add a cloud HA-VPN gateway in each. You will run two tunnels from each VPN gateway to demonstrate the HA-VPN gateway configuration for 99.99% SLA.
You will create a global VPC network, vpc-demo, with two custom subnets in and . In this VPC, you will add a Compute Engine instance in each region. You will create a second VPC, on-prem, to simulate a customer's on-premises data center. In this VPC, you will add a subnet in region and an instance running in this region. You will then add a Cloud HA-VPN gateway and a Cloud Router in each VPC, and run two tunnels from each Cloud HA-VPN gateway.
Before you click the Start Lab button
Read these instructions. Labs are timed and you cannot pause them. The timer, which starts when you click Start Lab, shows how long Google Cloud resources are made available to you.
This hands-on lab lets you do the lab activities in a real cloud environment, not in a simulation or demo environment. It does so by giving you new, temporary credentials you use to sign in and access Google Cloud for the duration of the lab.
To complete this lab, you need:
Access to a standard internet browser (Chrome browser recommended).
Note: Use an Incognito (recommended) or private browser window to run this lab. This prevents conflicts between your personal account and the student account, which may cause extra charges incurred to your personal account.
Time to complete the lab—remember, once you start, you cannot pause a lab.
Note: Use only the student account for this lab. If you use a different Google Cloud account, you may incur charges to that account.
How to start your lab and sign in to the Google Cloud console
Click the Start Lab button. If you need to pay for the lab, a dialog opens for you to select your payment method.
On the left is the Lab Details pane with the following:
The Open Google Cloud console button
Time remaining
The temporary credentials that you must use for this lab
Other information, if needed, to step through this lab
Click Open Google Cloud console (or right-click and select Open Link in Incognito Window if you are running the Chrome browser).
The lab spins up resources, and then opens another tab that shows the Sign in page.
Tip: Arrange the tabs in separate windows, side-by-side.
Note: If you see the Choose an account dialog, click Use Another Account.
If necessary, copy the Username below and paste it into the Sign in dialog.
{{{user_0.username | "Username"}}}
You can also find the Username in the Lab Details pane.
Click Next.
Copy the Password below and paste it into the Welcome dialog.
{{{user_0.password | "Password"}}}
You can also find the Password in the Lab Details pane.
Click Next.
Important: You must use the credentials the lab provides you. Do not use your Google Cloud account credentials.
Note: Using your own Google Cloud account for this lab may incur extra charges.
Click through the subsequent pages:
Accept the terms and conditions.
Do not add recovery options or two-factor authentication (because this is a temporary account).
Do not sign up for free trials.
After a few moments, the Google Cloud console opens in this tab.
Note: To access Google Cloud products and services, click the Navigation menu or type the service or product name in the Search field.
Activate Cloud Shell
Cloud Shell is a virtual machine that is loaded with development tools. It offers a persistent 5GB home directory and runs on the Google Cloud. Cloud Shell provides command-line access to your Google Cloud resources.
Click Activate Cloud Shell at the top of the Google Cloud console.
Click through the following windows:
Continue through the Cloud Shell information window.
Authorize Cloud Shell to use your credentials to make Google Cloud API calls.
When you are connected, you are already authenticated, and the project is set to your Project_ID, . The output contains a line that declares the Project_ID for this session:
Your Cloud Platform project in this session is set to {{{project_0.project_id | "PROJECT_ID"}}}
gcloud is the command-line tool for Google Cloud. It comes pre-installed on Cloud Shell and supports tab-completion.
(Optional) You can list the active account name with this command:
gcloud auth list
Click Authorize.
Output:
ACTIVE: *
ACCOUNT: {{{user_0.username | "ACCOUNT"}}}
To set the active account, run:
$ gcloud config set account `ACCOUNT`
(Optional) You can list the project ID with this command:
gcloud config list project
Output:
[core]
project = {{{project_0.project_id | "PROJECT_ID"}}}
Note: For full documentation of gcloud, in Google Cloud, refer to the gcloud CLI overview guide.
Task 1. Cloud VPC setup
From Cloud Shell, create a vpc network called vpc-demo:
Click Check my progress to verify the objective.
Create gateway and routers
Create two VPN tunnels
You are now ready to create VPN tunnels between the two gateways. For an HA-VPN setup, you need to add two tunnels from each gateway to the remote setup. You will create a tunnel on interface0 and connect it to interface0 on the remote gateway. You will create another tunnel on interface1 and connect it to interface1 on the remote gateway.
When you run HA-VPN tunnels between two Google Cloud VPCs, you need to make sure that the tunnel on interface0 is connected to interface0 on the remote VPN gateway. Similarly, the tunnel on interface1 must be connected to interface1 on the remote VPN gateway.
Note: In your own environment, if you run HA-VPN to a remote VPN gateway on-premise for a customer, you can connect in one of the following ways:
Two on-premise VPN gateway devices: each of the tunnels from each interface on the Cloud VPN gateway must be connected to its own peer gateway.
A single on-premises VPN gateway device with two interfaces: each of the tunnels from each interface on the Cloud VPN gateway must be connected to its own interface on the peer gateway.
A single on-premises VPN gateway device with a single interface: both of the tunnels from each interface on the Cloud VPN gateway must be connected to the same interface on the peer gateway.
For this setup, you are simulating an on-premises setup with both VPN gateways in Google Cloud. Ensure that interface0 of one gateway connects to interface0 of the other, and that interface1 connects to interface1 of the remote gateway.
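The full tunnel and BGP build for both gateways, written here as an added example and not as the lab's own command lines (which are not reproduced on this page): it enforces the interface pairing rule described above, reads the IKE pre-shared key from the environment instead of the script, and adds the firewall rule that the later ping test depends on. Gateway, router and tunnel names, the two regions (REGION_1 and REGION_2 placeholders), the ASNs 65001 and 65002, the 169.254.N.0/30 link-local addressing and the remote subnet ranges are assumptions chosen for the example; the gcloud commands and flags themselves are real.

```shell
#!/bin/sh
# Added example, not the lab's own commands: build both ends of an HA-VPN pair
# between two Google Cloud VPCs (vpc-demo and the simulated on-prem VPC) from a
# small plan, enforcing the interface0<->interface0 / interface1<->interface1
# pairing the text requires. Gateway, router and tunnel names, regions, ASNs,
# link-local addressing and the firewall-rule names are assumptions chosen for
# the example; the gcloud commands and flags themselves are real.
set -eu

DRY_RUN="${DRY_RUN:-1}"            # 1 = print each command instead of running it
REGION_A="${REGION_A:-REGION_1}"   # placeholder for the vpc-demo region
REGION_B="${REGION_B:-REGION_2}"   # placeholder for the on-prem region

# IKE pre-shared key: read from the environment, never hard-coded in a script
# or left in shell history. Dry-run output shows a placeholder so the key is
# not written to logs.
if [ "$DRY_RUN" = 1 ]; then
  SECRET_ARG='<SHARED_SECRET>'
else
  SECRET_ARG="${SHARED_SECRET:?set SHARED_SECRET (e.g. openssl rand -base64 32)}"
fi

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Pairing rule for Google Cloud <-> Google Cloud gateways: the tunnel created
# with --interface N on one side must be matched by --interface N on the other.
check_pairing() {
  [ "$1" = "$2" ] && return 0
  echo "interface mismatch: vpc-demo side uses $1, on-prem side uses $2" >&2
  return 1
}

# One HA-VPN gateway (two interfaces, two public IPs) plus its Cloud Router.
create_gateway_and_router() { # REGION NETWORK GATEWAY ROUTER ASN
  run gcloud compute vpn-gateways create "$3" --network "$2" --region "$1"
  run gcloud compute routers create "$4" --network "$2" --region "$1" --asn "$5"
}

# BGP link-local /30 for tunnel N: 169.254.N.1 on side 1, 169.254.N.2 on side 2
# (assumed addressing; any unused /30 inside 169.254.0.0/16 per tunnel works).
bgp_ip() { printf '169.254.%s.%s' "$1" "$2"; }

# One tunnel, its Cloud Router interface and its BGP session on one side.
create_tunnel() { # REGION GATEWAY ROUTER PEER_GATEWAY PEER_ASN SIDE(1|2) IFACE(0|1)
  region=$1; gw=$2; router=$3; peer_gw=$4; peer_asn=$5; side=$6; iface=$7
  other=$((3 - side)); tun="$gw-tunnel$iface"
  run gcloud compute vpn-tunnels create "$tun" --region "$region" \
      --vpn-gateway "$gw" --interface "$iface" --peer-gcp-gateway "$peer_gw" \
      --router "$router" --ike-version 2 --shared-secret "$SECRET_ARG"
  run gcloud compute routers add-interface "$router" --region "$region" \
      --interface-name "if-$tun" --vpn-tunnel "$tun" \
      --ip-address "$(bgp_ip "$iface" "$side")" --mask-length 30
  run gcloud compute routers add-bgp-peer "$router" --region "$region" \
      --peer-name "bgp-$tun" --interface "if-$tun" \
      --peer-ip-address "$(bgp_ip "$iface" "$other")" --peer-asn "$peer_asn"
}

# Both ends of one tunnel pair. The on-prem side here is a second Google Cloud
# VPC, so the same interface index must be used on both gateways.
build_pair() { # VPCDEMO_IFACE ONPREM_IFACE
  check_pairing "$1" "$2"
  create_tunnel "$REGION_A" vpc-demo-vpn-gw1 vpc-demo-router1 on-prem-vpn-gw1 65002 1 "$1"
  create_tunnel "$REGION_B" on-prem-vpn-gw1 on-prem-router1 vpc-demo-vpn-gw1 65001 2 "$2"
}

# Allow only the remote VPC's subnet range in, not 0.0.0.0/0: the tunnel
# authenticates the peer, the firewall still decides which sources are trusted.
allow_from_remote() { # NETWORK RULE_NAME REMOTE_RANGE
  run gcloud compute firewall-rules create "$2" --network "$1" \
      --allow tcp,udp,icmp --source-ranges "$3"
}

main() {
  create_gateway_and_router "$REGION_A" vpc-demo vpc-demo-vpn-gw1 vpc-demo-router1 65001
  create_gateway_and_router "$REGION_B" on-prem on-prem-vpn-gw1 on-prem-router1 65002
  for i in 0 1; do build_pair "$i" "$i"; done
  # Assumed subnet ranges: 10.1.1.0/24 in vpc-demo, 192.168.1.0/24 in on-prem.
  allow_from_remote vpc-demo vpc-demo-allow-subnets-from-on-prem 192.168.1.0/24
  allow_from_remote on-prem on-prem-allow-subnets-from-vpc-demo 10.1.1.0/24
}
main
```

Run it as is to get a dry run that prints every command for review; set DRY_RUN=0 and SHARED_SECRET to execute. Both ends are created by the same script here, so the same pre-shared key is used on both sides automatically; with a real on-premises peer the key has to be delivered to the other administrator out of band.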
Now, from this instance in network on-prem, try to reach instances in network vpc-demo.
On the instance on-prem-instance1, ping 10.1.1.2:
ping 10.1.1.2
Output:
PING 10.1.1.2 (10.1.1.2) 56(84) bytes of data.
64 bytes from 10.1.1.2: icmp_seq=1 ttl=62 time=24.4 ms
64 bytes from 10.1.1.2: icmp_seq=2 ttl=62 time=21.3 ms
64 bytes from 10.1.1.2: icmp_seq=3 ttl=62 time=21.0 ms
64 bytes from 10.1.1.2: icmp_seq=4 ttl=62 time=21.0 ms
^C
--- 10.1.1.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 21.015/21.963/24.406/1.420 ms
Press CTRL+C to stop the command.
Global routing with VPN
Remember, HA-VPN is a regional resource, and by default a Cloud Router only sees the routes in the region where it is deployed. To reach instances in a different region from the Cloud Router, you need to enable global routing mode for the VPC. This allows the Cloud Router to see and advertise routes from other regions.
Open a new Cloud Shell tab and update the BGP routing mode of vpc-demo to GLOBAL:
gcloud compute networks update vpc-demo --bgp-routing-mode GLOBAL
Go back to the first Cloud Shell tab and verify pings between the instances in network vpc-demo and network on-prem:
ping 10.1.1.2
Output:
PING 10.1.1.2 (10.1.1.2) 56(84) bytes of data.
64 bytes from 10.1.1.2: icmp_seq=1 ttl=62 time=26.1 ms
64 bytes from 10.1.1.2: icmp_seq=2 ttl=62 time=22.0 ms
64 bytes from 10.1.1.2: icmp_seq=3 ttl=62 time=21.9 ms
^C
--- 10.1.1.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 21.935/23.376/26.117/1.942 ms
Press CTRL+C to stop the command.
Pings are still successful as the traffic is now sent over the second tunnel.
You have successfully configured HA-VPN tunnels.
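A verification script for the state the lab ends in, added here as an example and not part of the lab: it checks that vpc-demo is in GLOBAL routing mode, counts the tunnels in ESTABLISHED state and the BGP sessions that are UP on the vpc-demo side, and classifies the pair as fully highly available, degraded (traffic still flows over one tunnel, as the pings above showed) or down. The gateway and router names and the region placeholder are assumptions; the gcloud commands, output formats and status values are real, and the sample outputs embedded at the bottom are constructed so the logic runs without a project.

```shell
#!/bin/sh
# Added example, not the lab's own commands: verify that the HA pair is really
# highly available once the tunnels are up and global routing is enabled.
# Router, gateway and region names are assumptions; the gcloud commands, flags
# and status values are real. Sample outputs below are constructed so the
# checks can run offline (set RUN_LIVE=1 to query a real project instead).
set -eu

REGION="${REGION:-REGION_1}"   # placeholder for the vpc-demo region

# Live collectors; only called when RUN_LIVE=1.
routing_mode() {
  gcloud compute networks describe vpc-demo --format='value(routingConfig.routingMode)'
}
tunnel_states() {   # prints "name<TAB>status" for each tunnel on the gateway
  gcloud compute vpn-tunnels list --regions "$REGION" \
      --filter='vpnGateway:vpc-demo-vpn-gw1' --format='value(name,status)'
}
bgp_states() {      # prints the BGP session states joined with ';'
  gcloud compute routers get-status vpc-demo-router1 --region "$REGION" \
      --format='value(result.bgpPeerStatus[].status)'
}

# A Cloud Router only learns its own region's subnets unless the VPC is GLOBAL.
require_global_mode() { # MODE
  [ "$1" = GLOBAL ] && return 0
  echo "routing mode is $1; run: gcloud compute networks update vpc-demo --bgp-routing-mode GLOBAL" >&2
  return 1
}

# Count fields equal to PATTERN after splitting stdin on ';' and tabs.
count_matching() { tr ';\t' '\n\n' | grep -cx "$1" || true; }

# HA needs both tunnels ESTABLISHED and both BGP sessions UP. One of each still
# forwards traffic (the pings kept succeeding over the second tunnel), but the
# 99.99% design target is not met until the second path is restored.
ha_assessment() { # TUNNELS_UP BGP_UP
  if [ "$1" -ge 2 ] && [ "$2" -ge 2 ]; then echo HA_OK
  elif [ "$1" -ge 1 ] && [ "$2" -ge 1 ]; then echo DEGRADED
  else echo DOWN; fi
}

assess() { # TUNNEL_TEXT BGP_TEXT -> HA_OK | DEGRADED | DOWN
  t=$(printf '%s\n' "$1" | count_matching ESTABLISHED)
  b=$(printf '%s\n' "$2" | count_matching UP)
  ha_assessment "$t" "$b"
}

# Constructed samples in the shape gcloud prints for the formats above.
SAMPLE_TUNNELS_OK=$(printf 'vpc-demo-vpn-gw1-tunnel0\tESTABLISHED\nvpc-demo-vpn-gw1-tunnel1\tESTABLISHED')
SAMPLE_BGP_OK='UP;UP'
SAMPLE_TUNNELS_ONE=$(printf 'vpc-demo-vpn-gw1-tunnel0\tESTABLISHED\nvpc-demo-vpn-gw1-tunnel1\tNO_INCOMING_PACKETS')
SAMPLE_BGP_ONE='UP;DOWN'

main() {
  if [ "${RUN_LIVE:-0}" = 1 ]; then
    require_global_mode "$(routing_mode)"
    assess "$(tunnel_states)" "$(bgp_states)"
  else
    echo "both paths up:   $(assess "$SAMPLE_TUNNELS_OK" "$SAMPLE_BGP_OK")"
    echo "one tunnel down: $(assess "$SAMPLE_TUNNELS_ONE" "$SAMPLE_BGP_ONE")"
  fi
}
main
```

A DEGRADED result after deleting one tunnel is the expected outcome of the failover test above; a DEGRADED result in steady state means one path never came up and the 99.99% figure does not apply until it is repaired.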
Task 4. Cleanup
Because you are working in Qwiklabs, when you end the lab all your resources and your project will be cleaned up and discarded for you. You should know how to clean up resources yourself to save on cost and to be a good cloud citizen.
Delete VPN tunnels
From Cloud Shell, run the following commands to delete the remaining tunnels, confirming this action when asked:
How to configure high availability HA-VPN gateways
How to configure dynamic routing with vpn tunnels
How to configure global dynamic routing mode
How to verify high availability HA-VPN gateways
Next steps
Try more experiments with HA-VPN active/passive setup!
Google Cloud training and certification
...helps you make the most of Google Cloud technologies. Our classes include technical skills and best practices to help you get up to speed quickly and continue your learning journey. We offer fundamental to advanced level training, with on-demand, live, and virtual options to suit your busy schedule. Certifications help you validate and prove your skill and expertise in Google Cloud technologies.
Manual last updated June 25, 2024
Lab last tested June 25, 2024
Copyright 2025 Google LLC All rights reserved. Google and the Google logo are trademarks of Google LLC. All other company and product names may be trademarks of the respective companies with which they are associated.
Set up two VPCs and add a cloud HA-VPN gateway in each, then run two tunnels from each VPN gateway to demonstrate the HA-VPN gateway configuration for 99.99% SLA.
Duration: Setup time: 0 min · Access for 75 min · Completion time: 75 min