Upgrade to Google’s HA VPN to get industry-leading availability for mission-critical workloads

Hi everyone, my name is NIC de Christopher oh. I'm a customer designer and system consultant with Google Cloud, and I'll be your presenter today in this video.

If you started your journey towards Google Cloud from a hybrid on-premises model, it's likely that you're already using some hybrid connectivity pieces, one of them being Cloud VPN. Historically, Cloud VPN offered you an SLA of 99.9 percent, and with the introduction of our HA VPN solution we now offer an SLA of 99.99%. You're able to benefit from higher availability as well as ease of migration between Classic VPN and HA VPN. In this video I'm going to show you how easy it is to migrate an existing Classic VPN tunnel to an HA solution.

First, let's look at the two migration paths we will cover today. The first one is to migrate an existing Classic VPN solution to HA VPN using BGP as the routing protocol to an on-premises network or any non-Google networks, and the second is to migrate an existing Classic VPN using policy-based VPN to HA VPN,
implementing BGP between two projects or VPCs within Google Cloud Platform.

Now let's begin by looking at the first migration path. As you can see here, I'm in the Hybrid Connectivity section of the Google Cloud console. Here's a tab for VPN, and this is where I would like to have a look at the VPN tunnels and the Cloud VPN gateways that are available. Here you can see that I have two Classic VPN tunnels that are already established. If I move to the right, you can see that I have a dynamic BGP VPN tunnel and a policy-based VPN tunnel. For the first part of this video we will focus on the demo VPN tunnel that's already established over BGP.

The first thing you want to do is to create a new Cloud VPN gateway. If I click the Cloud VPN gateways tab now, you can see that I have a Classic VPN gateway with an associated IP address and an HA VPN gateway that I already created. If I click Create VPN gateway, this is where you would create your new VPN gateway for HA VPN. You would give it a name under VPN gateway name and select an appropriate VPC network for the VPN gateway, and these would be the same VPC network and region as your current Classic VPN. My current Classic VPN gateway is configured in us-east4, so I would select us-east4. I will not click Create because I've already created one, but in your case you would click Create.

Next, if I go back to the Cloud VPN tunnels tab, I'm asked to select a VPN gateway, and I will select the HA VPN high availability gateway I just created and click Continue. I'm presented next with two options. In the first case we will look at an on-premises or non-Google Cloud peer gateway. I've already created a new demo on-prem VPN gateway; however, in your case you would need to click Create peer VPN gateway and then specify a name, in this case it would be the on-prem VPN gateway, and then specify the IP addresses of the interfaces of your on-premises VPN gateway. Now you may have 1, 2 or 4 interfaces, and
this depends on your vendor's configuration. In my test environment I'm going to use two interfaces with the same IP address. I'm not going to enter these right now and click Create, because I've already done so; I will click Cancel instead. Then I will click the peer VPN gateway name and choose the VPN gateway I've already created.

The next step asks me what I would like to do with the high availability configuration. Now, high availability, or HA VPN, provides a 99.99% SLA, and therefore it's required to create a pair of VPN tunnels to achieve that SLA. Next, the only routing option we have for HA VPN is dynamic via BGP. Next, we want to select a Cloud Router. You can reuse the same Cloud Router that you used previously for the Classic VPN BGP tunnels. If you'd like, you can create a new Cloud Router, but it's not necessary. Here I will select the existing Cloud Router.

Next, I'll create the tunnels. As I select Edit on the VPN tunnels, you can see that it automatically populates the associated interfaces from my HA VPN gateway that was created earlier and identifies the peer gateway interfaces for me. If you recall, I mentioned that I have two interfaces for my peer gateway, and these interfaces have the same IP address for the purposes of this demo. For the first tunnel I will associate interface 0 of the HA VPN gateway with interface 0 of the peer gateway. I'll give it a name; let's call it HA VPN tunnel 0. Next you can select the IKE version. More modern VPN gateways support IKEv2, so I'll leave it at that. Next, enter a pre-shared key. Now, for my example the pre-shared key is going to be demo VPN HA VPN; however, please note that the best practice is to create a strong pre-shared key. See the links to our documentation below for more information. The Generate and copy button here will generate one for you. Now click Done.

Next I'll configure the second tunnel. As you can see, this is associated with interface 1 on
both the HA VPN gateway and the peer gateway. Following the same naming convention, we will call this HA VPN tunnel 1. I'll enter the same pre-shared key and click Done. Now, once you've configured everything, you can click Create and continue.

On the next screen we have to configure the BGP sessions. Let's configure the BGP session for the first Cloud VPN tunnel. Click Configure. Now I will give it a name; let's call it HA VPN BGP 0. Now fill in your peer autonomous system number; that's what's actually configured in your on-premises environment. In my environment it's 65506. Next, let's look at the multi-exit discriminator (MED) value, or advertised route priority. Because we would like to minimize downtime, the recommended configuration is an active/active tunnel. I know that I've configured my default route priority for my Classic VPN tunnel to 100, so I will configure the route priority now to 1000 for the HA VPN tunnel. What this means is that when these tunnels come up, traffic will not automatically switch over to these interfaces, because the other tunnel has better priority. This effectively means that we do not need to move traffic to the new tunnels until we're ready to do so. Now, for all configuration changes that you do in the cloud, we recommend that they be done during maintenance windows.

Next, configure the Cloud Router BGP IP and peer BGP IP. The IPs depend on what is configured in your on-premises environment. In my case the local Cloud Router BGP IP is 169.254.4.1 and the BGP peer IP is 169.254.4.2. Next you can configure the advertised routes, so you may decide to advertise only particular routes across this tunnel. For the purpose of this demonstration we're not going to change the defaults, and then we'll click Save and continue.

Next, configure the second BGP session with the desired parameters. Here I'll follow the same naming convention, so I will
name it HA VPN BGP 1. The peer ASN is going to be the same, 65506. Next, under the route priority, we'll be putting the same MED value so that the tunnels are in an active/active state, so they're basically able to load balance traffic. I will enter the value 1000, the same as I entered for the other tunnel. And again, for the Cloud Router BGP IP and BGP peer IP, this depends on your configuration; for me it's 169.254.5.1, and the peer IP is 169.254.5.2. Now again let's click Save and continue. Lastly, let's click the button to save the BGP configuration.

Now here in step three we're given a summary page with the current status of our VPN tunnels. You can see that right now they're establishing, so it may take approximately 20 to 30 seconds to bring up the tunnels. We'll click OK and return to the previous page. Now again on this page you're seeing a summary of my Cloud VPN tunnels. As you can see on the right, two tunnels are waiting for the BGP peer to be established. You may click Refresh at the top of the page, and I'll refresh the screen, as we're interested to know whether the BGP sessions have been established. So let's click Refresh, and now you can see that the BGP sessions are established.

Next, if we select the hamburger menu at the top left-hand side and scroll down to VPC network under the Networking section, we will select Routes. Now in the Routes tab I'm interested in the Dynamic tab, to look at the new routes that were learned across HA VPN. If I click the Dynamic tab, I can see that I'm learning a new IP prefix from both tunnels with priority 1000. The other BGP routing priority is set to 100; this means that the existing Classic VPN tunnel that I had previously created still takes precedence. Recall that a lower value is better here, meaning that 100 wins over 1,000. Traffic is still going to flow across the existing VPN tunnel and not across the new HA VPN tunnel.

So next, as you can see here, I have a
demo virtual machine, and I'm going to establish a ping between it and my on-premises environment across that VPN tunnel. Here I'm going to initiate a ping to 192.168.125.1, and as you can see I'm receiving packets from that on-premises machine, which is located on the other side of the VPN tunnel in my on-premises network.

Next, to have seamless traffic failover, let's switch the priorities around so that the Classic VPN tunnel has lower priority, or a higher MED value, than the HA VPN tunnels. Click on the hamburger menu at the top left-hand side, go to Networking, click Hybrid Connectivity and then VPN. Select the existing Classic VPN tunnel, scroll down to the Routing & Security section and, on the line item BGP session, click Modify BGP session. When the new window opens up, change the advertised route priority to a value larger than what was configured for the HA VPN tunnels. For example, in my environment my HA VPN tunnels have a value of 1000, so I'll configure the route priority for the Classic VPN tunnel with the value of 1200. Now, before I click Save and continue, I have an on-premises router where I need to push the configuration changes as well, so that traffic is symmetrical between my HA VPN tunnel pair, my on-premises router and Google. I'll configure that in the background, and then I'm going to click Save and continue here.

Now that it's configured, if we return to that hamburger bar menu at the top left-hand side, scroll down to VPC network and select the Routes tab, then click the Dynamic tab, we can see that I'm receiving a route from the on-premises network with priority 1200. This was a priority that I configured towards the on-prem network as well, so traffic is now preferring my HA VPN tunnel pair. If I look below here and return to my ping running in the background, and stop it, I can see that traffic has now effectively switched over to my new HA VPN tunnel without any
drops. We can see here that we have zero packet loss between my pings sent from the GCP environment to my on-premises router. Now if I restart the ping, I can return to my VPN configuration under the Hybrid Connectivity section. If I select the already existing Classic VPN tunnel, I'm able to delete it now. Click Delete. Are you sure you want to delete this tunnel? Click Delete. Now, since the traffic is safely exiting across the HA VPN tunnel pair, deleting the tunnel will have no effect on my traffic. So if I return to the VPC networks tab, click the Routes button and click the Dynamic tab, now I can see that I'm receiving the prefix 192.168.125.0/24 only from my HA VPN tunnel pair. If we go back to the pings that are running and I stop them, you can see that I've had zero packet loss now that I've removed my Classic VPN tunnel. And with that we now have a successful migration from Classic VPN over to HA VPN. That concludes the first migration path, from Classic VPN using BGP to HA VPN.

Section two: migrate an existing Classic VPN using policy-based VPN to HA VPN between two projects or VPCs within Google Cloud.

In this section we will look at configuring HA VPN tunnels between two projects in GCP. This migration path is used to migrate Classic VPN tunnels between two projects in GCP to HA VPN tunnels. Let's click the hamburger menu at the top left-hand side, scroll down to Networking, select Hybrid Connectivity and click the VPN tab. Here, as you can see, I have established a Classic VPN policy-based tunnel. If I scroll to the right, you can see that there are no dynamic routes configured; it is completely policy based, meaning I've manually configured my traffic selectors, and traffic is going between this VPC and project to another project and VPC within GCP. Now if I open this new window, I'll show you that I have another project, and in this project I will go to the same Hybrid Connectivity section and the VPN
tab and show you the tunnels that I have created. You can see here I have an existing Classic VPN tunnel which is policy based. If I move to the right, you can see that it's established. You can also see here that I have existing tunnels created; because we're going to do the configuration only in one project, I've already configured my HA VPNs here in this project. We will now create HA VPN tunnels to the new project instead of to an on-premises network.

Going back to the original project, I'll create a new pair of HA VPN tunnels by selecting Create VPN tunnel. I will then select the HA VPN demo gateway that I created before and click Continue. In this case we'll select a peer VPN gateway type of Google Cloud, and now I'll be presented with a list of projects that I have access to. I will select the project that I'm attempting to create a connection to, and then select the VPN gateway name. As you recall, I've already created an HA VPN gateway in the other project; this is something that you would have had to do prior to this step. You simply follow the same steps that I showed you earlier in this video on how to create an HA VPN gateway, and you would do that in one project before the other.

Once I select the gateway name, I'm presented with the high availability options again, very similar to the previous section. Here we will create a pair of VPN tunnels, again to provide high availability with a four-nines SLA. Next I will select my existing Cloud Router; again, you can create a new one, but it's not necessary. Now once I click the VPN tunnels, you can see that they've already been pre-associated one-to-one with the interfaces of my peer VPN gateway. This is done automatically for you within Google Cloud. Again, similar to before, let's give it a name; I'm going to call it HA VPN peer project 0. Next, the same configuration for the IKE version; if you want, you can change that. Next, enter a pre-shared key.
Again, a strong pre-shared key is recommended; see the links to our documentation below for more information. But for this demo I'm going to use a simple pre-shared key. Once it's entered, I click Done. Next I'm going to configure my second tunnel by selecting this tunnel. Let's give it a name; I'm going to name it HA VPN peer project 1. Next I'm going to enter the same pre-shared key again, click Done, then Create and continue.

On this page we'll create the BGP sessions. I've already created exactly the same thing in my other project, so I'm only going to do it here. Let's click Configure and give it a name; in my case it's HA VPN peer 0. The peer ASN in my case is 65507. Now, for the route priorities, it'll be a little bit different from the previous example, because policy-based routes have a default priority in Google Cloud of 1000. So let's create a route priority that's higher than the policy-based route, so a lower numerical value, as you recall. I will enter 100, which is lower than the 1000, and then I'll enter the related Cloud Router and BGP peer IPs. My Cloud Router IP is 169.254.7.1 and my peer's is 169.254.7.2. Please note once again that all changes should be done during maintenance windows. Click Save and continue.

Let's configure the second BGP session. Click Configure again and enter a name; I'm going to name it HA VPN peer 1. Again enter your ASN; in my case that's 65507. The multi-exit discriminator will be the same as before, so for me it's 100. Then configure the appropriate Cloud Router and BGP peer IPs; in my environment it's 169.254.8.1 and 169.254.8.2. Again click Save and continue.

Now I won't click Save BGP configuration just yet, and that's because I'd like to show that traffic is currently going across the existing Classic VPN tunnel. I'm going to start a ping from my VM. The IP address of my peer
project's VM is 10.30.30.2, so I'm going to leave the ping running. I can now click Save BGP configuration. Now on this page we get the BGP summary page that you've seen previously. We can click OK at the bottom. Here you're seeing the newly created tunnels, and you can see the peer VPN gateway and the project it is associated with. If we move to the right, we can see the current BGP session status. If we click Refresh, we can see the BGP peers are established.

Click on the hamburger menu at the top left-hand side, scroll down to VPC network and select the Routes tab. Next select the Dynamic tab, and now we can see a destination range of 10.30.30.0/24, which is a new route that was created across the HA VPN peers. If I click the All tab, I can see a policy-based route with priority 1000 for the same prefix, 10.30.30.0/24. Traffic has automatically moved over to the HA VPN pair across these two priority 100 routes. If we return to the Dynamic tab again, you're seeing these two priority 100 routes, and traffic has actually moved over to the HA VPN tunnels. If I return to my VM window down below, I can now stop the pings, and you can see that traffic has seamlessly switched over without any packet loss.

I can then restart the pings, go to my VPN section, and simply select the VPN policy-based routing tunnel and delete it. So again let's go back to the hamburger bar menu, scroll down to Hybrid Connectivity and VPN, select the Classic VPN policy-based routing tunnel and click Delete. Are you sure you want to delete this tunnel? Click Delete. And there you have it: we only have HA VPN tunnels left. The last thing to do is to delete the existing Classic VPN gateways, unless you're using them for any other tunnels; if you're not, you can safely delete them. If we go back to my VM ping running below, you can see that if I stop it, there's been no packet loss when the tunnel was deleted. So I can return to my Cloud console, scroll down to the VPC network section and Routes, and you can see here in the All tab I no longer see the policy-based route to the VPN tunnel for prefix 10.30.30.0/24; it's currently only learned via the dynamic route in the Dynamic tab.

And with that, this concludes this video. I've posted some helpful links to our documentation below, which explain numerous topologies and configurations with HA VPN. Thank you and have a great day.
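The priority logic behind both migration paths can be checked before the Classic VPN tunnel is deleted. The following is an added example, not part of the video or of Google's tooling: it decides whether a prefix is carried only by the HA VPN tunnel pair. The tunnel names and route tables are constructed, and only exact-prefix matching and route priority are modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Route:
    prefix: str    # destination range
    priority: int  # route priority (MED); the lower value is preferred
    tunnel: str    # tunnel name (hypothetical names, not from the console)
    ha: bool       # True when the tunnel terminates on the HA VPN gateway


def best_routes(routes, prefix):
    """Routes that carry traffic for prefix: all those tied at the lowest priority."""
    want = ip_network(prefix)
    cands = [r for r in routes if ip_network(r.prefix) == want]
    if not cands:
        return []
    low = min(r.priority for r in cands)
    return [r for r in cands if r.priority == low]


def safe_to_delete_classic(routes, prefix, ha_tunnels_needed=2):
    """Return (ok, reasons): ok only if every active path is HA and both HA tunnels are active."""
    active = best_routes(routes, prefix)
    ha_active = {r.tunnel for r in active if r.ha}
    reasons = []
    if any(not r.ha for r in active):
        reasons.append("classic tunnel is still a best path")
    if len(ha_active) < ha_tunnels_needed:
        reasons.append(f"{len(ha_active)} of {ha_tunnels_needed} HA tunnels active")
    return (not reasons, reasons)


def routes_for(prefix, classic_priority, ha_priority, ha_tunnels_up=2):
    """Constructed sample route table for one prefix (not real console output)."""
    table = [Route(prefix, classic_priority, "classic-vpn-tunnel", False)]
    table += [Route(prefix, ha_priority, f"ha-vpn-tunnel-{i}", True)
              for i in range(ha_tunnels_up)]
    return table


ONPREM = "192.168.125.0/24"   # on-premises prefix from the first migration path
PEER_VPC = "10.30.30.0/24"    # peer project prefix from the second migration path
STAGES = {
    "bgp: HA tunnels just created": routes_for(ONPREM, 100, 1000),
    "bgp: classic raised to 1200": routes_for(ONPREM, 1200, 1000),
    "bgp: one HA session down": routes_for(ONPREM, 1200, 1000, ha_tunnels_up=1),
    "policy-based: HA peers at 100": routes_for(PEER_VPC, 1000, 100),
}

if __name__ == "__main__":
    for name, table in STAGES.items():
        ok, reasons = safe_to_delete_classic(table, table[0].prefix)
        active = sorted(r.tunnel for r in best_routes(table, table[0].prefix))
        print(f"{name:32} active={active} delete_classic={ok} {reasons}")
```

The third stage is the case worth catching: traffic has left the Classic VPN tunnel, but with only one HA tunnel carrying the prefix, deleting the Classic VPN tunnel would leave a single path.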
