In this codelab you will work within a Google Cloud Project to build basic VPN connectivity, establish a Cloud Router, build Dedicated Interconnect attachments, and seamlessly migrate traffic from the VPN to the Dedicated Interconnect.

These exercises are ordered to reflect a common cloud developer experience as follows:

  1. Set up your lab environment and learn how to work with your GCP environment.
  2. Establish reachability across Networks by leveraging Cloud VPN and Cloud Router.
  3. Establish reachability across Networks by leveraging Dedicated Interconnect and Cloud Router.
  4. Verifying migration of traffic from the VPN to the Dedicated Interconnect.
  5. Cleanup.

What you'll learn

What you'll need

Self-paced environment setup

Training environment setup for ‘' Org

Because of certain limitations on the Dedicated Interconnect service, we will work in groups of two to complete this code lab. Each group was assigned a group number which will be used to locate your groups assigned project. Nominate one member of the group to lead the team through the lab, and use that person's identity to interact with your groups pre-determined project in the organization. IAM and billing have already been configured for you.

After signing into the cloud console (, click on the project selector dropdown at the top of the page:

Select the Org in the project selector drop down.

You should see a project available to you in the format vpcuserXXproject. (If you do not see a project, please let the instructor know). For this codelab, whenever you see XX referenced, you should replace XX with the project number you are working under. For example, if working in vpcuser01project would replace all XX references in the codelab with 01.

Click ‘OPEN' to navigate to your reserved project.

To interact with the Google Cloud Platform we will use the Google Cloud Shell throughout this code lab along with the Cloud Console.

Google Cloud Shell is a Debian-based virtual machine pre-loaded with all the development tools you'll need that can be automatically provisioned from the Cloud Console. This means that all you will need for this codelab is a browser (yes, it works on a Chromebook).

To activate Google Cloud Shell, from the Cloud console simply click the button on the top right-hand side (it should only take a few moments to provision and connect to the environment):

Once connected to the cloud shell, you should see that you are already authenticated and that the project is already set to your PROJECT_ID. Run the following command and you should see the following output:

gcloud auth list

Command output

Credentialed accounts:
 - <myaccount>@<mydomain>.com ACTIVE
gcloud config list project

Command output

project = <PROJECT_ID>

If for some reason the project is not set, simply issue the following command :

gcloud config set project <PROJECT_ID>

Looking for you PROJECT_ID? It's the ID you used in the setup steps. You can find it in the console dashboard any time:

For the purposes of this connectivity lab, the environment has already been set up for you. When looking at your project, you should see the following VPC already configured for your use:

Under most circumstances customers will reserve static IPs as part of VPN GW creation. Static IPs have been reserved for the VPN gateways within each project as the 3rd party device needed to be pre-configured for the VPN tunnels that will be turned up during Exercise 1. Handouts containing the static IPs corresponding to each project number are found throughout the room, please consult one of these charts and copy the IP address that has been assigned to your specific project, you will need this as part of Exercise 1.

Google Cloud VPN and Cloud Router are both managed services on Google Cloud. You do not need to build VMs to terminate IPsec or to advertise routes.

There are two fundamental components in building a Cloud VPN:

For this lab, the site-to-site IPsec VPN consists of two endpoints, one in the GCP network, the other on a 3rd party router which represents the customer on prem environment. The 3rd party router has been pre-configured with the information needed to complete the VPN turn up and this lab will focus on configuring the VPN Gateway and necessary components within the GCP environment. The third party device is a BGP speaking router providing IPSec termination and dynamic routing capabilities, mimicking a real world customer architecture.

The Cloud Router is used to form a BGP peering relationship over the IPSec VPN tunnel. BGP creates a relationship between two endpoints where they can dynamically advertise routing information to each other. Dynamic routing is often preferred over static routing because it eliminates the need for manual re-configuration when network changes occur. Cloud VPN supports both Static and Dynamic Routing, but a best practice is to use Dynamic Routing when possible.

Below is a visual of the topology we will be creating in Exercise 1 and Exercise 2:

We will start our VPN configuration with the connectivity-vpc network.

Navigate to Networking>Hybrid Connectivity>VPN

And select Create VPN Connection.

Once in the Create a VPN Connection page, you'll notice the configuration is broken down into two sections, Google Compute Engine VPN Gateway and Tunnels. In this exercise, we will be creating a single VPN Gateway and Tunnel in the connectivity-vpc network. You will configure the VPN tunnel to terminate on the 3rd party routing device that has been preconfigured as part of this process.

You will walk through each step of the configuration, the following table provides all the information you will need to complete the information needed.





Name of VPN gateway. This needs to be unique per project



(optional) to describe VPN gateway

[leave blank]


Network to which the gateway belongs



The region where the VPN gateway lives.


IP address

The IP address of your VPN gateway. This can be for one or more tunnels and requires a reserved static address.

Use the previously reserved IP address for your project that will appear in the dropdown.

Populate the following data fields in the Google Compute Engine VPN Gateway window as shown. When finished your VPN Gateway configuration should look like the following:

NOTE: Your IP address will be different and will appear in place of XXX.XXX.XXX.XXX. This is the IP address that was assigned to your particular project and was provided to you.

After configuring the appropriate settings for the VPN Gateway, it's now time to configure our VPN tunnel. These are the settings right below the VPN Gateway configuration.

We will be creating a single VPN tunnel that will use the Cloud VPN gateway just configured. This will be used to connect to our 3rd party routing device. The third party routing device would be configured by our customers as an additional step, for the purposes of this lab, we have setup these configurations for you. Configure the connectivity-vpc tunnel with the following settings.





Name of your tunnel


Remote Peer Address

This is the remote IP address that will be terminating the VPN connection on the 3rd party device

(this is the IP address of the 3rd party device)

IKE version

Cloud VPN supports IKEv1 and IKEv2.


Shared secret

Cloud VPN authenticates peers with pre-shared-keys. These need to match between site-to-site peers.


Routing Options

Cloud VPN supports Static and Dynamic Routing.


Cloud Router

The VPN Gateway will connect to an interface on the Cloud Router. The Cloud Router uses a "private ASN" which is a privately routable BGP domain. (Not publicly routable over internet)

Create Cloud Router

Name: connectivity-vpc-cr

Description: leave blank

Google ASN: 650XX
(XX are the two digits in your project name)

BGP Session

Local and peer information to establish a bgp peer. In this you will specify the Peer information.

Advertised route priority is equivalent to BGP MED or metric. In GCP, metric is learned as route priority in the VPC routing table.

Click the Pencil Icon to Add BGP Session.

Name: connectivity-vpc-bgpsession

Peer ASN: 65500

Advertised Route Priority: 500

Google Cloud Router BGP IP address: 169.254.XX.1

Peer BGP IP address: 169.254.XX.2

(XX are the two digits in your project name. If your project # is less than 10, XX would be a single digit e.g. use 4)

First, double check to ensure you have the Dynamic Routing tab selected (selected by default):

Configure the options as shown below, then select the dropdown under Cloud router to create the cloud router.

Use the following settings for the Cloud Router and select SAVE AND CONTINUE once complete. Note: The Cloud Router will exist in the same region as your Cloud VPN Gateway.

Now it's time to configure our BGP Session by adding our BGP Peer. Click the pencil icon to configure this as shown below:

Your BGP session should look as follows. Once you have configured everything, please click SAVE AND CONTINUE

Before creating our connectivity-vpc VPN Gateway and tunnel, take a look at the equivalent command line syntax by clicking the command line link at the bottom of the screen. You'll notice the Cloud Console has automated some of the configuration, including the programming of forwarding rules to the VPN gateway.

Now click CREATE.

You'll now have to wait a few minutes (be patient) for the newly created VPN Gateway and tunnel to be setup and established, along with the handshaking with the 3rd party device to complete the tunnel setup. Once this is complete, you should be able to click on the Google VPN Tunnels tab and see the following:

You can also check that your BGP session is up and running by checking the Cloud Router under Networking>Hybrid Connectivity>Cloud Routers.

You should see the following if your BGP session is established and running:

Once you have a green checkmark next to your BGP session, you have now successfully built a VPN Gateway, established the VPN Tunnel, connected the tunnel to a Cloud Router you've built, and established a BGP session between the Cloud Router and the 3rd party routing device! It's now time to verify the VPN tunnel is passing traffic as this is a very useful step before moving to Exercise 2.

Verification of Traffic Traversing Cloud VPN

In order to show how the traffic is flowing, via your VPN or Dedicated Interconnect, we've setup a web server that you can curl to. The web server will detect whether it is receiving traffic via the VPN you've setup in Exercise 1, or the Dedicated Interconnect you will setup in Exercise 2.

To verify traffic is hitting the web server via your VPN, perform the following.

Navigate to Compute>Compute Engine>VM Instances

You should see a VM that has been created for your use, the VM we will use is called config-gen-vm. Click on the SSH button as shown below.

Once the SSH session is established and you have a command prompt in a new window, type the following:


You should see a return message as follows:

<html><body><h1>You are using Cloud VPN</h1></body></html>

If you are returning the above, congratulations, you have successfully setup a Cloud VPN connection to GCP and are able to hit an external web server!

Now that we have a VPN Gateway built, a VPN tunnel setup, and a functioning Cloud Router with an active BGP session, we will now configure the Interconnect Attachments on a Dedicated Interconnect port and establish a secondary BGP connection over the Dedicated Interconnect. As part of the turn up process, we will swing traffic from the VPN tunnel, over to the Dedicated Interconnect in a seamless manner. This is a powerful function that enables our customers to start getting up and running with Cloud VPN, and then moving traffic to a Dedicated Interconnect port at a future point in time.

Turning up a Dedicated Interconnect connection is a two step process. First is the physical cabling and configuration of the port, followed by configuring Interconnect Attachments that logically connect the physical port to a Cloud Router. For this exercise the Dedicated Interconnect port has already been turned up for you. We will start by configuring the Interconnect Attachments that are used to connect this Dedicated Interconnect port to the Cloud Router in your project.

The first step is to navigate to the Interconnect menu under Networking>Hybrid Connectivity>Interconnect as shown below.

Next step is to add a VLAN attachment, to do this, click on the Add VLAN attachment button, highlighted in blue.

For the purposes of this exercise, the actual Dedicated Interconnect port has already been turned up and configured. What we will do in this step is to associate that port with our Cloud Router that we configured in the first exercise. In order to use the Dedicated Interconnect that has been created, we will have to point your current project to the project where the Dedicated Interconnect port was established. We do this by selecting the option In another project, and defining the Project ID and Interconnect Name.

The project ID where the interconnect is located is: gcpnetworking-hostproject

The interconnect name is: ic-1. Please configure your workspace as shown below, then click Continue.

Once complete, hit continue and you should see screen like this:

Click the +Add VLAN attachment button which should bring up a box that looks like the below:

Populate the information as shown below:


Name of the Interconnect Attachment


Cloud Router

Cloud Router that you would like the Interconnect Attachment to connect to. This is what logically connects the physical port to the associated cloud router.

Select the Cloud Router you have already created in exercise 1


Once all the information has been entered, click the Create button.

Once creation has completed, you should see a screen like the below:

Note the VLAN ID number as you will need this as part of configuring the 3rd party router.

Now click Configure under BGP session to configure the BGP session.

Configure your VPN session as shown below. Note, the cloud router BGP IP and BGP peer IP will be different and are automatically set during creation. Note the BGP peer IP as you will need this at a later step in the process as part of configuring the 3rd party router. Please copy the BGP peer IP on a scratch pad for easy reference later.

Once your BGP session has been configured as shown, click Save and continue

This will now take you back to the previous screen where you can finalize the configuration by clicking Save configuration.

Finally, click on Finish Setup.

WIth everything configured in the cloud environment, we will now have to configure the 3rd party routing device. Your Dedicated Interconnect will not show a status of up (green) until the next steps are completed. We will use Config Gen Python code that was specifically built to allow us to easily configure the 3rd party router being used in this lab. In a real world environment, the customer would configure their router via different means.

Configure on-premise hardware using config_gen script

Dedicated interconnect requires on-premise devices to meet the following requirements:

In this lab you will be connecting to a Juniper QFX router located in labspace at 60 Hudson St in NYC. Google doesn't qualify or mandate specific hardware. Any device that meets these requirements should work.

Since syntax across routing hardware varies, we will be using a Config Gen python script that will SSH to the Juniper QFX and configure the device according to inputs provided by you. This script is hosted on the VM that has been created for you called config-gen-vm.

To get started, navigate to Compute>Compute Engine>VM intances.

From there, you should see the following, and click on the SSH button next to the config-gen-vm:

Once you SSH into the VM, run config gen script by typing the following:

python /DI_Config_Gen/

Once run successfully, you should see a menu of options that looks like the following:

In this lab we will be configuring option 2, the customer side of the Interconnect Attachment and advertising subnets to GCP.

Enter option 2

You will be prompted to provide the following information:




Local Router Interface IP

This is the IP address that will be placed on the customer router. This is the IP address you were instructed to copy to a scratch pad earlier in the process. Please use that IP address here.


Cloud Router AS (BGP Autonomous System) Number

This is the GCP Cloud Routers assigned AS Number.


Local Router AS (BGP Autonomous System) Number

This is the BGP AS number for the Juniper QFX (on prem)


Google user ID

This is your Google LDAP, used to track usage and pull your configuration later.

<your LDAP>

For eg - mcolumbus

Interconnect Attachment VLAN ID / Number

This is the VLAN ID you were allocated when creating the attachment

This was noted by you during Interconnect Attachment creation.

(should be of format 10YY)

Here is an example of how your screen should look (do not use these inputs, they are examples only)

At this point the config gen script will validate inputs. If errors occur, please correct and re-run the script.

Upon successful validation of inputs, you'll then be asked to choose which subnets you want to advertise from on premise back to the Cloud Router.

Select option 2.

You should then see confirmation that BGP is up and running along with a summary of what was configured. It should look similar to the following, but with your specific inputs.

In order to verify that traffic is now using the Dedicated Interconnect to reach the web server, we will again use the VM to curl to the web server and look at the return message. If desired, you can navigate back to Networking>Hybrid Connectivity>Interconnect and verify the status of the interconnect has changed to Up (green) before using the VM to curl traffic to the web server. To verify traffic is hitting the web server via your Dedicated Interconnect, perform the following.

Navigate to Compute>Compute Engine>VM Instances

The VM we will use is called config-gen-vm. Click on the SSH button as shown below.

Once the SSH session is established and you have a command prompt in a new window, type the following:


You should see a return message as follows:

<html><body><h1>You are using Dedicated Interconnect</h1></body></html>

If you are returning the above, congratulations, you have successfully setup a Dedicated Interconnect connection to GCP, and the preferred route has migrated from the VPN to the Dedicated Interconnect you have established!

Because we are using production devices for this codelab, it is important that we clean up the configurations that we have setup. The first step will be to remove the configuration on the Juniper QFX. To do this, please perform the following steps:

Navigate to Compute>Compute Engine>VM Instances

SSH to your config-gen-vm again if you don't still have the window open.

Once the SSH session is established and you have a command prompt in a new window, type the following:

python /DI_Config_Gen/

You should see the following:

To cleanup the configuration, enter 3

Enter the VLAN ID and ldap used to create the configuration earlier in the process. If successfully deleted, you should see a screen like this (note your VLAN ID will be different, this is for example purposes only):

Next we will delete the Interconnect Attachment used to associate the Dedicated Interconnect with your cloud router. Navigate to Networking>Hybrid Connectivity>Interconnect

Click on the Interconnect Attachment name as shown below:

Click on the delete button to delete the Interconnect Attachment

Now we will delete the VPN Gateway that was created. Navigate to Networking>Hybrid Connectivity>VPN

First we must delete the tunnel. Click on the tunnel name as shown below:

Delete the tunnel as shown below:

Next we must delete the VPN Gateway. Select the Google VPN Gateway tab as shown below:

Select the VPN Gateway as shown below:

Click the delete button as shown below:

Lastly, we will delete our cloud router.

Navigate to Networking>Hybrid Connectivity>Cloud Routers

Click on your Cloud Router as shown below:

Finally click on the Delete button to delete the Cloud Router as shown below:

You have now successfully deleted everything that you created during the lab within the connectivity-vpc.

Congratulations, you have now successfully completed the Connectivity Codelab!

What we've covered

You should cleanup the resources you created now that you have completed the lab module(s).

[If you had an initial deployment setup]

Finally, cleanup the initial resources that were created in our setup script. It usually takes <30s for the deployment cleanup to complete successfully. When you list the deployments, you no longer see the vpcuser##deployment. The vpcuser##netdeployment does, however, remain. It was used to pre-prepare the network environment with mynetwork and privatenet.

gcloud deployment-manager deployments delete [vpcuser##deployment] \
    --project [vpcuser##project]

gcloud deployment-manager deployments list
vpcuser##netdeployment  insert               DONE                 manifest-1498770525339  []

And, finally, you can remove the deployment files you copied.

cd ~

rm -rf ~/vpclab

[You have completed the XXX Lab!]

What you covered

Next Steps

Learn More

©Google, Inc. or its affiliates. All rights reserved. Do not distribute.