Securing Cloud VPN with BGP Routing: Building Resilient, High-Throughput Connections


Introduction

Static VPN tunnels can work for simple use cases, but they don’t scale or heal themselves when links fail. By combining Cloud VPN with BGP dynamic routing, you get:

  • Automatic failover between multiple tunnels
  • Route advertisement of on-prem and cloud prefixes
  • Simplified management as your network grows

In this post you’ll learn how to deploy a high-availability Cloud VPN with a Cloud Router, configure BGP sessions, and apply security best practices to keep your traffic safe.


Why BGP + Cloud VPN?

Static vs. Dynamic

  • Static routes require manual updates for every prefix change
  • BGP advertises routes dynamically and fails over automatically

Benefits of Dynamic Routing

  1. Resilience: traffic shifts to the standby tunnel when the active one fails
  2. Scalability: add new on-prem prefixes without redeploying the VPN
  3. Visibility: monitor route advertisements and peer status in Cloud Monitoring

Prerequisites

  • GCP project with Compute Engine API and Cloud Router API enabled
  • Service account or user with roles/compute.networkAdmin
  • On-prem BGP-capable router (e.g. Cisco, Juniper) or virtual appliance

1. Create the Cloud Router

gcloud compute routers create cloud-router \
  --network=my-vpc \
  --region=us-central1 \
  --asn=64514

  • --asn must be a unique Autonomous System Number (different from the on-prem ASN)

2. Provision VPN Gateways & Tunnels

# Create the HA VPN gateway (two interfaces, each with its own public IP)
gcloud compute vpn-gateways create vpn-gw \
  --network=my-vpc \
  --region=us-central1

# Register the on-prem peer device so the tunnels can reference it
gcloud compute external-vpn-gateways create onprem-gw \
  --interfaces=0=ON_PREM_IP

# Create two tunnels for HA: interfaces 0 and 1 of vpn-gw, both to the on-prem peer
for IF in 0 1; do
  gcloud compute vpn-tunnels create vpn-tunnel-$((IF + 1)) \
    --vpn-gateway=vpn-gw \
    --interface=$IF \
    --peer-external-gateway=onprem-gw \
    --peer-external-gateway-interface=0 \
    --ike-version=2 \
    --shared-secret="YOUR_SECRET" \
    --router=cloud-router \
    --region=us-central1
done

Two tunnels (active/standby, one per gateway interface) keep connectivity up when one path fails.


3. Configure BGP Peers

# Attach a Cloud Router interface to the tunnel (link-local /30 inside 169.254.0.0/16)
gcloud compute routers add-interface cloud-router \
  --interface-name=if-vpn-tunnel-1 \
  --vpn-tunnel=vpn-tunnel-1 \
  --ip-address=169.254.1.2 \
  --mask-length=30 \
  --region=us-central1

gcloud compute routers add-bgp-peer cloud-router \
  --peer-name=onprem-peer-1 \
  --peer-asn=65000 \
  --interface=if-vpn-tunnel-1 \
  --peer-ip-address=169.254.1.1 \
  --region=us-central1

Repeat for vpn-tunnel-2 with its own interface and peer name, using a distinct link-local /30 pair (e.g. 169.254.2.2 on the Cloud Router side and 169.254.2.1 on-prem).


4. Secure Your IKE & BGP Sessions

  1. Use IKEv2 for stronger key derivation and rekey support
  2. Rotate shared secrets regularly (store them in Cloud KMS and automate the rotation)
  3. Accept BGP sessions only from your on-prem ASN and the expected link-local peer addresses
  4. Firewall rules: allow only UDP/500, UDP/4500, and TCP/179 (BGP)

# This rule affects only VM instances carrying the vpn-gw tag (e.g. a self-managed
# VPN appliance); the managed HA VPN gateway's IKE endpoints are not filtered by
# VPC firewall rules.
resource "google_compute_firewall" "allow_vpn_bgp" {
  name      = "allow-vpn-bgp"
  network   = var.network
  direction = "INGRESS"
  allow {
    protocol = "udp"
    ports    = ["500", "4500"]
  }
  allow {
    protocol = "tcp"
    ports    = ["179"]
  }
  source_ranges = ["ON_PREM_PUBLIC_CIDR"]
  target_tags   = ["vpn-gw"]
}
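Before running the commands in steps 1 to 4, it is worth checking the plan itself: that the Cloud Router and on-prem ASNs are distinct private ASNs, that each BGP session uses the two usable addresses of one /30 inside 169.254.0.0/16 with no /30 reused between tunnels, and that a freshly generated pre-shared key is available for rotation. The following script is an added example, not code from the original post or from Google; the private ASN ranges and the /30 link-local convention are this example's assumptions about what Cloud Router accepts, and the plan values are constructed to match the commands above.

```python
"""Pre-flight validation of an HA VPN + BGP plan before any gcloud call.

Added example (not from the original post). Assumptions: private ASN ranges are
64512-65534 and 4200000000-4294967294; BGP session addresses are /30 pairs
inside 169.254.0.0/16. Plan values below are constructed.
"""
import ipaddress
import secrets

# 16-bit and 32-bit private ASN ranges (assumption about Cloud Router's requirements)
PRIVATE_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def is_private_asn(asn: int) -> bool:
    return any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES)


def validate_plan(cloud_asn, peer_asn, sessions):
    """Return a list of problems; an empty list means the plan is consistent.

    sessions: iterable of (tunnel_name, cloud_router_ip, peer_ip) tuples.
    """
    problems = []
    for label, asn in (("cloud", cloud_asn), ("on-prem", peer_asn)):
        if not is_private_asn(asn):
            problems.append(f"{label} ASN {asn} is not in a private range")
    if cloud_asn == peer_asn:
        problems.append("cloud and on-prem ASNs must differ")

    used_subnets = {}
    for name, cloud_ip, peer_ip in sessions:
        c = ipaddress.ip_address(cloud_ip)
        p = ipaddress.ip_address(peer_ip)
        for side, addr in (("cloud", c), ("peer", p)):
            if addr not in LINK_LOCAL:
                problems.append(f"{name}: {side} address {addr} is outside 169.254.0.0/16")
        # Both ends must be the two usable hosts of a single /30.
        subnet = ipaddress.ip_network(f"{c}/30", strict=False)
        if c == p or {c, p} != set(subnet.hosts()):
            problems.append(f"{name}: {c} and {p} are not the two usable addresses of one /30")
        if subnet in used_subnets:
            problems.append(f"{name}: /30 {subnet} is already used by {used_subnets[subnet]}")
        else:
            used_subnets[subnet] = name
    return problems


def new_shared_secret(nbytes: int = 32) -> str:
    """Generate a fresh IKE pre-shared key from the OS CSPRNG (43 chars for 32 bytes)."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    # Constructed plan matching the commands in steps 1-3
    plan = [
        ("vpn-tunnel-1", "169.254.1.2", "169.254.1.1"),
        ("vpn-tunnel-2", "169.254.2.2", "169.254.2.1"),
    ]
    for line in validate_plan(64514, 65000, plan) or ["plan OK"]:
        print(line)
    print("new shared secret:", new_shared_secret())
```

Run it as part of the pipeline that renders your gcloud or Terraform configuration; a non-empty problem list should stop the deployment, and the generated secret should go straight into Cloud KMS rather than into a shell history.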

5. Verify & Monitor

  • Check BGP status:

    gcloud compute routers get-status cloud-router \
      --region=us-central1

  • Cloud Monitoring: chart BGP peer status and VPN tunnel metrics

  • Connectivity Tests: run reachability checks between on-prem and GCE VMs
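Checking BGP status by hand does not scale to a cron job or a monitoring probe, so here is an added example (not code from the original post or from Google) that reads the JSON form of the get-status output, reports sessions that are down or established but learning nothing, and summarises whether the two-tunnel redundancy is intact. The field names it reads (result.bgpPeerStatus[].name, status, state, numLearnedRoutes) are this example's reading of the Cloud Router status output; SAMPLE_STATUS is constructed and does not come from a real project.

```python
"""Evaluate Cloud Router get-status JSON for HA VPN health.

Added example (not from the original post). Reads the output of
`gcloud compute routers get-status cloud-router --region=us-central1 --format=json`.
Field names are assumptions about that output; SAMPLE_STATUS is constructed.
"""
import json

# Constructed sample: tunnel 1 healthy, tunnel 2's session has not come up.
SAMPLE_STATUS = json.dumps({
    "kind": "compute#routerStatusResponse",
    "result": {
        "network": "projects/example-project/global/networks/my-vpc",
        "bgpPeerStatus": [
            {"name": "onprem-peer-1", "ipAddress": "169.254.1.2",
             "peerIpAddress": "169.254.1.1", "status": "UP",
             "state": "Established", "numLearnedRoutes": 3, "uptime": "2 days"},
            {"name": "onprem-peer-2", "ipAddress": "169.254.2.2",
             "peerIpAddress": "169.254.2.1", "status": "DOWN",
             "state": "Connect", "numLearnedRoutes": 0, "uptime": "0 seconds"},
        ],
    },
})


def peer_findings(status_json: str):
    """Return (peer_name, problem) pairs for every unhealthy BGP session."""
    doc = json.loads(status_json)
    findings = []
    for peer in doc.get("result", {}).get("bgpPeerStatus", []):
        name = peer.get("name", "<unnamed>")
        status, state = peer.get("status"), peer.get("state")
        if status != "UP" or state != "Established":
            findings.append((name, f"session not established (status={status}, state={state})"))
        elif peer.get("numLearnedRoutes", 0) == 0:
            # Up but empty: on-prem is not advertising, or a policy filters everything.
            findings.append((name, "established but learned no routes from the peer"))
    return findings


def ha_summary(status_json: str, required_healthy: int = 2):
    """Summarise redundancy: how many sessions are healthy versus how many are required."""
    doc = json.loads(status_json)
    peers = doc.get("result", {}).get("bgpPeerStatus", [])
    unhealthy = {name for name, _ in peer_findings(status_json)}
    healthy = [p["name"] for p in peers if p.get("name") not in unhealthy]
    return {
        "healthy": len(healthy),
        "required": required_healthy,
        "redundancy_ok": len(healthy) >= required_healthy,
        # Degraded = still connected, but one more failure means an outage.
        "degraded": 0 < len(healthy) < required_healthy,
    }


if __name__ == "__main__":
    import subprocess
    import sys
    # Use live gcloud output when asked, otherwise the constructed sample.
    if "--live" in sys.argv:
        status = subprocess.run(
            ["gcloud", "compute", "routers", "get-status", "cloud-router",
             "--region=us-central1", "--format=json"],
            check=True, capture_output=True, text=True).stdout
    else:
        status = SAMPLE_STATUS
    for name, problem in peer_findings(status):
        print(f"{name}: {problem}")
    print(ha_summary(status))
```

A "degraded" result is the one to alert on: the VPN still carries traffic, so nothing visible breaks, but the standby tunnel that step 2 was built for is no longer there.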


Best Practices

  • Use separate ASNs for on-prem and cloud to avoid conflicts
  • Enable logging on VPN tunnels for audit and troubleshooting
  • Tag resources (env=prod, team=network) to apply granular IAM policies
  • Automate with Terraform: manage VPN, router, and firewall as code
