Setting-up Cloud HA-VPN

For this lab, you will set up two VPCs and add a cloud HA-VPN gateway in each. You will run two tunnels from each VPN gateway to demonstrate the HA-VPN gateway configuration for 99.99% SLA.

You will create a global VPC network, vpc-demo, with two custom subnets in us-east1 and us-central1. In this VPC, you will add a Compute Engine instance in each region. You will create a second vpc on-prem to simulate customer’s on-prem data center. In this VPC, you will add a subnet in region us-central1 and an instance running in this region. You will then add Cloud HA-VPN and a cloud router in each vpc, and run two tunnels from each cloud HA-VPN gateway.

Cloud VPC Setup

1. From Cloud Shell, create a vpc network called vpc-demo:

   gcloud compute networks create vpc-demo --subnet-mode custom

2. Now create subnet vpc-demo-us-subnet1 in us-central1 region:

   gcloud beta compute networks subnets create vpc-demo-subnet1 \
   --network vpc-demo --range 10.1.1.0/24 --region us-central1

3. Create subnet vpc-demo-subnet2 in us-east1 region:

   gcloud beta compute networks subnets create vpc-demo-subnet2 \
   --network vpc-demo --range 10.2.1.0/24 --region us-east1

4. Create a firewall rule to allow all internal traffic within the network:

   gcloud compute firewall-rules create vpc-demo-allow-internal \
   --network vpc-demo \
   --allow tcp:0-65535,udp:0-65535,icmp \
   --source-ranges 10.0.0.0/8

5. Create a vm instance vpc-demo-instance1 in zone us-central1-b:

   gcloud compute instances create vpc-demo-instance1 --zone us-central1-b --subnet vpc-demo-subnet1

6. Create a vm instance vpc-demo-instance2 in zone us-east1-b:

   gcloud compute instances create vpc-demo-instance2 --zone us-east1-b --subnet vpc-demo-subnet2

Simulate on-premises setup

1. Create a vpc network called on-prem:

   gcloud compute networks create on-prem --subnet-mode custom

2. Create subnet on-prem-subnet1:

   gcloud beta compute networks subnets create on-prem-subnet1 \
   --network on-prem --range 192.168.1.0/24 --region us-central1

3. Create a firewall rule to allow all internal traffic within the network:

   gcloud compute firewall-rules create on-prem-allow-internal \
     --network on-prem \
     --allow tcp:0-65535,udp:0-65535,icmp \
     --source-ranges 192.168.0.0/16

4. Create a firewall rule to allow ssh, rdp, http, icmp to the instances:

   gcloud compute firewall-rules create on-prem-allow-ssh-icmp \
       --network on-prem \
       --allow tcp:22,icmp

5. Create an instance vpc-demo-instance1 in region us-central1:

   gcloud compute instances create on-prem-instance1 --zone us-central1-a --subnet on-prem-subnet1

HA-VPN setup

1. Create a Cloud HA-VPN in network vpc-demo:

   gcloud beta compute vpn-gateways create vpc-demo-vpn-gw1 --network vpc-demo --region us-central1

2. Create a Cloud HA-VPN in network on-prem:

   gcloud beta compute vpn-gateways create on-prem-vpn-gw1 --network on-prem --region us-central1

3. View details of vpn-gateway vpc-demo-vpn-gw1:

   gcloud beta compute vpn-gateways describe vpc-demo-vpn-gw1 --region us-central1

4. View details of vpn-gateway on-prem-vpn-gw1:

   gcloud beta compute vpn-gateways describe on-prem-vpn-gw1 --region us-central1

5. Create a cloud router in network vpc-demo:

   gcloud compute routers create vpc-demo-router1 \
       --region us-central1 \
       --network vpc-demo \
       --asn 65001

6. Create a cloud router in network on-prem:

   gcloud compute routers create on-prem-router1 \
       --region us-central1 \
       --network on-prem \
       --asn 65002

7. Create the first VPN tunnels in network vpc-demo:

   gcloud beta compute vpn-tunnels create vpc-demo-tunnel0 \
       --peer-gcp-gateway on-prem-vpn-gw1 \
       --region us-central1 \
       --ike-version 2 \
       --shared-secret [SHARED_SECRET] \
       --router vpc-demo-router1 \
       --vpn-gateway vpc-demo-vpn-gw1 \
       --interface 0

8. Now create the second tunnel:

   gcloud beta compute vpn-tunnels create vpc-demo-tunnel1 \
       --peer-gcp-gateway on-prem-vpn-gw1 \
       --region us-central1 \
       --ike-version 2 \
       --shared-secret [SHARED_SECRET] \
       --router vpc-demo-router1 \
       --vpn-gateway vpc-demo-vpn-gw1 \
       --interface 1

9. Create on-prem-tunnel0 with the following command:

   gcloud beta compute vpn-tunnels create on-prem-tunnel0 \
       --peer-gcp-gateway vpc-demo-vpn-gw1 \
       --region us-central1 \
       --ike-version 2 \
       --shared-secret [SHARED_SECRET] \
       --router on-prem-router1 \
       --vpn-gateway on-prem-vpn-gw1 \
       --interface 0

10. Create on-prem-tunnel1 with the following command:

    gcloud beta compute vpn-tunnels create on-prem-tunnel1 \
        --peer-gcp-gateway vpc-demo-vpn-gw1 \
        --region us-central1 \
        --ike-version 2 \
        --shared-secret [SHARED_SECRET] \
        --router on-prem-router1 \
        --vpn-gateway on-prem-vpn-gw1 \
        --interface 1

11. Create the router interface for tunnel0 in network vpc-demo:

    gcloud compute routers add-interface vpc-demo-router1 \
        --interface-name if-tunnel0-to-on-prem \
        --ip-address 169.254.0.1 \
        --mask-length 30 \
        --vpn-tunnel vpc-demo-tunnel0 \
        --region us-central1

12. And the bgp peer for tunnel0 in network vpc-demo:

    gcloud compute routers add-bgp-peer vpc-demo-router1 \
        --peer-name bgp-on-prem-tunnel0 \
        --interface if-tunnel0-to-on-prem \
        --peer-ip-address 169.254.0.2 \
        --peer-asn 65002 \
        --region us-central1

13. Create router interface for tunnel1 in network vpc-demo:

    gcloud compute routers add-interface vpc-demo-router1 \
        --interface-name if-tunnel1-to-on-prem \
        --ip-address 169.254.1.1 \
        --mask-length 30 \
        --vpn-tunnel vpc-demo-tunnel1 \
        --region us-central1

14. And the bgp peer for tunnel1 in network vpc-demo:

    gcloud compute routers add-bgp-peer vpc-demo-router1 \
        --peer-name bgp-on-prem-tunnel1 \
        --interface if-tunnel1-to-on-prem \
        --peer-ip-address 169.254.1.2 \
        --peer-asn 65002 \
        --region us-central1

15. Create router interface for tunnel0 in network on-prem:

    gcloud compute routers add-interface on-prem-router1 \
        --interface-name if-tunnel0-to-vpc-demo \
        --ip-address 169.254.0.2 \
        --mask-length 30 \
        --vpn-tunnel on-prem-tunnel0 \
        --region us-central1

16. And the bgp peer for tunnel0 in network on-prem:

    gcloud compute routers add-bgp-peer on-prem-router1 \
        --peer-name bgp-vpc-demo-tunnel0 \
        --interface if-tunnel0-to-vpc-demo \
        --peer-ip-address 169.254.0.1 \
        --peer-asn 65001 \
        --region us-central1

17. Create router interface for tunnel1 in network on-prem:

    gcloud compute routers add-interface  on-prem-router1 \
        --interface-name if-tunnel1-to-vpc-demo \
        --ip-address 169.254.1.2 \
        --mask-length 30 \
        --vpn-tunnel on-prem-tunnel1 \
        --region us-central1

18. And the bgp peer for tunnel1 in network on-prem:

    gcloud compute routers add-bgp-peer  on-prem-router1 \
        --peer-name bgp-vpc-demo-tunnel1 \
        --interface if-tunnel1-to-vpc-demo \
        --peer-ip-address 169.254.1.1 \
        --peer-asn 65001 \
        --region us-central1

19. View details of Cloud Router vpc-demo-router1 to verify its settings:

    gcloud compute routers describe vpc-demo-router1 \
        --region us-central1