What you need

To complete this lab, you need:

Internet access

Access to a supported Internet browser

What you do

What you learn

In Part 1 of this lab, you create two networks in separate regions and establish VPN tunnels between them such that a VM in one network can ping a VM in the other network over its internal IP.

In Part 2 of this lab, you will configure Cloud Routers that will dynamically discover subnetworks and establish connectivity with a peer VPN network.

In this lab you will learn to:

Step 1 Create a Project

To make cleanup easier, create a new Google Cloud project.

Remember the project ID, a unique name across all Google Cloud projects. It will be referred to later in this codelab as PROJECT_ID.

Create three custom networks, with subnetworks, and start micro VMs

Step 1 Headquarters network

Console: Products and Services > Networking > Networks

Click on the plus symbol to Create a Network.

Property        Value
Name:           ohio
Description:    Eastern network, headquarters

Under Subnetworks, click on the [Custom] tab.

Use the dialog to add the following subnetwork:

Property            Value
Name:               satellite
Region:             us-east1 --or-- (instructor provided Region)
IP address range:   10.5.4.0/24

Click the [Create] button.

Step 2 Satellite office network

Console: Products and Services > Networking > Networks

Click on the plus symbol to Create a Network.

Property        Value
Name:           california
Description:    Western network, satellite sales office

Under Subnetworks, click on the [Custom] tab.

Use the dialog to add the following subnetwork:

Property            Value
Name:               satellite
Region:             us-west1 --or-- (instructor provided Region)
IP address range:   10.4.2.0/24

Click the [Create] button.

Step 3 Warehouse network

Console: Products and Services > Networking > Networks

Click on the plus symbol to Create a Network.

Property        Value
Name:           texas
Description:    Central network, warehouse and fulfilment

Under Subnetworks, click on the [Custom] tab.

Use the dialog to add the following subnetwork:

Property            Value
Name:               warehouse
Region:             us-central1 --or-- (instructor provided Region)
IP address range:   10.1.3.0/24

Click the [Create] button.

Start micro VMs in each subnet.

Step 1 Headquarters VM

Console: Products and Services > Compute Engine > VM Instances

Click on [Create Instance].

Property        Value
Name:           ohio-server
Zone:           us-east1-b (this zone must be in us-east1)
Machine type:   micro

Leave the rest of the settings unchanged.

Click on the extended menu at the bottom to access advanced features.

Click on the Networking tab to get the advanced options.

Change the network and subnetwork:

Property        Value
Network:        ohio
Subnetwork:     hq

Click the [Create] button.

Step 2 Satellite VM

Console: Products and Services > Compute Engine > VM Instances

Click on [Create Instance].

Property        Value
Name:           california-server
Zone:           us-west1-a (this zone must be in us-west1)
Machine type:   micro

Leave the rest of the settings unchanged.

Click on the extended menu at the bottom to access advanced features.

Click on the Networking tab to get the advanced options.

Change the network and subnetwork:

Property        Value
Network:        california
Subnetwork:     satellite

Click the [Create] button.

Step 3 Warehouse VM

Console: Products and Services > Compute Engine > VM Instances

Click on [Create Instance].

Property        Value
Name:           texas-server
Zone:           us-central1-a (this zone must be in us-central1)
Machine type:   micro

Leave the rest of the settings unchanged.

Click on the extended menu at the bottom to access advanced features.

Click on the Networking tab to get the advanced options.

Change the network and subnetwork:

Property        Value
Network:        texas
Subnetwork:     warehouse

Click the [Create] button.

Allow ICMP and SSH from each network.

Step 1 Allow traffic to Headquarters

Console: Products and Services > Networking > Firewall rules

Click on [Create Firewall Rule].

Property                        Value
Name:                           allow-icmp-ssh-ohio
Network:                        ohio
Source filter:                  Allow from any source (0.0.0.0/0)
Allowed protocols and ports:    icmp; tcp:22
Target tags:                    leave blank

Click on [Create].

Step 2 Allow traffic to Satellite office

Console: Products and Services > Networking > Firewall rules

Click on [Create Firewall Rule].

Property                        Value
Name:                           allow-icmp-ssh-california
Network:                        california
Source filter:                  Allow from any source (0.0.0.0/0)
Allowed protocols and ports:    icmp; tcp:22
Target tags:                    leave blank

Click on [Create].

Step 3 Allow traffic to Warehouse

Console: Products and Services > Networking > Firewall rules

Click on [Create Firewall Rule].

Property                        Value
Name:                           allow-icmp-ssh-texas
Network:                        texas
Source filter:                  Allow from any source (0.0.0.0/0)
Allowed protocols and ports:    icmp; tcp:22
Target tags:                    leave blank

Click on [Create].

Step 4 Verification

SSH to ohio-server. You should be able to ping the External IP for both california-server and texas-server but not their internal IP.

Create the VPN gateways and do all the setup work needed before the VPN tunnels can be established. You will do this from the command line in Cloud Shell rather than in the console, so you can see the individual options and how they fit together; the console conceals much of that complexity.

Create three VPN gateways, one in each region. Create forwarding rules for ESP, UDP:500, and UDP:4500 for each gateway.

Step 1 Project ID

You will need the Project ID for many of the following commands. This is the unique GCP-generated ID, not the project's name.

Click on the Products and Services > Home.

Note the Project ID.

In Cloud Shell you can set the default project ID:

$ gcloud config set project [PROJECT_ID]

Step 2 Setup VPN for Headquarters in Ohio

Create the EAST VPN gateway:

gcloud compute target-vpn-gateways \
create evpn \
--network ohio  \
--region us-east1

Reserve a Static IP for the EAST VPN gateway:

gcloud compute --project [project-id] \
addresses create \
--region us-east1 evpn-static-ip

Note the static IP address for EAST. You will use it in the next commands.

The forwarding rules send traffic arriving on the external IP to the VPN gateway; they are what connect the static address to the gateway. Create three forwarding rules, one for each of the protocols the VPN needs.

gcloud compute --project [project-id] \
forwarding-rules create e-fr-esp \
--region us-east1  \
--ip-protocol ESP  \
--address [static IP for EAST]  \
--target-vpn-gateway evpn
gcloud compute --project [project-id] \
forwarding-rules create e-fr-udp500  \
--region us-east1 \
--ip-protocol UDP \
--ports 500 \
--address [static IP for EAST] \
--target-vpn-gateway evpn
gcloud compute --project [project-id] \
forwarding-rules create e-fr-udp4500  \
--region us-east1 \
--ip-protocol UDP --ports 4500 \
--address [static IP for EAST] \
--target-vpn-gateway evpn

Step 3 Setup VPN for Warehouse in Texas

Create the CENTRAL VPN gateway:

gcloud compute target-vpn-gateways \
create cvpn \
--network texas  \
--region us-central1

Reserve a Static IP for the CENTRAL VPN gateway:

gcloud compute --project [project-id] \
addresses create \
--region us-central1 cvpn-static-ip

Note the static IP address for CENTRAL. You will use it in the next commands.

The forwarding rules send traffic arriving on the external IP to the VPN gateway; they are what connect the static address to the gateway. Create three forwarding rules, one for each of the protocols the VPN needs.

gcloud compute --project [project-id] \
forwarding-rules create c-fr-esp \
--region us-central1  \
--ip-protocol ESP  \
--address [static IP for CENTRAL]  \
--target-vpn-gateway cvpn
gcloud compute --project [project-id] \
forwarding-rules create c-fr-udp500  \
--region us-central1 \
--ip-protocol UDP \
--ports 500 \
--address [static IP for CENTRAL] \
--target-vpn-gateway cvpn
gcloud compute --project [project-id] \
forwarding-rules create c-fr-udp4500  \
--region us-central1 \
--ip-protocol UDP --ports 4500 \
--address [static IP for CENTRAL] \
--target-vpn-gateway cvpn

Step 4 Setup VPN for Satellite office in California

Create the WEST VPN gateway:

gcloud compute target-vpn-gateways \
create wvpn \
--network california  \
--region us-west1

Reserve a Static IP for the WEST VPN gateway:

gcloud compute --project [project-id] \
addresses create \
--region us-west1 wvpn-static-ip

Note the static IP address for WEST. You will use it in the next commands.

The forwarding rules send traffic arriving on the external IP to the VPN gateway; they are what connect the static address to the gateway. Create three forwarding rules, one for each of the protocols the VPN needs.

gcloud compute --project [project-id] \
forwarding-rules create w-fr-esp \
--region us-west1  \
--ip-protocol ESP  \
--address [static IP for WEST]  \
--target-vpn-gateway wvpn
gcloud compute --project [project-id] \
forwarding-rules create w-fr-udp500  \
--region us-west1 \
--ip-protocol UDP \
--ports 500 \
--address [static IP for WEST] \
--target-vpn-gateway wvpn
gcloud compute --project [project-id] \
forwarding-rules create w-fr-udp4500  \
--region us-west1 \
--ip-protocol UDP --ports 4500 \
--address [static IP for WEST] \
--target-vpn-gateway wvpn

Step 5 Verification of external IP configuration

Console: Products and Services > Networking > External IP Addresses

You should see that the east, central, and west static IPs exist, and that each one is in use by three forwarding rules.

Step 6 Verification of VPN configuration

Console: Products and Services > Networking > VPN

You should see the VPN gateways.
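The gateway, static address and three forwarding rules above are the same five commands for each of the three sites; only the rule prefix, gateway name, network and region change. The Python script below is an added example, not code from the lab: it builds those commands as argument lists from a per-site table so they can be reviewed as a dry run or executed with subprocess in Cloud Shell. The site values and the protocol/port set come from the lab's own commands; the function names, the placeholder used for the not-yet-reserved static IP, and the read-back with `addresses describe --format 'value(address)'` are this example's own choices.

```python
"""Build the gcloud commands for one VPN site as argv lists.

Added example, not the lab's own code: the same five commands the lab runs by
hand for each site (target gateway, static address, and the ESP, UDP/500 and
UDP/4500 forwarding rules), generated from a per-site table so they can be
reviewed as a dry run or executed with subprocess.
"""
import shlex
import subprocess
from typing import List

# Per-site values from the lab: (rule prefix, gateway name, network, region).
SITES = {
    "EAST": ("e", "evpn", "ohio", "us-east1"),
    "CENTRAL": ("c", "cvpn", "texas", "us-central1"),
    "WEST": ("w", "wvpn", "california", "us-west1"),
}

# (rule suffix, protocol, port): ESP carries the tunnel payload, UDP/500 is
# IKE, UDP/4500 is IKE/ESP behind NAT. Nothing else needs to reach the gateway.
VPN_PROTOCOLS = [("esp", "ESP", None), ("udp500", "UDP", "500"), ("udp4500", "UDP", "4500")]


def gateway_cmds(project: str, site: str) -> List[List[str]]:
    """Create the target VPN gateway and reserve its regional static IP."""
    _prefix, gateway, network, region = SITES[site]
    return [
        ["gcloud", "compute", "--project", project, "target-vpn-gateways", "create",
         gateway, "--network", network, "--region", region],
        ["gcloud", "compute", "--project", project, "addresses", "create",
         f"{gateway}-static-ip", "--region", region],
    ]


def forwarding_rule_cmds(project: str, site: str, static_ip: str) -> List[List[str]]:
    """One forwarding rule per protocol, all pointing the static IP at the gateway."""
    prefix, gateway, _network, region = SITES[site]
    cmds = []
    for suffix, protocol, port in VPN_PROTOCOLS:
        cmd = ["gcloud", "compute", "--project", project, "forwarding-rules", "create",
               f"{prefix}-fr-{suffix}", "--region", region, "--ip-protocol", protocol]
        if port is not None:  # ESP has no port; only the two UDP rules take --ports
            cmd += ["--ports", port]
        cmd += ["--address", static_ip, "--target-vpn-gateway", gateway]
        cmds.append(cmd)
    return cmds


def lookup_static_ip(project: str, site: str) -> str:
    """Read the reserved address back from gcloud (needs gcloud installed and authenticated)."""
    _prefix, gateway, _network, region = SITES[site]
    result = subprocess.run(
        ["gcloud", "compute", "--project", project, "addresses", "describe",
         f"{gateway}-static-ip", "--region", region, "--format", "value(address)"],
        check=True, capture_output=True, text=True)
    return result.stdout.strip()


def setup_site(project: str, site: str, execute: bool = False) -> List[List[str]]:
    """Return every command for the site; run them in order when execute=True.

    The static IP only exists once the address is reserved, so in dry-run mode
    the forwarding rules carry the same placeholder the lab text uses.
    """
    cmds = gateway_cmds(project, site)
    if execute:
        for cmd in cmds:
            subprocess.run(cmd, check=True)
        static_ip = lookup_static_ip(project, site)
    else:
        static_ip = f"[static IP for {site}]"
    rules = forwarding_rule_cmds(project, site, static_ip)
    if execute:
        for cmd in rules:
            subprocess.run(cmd, check=True)
    return cmds + rules


def render(cmds: List[List[str]]) -> str:
    """Shell-quoted text of the commands, for review before running them."""
    return "\n".join(" ".join(shlex.quote(arg) for arg in cmd) for cmd in cmds)


if __name__ == "__main__":
    for site in SITES:
        print(render(setup_site("[project-id]", site)))
```

Run it without arguments to print the fifteen commands for all three sites; call `setup_site(project, site, execute=True)` from Cloud Shell to actually create the resources in the order the lab uses.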

Create the tunnels between the VPN gateways. After the tunnels exist, you will create a static route to enable traffic to be forwarded into the tunnel. If this is successful, you will be able to ping a local VM in one location on its internal IP from a VM in a different location.

Create tunnels and static routes between EAST and WEST and EAST and CENTRAL, but not between CENTRAL and WEST.

Step 1 Create the tunnel for traffic from EAST to WEST

gcloud compute --project [project-id] \
vpn-tunnels create tunnele2w \
--peer-address [static IP for WEST] \
--region us-east1 \
--ike-version 2 \
--shared-secret gcprocks \
--target-vpn-gateway evpn \
--local-traffic-selector 0.0.0.0/0 \
--remote-traffic-selector 0.0.0.0/0

Step 2 Create the tunnel for traffic from WEST to EAST

gcloud compute --project [project-id] \
vpn-tunnels create tunnelw2e \
--peer-address [static IP for EAST] \
--region us-west1 \
--ike-version 2 \
--shared-secret gcprocks \
--target-vpn-gateway wvpn \
--local-traffic-selector 0.0.0.0/0 \
--remote-traffic-selector 0.0.0.0/0

Step 3 Create a static route to forward local traffic to the VPN for EAST

gcloud compute --project [project-id] \
routes create ew-route \
--network ohio \
--next-hop-vpn-tunnel tunnele2w \
--next-hop-vpn-tunnel-region us-east1 \
--destination-range 10.4.2.0/24

Step 4 Create a static route to forward local traffic to the VPN for WEST

gcloud compute --project [project-id] \
routes create we-route  \
--network california \
--next-hop-vpn-tunnel tunnelw2e \
--next-hop-vpn-tunnel-region us-west1 \
--destination-range 10.5.4.0/24

Step 5 Verification

Verify that the VPN configuration was successful.

Launch an SSH session on the ohio-server VM. You should now be able to ping the california-server on its internal IP address, but not the texas-server on its internal IP.

Now create the tunnel between EAST and CENTRAL.

Step 6 Create the tunnel for traffic from EAST to CENTRAL

gcloud compute --project [project-id] \
vpn-tunnels create tunnele2c \
--peer-address [static IP for CENTRAL] \
--region us-east1 \
--ike-version 2 \
--shared-secret gcprocks \
--target-vpn-gateway evpn \
--local-traffic-selector 0.0.0.0/0 \
--remote-traffic-selector 0.0.0.0/0

Step 7 Create the tunnel for traffic from CENTRAL to EAST

gcloud compute --project [project-id] \
vpn-tunnels create tunnelc2e  \
--peer-address [static IP for EAST]  \
--region us-central1 \
--ike-version 2  \
--shared-secret gcprocks  \
--target-vpn-gateway cvpn \
--local-traffic-selector 0.0.0.0/0  \
--remote-traffic-selector 0.0.0.0/0

Now create the static routes.

Step 8 Create a static route to forward local traffic to the VPN for EAST

gcloud compute --project [project-id] \
routes create ec-route  \
--network ohio \
--next-hop-vpn-tunnel tunnele2c \
--next-hop-vpn-tunnel-region us-east1 \
--destination-range 10.1.3.0/24

Step 9 Create a static route to forward local traffic to the VPN for CENTRAL

gcloud compute --project [project-id] \
routes create ce-route  \
--network texas \
--next-hop-vpn-tunnel tunnelc2e \
--next-hop-vpn-tunnel-region us-central1 \
--destination-range 10.5.4.0/24

Step 10 Verification

Verify that the VPN configuration was successful.

Launch an SSH session on the texas-server VM. You should now be able to ping the ohio-server on its internal IP address, but not the california-server on its internal IP.

Up to this point in the lab, you've created a VPN connection between the Headquarters office in Ohio and each of the remote offices, the Satellite office in California and the Warehouse in Texas. However, California and Texas are not connected.

In this next section, you will configure Cloud Routers using the console. The Cloud Routers will implement additional VPN gateways in California and Texas configured with BGP. BGP provides dynamic network discovery and eliminates the need to configure or maintain static routes. When successful you will be able to ping the internal IP of the VM in California from the VM in Texas because BGP dynamically discovered the subnetwork in California and auto-populated the route in the Texas VPN Cloud Router with that information.

Step 1 Create the California Cloud Router

Console: Products and Services > Networking > Cloud Router

Click on [Create Router].

Property        Value
Name:           california-cr
Network:        california
Region:         us-west1
Google ASN:     65470

Click the [Create] button.

Step 2 Create the Texas Cloud Router

Console: Products and Services > Networking > Cloud Router

Click on [Create Router].

Property        Value
Name:           texas-cr
Network:        texas
Region:         us-central1
Google ASN:     65503

Click the [Create] button.

Step 3 Prepare for two-window dialogs

CAREFUL: This is where it gets tricky!

In the Cloud Routers panel, you should see rows labeled california-cr and texas-cr. In the column labeled VPN Gateway there are links that say "Configure". Don't click them yet.

You are going to be configuring two more VPN Gateways on the fly. Each one will get a new Static IP. However, the Cloud Router dialogue requires entering the Static IP from the peer before it can complete. This means you are going to have to go through both dialogues at the same time in different windows and switch back and forth between them.

You are also going to need the Google ASN numbers for the peer, which won't be visible during the VPN dialogues.

Property            Value
california-cr ASN:  65470
texas-cr ASN:       65503

Use [Alt-click] (on Chrome) or [Ctrl-click] or [Right-click] to open one of the Configure links in a separate window.

Then click on the other Configure link in the main window.

Step 4 california-cr dialog

Property        Value
Name:           california-vpn-cr
Network:        california
Region:         us-west1
IP address:     select "New static IP address..."

It returns the new IP address; however, you can't copy it from the console, so you will have to type the address by hand when it is needed.

Note the address: california-vpn-cr-static-ip

Switch windows to the other dialogue for texas-cr.

Step 5 texas-cr dialog

Property        Value
Name:           texas-vpn-cr
Network:        texas
Region:         us-central1
IP address:     select "New static IP address..."

It returns the new IP address; however, you can't copy it from the console, so you will have to type the address by hand when it is needed.

Note the address: texas-vpn-cr-static-ip

Step 6 Enter the remote peer

Under Tunnels, in the field that says "Remote peer IP address", enter the static IP from the california-cr.

Property                    Value
Remote peer IP address:     california-vpn-static-ip
IKE version:                IKEv2
Routing options:            Dynamic BGP
Cloud router:               select the texas-cr router

Step 7 Create a BGP session

BGP session: Click on the pencil icon at the left of the line to add a new BGP session.

Property                    Value
Name:                       texas-bgp
Peer ASN:                   65470
Advertised route priority:  (leave it blank)
Google BGP IP address:      169.254.0.1
Peer BGP IP address:        169.254.0.2

Click "Save and Continue"

Don't click Create yet! Switch to the california-cr dialog.

Step 8 california-cr dialogue continues

Under Tunnels, in the field that says "Remote peer IP address", enter the static IP from the texas-cr.

Property                    Value
Remote peer IP address:     texas-vpn-static-ip
IKE version:                IKEv2
Routing options:            Dynamic BGP
Cloud router:               select the california-cr router

Step 9 Create the other BGP session

BGP session: Click on the pencil icon at the left of the line to add a new BGP session.

Property                    Value
Name:                       california-bgp
Peer ASN:                   65503
Advertised route priority:  (leave it blank)
Google BGP IP address:      169.254.0.2
Peer BGP IP address:        169.254.0.1

Click "Save and Continue"

Click the [Create] button.

Switch to the texas-cr dialog.

Step 10 texas-cr dialogue continues

Click the [Create] button.

Step 11 Verification of VPNs

Console: Products and Services > Networking > VPN

In a few minutes you will see the new VPNs connect.

Step 12 Verification of Cloud Routers

Console: Products and Services > Networking > Cloud Router

In a few minutes you'll see the BGP sessions connect.

Step 13 Verify that Texas and California are connected

Verify that the Cloud Router configuration was successful.

Launch an SSH session on the texas-server VM. You should now be able to ping the california-server on its internal IP address. This is possible because BGP dynamically discovered the subnetwork in California and communicated the route to its peer BGP session in Texas.
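Both halves of this lab fail silently when one value is off: a static route whose destination range does not match the peer's subnet, a tunnel with no return tunnel, or a BGP session whose peer ASN and link-local addresses are not the mirror image of the other side all leave the VPN looking healthy while the verification ping times out. The Python script below is an added example, not code from the lab: it writes the lab's networks, tunnels, static routes and BGP sessions down as data and checks those relationships, plus subnet overlap and the length of the IKE pre-shared key. To show the route check firing, the EAST-to-WEST route is deliberately given the destination 10.3.2.0/24, which does not match the california subnet; the MIN_SECRET_LEN threshold and all class and function names are this example's own assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Added example, not the lab's own code: the lab's VPN plan as data plus the
# checks that catch the mistakes whose only symptom is a ping that times out.


@dataclass
class Network:
    name: str
    region: str
    cidr: str


@dataclass
class Tunnel:
    name: str
    network: str        # network the local gateway sits in
    peer_network: str   # network at the far end of the tunnel
    shared_secret: str


@dataclass
class StaticRoute:
    name: str
    network: str
    tunnel: str
    destination: str


@dataclass
class BgpSession:
    name: str
    local_asn: int
    peer_asn: int
    local_ip: str   # "Google BGP IP address" in the Cloud Router dialog
    peer_ip: str    # "Peer BGP IP address"


MIN_SECRET_LEN = 20  # threshold assumed for this example, not a lab requirement
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # BGP peering addresses live here


def check_plan(plan: Dict[str, list]) -> List[str]:
    """Return 'category: message' findings; an empty list means the plan is consistent."""
    findings = []
    nets = {n.name: n for n in plan["networks"]}
    tunnels = {t.name: t for t in plan["tunnels"]}

    # Subnets reachable across the tunnels must not overlap, or routing is ambiguous.
    for i, a in enumerate(plan["networks"]):
        for b in plan["networks"][i + 1:]:
            if ipaddress.ip_network(a.cidr).overlaps(ipaddress.ip_network(b.cidr)):
                findings.append(f"subnet: {a.name} {a.cidr} overlaps {b.name} {b.cidr}")

    # Each tunnel needs a tunnel back from the peer and a pre-shared key that is not a short word.
    pairs = {(t.network, t.peer_network) for t in plan["tunnels"]}
    for t in plan["tunnels"]:
        if (t.peer_network, t.network) not in pairs:
            findings.append(f"tunnel: {t.name} has no return tunnel from {t.peer_network}")
        if len(t.shared_secret) < MIN_SECRET_LEN:
            findings.append(f"secret: {t.name} pre-shared key is shorter than {MIN_SECRET_LEN} characters")

    # A static route must sit in the tunnel's own network and point at the peer's subnet.
    for r in plan["routes"]:
        t = tunnels.get(r.tunnel)
        if t is None:
            findings.append(f"route: {r.name} references unknown tunnel {r.tunnel}")
            continue
        if r.network != t.network:
            findings.append(f"route: {r.name} is in {r.network} but {t.name} belongs to {t.network}")
        expected = nets[t.peer_network].cidr
        if r.destination != expected:
            findings.append(f"route: {r.name} destination {r.destination} should be {expected} ({t.peer_network})")

    # BGP sessions must mirror each other: ASNs swapped and link-local addresses swapped.
    for s in plan["bgp"]:
        for ip in (s.local_ip, s.peer_ip):
            if ipaddress.ip_address(ip) not in LINK_LOCAL:
                findings.append(f"bgp: {s.name} address {ip} is outside {LINK_LOCAL}")
        if not any(o is not s and o.local_asn == s.peer_asn and o.peer_asn == s.local_asn
                   and o.local_ip == s.peer_ip and o.peer_ip == s.local_ip for o in plan["bgp"]):
            findings.append(f"bgp: {s.name} has no mirrored session (peer ASN {s.peer_asn}, peer {s.peer_ip})")
    return findings


def lab_plan(ew_destination: str = "10.3.2.0/24", secret: str = "gcprocks") -> Dict[str, list]:
    """The lab topology. The default EAST->WEST destination is constructed to be wrong
    (it does not match the california subnet) so the route check has something to report."""
    return {
        "networks": [Network("ohio", "us-east1", "10.5.4.0/24"),
                     Network("california", "us-west1", "10.4.2.0/24"),
                     Network("texas", "us-central1", "10.1.3.0/24")],
        "tunnels": [Tunnel("tunnele2w", "ohio", "california", secret),
                    Tunnel("tunnelw2e", "california", "ohio", secret),
                    Tunnel("tunnele2c", "ohio", "texas", secret),
                    Tunnel("tunnelc2e", "texas", "ohio", secret)],
        "routes": [StaticRoute("ew-route", "ohio", "tunnele2w", ew_destination),
                   StaticRoute("we-route", "california", "tunnelw2e", "10.5.4.0/24"),
                   StaticRoute("ec-route", "ohio", "tunnele2c", "10.1.3.0/24"),
                   StaticRoute("ce-route", "texas", "tunnelc2e", "10.5.4.0/24")],
        "bgp": [BgpSession("texas-bgp", 65503, 65470, "169.254.0.1", "169.254.0.2"),
                BgpSession("california-bgp", 65470, 65503, "169.254.0.2", "169.254.0.1")],
    }


if __name__ == "__main__":
    for finding in check_plan(lab_plan()):
        print(finding)
```

With the defaults the script reports the mismatched ew-route destination and the short pre-shared key on all four tunnels; passing the correct destination 10.4.2.0/24 and a long random key yields no findings, which is the state to aim for before the verification pings.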

Step 1 Summary

In this lab you experimented with VPN and Cloud Routing.

Step 2 Shutting down

If you are done experimenting with Cloud Routing and VPN you will want to delete all the resources to avoid being charged for the resources.

©Google, Inc. or its affiliates. All rights reserved. Do not distribute.