Setting up a Site-to-Site VPN between two Google Cloud environments allows seamless and secure communication between resources across different Virtual Private Clouds (VPCs). This method enables organizations to extend their network infrastructure, ensuring that all cloud resources interact as if they were within a single private network.
Understanding Site-to-Site VPN
A Site-to-Site VPN connects two separate networks securely over the internet. In Google Cloud, this involves setting up a Cloud VPN gateway that terminates encrypted tunnels between two independent VPCs.
Prerequisites
Before configuring the VPN, the following requirements must be met:
- Two separate VPC networks in Google Cloud.
- Proper IAM permissions to create VPN gateways and tunnels.
- Interoperability settings for both networks.
- Firewall rules allowing VPN-related traffic.
Steps to Configure Site-to-Site VPN
1. Enable Cloud VPN API
Cloud VPN is part of the Compute Engine API, so ensure that API is enabled in both Google Cloud projects:
gcloud services enable compute.googleapis.com
2. Create a Cloud VPN Gateway
In each Google Cloud environment, create a VPN gateway to handle encrypted connections between networks.
- Go to the Google Cloud Console.
- Navigate to Hybrid Connectivity → VPN.
- Click Create VPN and select the appropriate VPC network.
- Provide a name and select the region.
- Choose the network to associate with the VPN.
- Click Create.
Repeat the process for the other Google Cloud environment.

3. Configure VPN Tunnels
Once the VPN gateways are in place, each environment must establish a VPN tunnel:
- Navigate to the VPN section in the Cloud Console.
- Under the created VPN gateway, click Create Tunnel.
- Specify details such as:
  - Tunnel name
  - Remote peer IP (public IP of the other VPN gateway)
  - IKE version (IKEv2 preferred)
  - Pre-shared key (must be the same on both sides)
- Select Route-based or Policy-based routing (Route-based is preferable).
- Enter the CIDR range of the local and remote networks.
- Click Create to finalize the tunnel.
Repeat this setup for the second VPC network.

4. Set Up Firewall Rules
By default, a Google Cloud VPC's implied firewall rules deny all ingress traffic. To ensure traffic flows between both environments, create firewall rules to allow:
- Ingress and egress traffic between the networks.
- IPSec (UDP ports 500 and 4500).
- ESP (Encapsulating Security Payload) protocol.
gcloud compute firewall-rules create allow-vpn-traffic \
  --direction=INGRESS \
  --priority=1000 \
  --network=YOUR_NETWORK \
  --action=ALLOW \
  --rules=esp,udp:500,udp:4500 \
  --source-ranges=REMOTE_VPC_CIDR
5. Testing and Verification
Verify that the VPN connection is established and functioning correctly:
- In the Google Cloud Console, navigate to VPN.
- Check the tunnel status (should show as Established).
- Run connectivity tests between resources in both networks.
Troubleshooting
- Ensure that the VPN tunnel is active. If not, verify the peer IP and the IKE version.
- Check that firewall rules allow traffic across both networks.
- Confirm that the correct CIDR ranges were set for each tunnel.
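The verification step and the troubleshooting checklist above boil down to a handful of consistency checks between the two sides. The following added example (not part of the original guide, and not Google's tooling) runs those checks offline: it compares the pre-shared key, IKE version, peer IPs and CIDR ranges of two hypothetical VPC configurations, and parses a constructed `gcloud compute vpn-tunnels describe --format=json` output to confirm the tunnel reached ESTABLISHED.

```python
import ipaddress
import json
from dataclasses import dataclass
from typing import List


@dataclass
class Side:
    """One VPC environment's tunnel settings (hypothetical field names)."""
    name: str          # label for this VPC
    gateway_ip: str    # public IP of this side's Cloud VPN gateway
    cidr: str          # CIDR range of this side's VPC
    peer_ip: str       # remote peer IP entered on this side's tunnel
    ike_version: int   # 1 or 2 (IKEv2 preferred)
    psk: str           # pre-shared key entered on this side


def check_tunnel_pair(a: Side, b: Side) -> List[str]:
    """Return the configuration problems that would stop the tunnel from
    establishing or from routing traffic; an empty list means consistent."""
    problems = []
    if a.psk != b.psk:
        problems.append("pre-shared key differs between sides")
    if a.ike_version != b.ike_version:
        problems.append("IKE version differs between sides")
    if a.peer_ip != b.gateway_ip or b.peer_ip != a.gateway_ip:
        problems.append("peer IP does not match the other gateway's public IP")
    net_a, net_b = ipaddress.ip_network(a.cidr), ipaddress.ip_network(b.cidr)
    if net_a.overlaps(net_b):
        problems.append(f"CIDR ranges overlap: {a.cidr} and {b.cidr}")
    return problems


def tunnel_established(describe_json: str) -> bool:
    """Parse `gcloud compute vpn-tunnels describe NAME --format=json` output
    and report whether the tunnel's status field is ESTABLISHED."""
    return json.loads(describe_json).get("status") == "ESTABLISHED"


# Constructed sample values using RFC 5737 test addresses, not a real deployment
VPC_A = Side("vpc-a", "203.0.113.10", "10.10.0.0/16", "198.51.100.20", 2, "s3cret")
VPC_B = Side("vpc-b", "198.51.100.20", "10.20.0.0/16", "203.0.113.10", 2, "s3cret")
# Deliberately inconsistent second side: wrong PSK, IKEv1, overlapping CIDR
VPC_B_BAD = Side("vpc-b", "198.51.100.20", "10.10.128.0/17", "203.0.113.10", 1, "other")

# Constructed describe output, trimmed to the fields checked here
SAMPLE_DESCRIBE = '{"name": "tunnel-a-to-b", "status": "ESTABLISHED"}'

if __name__ == "__main__":
    print(check_tunnel_pair(VPC_A, VPC_B))      # []
    print(check_tunnel_pair(VPC_A, VPC_B_BAD))  # three problems listed
    print(tunnel_established(SAMPLE_DESCRIBE))  # True
```

In practice, feed the real `describe` output into `tunnel_established` and treat any status other than ESTABLISHED (for example NO_INCOMING_PACKETS) as a prompt to re-run the pair checks.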
FAQ
What is Site-to-Site VPN used for?
Site-to-Site VPN enables secure connectivity between two different networks, allowing them to communicate as if they were on the same private network.
Can Google Cloud VPN connect to On-Premises networks?
Yes, Google Cloud VPN can connect to on-premises networks using the same IPSec-based approach.
What is the difference between Route-Based and Policy-Based VPN?
Route-Based VPNs use a static or dynamic routing approach inside the tunnel, while Policy-Based VPNs depend on explicitly defined policies for which traffic is sent through the tunnel.
Are there alternatives to Cloud VPN for connecting networks?
Yes, alternatives include Cloud Interconnect or Google’s Network Connectivity Center which allow private, high-performance connections between networks.
What happens if the VPN tunnel goes down?
If a VPN tunnel goes down, the traffic between the networks stops. Google Cloud provides monitoring options to detect and resolve connection issues proactively.
Setting up a Site-to-Site VPN in Google Cloud provides a robust, secure, and flexible solution for connecting isolated environments. By following the right steps, ensuring the network configurations are correct, and implementing proper firewall settings, businesses can achieve reliable interconnectivity between their cloud networks.