GCP Redundant Tunnels
  • 15 Aug 2023
  • 4 Minutes to read
  • Contributors

    GCP Redundant Tunnels

      Article Summary


      In this guide, you'll learn how to set up redundant tunnels between your Perimeter 81 network and Google Cloud Platform (GCP).

      Implementing redundancy ensures consistent connectivity, minimizing potential downtime, and maintaining secure access to your cloud resources at all times.

      Breakdown of topics

      1. Pre-requisites
      2. Configuration Steps
      3. Verifying the Setup
      4. Troubleshooting
      5. Support Contacts


      To successfully follow this guide, you should have:

      1. An active Perimeter 81 account and network.
      2. The Perimeter 81 app is installed on your devices.
      3. An active GCP account with admin permissions.

      Configuration Steps

      Create Perimeter81  Gateways

      1. Your Perimeter81 Network will need to have at least two different gateways in the same network, as listed below.
      Important notes
      • These gateways can be deployed in two separate Regions for comprehensive ISP redundancy.
      • The network can be scaled up and adding another region should not affect the connection.

       Configuring a VPN Gateway in GCP

      You will need to create a VPN Gateway in your Google Cloud Platform, configure a GCP Cloud router, and add a High Availability tunnel matching the Perimeter81 Gateways above. 

      1. In your GCP portal under Hybrid Connectivity Click VPN.
      2. Click Cloud VPN Gateways -> Create VPN Gateway.
      3. Configure the VPN Gateway and click Create.
        • Name: Select a name that will represent the Perimeter81 gateway you are connecting to.
        • Network: Select the GCP Network you would like to access remotely via Perimeter 81.
        • Region: Make sure you select the correct region where your resources are.
      4. Two interfaces are created (Interface 0/Interface 1)
        • Click"Add VPN Tunnel".

      Add a redundant VPN tunnel in GCP

      1. Peer VPN gateway: Select On-prem or Non-Google Cloud.
      2. Click the drop-down menu next to "Peer VPN gateway name" and select "Create new peer VPN Gateway".
        • Name the peer VPN gateway: This represents the Perimeter 81 side of the setup.
        • Under "Peer VPN gateway interfaces", select "two interfaces"
        • Under Interface 0 IP address, paste the first Perimeter81 gateway IP.
        • Under Interface 1 IP address, paste the second Perimeter81 gateway IP.
        • Click "Create"
      3. Under High availability, make sure "Create a pair of VPN tunnels" is selected.
      4. Under "Routing options"; click the "Cloud Router" drop-down menu, and select "Create a new router".
        • Name your Cloud router- This component in GCP will manage your BGP ASN routes.
        • Set "Google ASN" to 65111 (This can be any value, please make note of this as it will be added to the Perimeter81 side later).
        • **Optional- Complete the following steps only if you have a peered VPC you need to reach through the tunnel:
          • Under “Advertised routes” select Create custom routes.
          • Select Advertise all subnets visible to the Cloud Router.
          • Under “Custom ranges” click on ADD CUSTOM ROUTE.
          • Under “New custom route” insert the network CIDR for the peered VPC and click DONE.
          • Repeat the last two steps for each range you need to route through the tunnel.
        • Click create.
      5. Under VPN tunnel, select the first VPN tunnel and name it according to the gateway you created on perimeter81.
        • Under IKE pre-shared key, click generate and copy IKE pre-shared key.
        • Special characters are not permitted and should be removed from this field (with the exception of dots ".", and underscores "_").
      6. Select the second VPN tunnel and name it according to the secondary gateway on Perimeter81 
        • Under IKE pre-shared key, paste the IKE pre-shared key you copied before
        • Note: We will use this IKE Pre-shared key later to establish a handshake between the sites.
        • Click Done.
      7. Click "Create and continue".

      Configure BGP routes

      1. Click Configure next to the relevant tunnel.
      2. Set BGP routes for Tunnel 1 according to the image below and click Save and Continue.
        • Peer ASN is set to 65000 and represents the BGP route for Perimeter81.
        • For Cloud Router BGP IP and BGP Peer IP select a unique Link-local address.
      3. Set BGP routes for Tunnel 2 according to the image below and click Save and Continue:
        • Make sure that the Cloud Router BGP IP and BGP Peer IP use a different Link-local address than Tunnel1.
        • The Peer ASN is the same 65000 since it represents the BGP route for Perimeter81.
      4. Click Save BGP Configuration.
      5. Wait until done. When complete you will see "waiting for peer" next to each tunnel until the Perimeter81 setup is complete.

      Creating the High Availability Perimeter81 Tunnel

      1. In Your Perimeter 81 Admin console, Navigate to your network.
      2. Click "..." next to one of the gateways and select Add Tunnel.
      3. Choose IPSEC Site-2-Site Tunnel > Continue.
      4. Select Redundant Tunnels > Continue.
      5. Select a logical name for your tunnel longer than 4 characters, 
        • For example, "GCPtunnel".
      6.  In your GCP portal under Hybrid Connectivity -> VPN, Copy and Paste the values for Tunnel 1 and Tunnel 2 according to the image below. ASN - should be 65111 for both tunnels.
        Tunnel 1 Example: Tunnel 2 Example:
      7. Under Shared Settings:
        • AS Number is set to 65000 and represents the BGP route for Perimeter81.
        • Warning: The Perimeter81 AS Number cannot be edited after the tunnel's creation.
      8. Under Advanced Settings:
      9. Click Add Tunnel and wait until the tunnel deployment is complete to add routes.
      10. Select "..." next to your network and then Routes Table.
      11. Once that has been completed be sure to select "Apply Configuration" and let the route changes propagate on our side.

      Verifying the Setup

      Once both sides have completed the handshake, BGP routes should come UP on GCP:

      1. Navigate back to your GCP portal under Hybrid Connectivity -> VPN, and review the BGP Connection status:

        Both VPN tunnel Status and BGP Established should show a green checkmark.

      After following the above steps, your tunnel should be active.
      To verify, go to your Perimeter 81 dashboard, locate the tunnel you just created, and check the tunnel status.
      It should indicate that the tunnel is "Up", signifying a successful connection.
      Next, connect to your network using the Perimeter 81 agent and attempt to access one of the resources in your environment.


      If you encounter issues during or after the setup, try reviewing your settings to ensure everything matches the instructions. In particular, check the IP addresses and other details you entered during setup. If issues persist, please consult our dedicated support.

      Support Contacts

      If you have any difficulties or questions, don't hesitate to contact Perimeter 81's support team. We offer 24/7 chat support on our website at Perimeter81.com, or you can email us at support@perimeter81.com. We're here to assist you and ensure your VPN tunnel setup is a success

      Was this article helpful?

      What's Next