GCP Hybrid Connectivity
Hybrid connectivity means connecting GCP to an on-premises data center. There are a number of ways to provide this connectivity, and the right choice depends on the enterprise's reliability, bandwidth, and latency requirements.
VPN (Virtual Private Network)
Cloud VPN is a regional managed GCP service used to connect an enterprise's on-premises network to a GCP VPC over an IPsec tunnel. All traffic traversing the tunnel is encrypted.
Cloud VPN supports both IKEv1 and IKEv2 ciphers. To establish a VPN connection, the enterprise needs an on-premises (peer) VPN gateway; two VPN tunnels are then set up, and the connection is established once both tunnels are created.
When using VPN, the MTU of your on-premises gateway should not be higher than 1460 bytes. VPN supports both static and dynamic routes. Dynamic routes are managed by Cloud Routers in the VPC network and use BGP, while static routes are created manually and support route next hops.
GCP offers two types of VPN gateway:
- HA VPN
- Classic VPN
HA VPN
HA VPN is the highly available VPN solution that lets us connect our on-premises network to a GCP VPC in a single region. HA VPN offers a 99.99% SLA because it creates two external IP addresses, one for each of its fixed interfaces, and each HA VPN gateway interface supports multiple tunnels.
To achieve 99.99% availability, the following requirements must be met.
Availability is guaranteed only on the GCP side of the connection, which means end-to-end availability depends on the correct configuration of the peer VPN gateway. To achieve the 99.99% SLA, the enterprise is required to use two HA VPN gateways, and both must be in the same region.
Even when both HA VPN gateways are in the same region, if the VPC is configured for global dynamic routing mode, the routes to subnets that the gateways share can be in any region. If the enterprise configures the VPC with regional dynamic routing mode, only routes to subnets in the same region are shared with the peer network.
We should also ensure that we configure two VPN tunnels from the perspective of the Cloud VPN gateway. How the tunnels are attached depends on the peer-side design:
- Two peer VPN gateway devices: each tunnel from each interface of the Cloud VPN gateway must be connected to its own peer gateway.
- Single peer VPN gateway device with two interfaces: each tunnel from each interface of the Cloud VPN gateway must be connected to its own interface on the peer gateway.
- Single peer VPN gateway device with a single interface: the tunnels from each interface on the Cloud VPN gateway must be connected to the same interface on the peer gateway.
The peer VPN device must be configured with appropriate redundancy. If our design requires two peer gateways, each peer device should be connected to a different HA VPN gateway interface.
Each peer VPN device must support dynamic routing (BGP).
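The HA VPN requirements above (one tunnel per Cloud VPN gateway interface, BGP on every tunnel, peer attachment matching the chosen peer-side design, all gateways in one region) plus the 1460-byte MTU limit from the VPN section are easy to get subtly wrong in a design review. The following script encodes them as a pre-deployment check over a planned topology. It is an added example, not Google's tooling; the `Topology` and `Tunnel` structures, the `peer_design` names, and the sample designs are assumptions constructed for this illustration.

```python
"""Validate a planned HA VPN design against the 99.99% SLA requirements.

Added example: the data model below is invented for illustration, and the
sample topologies are constructed, not taken from a real environment.
"""
from dataclasses import dataclass, field
from typing import List

MAX_PEER_MTU = 1460  # bytes; the on-premises gateway MTU must not exceed this


@dataclass
class Tunnel:
    cloud_interface: int  # HA VPN gateway interface: 0 or 1
    peer_device: str      # on-premises device the tunnel terminates on
    peer_interface: int   # interface index on that peer device
    routing: str          # "bgp" or "static"


@dataclass
class Topology:
    regions: List[str]    # region of each HA VPN gateway in the design
    peer_design: str      # "two_devices" | "one_device_two_ifaces" | "one_device_one_iface"
    peer_mtu: int         # MTU configured on the on-premises gateway
    tunnels: List[Tunnel] = field(default_factory=list)


def check_ha_vpn(t: Topology) -> List[str]:
    """Return a list of findings; an empty list means the design passes."""
    findings: List[str] = []

    if len(set(t.regions)) != 1:
        findings.append("all HA VPN gateways must be in the same region")
    if t.peer_mtu > MAX_PEER_MTU:
        findings.append(f"peer MTU {t.peer_mtu} exceeds {MAX_PEER_MTU} bytes")

    used = {tun.cloud_interface for tun in t.tunnels}
    if used != {0, 1}:
        findings.append("a tunnel is required on each Cloud VPN interface (0 and 1)")
    for tun in t.tunnels:
        if tun.routing != "bgp":
            findings.append(f"tunnel on interface {tun.cloud_interface} must use BGP")

    # (device, interface) pairs reached from each Cloud VPN interface
    targets = {i: {(tun.peer_device, tun.peer_interface)
                   for tun in t.tunnels if tun.cloud_interface == i} for i in (0, 1)}
    devices = {i: {dev for dev, _ in targets[i]} for i in (0, 1)}

    if t.peer_design == "two_devices":
        # each Cloud interface must land on its own peer device
        if devices[0] & devices[1]:
            findings.append("two-device design: each Cloud interface needs its own peer device")
    elif t.peer_design == "one_device_two_ifaces":
        # one peer device, but each Cloud interface on a distinct peer interface
        if len(devices[0] | devices[1]) != 1 or targets[0] & targets[1]:
            findings.append("single device, two interfaces: each Cloud interface needs "
                            "its own peer interface")
    elif t.peer_design == "one_device_one_iface":
        # both tunnels must terminate on the same peer interface
        if len(targets[0] | targets[1]) != 1:
            findings.append("single device, single interface: both tunnels must reach "
                            "the same peer interface")
    else:
        findings.append(f"unknown peer design {t.peer_design!r}")
    return findings


# Constructed sample designs (hypothetical device names and regions).
GOOD = Topology(regions=["us-central1", "us-central1"], peer_design="two_devices",
                peer_mtu=1460,
                tunnels=[Tunnel(0, "onprem-fw-a", 0, "bgp"),
                         Tunnel(1, "onprem-fw-b", 0, "bgp")])

BAD = Topology(regions=["us-central1", "us-east1"], peer_design="two_devices",
               peer_mtu=1500,
               tunnels=[Tunnel(0, "onprem-fw-a", 0, "bgp"),
                        Tunnel(1, "onprem-fw-a", 1, "static")])

if __name__ == "__main__":
    for name, topo in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_ha_vpn(topo) or "OK")
```

Running the script reports `GOOD OK` and four findings for `BAD` (region mismatch, MTU, static routing on interface 1, and both tunnels landing on the same peer device in a two-device design). The design-specific rules are applied over sets of peer targets rather than single tunnels, so the check still holds when an interface carries more than one tunnel, which the page notes HA VPN allows.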
Classic VPN
Classic VPN gateways have a single interface and a single external IP address. They support tunnels that use BGP or static routing and provide an SLA of 99.9% service availability. From Q4 2021, GCP no longer allows using static routing to create Classic VPN tunnels to another Classic VPN gateway, nor using Classic VPN to connect a VPC network to another cloud provider's network.
Cloud Interconnect
GCP Interconnect is layer-2 connectivity that incurs a monthly cost. When there is a requirement for low-latency, highly available connectivity between GCP and the on-premises network, we use Interconnect.
Interconnect comes in two flavors:
Dedicated Interconnect: this type of connection provides direct connectivity to the Google edge. Google charges the enterprise on an hourly basis, and the cost depends on the size of the circuit (10 Gbps or 100 Gbps). There is also a charge for egress traffic from a VPC network through a Dedicated Interconnect connection.
Each Dedicated Interconnect connection delivers a 10 Gbps or 100 Gbps circuit; up to eight 10 Gbps connections can be created, giving a maximum of 80 Gbps per Interconnect, or 2 x 100 Gbps circuits.
Partner Interconnect: the connection is established through a Google partner's network. Google also charges the enterprise on an hourly basis for VLAN attachments, depending on their capacity, plus egress traffic from a VPC network through the Partner Interconnect connection.
With a Partner Interconnect connection, bandwidth ranges from 50 Mbps to 50 Gbps.
Peering
Peering is layer-3 connectivity that provides access to services such as Google Workspace, YouTube, and Google APIs via public IP addresses. GCP peering has no maintenance cost and comes in two flavors:
Direct Peering: offers a 10 Gbps connection per link, established at a GCP PoP from which Google's network connects to the rest of the Internet.
Carrier Peering: connectivity to Google public services is provided through a carrier; bandwidth depends on the carrier provider, and peering provides no SLA.