1

I want to set up an IPsec VPN from a remote ISP datacenter to my server located in Google Cloud through its external IP (not the internal IP of the server). Is it possible? All the documentation from Google I found is about IPsec VPNs with an encryption domain based on private IPs (local & remote).

Here is what I want to setup:

    Remote_Server
     "Public IP"
          |
          |
   "Public_IP_peer"
   [Remote_ISP_Peer]
          |
 (IPSEC_VPN_through_Internet)
          |
  "Public_IP_Google_Cloud_VPN"
    [Google_Cloud_Platform]
          |
          |
  "External_IP_Public"
 Local_Server_in_Google_Cloud
Patrick Mevzek

3 Answers

1

Unfortunately it's not possible to use Cloud VPN to connect to the external IP of your VM instance.

Have a look at the documentation Cloud VPN:

Cloud VPN securely connects your peer network to your Virtual Private Cloud (VPC) network through an IPsec VPN connection. Traffic traveling between the two networks is encrypted by one VPN gateway, and then decrypted by the other VPN gateway.

and at the section Specifications:

Cloud VPN only supports site-to-site IPsec VPN connectivity, subject to the requirements listed in this section. It does not support client-to-gateway (road warrior) scenarios.

Also, in the documentation Networks and tunnel routing, section Supported networks:

Cloud VPN supports VPC custom networks, auto-mode networks, and legacy networks;

In addition, at the documentation IP Addresses:

Each VM instance can have one primary internal IP address, one or more secondary IP addresses, and one external IP address. To communicate between instances on the same Virtual Private Cloud (VPC) network, you can use the internal IP address for the instance. To communicate with the internet, you must use the instance's external IP address unless you have configured a proxy of some kind. Similarly, you must use the instance's external IP address to connect to instances outside of the same VPC network unless the networks are connected in some way, like via Cloud VPN.

As a result, while using Cloud VPN you'll be able to connect from your on-premises network to the internal IP of your server only.

As a workaround, you can create a firewall rule in the GCP firewall to allow traffic from the remote public IP, if that is possible in your use case. In some scenarios, you can use Cloud IAP for secure access to a GCP VM instance via SSH or RDP.

0

GCP IPsec VPN supports accepting routes with both a public IP address range (CIDR block) and a private IP address range (CIDR block). You are free to use both kinds of IP address range (public and private) to point to your on-premises networks. For the detailed VPN config please refer to 1

0

GCP can accept routes with a public IP address range from a Cloud VPN IPsec tunnel. That means that from Google Cloud you can access your on-premises servers through public IP addresses via the VPN IPsec tunnel. But if you want to access VM instances in Google Cloud through the VPN IPsec tunnel, you can only reach the VM instances via their private IP addresses. Yes, for a VM instance, only the internal IP address is attached to its network interface. The external IP address is only used for communication with the Internet. Please refer to the Google public docs for the different IP address ranges in Google Cloud.

For your case, I can figure out two solutions:

1. You can get several public IP addresses from your current ISP, assign the public IP addresses to the VM instances in Google Cloud, and advertise the public IP addresses back to your ISP environment through the VPN IPsec tunnel.
2. You just keep using the private IP addresses for your VM instances in Google Cloud, and only advertise the /32 route to your ISP environment; it will have a very low risk of IP address conflict.
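The first answer's workaround (a firewall rule scoped to the remote peer's public IP) and the third answer's second option (advertise a /32 per VM rather than the whole subnet) both come down to getting address ranges exactly right. The Python below is an added example, not code from this thread or from Google: it uses the standard-library `ipaddress` module, constructed sample addresses (203.0.113.10 from the documentation range stands in for the ISP peer; the VPC and on-premises subnets are made up), and field names that follow the Compute Engine Firewall API resource as the editor knows it. It builds a firewall-rule body that refuses anything wider than a single host, and checks a proposed set of advertised prefixes for overlap with the peer's ranges, showing why the /32 advertisement conflicts less than advertising the full subnet.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample values for this example (not from the original thread):
# a documentation-range address standing in for the ISP peer's public IP,
# two VPC subnet ranges, and an on-premises range that partly collides.
REMOTE_PEER_PUBLIC_IP = "203.0.113.10"
VPC_SUBNETS = ["10.128.0.0/20", "10.10.0.0/24"]
ON_PREM_RANGES = ["10.10.0.128/25", "192.168.0.0/16"]


def firewall_rule_for_peer(peer_ip: str, ports: Tuple[str, ...] = ("22",),
                           network: str = "default",
                           name: str = "allow-from-isp-peer") -> Dict:
    """Build an ingress firewall-rule body that admits only the peer's own
    address (a /32, or /128 for IPv6). Field names follow the Compute Engine
    Firewall resource; the body is constructed here for illustration."""
    net = ipaddress.ip_network(peer_ip, strict=True)
    # Refuse anything wider than one host: 0.0.0.0/0 or a whole ISP block
    # would reopen the exposure the firewall rule is meant to limit.
    if net.num_addresses != 1:
        raise ValueError(f"source range {net} is not a single host address")
    return {
        "name": name,
        "network": f"global/networks/{network}",
        "direction": "INGRESS",
        "priority": 1000,
        "sourceRanges": [str(net)],
        "allowed": [{"IPProtocol": "tcp", "ports": list(ports)}],
    }


def vm_host_routes(vm_private_ips: List[str]) -> List[str]:
    """Turn VM internal IPs into the /32 (or /128) prefixes to advertise
    over the tunnel instead of the whole subnet."""
    return [str(ipaddress.ip_network(ip)) for ip in vm_private_ips]


def route_conflicts(advertised: List[str],
                    peer_ranges: List[str]) -> List[Tuple[str, str]]:
    """Return every (advertised, peer) pair whose prefixes overlap. An empty
    list means the advertised routes cannot collide with the peer's ranges."""
    conflicts = []
    for adv in advertised:
        adv_net = ipaddress.ip_network(adv, strict=True)
        for peer in peer_ranges:
            if adv_net.overlaps(ipaddress.ip_network(peer, strict=True)):
                conflicts.append((str(adv_net), str(peer)))
    return conflicts


if __name__ == "__main__":
    # Scoped rule for SSH and RDP from the peer only.
    print(firewall_rule_for_peer(REMOTE_PEER_PUBLIC_IP, ports=("22", "3389")))
    # Advertising the whole VPC subnet collides with the on-prem /25 ...
    print("subnet advert:", route_conflicts(VPC_SUBNETS, ON_PREM_RANGES))
    # ... while advertising one /32 per VM does not.
    print("/32 advert:", route_conflicts(vm_host_routes(["10.10.0.5"]), ON_PREM_RANGES))
```

The same overlap check is worth running before changing the peer's crypto map or BGP advertisements in the other direction: a /32 that falls inside a range the peer already routes locally will be silently shadowed rather than reported.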