
Configuring Google Cloud HA VPN

HA VPN is a high-availability (HA) Cloud VPN solution that lets you securely connect your on-premises network to your VPC network through an IPsec VPN connection in a single region. HA VPN provides an SLA of 99.99% service availability.

HA VPN is a regional, per-VPC VPN solution. HA VPN gateways have two interfaces, each with its own public IP address. When you create an HA VPN gateway, two public IP addresses are automatically chosen from different address pools. When HA VPN is configured with two tunnels, Cloud VPN offers 99.99% service availability.

In this lab you create a global VPC called vpc-demo, with two custom subnets in us-east1 and us-central1. In this VPC, you add a Compute Engine instance in each region. You then create a second VPC called on-prem to simulate a customer’s on-premises data center. In this second VPC, you add a subnet in region us-central1 and a Compute Engine instance running in this region. Finally, you add an HA VPN and a cloud router in each VPC and run two tunnels from each HA VPN gateway before testing the configuration to verify the 99.99% SLA.

In this lab, you learn how to perform the following tasks:

  • Create two VPC networks and instances.
  • Configure HA VPN gateways.
  • Configure dynamic routing with VPN tunnels.
  • Configure global dynamic routing mode.
  • Verify and test HA VPN gateway configuration.

Task 1. Set up a Global VPC environment

In this task you set up a global VPC with two custom subnets and two VM instances, one running in each zone.

Welcome to Cloud Shell! Type "help" to get started.
Your Cloud Platform project in this session is set to qwiklabs-gcp-02-e5e62c2e8450.
Use "gcloud config set project [PROJECT_ID]" to change to a different project.
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute networks create vpc-demo --subnet-mode custom
Created [https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/global/networks/vpc-demo].
NAME: vpc-demo
SUBNET_MODE: CUSTOM
BGP_ROUTING_MODE: REGIONAL
IPV4_RANGE:
GATEWAY_IPV4:

Instances on this network will not be reachable until firewall rules
are created. As an example, you can allow all internal traffic between
instances as well as SSH, RDP, and ICMP by running:

$ gcloud compute firewall-rules create <FIREWALL_NAME> --network vpc-demo --allow tcp,udp,icmp --source-ranges <IP_RANGE>
$ gcloud compute firewall-rules create <FIREWALL_NAME> --network vpc-demo --allow tcp:22,tcp:3389,icmp

student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$

student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute networks subnets create vpc-demo-subnet1 \
--network vpc-demo --range 10.1.1.0/24 --region us-central1
Created [https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/regions/us-central1/subnetworks/vpc-demo-subnet1].
NAME: vpc-demo-subnet1
REGION: us-central1
NETWORK: vpc-demo
RANGE: 10.1.1.0/24
STACK_TYPE: IPV4_ONLY
IPV6_ACCESS_TYPE:
INTERNAL_IPV6_PREFIX:
EXTERNAL_IPV6_PREFIX:
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute networks subnets create vpc-demo-subnet2 \
--network vpc-demo --range 10.2.1.0/24 --region us-east1
Created [https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/regions/us-east1/subnetworks/vpc-demo-subnet2].
NAME: vpc-demo-subnet2
REGION: us-east1
NETWORK: vpc-demo
RANGE: 10.2.1.0/24
STACK_TYPE: IPV4_ONLY
IPV6_ACCESS_TYPE:
INTERNAL_IPV6_PREFIX:
EXTERNAL_IPV6_PREFIX:
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute firewall-rules create vpc-demo-allow-custom \
  --network vpc-demo \
  --allow tcp:0-65535,udp:0-65535,icmp \
  --source-ranges 10.0.0.0/8
Creating firewall...working..Created [https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/global/firewalls/vpc-demo-allow-custom].
Creating firewall...done.
NAME: vpc-demo-allow-custom
NETWORK: vpc-demo
DIRECTION: INGRESS
PRIORITY: 1000
ALLOW: tcp:0-65535,udp:0-65535,icmp
DENY:
DISABLED: False
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute firewall-rules create vpc-demo-allow-ssh-icmp \
    --network vpc-demo \
    --allow tcp:22,icmp
Creating firewall...working..Created [https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/global/firewalls/vpc-demo-allow-ssh-icmp].
Creating firewall...done.
NAME: vpc-demo-allow-ssh-icmp
NETWORK: vpc-demo
DIRECTION: INGRESS
PRIORITY: 1000
ALLOW: tcp:22,icmp
DENY:
DISABLED: False
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute instances create vpc-demo-instance1 --zone us-central1-b --subnet vpc-demo-subnet1
Created [https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/zones/us-central1-b/instances/vpc-demo-instance1].
NAME: vpc-demo-instance1
ZONE: us-central1-b
MACHINE_TYPE: n1-standard-1
PREEMPTIBLE:
INTERNAL_IP: 10.1.1.2
EXTERNAL_IP: 35.222.98.141
STATUS: RUNNING
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute instances create vpc-demo-instance2 --zone us-east1-b --subnet vpc-demo-subnet2
Created [https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/zones/us-east1-b/instances/vpc-demo-instance2].
NAME: vpc-demo-instance2
ZONE: us-east1-b
MACHINE_TYPE: n1-standard-1
PREEMPTIBLE:
INTERNAL_IP: 10.2.1.2
EXTERNAL_IP: 34.139.32.48
STATUS: RUNNING
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$

Task 2. Set up a simulated on-premises environment

In this task you create a VPC called on-prem that simulates an on-premises environment from which a customer connects to the Google Cloud environment.

student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute networks create on-prem --subnet-mode custom
Created [https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/global/networks/on-prem].
NAME: on-prem
SUBNET_MODE: CUSTOM
BGP_ROUTING_MODE: REGIONAL
IPV4_RANGE:
GATEWAY_IPV4:

Instances on this network will not be reachable until firewall rules
are created. As an example, you can allow all internal traffic between
instances as well as SSH, RDP, and ICMP by running:

$ gcloud compute firewall-rules create <FIREWALL_NAME> --network on-prem --allow tcp,udp,icmp --source-ranges <IP_RANGE>
$ gcloud compute firewall-rules create <FIREWALL_NAME> --network on-prem --allow tcp:22,tcp:3389,icmp

student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute networks subnets create on-prem-subnet1 \
--network on-prem --range 192.168.1.0/24 --region us-central1
Created [https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/regions/us-central1/subnetworks/on-prem-subnet1].
NAME: on-prem-subnet1
REGION: us-central1
NETWORK: on-prem
RANGE: 192.168.1.0/24
STACK_TYPE: IPV4_ONLY
IPV6_ACCESS_TYPE:
INTERNAL_IPV6_PREFIX:
EXTERNAL_IPV6_PREFIX:
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute firewall-rules create on-prem-allow-custom \
  --network on-prem \
  --allow tcp:0-65535,udp:0-65535,icmp \
  --source-ranges 192.168.0.0/16
Creating firewall...working..Created [https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/global/firewalls/on-prem-allow-custom].
Creating firewall...done.
NAME: on-prem-allow-custom
NETWORK: on-prem
DIRECTION: INGRESS
PRIORITY: 1000
ALLOW: tcp:0-65535,udp:0-65535,icmp
DENY:
DISABLED: False
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute firewall-rules create on-prem-allow-ssh-icmp \
    --network on-prem \
    --allow tcp:22,icmp
Creating firewall...working..Created [https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/global/firewalls/on-prem-allow-ssh-icmp].
Creating firewall...done.
NAME: on-prem-allow-ssh-icmp
NETWORK: on-prem
DIRECTION: INGRESS
PRIORITY: 1000
ALLOW: tcp:22,icmp
DENY:
DISABLED: False
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute instances create on-prem-instance1 --zone us-central1-a --subnet on-prem-subnet1
Created [https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/zones/us-central1-a/instances/on-prem-instance1].
NAME: on-prem-instance1
ZONE: us-central1-a
MACHINE_TYPE: n1-standard-1
PREEMPTIBLE:
INTERNAL_IP: 192.168.1.2
EXTERNAL_IP: 34.70.222.66
STATUS: RUNNING
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$

Task 3. Set up an HA VPN gateway

In this task you create an HA VPN gateway in each VPC network and then create HA VPN tunnels on each Cloud VPN gateway.

student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute vpn-gateways create vpc-demo-vpn-gw1 --network vpc-demo --region us-central1
Creating VPN Gateway...done.    
NAME: vpc-demo-vpn-gw1
INTERFACE0: 34.157.103.51
INTERFACE1: 35.220.70.84
NETWORK: vpc-demo
REGION: us-central1
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute vpn-gateways create on-prem-vpn-gw1 --network on-prem --region us-central1
Creating VPN Gateway...done.    
NAME: on-prem-vpn-gw1
INTERFACE0: 34.157.97.46
INTERFACE1: 34.157.235.167
NETWORK: on-prem
REGION: us-central1
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute vpn-gateways describe vpc-demo-vpn-gw1 --region us-central1
creationTimestamp: '2022-10-07T06:42:12.343-07:00'
id: '6901935868591575643'
kind: compute#vpnGateway
labelFingerprint: 42WmSpB8rSM=
name: vpc-demo-vpn-gw1
network: https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/global/networks/vpc-demo
region: https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/regions/us-central1
selfLink: https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/regions/us-central1/vpnGateways/vpc-demo-vpn-gw1
stackType: IPV4_ONLY
vpnInterfaces:
- id: 0
  ipAddress: 34.157.103.51
- id: 1
  ipAddress: 35.220.70.84
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute vpn-gateways describe on-prem-vpn-gw1 --region us-central1
creationTimestamp: '2022-10-07T06:42:43.930-07:00'
id: '4238651945699349052'
kind: compute#vpnGateway
labelFingerprint: 42WmSpB8rSM=
name: on-prem-vpn-gw1
network: https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/global/networks/on-prem
region: https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/regions/us-central1
selfLink: https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/regions/us-central1/vpnGateways/on-prem-vpn-gw1
stackType: IPV4_ONLY
vpnInterfaces:
- id: 0
  ipAddress: 34.157.97.46
- id: 1
  ipAddress: 34.157.235.167
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$

Create cloud routers

student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute routers create vpc-demo-router1 \
    --region us-central1 \
    --network vpc-demo \
    --asn 65001
Creating router [vpc-demo-router1]...done.     
NAME: vpc-demo-router1
REGION: us-central1
NETWORK: vpc-demo
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute routers create on-prem-router1 \
    --region us-central1 \
    --network on-prem \
    --asn 65002
Creating router [on-prem-router1]...done.     
NAME: on-prem-router1
REGION: us-central1
NETWORK: on-prem
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$

Task 4. Create two VPN tunnels

In this task you create VPN tunnels between the two gateways. For HA VPN setup, you add two tunnels from each gateway to the remote setup. You create a tunnel on interface0 and connect to interface0 on the remote gateway. Next, you create another tunnel on interface1 and connect to interface1 on the remote gateway.

When you run HA VPN tunnels between two Google Cloud VPCs, you need to make sure that the tunnel on interface0 is connected to interface0 on the remote VPN gateway. Similarly, the tunnel on interface1 must be connected to interface1 on the remote VPN gateway.

student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute vpn-tunnels create vpc-demo-tunnel0 \
    --peer-gcp-gateway on-prem-vpn-gw1 \
    --region us-central1 \
    --ike-version 2 \
    --shared-secret GCP2022 \
    --router vpc-demo-router1 \
    --vpn-gateway vpc-demo-vpn-gw1 \
    --interface 0
Creating VPN tunnel...done.     
NAME: vpc-demo-tunnel0
REGION: us-central1
GATEWAY: vpc-demo-vpn-gw1
VPN_INTERFACE: 0
PEER_ADDRESS: 34.157.97.46
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute vpn-tunnels create vpc-demo-tunnel1 \
    --peer-gcp-gateway on-prem-vpn-gw1 \
    --region us-central1 \
    --ike-version 2 \
    --shared-secret GCP2022 \
    --router vpc-demo-router1 \
    --vpn-gateway vpc-demo-vpn-gw1 \
    --interface 1
Creating VPN tunnel...done.     
NAME: vpc-demo-tunnel1
REGION: us-central1
GATEWAY: vpc-demo-vpn-gw1
VPN_INTERFACE: 1
PEER_ADDRESS: 34.157.235.167
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute vpn-tunnels create on-prem-tunnel0 \
    --peer-gcp-gateway vpc-demo-vpn-gw1 \
    --region us-central1 \
    --ike-version 2 \
    --shared-secret GCP2022 \
    --router on-prem-router1 \
    --vpn-gateway on-prem-vpn-gw1 \
    --interface 0
Creating VPN tunnel...done.     
NAME: on-prem-tunnel0
REGION: us-central1
GATEWAY: on-prem-vpn-gw1
VPN_INTERFACE: 0
PEER_ADDRESS: 34.157.103.51
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute vpn-tunnels create on-prem-tunnel1 \
    --peer-gcp-gateway vpc-demo-vpn-gw1 \
    --region us-central1 \
    --ike-version 2 \
    --shared-secret GCP2022 \
    --router on-prem-router1 \
    --vpn-gateway on-prem-vpn-gw1 \
    --interface 1
Creating VPN tunnel...done.     
NAME: on-prem-tunnel1
REGION: us-central1
GATEWAY: on-prem-vpn-gw1
VPN_INTERFACE: 1
PEER_ADDRESS: 35.220.70.84
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$

Task 5. Create Border Gateway Protocol (BGP) peering for each tunnel

In this task you configure BGP peering for each VPN tunnel between the vpc-demo and on-prem VPCs. HA VPN requires dynamic routing to provide 99.99% availability.

student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute routers add-interface vpc-demo-router1 \
    --interface-name if-tunnel0-to-on-prem \
    --ip-address 169.254.0.1 \
    --mask-length 30 \
    --vpn-tunnel vpc-demo-tunnel0 \
    --region us-central1
Updated [https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/regions/us-central1/routers/vpc-demo-router1].
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute routers add-bgp-peer vpc-demo-router1 \
    --peer-name bgp-on-prem-tunnel0 \
    --interface if-tunnel0-to-on-prem \
    --peer-ip-address 169.254.0.2 \
    --peer-asn 65002 \
    --region us-central1
Creating peer [bgp-on-prem-tunnel0] in router [vpc-demo-router1]...done.     
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute routers add-interface vpc-demo-router1 \
    --interface-name if-tunnel1-to-on-prem \
    --ip-address 169.254.1.1 \
    --mask-length 30 \
    --vpn-tunnel vpc-demo-tunnel1 \
    --region us-central1
Updated [https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/regions/us-central1/routers/vpc-demo-router1].
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute routers add-bgp-peer vpc-demo-router1 \
    --peer-name bgp-on-prem-tunnel1 \
    --interface if-tunnel1-to-on-prem \
    --peer-ip-address 169.254.1.2 \
    --peer-asn 65002 \
    --region us-central1
Creating peer [bgp-on-prem-tunnel1] in router [vpc-demo-router1]...done.     
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute routers add-interface on-prem-router1 \
    --interface-name if-tunnel0-to-vpc-demo \
    --ip-address 169.254.0.2 \
    --mask-length 30 \
    --vpn-tunnel on-prem-tunnel0 \
    --region us-central1
Updated [https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/regions/us-central1/routers/on-prem-router1].
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute routers add-bgp-peer on-prem-router1 \
    --peer-name bgp-vpc-demo-tunnel0 \
    --interface if-tunnel0-to-vpc-demo \
    --peer-ip-address 169.254.0.1 \
    --peer-asn 65001 \
    --region us-central1
Creating peer [bgp-vpc-demo-tunnel0] in router [on-prem-router1]...done.     
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute routers add-interface  on-prem-router1 \
    --interface-name if-tunnel1-to-vpc-demo \
    --ip-address 169.254.1.2 \
    --mask-length 30 \
    --vpn-tunnel on-prem-tunnel1 \
    --region us-central1
Updated [https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/regions/us-central1/routers/on-prem-router1].
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute routers add-bgp-peer  on-prem-router1 \
    --peer-name bgp-vpc-demo-tunnel1 \
    --interface if-tunnel1-to-vpc-demo \
    --peer-ip-address 169.254.1.1 \
    --peer-asn 65001 \
    --region us-central1
Creating peer [bgp-vpc-demo-tunnel1] in router [on-prem-router1]...done.    
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$
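The two rules stated in Tasks 4 and 5 (interface N must terminate on the peer gateway's interface N, and each BGP session must sit on one link-local /30 with the far router's ASN as its peer) can be checked mechanically rather than by reading `describe` output by eye. The following is an added example in Python, not part of the lab: the gateway, tunnel and router facts are constructed from the values shown in this lab in the shape `gcloud ... describe --format=json` would return, and `tunnel` and `check_ha_vpn` are this example's own names.

```python
import ipaddress

# Constructed from the lab's `vpn-gateways describe` output: gateway -> interface id -> address.
GATEWAYS = {
    "vpc-demo-vpn-gw1": {0: "34.157.103.51", 1: "35.220.70.84"},
    "on-prem-vpn-gw1": {0: "34.157.97.46", 1: "34.157.235.167"},
}


def tunnel(name, gw, iface, peer_gw, peer_ip, status="ESTABLISHED", ike=2):
    """Compact stand-in for the fields `vpn-tunnels describe --format=json` returns."""
    return {"name": name, "vpnGateway": gw, "vpnGatewayInterface": iface,
            "peerGcpGateway": peer_gw, "peerIp": peer_ip, "status": status, "ikeVersion": ike}


# Constructed from the four tunnels created in Task 4.
TUNNELS = [
    tunnel("vpc-demo-tunnel0", "vpc-demo-vpn-gw1", 0, "on-prem-vpn-gw1", "34.157.97.46"),
    tunnel("vpc-demo-tunnel1", "vpc-demo-vpn-gw1", 1, "on-prem-vpn-gw1", "34.157.235.167"),
    tunnel("on-prem-tunnel0", "on-prem-vpn-gw1", 0, "vpc-demo-vpn-gw1", "34.157.103.51"),
    tunnel("on-prem-tunnel1", "on-prem-vpn-gw1", 1, "vpc-demo-vpn-gw1", "35.220.70.84"),
]

# Constructed from Task 5: router -> ASN and, per tunnel, (local /30 address, BGP peer address, peer ASN).
ROUTERS = {
    "vpc-demo-router1": {"asn": 65001, "sessions": {
        "vpc-demo-tunnel0": ("169.254.0.1/30", "169.254.0.2", 65002),
        "vpc-demo-tunnel1": ("169.254.1.1/30", "169.254.1.2", 65002)}},
    "on-prem-router1": {"asn": 65002, "sessions": {
        "on-prem-tunnel0": ("169.254.0.2/30", "169.254.0.1", 65001),
        "on-prem-tunnel1": ("169.254.1.2/30", "169.254.1.1", 65001)}},
}

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def check_ha_vpn(gateways, tunnels, routers):
    """Return a list of findings; an empty list means the HA topology is consistent."""
    findings = []
    # tunnel name -> (router that terminates it, its BGP session parameters)
    session = {t: (r, s) for r, cfg in routers.items() for t, s in cfg["sessions"].items()}

    for t in tunnels:
        n, i = t["name"], t["vpnGatewayInterface"]
        # 1. Tunnel health: up, and IKEv2 as every tunnel in Task 4 was created.
        if t["status"] != "ESTABLISHED":
            findings.append(f"{n}: status is {t['status']}")
        if t["ikeVersion"] != 2:
            findings.append(f"{n}: IKE version {t['ikeVersion']}, expected 2")
        # 2. Interface pairing: interface N must terminate on the peer gateway's interface N.
        want = gateways[t["peerGcpGateway"]][i]
        if t["peerIp"] != want:
            findings.append(f"{n}: interface {i} peers with {t['peerIp']} but "
                            f"{t['peerGcpGateway']} interface {i} is {want}")
        # 3. BGP on this tunnel: a /30 from 169.254.0.0/16 with the peer as the other host.
        if n not in session:
            findings.append(f"{n}: no Cloud Router interface/BGP peer bound to this tunnel")
            continue
        rname, (local_cidr, peer_ip, peer_asn) = session[n]
        local = ipaddress.ip_interface(local_cidr)
        peer = ipaddress.ip_address(peer_ip)
        if local.network.prefixlen != 30 or not local.network.subnet_of(LINK_LOCAL):
            findings.append(f"{rname}/{n}: {local_cidr} is not a /30 inside {LINK_LOCAL}")
        if peer not in local.network or peer == local.ip:
            findings.append(f"{rname}/{n}: BGP peer {peer} is not the other host of {local.network}")
        # 4. Symmetry: the mirror tunnel (same interface index on the peer gateway) must use
        #    the swapped addresses, and our peer ASN must be the ASN its router runs.
        mirror = [m for m in tunnels
                  if m["vpnGateway"] == t["peerGcpGateway"] and m["vpnGatewayInterface"] == i]
        if not mirror or mirror[0]["name"] not in session:
            findings.append(f"{n}: no mirror tunnel with BGP on {t['peerGcpGateway']} interface {i}")
            continue
        mr, (m_local, m_peer, _) = session[mirror[0]["name"]]
        if routers[mr]["asn"] != peer_asn:
            findings.append(f"{rname}/{n}: peer ASN {peer_asn} but {mr} runs ASN {routers[mr]['asn']}")
        if ipaddress.ip_interface(m_local).ip != peer or ipaddress.ip_address(m_peer) != local.ip:
            findings.append(f"{n}: BGP addresses do not mirror those of {mirror[0]['name']}")

    # 5. The 99.99% SLA needs a tunnel on both interfaces of every gateway.
    for gw in gateways:
        used = {t["vpnGatewayInterface"] for t in tunnels if t["vpnGateway"] == gw}
        if used != {0, 1}:
            findings.append(f"{gw}: tunnels only on interface(s) {sorted(used)}; HA needs 0 and 1")
    return findings


if __name__ == "__main__":
    for line in check_ha_vpn(GATEWAYS, TUNNELS, ROUTERS) or ["HA VPN topology is consistent"]:
        print(line)
```

Feeding it the real `--format=json` output instead of the constructed dicts only requires mapping the `bgpPeers` and `interfaces` lists of `routers describe` into the per-tunnel `sessions` shape used here.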

Task 6. Verify router configurations

In this task you verify the router configurations in both VPCs. You configure firewall rules to allow traffic between each VPC and verify the status of the tunnels. You also verify private connectivity over VPN between each VPC and enable global routing mode for the VPC.

student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute routers describe vpc-demo-router1 \
    --region us-central1
bgp:
  advertiseMode: DEFAULT
  asn: 65001
  keepaliveInterval: 20
bgpPeers:
- bfd:
    minReceiveInterval: 1000
    minTransmitInterval: 1000
    multiplier: 5
    sessionInitializationMode: DISABLED
  enable: 'TRUE'
  enableIpv6: false
  interfaceName: if-tunnel0-to-on-prem
  ipAddress: 169.254.0.1
  name: bgp-on-prem-tunnel0
  peerAsn: 65002
  peerIpAddress: 169.254.0.2
- bfd:
    minReceiveInterval: 1000
    minTransmitInterval: 1000
    multiplier: 5
    sessionInitializationMode: DISABLED
  enable: 'TRUE'
  enableIpv6: false
  interfaceName: if-tunnel1-to-on-prem
  ipAddress: 169.254.1.1
  name: bgp-on-prem-tunnel1
  peerAsn: 65002
  peerIpAddress: 169.254.1.2
creationTimestamp: '2022-10-07T06:44:27.422-07:00'
id: '5108157148377748436'
interfaces:
- ipRange: 169.254.0.1/30
  linkedVpnTunnel: https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/regions/us-central1/vpnTunnels/vpc-demo-tunnel0
  name: if-tunnel0-to-on-prem
- ipRange: 169.254.1.1/30
  linkedVpnTunnel: https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/regions/us-central1/vpnTunnels/vpc-demo-tunnel1
  name: if-tunnel1-to-on-prem
kind: compute#router
name: vpc-demo-router1
network: https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/global/networks/vpc-demo
region: https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/regions/us-central1
selfLink: https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/regions/us-central1/routers/vpc-demo-router1
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute routers describe on-prem-router1 \
    --region us-central1
bgp:
  advertiseMode: DEFAULT
  asn: 65002
  keepaliveInterval: 20
bgpPeers:
- bfd:
    minReceiveInterval: 1000
    minTransmitInterval: 1000
    multiplier: 5
    sessionInitializationMode: DISABLED
  enable: 'TRUE'
  enableIpv6: false
  interfaceName: if-tunnel0-to-vpc-demo
  ipAddress: 169.254.0.2
  name: bgp-vpc-demo-tunnel0
  peerAsn: 65001
  peerIpAddress: 169.254.0.1
- bfd:
    minReceiveInterval: 1000
    minTransmitInterval: 1000
    multiplier: 5
    sessionInitializationMode: DISABLED
  enable: 'TRUE'
  enableIpv6: false
  interfaceName: if-tunnel1-to-vpc-demo
  ipAddress: 169.254.1.2
  name: bgp-vpc-demo-tunnel1
  peerAsn: 65001
  peerIpAddress: 169.254.1.1
creationTimestamp: '2022-10-07T06:44:58.206-07:00'
id: '8955417195176629173'
interfaces:
- ipRange: 169.254.0.2/30
  linkedVpnTunnel: https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/regions/us-central1/vpnTunnels/on-prem-tunnel0
  name: if-tunnel0-to-vpc-demo
- ipRange: 169.254.1.2/30
  linkedVpnTunnel: https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/regions/us-central1/vpnTunnels/on-prem-tunnel1
  name: if-tunnel1-to-vpc-demo
kind: compute#router
name: on-prem-router1
network: https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/global/networks/on-prem
region: https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/regions/us-central1
selfLink: https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/regions/us-central1/routers/on-prem-router1
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$

Configure firewall rules to allow traffic from the remote VPC

Configure firewall rules in each VPC to allow traffic from the private IP ranges of the peer VPC's subnets.

student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute firewall-rules create vpc-demo-allow-subnets-from-on-prem \
    --network vpc-demo \
    --allow tcp,udp,icmp \
    --source-ranges 192.168.1.0/24
Creating firewall...working..Created [https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/global/firewalls/vpc-demo-allow-subnets-from-on-prem].
Creating firewall...done.
NAME: vpc-demo-allow-subnets-from-on-prem
NETWORK: vpc-demo
DIRECTION: INGRESS
PRIORITY: 1000
ALLOW: tcp,udp,icmp
DENY:
DISABLED: False
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute firewall-rules create on-prem-allow-subnets-from-vpc-demo \
    --network on-prem \
    --allow tcp,udp,icmp \
    --source-ranges 10.1.1.0/24,10.2.1.0/24
Creating firewall...working..Created [https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/global/firewalls/on-prem-allow-subnets-from-vpc-demo].
Creating firewall...done.
NAME: on-prem-allow-subnets-from-vpc-demo
NETWORK: on-prem
DIRECTION: INGRESS
PRIORITY: 1000
ALLOW: tcp,udp,icmp
DENY:
DISABLED: False
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$
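An added example, not part of the lab, that audits the source ranges of the firewall rules created in this lab against the subnets that exist on both sides of the VPN, in Python: each range is reduced to the addresses that no subnet accounts for, so the two rules above, scoped to the exact peer subnets, come out clean, while the intra-VPC allow-custom rules from Tasks 1 and 2 show how much wider than the lab's subnets 10.0.0.0/8 and 192.168.0.0/16 are. The rule and subnet lists are constructed from this lab's output, and `excess` and `audit_source_ranges` are this example's own names.

```python
import ipaddress

# Constructed from the firewall rules this lab creates, with the fields that
# `gcloud compute firewall-rules list --format=json` reports for them.
RULES = [
    {"name": "vpc-demo-allow-custom", "network": "vpc-demo", "sourceRanges": ["10.0.0.0/8"]},
    {"name": "vpc-demo-allow-subnets-from-on-prem", "network": "vpc-demo",
     "sourceRanges": ["192.168.1.0/24"]},
    {"name": "on-prem-allow-custom", "network": "on-prem", "sourceRanges": ["192.168.0.0/16"]},
    {"name": "on-prem-allow-subnets-from-vpc-demo", "network": "on-prem",
     "sourceRanges": ["10.1.1.0/24", "10.2.1.0/24"]},
]

# Subnets that exist on either side of the VPN (Tasks 1 and 2).
SUBNETS = {"vpc-demo": ["10.1.1.0/24", "10.2.1.0/24"], "on-prem": ["192.168.1.0/24"]}


def excess(src, allowed):
    """Return the CIDR blocks of `src` that lie outside every network in `allowed`."""
    pieces = [src]
    for net in allowed:
        remaining = []
        for p in pieces:
            if p.subnet_of(net):
                continue                                   # fully covered: nothing in excess
            if net.subnet_of(p):
                remaining.extend(p.address_exclude(net))   # carve the covered part out
            else:
                remaining.append(p)                        # disjoint: keep as is
        pieces = remaining
    return sorted(pieces)


def audit_source_ranges(rules, subnets):
    """Map rule name -> [(source range, number of addresses it admits that no subnet uses)]."""
    known = [ipaddress.ip_network(s) for nets in subnets.values() for s in nets]
    findings = {}
    for rule in rules:
        for cidr in rule["sourceRanges"]:
            extra = excess(ipaddress.ip_network(cidr), known)
            if extra:
                findings.setdefault(rule["name"], []).append(
                    (cidr, sum(n.num_addresses for n in extra)))
    return findings


if __name__ == "__main__":
    for name, ranges in audit_source_ranges(RULES, SUBNETS).items():
        for cidr, count in ranges:
            print(f"{name}: {cidr} admits {count} addresses that belong to no subnet on either side")
```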

Verify the status of the tunnels

student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute vpn-tunnels list
NAME: on-prem-tunnel0
REGION: us-central1
GATEWAY: on-prem-vpn-gw1
PEER_ADDRESS: 34.157.103.51

NAME: on-prem-tunnel1
REGION: us-central1
GATEWAY: on-prem-vpn-gw1
PEER_ADDRESS: 35.220.70.84

NAME: vpc-demo-tunnel0
REGION: us-central1
GATEWAY: vpc-demo-vpn-gw1
PEER_ADDRESS: 34.157.97.46

NAME: vpc-demo-tunnel1
REGION: us-central1
GATEWAY: vpc-demo-vpn-gw1
PEER_ADDRESS: 34.157.235.167
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute vpn-tunnels describe vpc-demo-tunnel0 \
      --region us-central1
creationTimestamp: '2022-10-07T06:46:38.638-07:00'
description: ''
detailedStatus: Tunnel is up and running.
id: '8031153689209967441'
ikeVersion: 2
kind: compute#vpnTunnel
localTrafficSelector:
- 0.0.0.0/0
name: vpc-demo-tunnel0
peerGcpGateway: https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/regions/us-central1/vpnGateways/on-prem-vpn-gw1
peerIp: 34.157.97.46
region: https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/regions/us-central1
remoteTrafficSelector:
- 0.0.0.0/0
router: https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/regions/us-central1/routers/vpc-demo-router1
selfLink: https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/regions/us-central1/vpnTunnels/vpc-demo-tunnel0
sharedSecret: '*************'
sharedSecretHash: AC7KM0-srxGd65oTB0K_7tUiMjjP
status: ESTABLISHED
vpnGateway: https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/regions/us-central1/vpnGateways/vpc-demo-vpn-gw1
vpnGatewayInterface: 0
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute vpn-tunnels describe vpc-demo-tunnel1 \
      --region us-central1
creationTimestamp: '2022-10-07T06:47:45.892-07:00'
description: ''
detailedStatus: Tunnel is up and running.
id: '8886605823320363246'
ikeVersion: 2
kind: compute#vpnTunnel
localTrafficSelector:
- 0.0.0.0/0
name: vpc-demo-tunnel1
peerGcpGateway: https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/regions/us-central1/vpnGateways/on-prem-vpn-gw1
peerIp: 34.157.235.167
region: https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/regions/us-central1
remoteTrafficSelector:
- 0.0.0.0/0
router: https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/regions/us-central1/routers/vpc-demo-router1
selfLink: https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/regions/us-central1/vpnTunnels/vpc-demo-tunnel1
sharedSecret: '*************'
sharedSecretHash: APKlYNMeOmyucyOB9V_iM3MPfIpu
status: ESTABLISHED
vpnGateway: https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/regions/us-central1/vpnGateways/vpc-demo-vpn-gw1
vpnGatewayInterface: 1
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute vpn-tunnels describe on-prem-tunnel0 \
      --region us-central1
creationTimestamp: '2022-10-07T06:48:32.769-07:00'
description: ''
detailedStatus: Tunnel is up and running.
id: '7564841135603814623'
ikeVersion: 2
kind: compute#vpnTunnel
localTrafficSelector:
- 0.0.0.0/0
name: on-prem-tunnel0
peerGcpGateway: https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/regions/us-central1/vpnGateways/vpc-demo-vpn-gw1
peerIp: 34.157.103.51
region: https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/regions/us-central1
remoteTrafficSelector:
- 0.0.0.0/0
router: https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/regions/us-central1/routers/on-prem-router1
selfLink: https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/regions/us-central1/vpnTunnels/on-prem-tunnel0
sharedSecret: '*************'
sharedSecretHash: AFyetA1P9BNM6p2IDitloideTKmO
status: ESTABLISHED
vpnGateway: https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/regions/us-central1/vpnGateways/on-prem-vpn-gw1
vpnGatewayInterface: 0
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute vpn-tunnels describe on-prem-tunnel1 \
      --region us-central1
creationTimestamp: '2022-10-07T06:49:19.678-07:00'
description: ''
detailedStatus: Tunnel is up and running.
id: '3211257972783943856'
ikeVersion: 2
kind: compute#vpnTunnel
localTrafficSelector:
- 0.0.0.0/0
name: on-prem-tunnel1
peerGcpGateway: https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/regions/us-central1/vpnGateways/vpc-demo-vpn-gw1
peerIp: 35.220.70.84
region: https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/regions/us-central1
remoteTrafficSelector:
- 0.0.0.0/0
router: https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/regions/us-central1/routers/on-prem-router1
selfLink: https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/regions/us-central1/vpnTunnels/on-prem-tunnel1
sharedSecret: '*************'
sharedSecretHash: AA-n8nrkY6jGnsyjrUn82BMWk0oX
status: ESTABLISHED
vpnGateway: https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/regions/us-central1/vpnGateways/on-prem-vpn-gw1
vpnGatewayInterface: 1
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$

Verify private connectivity over VPN

student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute ssh on-prem-instance1 --zone us-central1-a
WARNING: The private SSH key file for gcloud does not exist.
WARNING: The public SSH key file for gcloud does not exist.
WARNING: You do not have an SSH key for gcloud.
WARNING: SSH keygen will be executed to generate a key.
This tool needs to create the directory [/home/student_01_da96e1e7e410/.ssh] before being able to generate SSH keys.

Do you want to continue (Y/n)?  y

Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/student_01_da96e1e7e410/.ssh/google_compute_engine
Your public key has been saved in /home/student_01_da96e1e7e410/.ssh/google_compute_engine.pub
The key fingerprint is:
SHA256:2qjjI4sDgMejr6VULnZtk4hBC7ijohVNLoVx/ZJPPOc student_01_da96e1e7e410@cs-993619767812-default
Warning: Permanently added 'compute.170883914237055591' (ECDSA) to the list of known hosts.
Linux on-prem-instance1 5.10.0-18-cloud-amd64 #1 SMP Debian 5.10.140-1 (2022-09-02) x86_64

Creating directory '/home/student-01-da96e1e7e410'.
student-01-da96e1e7e410@on-prem-instance1:~$
student-01-da96e1e7e410@on-prem-instance1:~$ ping -c 4 10.1.1.2
PING 10.1.1.2 (10.1.1.2) 56(84) bytes of data.
64 bytes from 10.1.1.2: icmp_seq=1 ttl=62 time=5.77 ms
64 bytes from 10.1.1.2: icmp_seq=2 ttl=62 time=1.11 ms
64 bytes from 10.1.1.2: icmp_seq=3 ttl=62 time=0.993 ms
64 bytes from 10.1.1.2: icmp_seq=4 ttl=62 time=1.17 ms

--- 10.1.1.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 0.993/2.258/5.767/2.026 ms
student-01-da96e1e7e410@on-prem-instance1:~$

Global routing with VPN

HA VPN is a regional resource, and by default a Cloud Router only learns and advertises the subnet routes of the region in which it is deployed. To reach instances in a region other than the Cloud Router's, you need to enable global dynamic routing mode on the VPC. The Cloud Router can then see and advertise routes from all regions of the VPC.

student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute networks update vpc-demo --bgp-routing-mode GLOBAL
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute networks describe vpc-demo
autoCreateSubnetworks: false
creationTimestamp: '2022-10-07T06:34:41.232-07:00'
id: '3855523502638339102'
kind: compute#network
name: vpc-demo
networkFirewallPolicyEnforcementOrder: AFTER_CLASSIC_FIREWALL
routingConfig:
  routingMode: GLOBAL
selfLink: https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/global/networks/vpc-demo
selfLinkWithId: https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/global/networks/3855523502638339102
subnetworks:
- https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/regions/us-east1/subnetworks/vpc-demo-subnet2
- https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/regions/us-central1/subnetworks/vpc-demo-subnet1
x_gcloud_bgp_routing_mode: GLOBAL
x_gcloud_subnet_mode: CUSTOM
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute ssh on-prem-instance1 --zone us-central1-a
Linux on-prem-instance1 5.10.0-18-cloud-amd64 #1 SMP Debian 5.10.140-1 (2022-09-02) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Oct  7 14:06:21 2022 from 34.143.139.219
student-01-da96e1e7e410@on-prem-instance1:~$ ping -c 2 10.2.1.2
PING 10.2.1.2 (10.2.1.2) 56(84) bytes of data.
64 bytes from 10.2.1.2: icmp_seq=1 ttl=62 time=36.4 ms
64 bytes from 10.2.1.2: icmp_seq=2 ttl=62 time=31.9 ms

--- 10.2.1.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 31.924/34.175/36.427/2.251 ms
student-01-da96e1e7e410@on-prem-instance1:~$

Task 7. Verify and test the configuration of HA VPN tunnels

In this task you verify the high-availability behaviour of the HA VPN configuration: you delete one tunnel of a pair, confirm that its peer tunnel drops out of the ESTABLISHED state, and check that traffic between the two VPCs still flows over the remaining tunnel.

student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute vpn-tunnels delete vpc-demo-tunnel0  --region us-central1
The following vpn tunnels will be deleted:
 - [vpc-demo-tunnel0] in [us-central1]

Do you want to continue (Y/n)?  y

Deleting VPN tunnel...done.     
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute vpn-tunnels describe on-prem-tunnel0  --region us-central1
creationTimestamp: '2022-10-07T06:48:32.769-07:00'
description: ''
detailedStatus: Handshake with peer broken for unknown reason. Trying again soon.
id: '7564841135603814623'
ikeVersion: 2
kind: compute#vpnTunnel
localTrafficSelector:
- 0.0.0.0/0
name: on-prem-tunnel0
peerGcpGateway: https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/regions/us-central1/vpnGateways/vpc-demo-vpn-gw1
peerIp: 34.157.103.51
region: https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/regions/us-central1
remoteTrafficSelector:
- 0.0.0.0/0
router: https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/regions/us-central1/routers/on-prem-router1
selfLink: https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/regions/us-central1/vpnTunnels/on-prem-tunnel0
sharedSecret: '*************'
sharedSecretHash: AFyetA1P9BNM6p2IDitloideTKmO
status: FIRST_HANDSHAKE
vpnGateway: https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/regions/us-central1/vpnGateways/on-prem-vpn-gw1
vpnGatewayInterface: 0
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute ssh on-prem-instance1 --zone us-central1-a
Linux on-prem-instance1 5.10.0-18-cloud-amd64 #1 SMP Debian 5.10.140-1 (2022-09-02) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Oct  7 14:08:59 2022 from 34.143.139.219
student-01-da96e1e7e410@on-prem-instance1:~$ ping -c 3 10.1.1.2
PING 10.1.1.2 (10.1.1.2) 56(84) bytes of data.
64 bytes from 10.1.1.2: icmp_seq=1 ttl=62 time=4.92 ms
64 bytes from 10.1.1.2: icmp_seq=2 ttl=62 time=0.937 ms
64 bytes from 10.1.1.2: icmp_seq=3 ttl=62 time=0.995 ms

--- 10.1.1.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 0.937/2.285/4.923/1.865 ms

Pings are still successful because the traffic is now sent over the second tunnel. You have successfully configured HA VPN tunnels.
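The failover check above is done by eye: one `describe` shows FIRST_HANDSHAKE and a ping still succeeds. The following added example (not part of the lab) automates that judgement: it parses the YAML-style text that `gcloud compute vpn-tunnels describe` prints for each tunnel of a gateway and reports whether both gateway interfaces (0 and 1) still carry an ESTABLISHED tunnel, so loss of redundancy is flagged even while pings keep working. The sample describe output is constructed to mirror the transcript above; the tunnel names and the `detailedStatus` strings are assumptions.

```python
"""Check whether an HA VPN gateway still has two working tunnels.

Added example, not part of the lab. Feed it the text of
`gcloud compute vpn-tunnels describe <tunnel> --region <region>` for
every tunnel on one gateway.
"""
from dataclasses import dataclass

# Constructed sample modelled on the transcript: tunnel0 lost its peer
# (FIRST_HANDSHAKE), tunnel1 is still ESTABLISHED.
SAMPLE_DESCRIBE_OUTPUT = [
    """name: on-prem-tunnel0
detailedStatus: Handshake with peer broken for unknown reason. Trying again soon.
ikeVersion: 2
localTrafficSelector:
- 0.0.0.0/0
sharedSecret: '*************'
status: FIRST_HANDSHAKE
vpnGatewayInterface: 0
""",
    """name: on-prem-tunnel1
detailedStatus: Tunnel is up and running.
ikeVersion: 2
localTrafficSelector:
- 0.0.0.0/0
sharedSecret: '*************'
status: ESTABLISHED
vpnGatewayInterface: 1
""",
]


@dataclass
class TunnelState:
    name: str
    status: str
    interface: int
    ike_version: int


def parse_tunnel(text: str) -> TunnelState:
    """Pull the fields that matter out of one describe block (flat keys only)."""
    fields = {}
    for line in text.splitlines():
        # Skip list items ("- 0.0.0.0/0") and indented nested keys.
        if ":" in line and not line.startswith(("-", " ")):
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return TunnelState(
        name=fields["name"],
        status=fields["status"],
        interface=int(fields["vpnGatewayInterface"]),
        ike_version=int(fields.get("ikeVersion", "0")),
    )


def ha_report(blocks):
    """Summarise redundancy: both interfaces must have an ESTABLISHED tunnel."""
    tunnels = [parse_tunnel(b) for b in blocks]
    up = sorted({t.interface for t in tunnels if t.status == "ESTABLISHED"})
    return {
        "redundant": up == [0, 1],
        "up_interfaces": up,
        "degraded": [t.name for t in tunnels if t.status != "ESTABLISHED"],
        # IKEv1 tunnels would be worth flagging; the lab uses IKEv2 throughout.
        "non_ikev2": [t.name for t in tunnels if t.ike_version != 2],
    }


if __name__ == "__main__":
    print(ha_report(SAMPLE_DESCRIBE_OUTPUT))
```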

Task 8. Clean up lab environment

In this task you clean up the resources you have used.

student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute vpn-tunnels delete on-prem-tunnel0  --region us-central1
The following vpn tunnels will be deleted:
 - [on-prem-tunnel0] in [us-central1]

Do you want to continue (Y/n)?  y

Deleting VPN tunnel...done.     
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute vpn-tunnels delete vpc-demo-tunnel1  --region us-central1
The following vpn tunnels will be deleted:
 - [vpc-demo-tunnel1] in [us-central1]

Do you want to continue (Y/n)?  y

Deleting VPN tunnel...done.   
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute vpn-tunnels delete on-prem-tunnel1  --region us-central1
The following vpn tunnels will be deleted:
 - [on-prem-tunnel1] in [us-central1]

Do you want to continue (Y/n)?  y

Deleting VPN tunnel...done.     
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute routers remove-bgp-peer vpc-demo-router1 --peer-name bgp-on-prem-tunnel0 --region us-central1
Updated [https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/regions/us-central1/routers/vpc-demo-router1].
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute routers remove-bgp-peer vpc-demo-router1 --peer-name bgp-on-prem-tunnel1 --region us-central1
Updated [https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/regions/us-central1/routers/vpc-demo-router1].
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute routers remove-bgp-peer on-prem-router1 --peer-name bgp-vpc-demo-tunnel0 --region us-central1
Updated [https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/regions/us-central1/routers/on-prem-router1].
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute routers remove-bgp-peer on-prem-router1 --peer-name bgp-vpc-demo-tunnel1 --region us-central1
Updated [https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/regions/us-central1/routers/on-prem-router1].
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute  routers delete on-prem-router1 --region us-central1
The following routers will be deleted:
 - [on-prem-router1] in [us-central1]

Do you want to continue (Y/n)?  y

Deleted [https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/regions/us-central1/routers/on-prem-router1].
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute  routers delete vpc-demo-router1 --region us-central1
The following routers will be deleted:
 - [vpc-demo-router1] in [us-central1]

Do you want to continue (Y/n)?  y

Deleted [https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/regions/us-central1/routers/vpc-demo-router1].
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute vpn-gateways delete vpc-demo-vpn-gw1 --region us-central1
The following vpn gateways will be deleted:
 - [vpc-demo-vpn-gw1] in [us-central1]

Do you want to continue (Y/n)?  y

Deleting VPN Gateway...done.   
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute vpn-gateways delete on-prem-vpn-gw1 --region us-central1
The following vpn gateways will be deleted:
 - [on-prem-vpn-gw1] in [us-central1]

Do you want to continue (Y/n)?  y

Deleting VPN Gateway...done.   
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute instances delete vpc-demo-instance1 --zone us-central1-b
The following instances will be deleted. Any attached disks configured to be auto-deleted will be deleted unless they are attached to any other instances or the `--keep-disks` flag
 is given and specifies them for keeping. Deleting a disk is irreversible and any data on the disk will be lost.
 - [vpc-demo-instance1] in [us-central1-b]

Do you want to continue (Y/n)?  y

Deleted [https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/zones/us-central1-b/instances/vpc-demo-instance1].
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute instances delete vpc-demo-instance2 --zone us-east1-b
The following instances will be deleted. Any attached disks configured to be auto-deleted will be deleted unless they are attached to any other instances or the `--keep-disks` flag
 is given and specifies them for keeping. Deleting a disk is irreversible and any data on the disk will be lost.
 - [vpc-demo-instance2] in [us-east1-b]

Do you want to continue (Y/n)?  y

Deleted [https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/zones/us-east1-b/instances/vpc-demo-instance2].
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute instances delete on-prem-instance1 --zone us-central1-a
The following instances will be deleted. Any attached disks configured to be auto-deleted will be deleted unless they are attached to any other instances or the `--keep-disks` flag
 is given and specifies them for keeping. Deleting a disk is irreversible and any data on the disk will be lost.
 - [on-prem-instance1] in [us-central1-a]

Do you want to continue (Y/n)?  y

Deleted [https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/zones/us-central1-a/instances/on-prem-instance1].
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute firewall-rules delete vpc-demo-allow-custom
The following firewalls will be deleted:
 - [vpc-demo-allow-custom]

Do you want to continue (Y/n)?  y

Deleted [https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/global/firewalls/vpc-demo-allow-custom].
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute firewall-rules delete on-prem-allow-subnets-from-vpc-demo
The following firewalls will be deleted:
 - [on-prem-allow-subnets-from-vpc-demo]

Do you want to continue (Y/n)?  y

Deleted [https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/global/firewalls/on-prem-allow-subnets-from-vpc-demo].
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute firewall-rules delete on-prem-allow-ssh-icmp
The following firewalls will be deleted:
 - [on-prem-allow-ssh-icmp]

Do you want to continue (Y/n)?  y

Deleted [https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/global/firewalls/on-prem-allow-ssh-icmp].
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute firewall-rules delete on-prem-allow-custom
The following firewalls will be deleted:
 - [on-prem-allow-custom]

Do you want to continue (Y/n)?  y

Deleted [https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/global/firewalls/on-prem-allow-custom].
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute firewall-rules delete vpc-demo-allow-subnets-from-on-prem
The following firewalls will be deleted:
 - [vpc-demo-allow-subnets-from-on-prem]

Do you want to continue (Y/n)?  y

Deleted [https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/global/firewalls/vpc-demo-allow-subnets-from-on-prem].
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute firewall-rules delete vpc-demo-allow-ssh-icmp
The following firewalls will be deleted:
 - [vpc-demo-allow-ssh-icmp]

Do you want to continue (Y/n)?  y

Deleted [https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/global/firewalls/vpc-demo-allow-ssh-icmp].
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute networks subnets delete vpc-demo-subnet1 --region us-central1
The following subnetworks will be deleted:
 - [vpc-demo-subnet1] in [us-central1]

Do you want to continue (Y/n)?  y

Deleted [https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/regions/us-central1/subnetworks/vpc-demo-subnet1].
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute networks subnets delete vpc-demo-subnet2 --region us-east1
The following subnetworks will be deleted:
 - [vpc-demo-subnet2] in [us-east1]

Do you want to continue (Y/n)?  y

Deleted [https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/regions/us-east1/subnetworks/vpc-demo-subnet2].
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute networks subnets delete on-prem-subnet1 --region us-central1
The following subnetworks will be deleted:
 - [on-prem-subnet1] in [us-central1]

Do you want to continue (Y/n)?  y

Deleted [https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/regions/us-central1/subnetworks/on-prem-subnet1].
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute networks delete vpc-demo
The following networks will be deleted:
 - [vpc-demo]

Do you want to continue (Y/n)?  y

Deleted [https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/global/networks/vpc-demo].
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$ gcloud compute networks delete on-prem
The following networks will be deleted:
 - [on-prem]

Do you want to continue (Y/n)?  y

Deleted [https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-02-e5e62c2e8450/global/networks/on-prem].
student_01_da96e1e7e410@cloudshell:~ (qwiklabs-gcp-02-e5e62c2e8450)$

Task 9. Review

In this lab you configured HA VPN gateways. You also configured dynamic routing with VPN tunnels and configured global dynamic routing mode. Finally you verified that HA VPN is configured and functioning correctly.
