Migrate from an IPv4 HA VPN gateway to an IPv6 HA VPN gateway
Stay organized with collectionsSave and categorize content based on your preferences.
This page describes how to migrate your workloads from an
HA VPN with IPv4 interfaces to an
HA VPN with IPv6 interfaces.
To support both IPv4 and IPv6 workloads, you can use dual-stack
HA VPN with external IPv6 interfaces.
To support only IPv6 workloads, you can use an IPv6-only
HA VPN.
This page describes how to migrate a single HA VPN gateway
with two tunnels. If you have more HA VPN gateways and
tunnels, you can migrate them one after the other.
Before you begin
Analyze your existing tunnel load and plan the creation or deletion of
tunnels while making sure that you don't overload any tunnel, which can
result in packet loss.
Use non-critical workloads to test the workflow to avoid unplanned
downtime on production servers due to misconfiguration.
If you use tunnels that allow only IPv6 workloads, IPv4 packets are dropped.
Verify that your organization policies allow IPv6 peer IP
addresses and other hybrid features that you plan to use.
Note that the traffic through any individual tunnel must not exceed the
250,000 packets per second for the sum of inbound and outbound traffic.
Depending on average packet size in the tunnel, 250,000 packets per second
is equivalent to between 1 Gbps and 3 Gbps of bandwidth.
Set up and migrate to IPv6 HA VPN gateway
Create the external IPv6 HA VPN gateways.
Plan for your workloads
If you plan to use IPv4 workloads, use theIPV4_IPV6stack type while creating the VPN gateway.
If you plan to use both IPv4 and IPv6 workloads, use the
multiprotocol BGP sessions.
Plan your BGP sessions
If you want to use IPv4-based BGP sessions, use theIPV4_IPV6stack type while creating the VPN gateway.
If you plan to use IPv6-based BGP sessions, use theIPV4_IPV6orIPV6_ONLYstack types while creating the VPN
gateway.
Make sure the VPN tunnel and BGP session are established, and verify that
the dynamic routes from step 2 are installed for the new external IPv6
tunnel.
Optional:If you have small workloads, consider using a higher base
priority route to test that outbound traffic actually uses the
IPv6 tunnels. Make sure that your throughput limit can accommodateall
trafficto the advertised routes. After verifying that the new tunnels
support traffic successfully, update their base priority to the same as
the other tunnels.
Delete the IPv4 infrastructure: BGP sessions, VPN tunnels, VPN gateways, and
Cloud Routers if you created new instances.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["# Migrate from an IPv4 HA VPN gateway to an IPv6 HA VPN gateway\n\nThis page describes how to migrate your workloads from an\nHA VPN with IPv4 interfaces to an\nHA VPN with IPv6 interfaces.\n\n- To support both IPv4 and IPv6 workloads, you can use dual-stack HA VPN with external IPv6 interfaces.\n- To support only IPv6 workloads, you can use an IPv6-only HA VPN.\n\nThis page describes how to migrate a single HA VPN gateway\nwith two tunnels. If you have more HA VPN gateways and\ntunnels, you can migrate them one after the other.\n\nBefore you begin\n----------------\n\n- Analyze your existing tunnel load and plan the creation or deletion of tunnels while making sure that you don't overload any tunnel, which can result in packet loss.\n- Use non-critical workloads to test the workflow to avoid unplanned downtime on production servers due to misconfiguration.\n- If you use tunnels that allow only IPv6 workloads, IPv4 packets are dropped.\n- Verify that your organization policies allow IPv6 peer IP addresses and other hybrid features that you plan to use.\n- Note that the traffic through any individual tunnel must not exceed the 250,000 packets per second for the sum of inbound and outbound traffic. Depending on average packet size in the tunnel, 250,000 packets per second is equivalent to between 1 Gbps and 3 Gbps of bandwidth.\n\nSet up and migrate to IPv6 HA VPN gateway\n-----------------------------------------\n\n1. Create the external IPv6 HA VPN gateways.\n\n - Plan for your workloads\n - If you plan to use IPv4 workloads, use the **IPV4_IPV6** stack type while creating the VPN gateway.\n - If you plan to use both IPv4 and IPv6 workloads, use the multiprotocol BGP sessions.\n - Plan your BGP sessions\n - If you want to use IPv4-based BGP sessions, use the **IPV4_IPV6** stack type while creating the VPN gateway.\n - If you plan to use IPv6-based BGP sessions, use the **IPV4_IPV6** or **IPV6_ONLY** stack types while creating the VPN gateway.\n\n Follow the steps in\n [Create HA VPN gateways to connect VPC networks](/network-connectivity/docs/vpn/how-to/creating-ha-vpn2).\n2. Make a note of the existing dynamic routes associated with the tunnels\n that you plan to replace.\n\n 1. In the Google Cloud console, go to the **Routes** page.\n\n [Go to Routes](https://console.cloud.google.com/networking/routes/list)\n 2. On the **Effective routes** tab, do the following:\n\n - Choose a VPC network.\n - Choose a region.\n 3. Click **View**.\n\n 4. In the **Next hop** column, look for the name of your tunnel. Copy\n the destination ranges associated with the routes.\n\n For more information, see\n [Dynamic (BGP) routing](/network-connectivity/docs/vpn/concepts/choosing-networks-routing#dynamic-routing).\n3. [Create a new Cloud Router](/network-connectivity/docs/vpn/how-to/creating-ha-vpn2#create-cloud-routers) for the IPv6 tunnels.\n You can also use an existing Cloud Router.\n\n4. [Create VPN tunnels](/network-connectivity/docs/vpn/how-to/creating-ha-vpn2#create-vpn-tunnels)\n between the HA VPN gateways and the peer gateways.\n\n5. [Create BGP sessions](/network-connectivity/docs/vpn/how-to/creating-ha-vpn2#create-bgp-sessions).\n\n - Make sure the VPN tunnel and BGP session are established, and verify that the dynamic routes from step 2 are installed for the new external IPv6 tunnel.\n - **Optional:** If you have small workloads, consider using a higher base priority route to test that outbound traffic actually uses the IPv6 tunnels. Make sure that your throughput limit can accommodate *all\n traffic* to the advertised routes. After verifying that the new tunnels support traffic successfully, update their base priority to the same as the other tunnels.\n6. Delete the IPv4 infrastructure: BGP sessions, VPN tunnels, VPN gateways, and\n Cloud Routers if you created new instances."]]
