
I want to set up an IPsec VPN from a remote ISP datacenter to my server located in Google Cloud through its external IP (not the internal IP of the server). Is it possible? All the Google documentation I found is about IPsec VPNs with an encryption domain based on private IPs (local & remote).

Here is what I want to setup:

    Remote_Server
     "Public IP"
          |
          |
   "Public_IP_peer"
   [Remote_ISP_Peer]
          |
 (IPSEC_VPN_through_Internet)
          |
  "Public_IP_Google_Cloud_VPN"
    [Google_Cloud_Platform]
          |
          |
  "External_IP_Public"
 Local_Server_in_Google_Cloud
Patrick Mevzek

3 Answers


Unfortunately it's not possible to use Cloud VPN to connect to the external IP of your VM instance.

Have a look at the documentation Cloud VPN:

Cloud VPN securely connects your peer network to your Virtual Private Cloud (VPC) network through an IPsec VPN connection. Traffic traveling between the two networks is encrypted by one VPN gateway, and then decrypted by the other VPN gateway.

and at the section Specifications:

Cloud VPN only supports site-to-site IPsec VPN connectivity, subject to the requirements listed in this section. It does not support client-to-gateway (road warrior) scenarios.

Also, in the documentation Networks and tunnel routing, section Supported networks:

Cloud VPN supports VPC custom networks, auto-mode networks, and legacy networks;

In addition, at the documentation IP Addresses:

Each VM instance can have one primary internal IP address, one or more secondary IP addresses, and one external IP address. To communicate between instances on the same Virtual Private Cloud (VPC) network, you can use the internal IP address for the instance. To communicate with the internet, you must use the instance's external IP address unless you have configured a proxy of some kind. Similarly, you must use the instance's external IP address to connect to instances outside of the same VPC network unless the networks are connected in some way, like via Cloud VPN.

As a result, while using Cloud VPN you'll only be able to connect from your on-premises network to the internal IP of your server.

As a workaround, you can create a firewall rule in the GCP firewall to allow traffic from the remote public IP, if that's possible in your use case. In some scenarios, you can use Cloud IAP for secure access to a GCP VM instance via SSH or RDP.

Serhii Rohoza
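The firewall-rule workaround from this answer, as an added example (not the answer author's code): a small POSIX sh wrapper around `gcloud compute firewall-rules create` that only accepts a single-host (/32) source range, so the rule cannot accidentally open the port to the whole Internet, and scopes the rule to a target tag rather than every instance in the network. Assumed/constructed values: network `default`, peer address 203.0.113.10 (documentation range), port tcp:443 and target tag `isp-reachable`. By default it only prints the command; set `GCLOUD=gcloud` to apply it.

```shell
#!/bin/sh
# Added example, not from the original answer. Creates a GCP ingress rule
# that admits traffic from one remote public address to tagged instances.
# Constructed values: network "default", peer 203.0.113.10, tag "isp-reachable".
set -eu

# Dry-run by default: the gcloud command is echoed, not executed.
# Run with GCLOUD=gcloud to actually create the rule.
GCLOUD=${GCLOUD:-echo}

# is_single_host_range CIDR -> success only for a /32 host address.
# 0.0.0.0/0 and any wider prefix are rejected: the point of the workaround
# is to admit the ISP peer, not the whole Internet.
is_single_host_range() {
  case "$1" in
    0.0.0.0/0) return 1 ;;
    */32) return 0 ;;
    *) return 1 ;;
  esac
}

# create_ingress_rule NAME NETWORK SOURCE_CIDR PROTO_PORTS TARGET_TAG
# Validates the source range, then builds the gcloud command for an
# INGRESS/ALLOW rule limited to SOURCE_CIDR and to instances carrying
# TARGET_TAG (flags shown are the documented gcloud flags).
create_ingress_rule() {
  name=$1; network=$2; src=$3; rules=$4; tag=$5
  is_single_host_range "$src" || {
    echo "refusing source range '$src': must be a single /32 host" >&2
    return 1
  }
  "$GCLOUD" compute firewall-rules create "$name" \
    --network="$network" \
    --direction=INGRESS \
    --action=ALLOW \
    --rules="$rules" \
    --source-ranges="$src" \
    --target-tags="$tag" \
    --description="Direct access from ISP peer $src (no VPN)"
}

# Sample invocation with the constructed values above.
create_ingress_rule allow-from-isp-peer default 203.0.113.10/32 tcp:443 isp-reachable
```

Instances that should be reachable from the peer get the `isp-reachable` network tag; everything else in the VPC keeps its existing exposure. The validation is deliberately strict: if the ISP later moves to a second address, add a second /32 rule rather than widening this one.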

GCP IPsec VPN supports accepting routes with both public IP address ranges (CIDR blocks) and private IP address ranges (CIDR blocks). You are free to use both kinds of IP address range (public and private) to point to your on-premises networks. For the detailed VPN config please refer to [1].

  • How do I route traffic coming from my premises network through the IPsec VPN to the public IP of my server inside GCP? How do I send traffic from a server inside GCP, using its external IP, to my premises network? Because when I check, the server has only one network interface, configured with the internal (private) IP. – Gabriel dacko Apr 16 '19 at 22:37
  • Let me elaborate more. – Gabriel dacko Apr 17 '19 at 10:39
  • @Zhao let me elaborate more. The objective is to use a service provided by an ISP in its DC. For that it recommends the following prerequisites: have border equipment supporting IPsec VPN, have at least 2 public IPs, and only interconnection with public IPs is possible (peer & subnets) to avoid IP conflicts. My server has 2 IPs (private & public); the public IP is part of the VPN encryption domain, which is configured & UP. But the servers aren't reachable from either side (ISP DC & GCP). Any solution? – Gabriel dacko Apr 17 '19 at 10:51

GCP can accept routes with public IP address ranges from the Cloud VPN IPsec tunnel. That means in Google Cloud you can access your on-premises servers through public IP addresses via the VPN IPsec tunnel. But if you want to access VM instances in Google Cloud through the VPN IPsec tunnel, you can only access the VM instances via their private IP addresses. Yes, for a VM instance, only the internal IP address is attached to its network interface. The external IP address is only used for communication with the Internet. Please refer to the Google public docs for the different IP address ranges in Google Cloud.

For your case, I can figure two solutions:

  1. You can get several public IP addresses from your current ISP, assign the public IP addresses to the VM instances in Google Cloud, and advertise the public IP addresses back to your ISP environment through the VPN IPsec tunnel.
  2. You just keep using the private IP addresses for your VM instances in Google Cloud, and only advertise the /32 routes to your ISP environment; it will have a very low risk of IP address conflict.

  • @Zhao, interesting solution, but BGP peering isn't accepted by my ISP for this service. What is the second solution you figured? – Gabriel dacko Apr 23 '19 at 07:10
  • @Gabrieldacko the second solution is: you just keep using the private IP addresses for your VM instances in Google Cloud, and only advertise the /32 routes to your ISP environment; it will have a very low risk of IP address conflict. – Jonsun Zhao Apr 23 '19 at 19:45