# Connect HA VPN to AWS peer gateways

When configuring an HA VPN external VPN gateway to Amazon Web
Services (AWS), you can use either a transit gateway or a virtual private
gateway. Only the transit gateway supports equal-cost multipath (ECMP) routing.
When enabled, ECMP equally distributes traffic across active tunnels. The
supported topology requires two AWS Site-to-Site VPN connections, `A` and `B`,
each with two external IP addresses. This topology yields four external IP
addresses in AWS: `A1`, `A2`, `B1`, and `B2`.

**Known issue:** When configuring VPN tunnels to AWS, use the IKEv2 encryption
protocol and select fewer transform sets on the AWS side; otherwise, the
Cloud VPN tunnel can fail to rekey. For example, select a combination
of single Phase 1 and Phase 2 encryption algorithms, integrity algorithms, and
DH group numbers. This rekeying issue is caused by a large SA payload size for
the default set of AWS transform sets. This large payload size results in IP
fragmentation of IKE packets on the AWS side, which Cloud VPN does not
support.
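The following Python helper is an added example (not code from this page, Google, or AWS) that checks an AWS tunnel-options block against the known-issue guidance above: it counts how many IKE proposal combinations each phase advertises and flags any block that is not IKEv2-only with exactly one encryption algorithm, one integrity algorithm, and one DH group per phase. The key names follow the EC2 API's `VpnTunnelOptionsSpecification`; the two option sets are constructed samples, and the algorithm values in them are illustrative choices rather than a recommendation.

```python
"""Check an AWS Site-to-Site VPN tunnel-options block for the Cloud VPN rekey issue.

Added example, not code from the page or from Google/AWS. A wide set of IKE
transform sets inflates the SA payload; AWS then fragments IKE packets, which
Cloud VPN does not accept, and the tunnel fails to rekey. These helpers count
the proposals a tunnel-options block advertises and flag anything wider than
one algorithm per category per phase, or anything other than IKEv2 only.
"""

# Key names follow the EC2 API's VpnTunnelOptionsSpecification; the algorithm
# values used in the samples below are illustrative choices, not a recommendation.
PHASE_KEYS = {
    1: ("Phase1EncryptionAlgorithms", "Phase1IntegrityAlgorithms", "Phase1DHGroupNumbers"),
    2: ("Phase2EncryptionAlgorithms", "Phase2IntegrityAlgorithms", "Phase2DHGroupNumbers"),
}


def _values(opts, key):
    """Unwrap the [{"Value": x}, ...] list shape the EC2 API uses."""
    return [item["Value"] for item in opts.get(key, [])]


def proposal_counts(opts):
    """Return {phase: encryption x integrity x DH combinations offered}."""
    counts = {}
    for phase, (enc, integ, dh) in PHASE_KEYS.items():
        counts[phase] = len(_values(opts, enc)) * len(_values(opts, integ)) * len(_values(opts, dh))
    return counts


def check_tunnel_options(opts):
    """Return findings as strings; an empty list means the block follows the
    known-issue guidance (IKEv2 only, exactly one algorithm per category per phase)."""
    findings = []
    if _values(opts, "IKEVersions") != ["ikev2"]:
        findings.append("IKEVersions should be exactly ['ikev2']")
    for keys in PHASE_KEYS.values():
        for key in keys:
            n = len(_values(opts, key))
            if n != 1:
                findings.append(f"{key} lists {n} values; expected exactly 1")
    return findings


def _wrap(values):
    """Build the [{"Value": x}, ...] list shape from plain values."""
    return [{"Value": v} for v in values]


# Constructed sample: a broad option set of the kind that triggers the issue.
BROAD_OPTIONS = {
    "IKEVersions": _wrap(["ikev1", "ikev2"]),
    "Phase1EncryptionAlgorithms": _wrap(["AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"]),
    "Phase1IntegrityAlgorithms": _wrap(["SHA1", "SHA2-256", "SHA2-384", "SHA2-512"]),
    "Phase1DHGroupNumbers": _wrap([2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24]),
    "Phase2EncryptionAlgorithms": _wrap(["AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"]),
    "Phase2IntegrityAlgorithms": _wrap(["SHA1", "SHA2-256", "SHA2-384", "SHA2-512"]),
    "Phase2DHGroupNumbers": _wrap([2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24]),
}

# Constructed sample: the same block narrowed to a single IKEv2 proposal per phase.
NARROW_OPTIONS = {
    "IKEVersions": _wrap(["ikev2"]),
    "Phase1EncryptionAlgorithms": _wrap(["AES256"]),
    "Phase1IntegrityAlgorithms": _wrap(["SHA2-256"]),
    "Phase1DHGroupNumbers": _wrap([14]),
    "Phase2EncryptionAlgorithms": _wrap(["AES256"]),
    "Phase2IntegrityAlgorithms": _wrap(["SHA2-256"]),
    "Phase2DHGroupNumbers": _wrap([14]),
}

if __name__ == "__main__":
    for label, opts in (("broad", BROAD_OPTIONS), ("narrow", NARROW_OPTIONS)):
        print(label, proposal_counts(opts), check_tunnel_options(opts))
```

Run it against the `TunnelOptions` entries you pass to `aws ec2 create-vpn-connection` (or the tunnel options you read back from an existing connection) before bringing the tunnels up; the broad sample advertises 192 combinations per phase, which is the kind of proposal list that pushes the IKE SA payload past the point where AWS fragments it.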
Create HA VPN to AWS peer gateways
----------------------------------

1. Configure the four AWS IP addresses as a single external HA VPN gateway with `FOUR_IPS_REDUNDANCY`, where:
   - AWS IP `0` = `A1`
   - AWS IP `1` = `A2`
   - AWS IP `2` = `B1`
   - AWS IP `3` = `B2`
2. Create four tunnels on the HA VPN gateway to meet the 99.99% SLA by using the following configuration:
   - HA VPN `interface 0` to AWS `interface 0`
   - HA VPN `interface 0` to AWS `interface 1`
   - HA VPN `interface 1` to AWS `interface 2`
   - HA VPN `interface 1` to AWS `interface 3`

Set up HA VPN with AWS:

1. In Google Cloud, create an HA VPN gateway and a Cloud Router in the region that you want. This action creates two external IP addresses, one for each gateway interface. Record the external IP addresses for use in the next step.
2. In AWS, create two customer gateways by using the following:
   - The **Dynamic** routing option
   - The Google ASN of the Cloud Router
   - The external IP addresses of the Google Cloud HA VPN gateway `interfaces 0` and `1`
3. Complete the steps that correspond to the AWS VPN option that you are using:
   - **Transit Gateway**
     1. Create a [transit gateway VPN attachment](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-vpn-attachments.html#create-vpn-attachment) for the first customer gateway (`interface 0`), and use the **Dynamic** routing option.
     2. Repeat the previous step for the second customer gateway (`interface 1`).
   - **Virtual Private Gateway**
     1. [Create a Site-to-Site VPN connection](https://docs.aws.amazon.com/vpn/latest/s2svpn/SetUpVPNConnections.html#vpn-create-vpn-connection) for the first customer gateway (`interface 0`) by using the following:
        - A **Target Gateway Type** of **Virtual Private Gateway**
        - The **Dynamic** routing option
     2. Repeat the previous step for the second customer gateway (`interface 1`).
4. Download the AWS configuration files for both connections that you created. The files contain information that you need during the next steps in this procedure, including pre-shared authentication keys, outside tunnel IP addresses, and inside tunnel IP addresses.
5. In Google Cloud, do the following:
   1. Create a new peer VPN gateway with four interfaces by using the AWS external IP addresses from the files that you downloaded in the previous step.
   2. Create four VPN tunnels on the HA VPN gateway that you created in step 1. For each tunnel, configure the HA VPN gateway interface with the appropriate peer VPN gateway interface and pre-shared keys by using the information in the AWS configuration files that you downloaded.
   3. Configure BGP sessions on the Cloud Router by using the BGP IP addresses from the downloaded AWS configuration files.
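The procedure above, carried through end to end as an added Python example (not code from this page or from Google): it fixes the interface pairing from the topology (HA VPN `interface 0` to AWS interfaces `0` and `1`, `interface 1` to `2` and `3`), checks that a plan actually satisfies that pairing, and renders the `gcloud` commands for step 1 and steps 5.1 to 5.3 from the values you would take out of the downloaded AWS configuration files. The `gcloud` flags used are the documented ones for `vpn-gateways`, `routers`, `external-vpn-gateways`, and `vpn-tunnels`; every region, network, gateway and router name, address, ASN, and pre-shared key in the sample is a constructed placeholder.

```python
"""Plan the four HA VPN tunnels to AWS and render the matching gcloud commands.

Added example, not code from the page or from Google. It follows the steps above:
create the HA VPN gateway and Cloud Router, register the four AWS IPs as one
external VPN gateway (FOUR_IPS_REDUNDANCY), create two tunnels per HA VPN
interface, and add one Cloud Router interface and BGP peer per tunnel. Every
name, address, ASN and secret below is a constructed placeholder.
"""
from dataclasses import dataclass

# Topology from the page: HA VPN interface 0 pairs with AWS interfaces 0 and 1
# (A1, A2); HA VPN interface 1 pairs with AWS interfaces 2 and 3 (B1, B2).
HA_TO_AWS = {0: (0, 1), 1: (2, 3)}


@dataclass(frozen=True)
class AwsTunnel:
    """Per-tunnel values read from the downloaded AWS configuration file."""
    outside_ip: str     # AWS outside tunnel IP (one of A1, A2, B1, B2)
    psk: str            # pre-shared key; treat it as a secret, never commit it
    aws_inside_ip: str  # AWS end of the inside tunnel /30 (BGP peer address)
    gcp_inside_ip: str  # Google Cloud end of the inside tunnel /30
    aws_asn: int        # AWS BGP ASN


def external_gateway_interfaces(a1, a2, b1, b2):
    """AWS IP 0..3 = A1, A2, B1, B2, as the external VPN gateway expects them."""
    return {0: a1, 1: a2, 2: b1, 3: b2}


def tunnel_plan():
    """(ha_interface, aws_interface) for the four tunnels, in creation order."""
    return [(ha, aws) for ha, peers in HA_TO_AWS.items() for aws in peers]


def validate_plan(plan):
    """Each HA VPN interface must carry two tunnels, to both IPs of one AWS connection."""
    by_ha = {}
    for ha, aws in plan:
        by_ha.setdefault(ha, set()).add(aws)
    return by_ha == {0: {0, 1}, 1: {2, 3}}


def gcloud_commands(region, network, gcp_asn, gateway, router, peer_gw, tunnels):
    """Render the gcloud commands; `tunnels` maps AWS interface index -> AwsTunnel."""
    ifaces = ",".join(f"{i}={tunnels[i].outside_ip}" for i in range(4))
    cmds = [
        # Step 1: HA VPN gateway and Cloud Router (two external IPs are allocated).
        f"gcloud compute vpn-gateways create {gateway} --network {network} --region {region}",
        f"gcloud compute routers create {router} --network {network} --region {region} --asn {gcp_asn}",
        # Step 5.1: the four AWS IPs as one peer gateway (FOUR_IPS_REDUNDANCY).
        f"gcloud compute external-vpn-gateways create {peer_gw} --interfaces {ifaces}",
    ]
    for ha, aws in tunnel_plan():
        t = tunnels[aws]
        name = f"tunnel-{ha}-{aws}"
        # Step 5.2: one tunnel per (HA interface, peer interface) pair, IKEv2 per the known issue.
        cmds.append(
            f"gcloud compute vpn-tunnels create {name} --region {region} "
            f"--vpn-gateway {gateway} --interface {ha} "
            f"--peer-external-gateway {peer_gw} --peer-external-gateway-interface {aws} "
            f"--ike-version 2 --shared-secret '{t.psk}' --router {router}"
        )
        # Step 5.3: Cloud Router interface and BGP peer from the inside tunnel addresses.
        cmds.append(
            f"gcloud compute routers add-interface {router} --region {region} "
            f"--interface-name if-{name} --vpn-tunnel {name} "
            f"--ip-address {t.gcp_inside_ip} --mask-length 30"
        )
        cmds.append(
            f"gcloud compute routers add-bgp-peer {router} --region {region} "
            f"--peer-name bgp-{name} --interface if-{name} "
            f"--peer-ip-address {t.aws_inside_ip} --peer-asn {t.aws_asn}"
        )
    return cmds


# Constructed sample standing in for the two downloaded AWS configuration files.
SAMPLE_TUNNELS = {
    0: AwsTunnel("203.0.113.11", "PSK-A1-PLACEHOLDER", "169.254.10.1", "169.254.10.2", 64512),
    1: AwsTunnel("203.0.113.12", "PSK-A2-PLACEHOLDER", "169.254.10.5", "169.254.10.6", 64512),
    2: AwsTunnel("203.0.113.21", "PSK-B1-PLACEHOLDER", "169.254.10.9", "169.254.10.10", 64512),
    3: AwsTunnel("203.0.113.22", "PSK-B2-PLACEHOLDER", "169.254.10.13", "169.254.10.14", 64512),
}

if __name__ == "__main__":
    assert validate_plan(tunnel_plan())
    for cmd in gcloud_commands("us-central1", "vpc-placeholder", 65000,
                               "ha-vpn-gw", "cloud-router", "aws-peer-gw", SAMPLE_TUNNELS):
        print(cmd)
```

The script only renders commands, so you can review the pairing and the addresses before anything is created. The pre-shared keys from the AWS files end up on the command line here; in practice read them from a secret store rather than leaving them in shell history or a checked-in script.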
What's next
-----------

- To control which IP addresses are allowed for peer VPN gateways, see [Restrict IP addresses for peer VPN gateways](/network-connectivity/docs/vpn/how-to/restrict-peer-ip-addresses).

Last updated 2025-09-04 UTC.