# Add an HA VPN gateway to HA VPN over Cloud Interconnect

This page provides instructions for adding HA VPN
gateways to your existing
[HA VPN over Cloud Interconnect](/network-connectivity/docs/interconnect/concepts/ha-vpn-interconnect) deployment.

HA VPN over Cloud Interconnect lets you encrypt
the traffic that traverses your Dedicated Interconnect or
Partner Interconnect connections. Learn how to
[deploy HA VPN over Cloud Interconnect](/network-connectivity/docs/interconnect/how-to/ha-vpn-interconnect-deploy-process).

You might need to add HA VPN tunnels to your
HA VPN over Cloud Interconnect deployment after you have increased the capacity
of your VLAN attachments. Another scenario for adding tunnels is when
your Cloud VPN monitoring alerts have detected that your existing VPN tunnels
have exceeded the recommended 50% utilization threshold. This threshold ensures
that you have sufficient capacity for tunnel failover in the event of VLAN attachment
failure.

To increase the capacity in your HA VPN over Cloud Interconnect deployment,
you must add HA VPN tunnels. Use the
same procedures that you would normally use to add an
HA VPN tunnel between an existing
HA VPN gateway and an external peer VPN gateway.
For more information, see
[Add a tunnel from an HA VPN gateway to a peer VPN gateway](/network-connectivity/docs/vpn/how-to/adding-a-tunnel#add-tunnel-from-ha-vpn-to-peer).

You only need to add one or more HA VPN gateways if all
existing HA VPN gateway interfaces are already connected
to all available peer VPN gateway interfaces. As an alternative,
you can also add one or more peer VPN gateways to your
on-premises network.

You can only associate HA VPN gateways with encrypted
VLAN attachments by using the Google Cloud CLI or the HA VPN API.
You can't perform this action with the Google Cloud console after you complete the initial
deployment of HA VPN over Cloud Interconnect.

To create an HA VPN gateway, perform the following steps.

#### Permissions required for this task

To perform this task, you must have been granted the following permissions
*or* the following IAM roles.

**Permissions**

- `compute.vpnGateways.create`
- `compute.vpnGateways.delete`
- `compute.vpnGateways.get`
- `compute.vpnGateways.list`
- `compute.vpnGateways.use`
- `compute.vpnGateways.setLabels`

**Roles**

- `roles/compute.networkAdmin`

### gcloud

1. Create an HA VPN gateway.

   For example, the following command creates an HA VPN
   gateway and assigns the gateway interfaces to your encrypted VLAN attachments:

   ```
   gcloud compute vpn-gateways create vpn-gateway-c \
       --network NETWORK_NAME \
       --region REGION \
       --interconnect-attachments \
       ATTACHMENT_1[,ATTACHMENT_2]
   ```

   For the `--interconnect-attachments` parameter, you can list up to two
   VLAN attachments. The first VLAN attachment is assigned
   to interface 0 (`if0`) of the HA VPN gateway. If you
   specify the optional second VLAN attachment, it is assigned to
   interface 1 (`if1`).

   An example command might look like the following:

   ```
   gcloud compute vpn-gateways create vpn-gateway-c \
       --network network-a \
       --region us-central1 \
       --interconnect-attachments \
       attachment-a-zone1,attachment-a-zone2
   ```

2. If you configured the encrypted VLAN attachments to use regional internal IP
   addresses for your HA VPN gateways, view the gateway's
   details. Two internal IP addresses from your reserved ranges are
   automatically assigned to the gateway.

   To view the regional internal IP addresses assigned to your
   HA VPN gateway's interfaces, use the following command:

   ```
   gcloud compute vpn-gateways describe VPN_GATEWAY_NAME
   ```

   The output might look similar to the following:

   ```
   creationTimestamp: '2022-10-14T16:22:31.748-07:00'
   id: '678310480370225624'
   kind: compute#vpnGateway
   labelFingerprint: 2345567=
   name: vpn-gateway-c
   network: https://www.googleapis.com/compute/v1/projects/project-id/global/networks/network-a
   region: https://www.googleapis.com/compute/v1/projects/project-id/regions/us-central1
   selfLink: https://www.googleapis.com/compute/v1/projects/project-id/regions/us-central1/vpnGateways/vpn-gateway-c
   stackType: IPV4_ONLY
   vpnInterfaces:
   - id: 0
     interconnectAttachment: https://www.googleapis.com/compute/v1/projects/project-id/regions/us-central1/interconnectAttachments/attachment-a-zone1
     ipAddress: 192.168.20.3
   - id: 1
     interconnectAttachment: https://www.googleapis.com/compute/v1/projects/project-id/regions/us-central1/interconnectAttachments/attachment-a-zone2
     ipAddress: 192.168.21.3
   ```

### API

To create the full configuration for an HA VPN gateway,
use the API commands in the following sections. All field values used in
these sections are example values.

To create an HA VPN gateway, make a `POST` request
by using the
[`vpnGateways.insert` method](/compute/docs/reference/rest/v1/vpnGateways/insert):

```
POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/vpnGateways
{
  "name": "vpn-gateway-c",
  "network": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/NETWORK_NAME",
  "vpnInterfaces": [
    {
      "interconnectAttachment": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/interconnectAttachments/attachment-a-zone1"
    },
    {
      "interconnectAttachment": "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/interconnectAttachments/attachment-a-zone2"
    }
  ]
}
```

If you configured the encrypted VLAN attachments to use regional internal IP
addresses for your HA VPN gateways, then internal IP
addresses from your reserved ranges are automatically assigned to the gateway.

To view the regional internal IP addresses assigned to your
HA VPN gateway, use the
[`vpnGateways.get` method](/compute/docs/reference/rest/v1/vpnGateways/get):

```
GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/vpnGateways/VPN_GATEWAY_NAME
```

The output might look similar to the following:

```
{
  "kind": "compute#vpnGateway",
  "id": "678310480370225624",
  "creationTimestamp": "2022-10-14T16:22:31.748-07:00",
  "name": "vpn-gateway-c",
  "region": "https://www.googleapis.com/compute/v1/projects/project-id/regions/us-central1",
  "network": "https://www.googleapis.com/compute/v1/projects/project-id/global/networks/network-a",
  "selfLink": "https://www.googleapis.com/compute/v1/projects/project-id/regions/us-central1/vpnGateways/vpngw-test",
  "labelFingerprint": "2345567=",
  "vpnInterfaces": [
    {
      "id": 0,
      "ipAddress": "192.168.20.3",
      "interconnectAttachment": "https://www.googleapis.com/compute/v1/projects/project-id/regions/us-central1/interconnectAttachments/attachment-a-zone1"
    },
    {
      "id": 1,
      "ipAddress": "192.168.21.3",
      "interconnectAttachment": "https://www.googleapis.com/compute/v1/projects/project-id/regions/us-central1/interconnectAttachments/attachment-a-zone2"
    }
  ],
  "stackType": "IPV4_ONLY"
}
```

What's next?
------------

- If you need to add more HA VPN tunnels,
  see [Add a VPN tunnel](/network-connectivity/docs/vpn/how-to/adding-a-tunnel).

- To learn about HA VPN monitoring,
  see [View logs and metrics](/network-connectivity/docs/vpn/how-to/viewing-logs-metrics).
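
To confirm that a new gateway really is bound to your encrypted VLAN attachments, the following Python check audits a `vpnGateways.get` response such as the sample output in the API section. It is an added example, not part of Google's documentation: `audit_gateway` is a hypothetical helper, the two `/29` reserved ranges are constructed values, and the same-region and distinct-attachment checks are this example's own consistency rules.

```python
import ipaddress
import json

# vpnGateways.get response, trimmed from the sample output shown on this page.
SAMPLE = json.loads("""
{"name": "vpn-gateway-c",
 "region": "https://www.googleapis.com/compute/v1/projects/project-id/regions/us-central1",
 "vpnInterfaces": [
  {"id": 0, "ipAddress": "192.168.20.3",
   "interconnectAttachment": "https://www.googleapis.com/compute/v1/projects/project-id/regions/us-central1/interconnectAttachments/attachment-a-zone1"},
  {"id": 1, "ipAddress": "192.168.21.3",
   "interconnectAttachment": "https://www.googleapis.com/compute/v1/projects/project-id/regions/us-central1/interconnectAttachments/attachment-a-zone2"}]}
""")

# Assumed reserved internal ranges (constructed values; substitute your own).
RESERVED = ["192.168.20.0/29", "192.168.21.0/29"]


def audit_gateway(gw, reserved_ranges):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    nets = [ipaddress.ip_network(r) for r in reserved_ranges]
    gw_region = gw["region"].rsplit("/", 1)[-1]
    seen = set()
    for itf in gw.get("vpnInterfaces", []):
        label = f"if{itf['id']}"
        att = itf.get("interconnectAttachment")
        if not att:
            findings.append(f"{label}: no VLAN attachment associated")
            continue
        # Attachment URL shape: .../regions/REGION/interconnectAttachments/NAME
        parts = att.split("/")
        att_region = parts[parts.index("regions") + 1] if "regions" in parts else None
        if att_region != gw_region:
            findings.append(f"{label}: attachment region {att_region} != {gw_region}")
        if att in seen:
            findings.append(f"{label}: attachment reused by another interface")
        seen.add(att)
        ip_s = itf.get("ipAddress")
        if not ip_s or not any(ipaddress.ip_address(ip_s) in n for n in nets):
            findings.append(f"{label}: {ip_s} is outside the reserved internal ranges")
    if len(seen) < 2:
        findings.append("fewer than two distinct VLAN attachments: no failover path")
    return findings


if __name__ == "__main__":
    for line in audit_gateway(SAMPLE, RESERVED) or ["OK"]:
        print(line)
```

In practice, feed it the parsed output of `gcloud compute vpn-gateways describe VPN_GATEWAY_NAME --format=json` instead of `SAMPLE`.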