You want to deploy a VPN Gateway to connect your on-premises network to GCP.
You are using a non-BGP-capable on-premises VPN device.
You want to minimize downtime and operational overhead when your network grows.
The device supports only IKEv2, and you want to follow Google-recommended practices.
What should you do?
A. B. C. D.D.
https://cloud.google.com/vpn/docs/concepts/choosing-networks-routing

Sure, I'd be happy to help you understand the options for deploying a VPN Gateway to connect your on-premises network to GCP, given the specific constraints you've outlined.
Option A involves creating a Cloud VPN instance and then creating a policy-based VPN tunnel per subnet. This approach requires you to configure the appropriate local and remote traffic selectors to match your local and remote networks and create the appropriate static routes. Policy-based VPNs use access-lists (also called security policies or traffic selectors) to determine which traffic should be sent over the VPN. This approach may be suitable if you have a small number of subnets and a relatively simple network topology, as it simplifies the configuration of routing policies. However, it does not support dynamic routing protocols, such as BGP, and may not scale well as your network grows.
Option B is similar to Option A, but it involves creating a single policy-based VPN tunnel instead of multiple tunnels per subnet. This may be more appropriate if you have a smaller network with only a few subnets to connect. However, like Option A, it does not support dynamic routing protocols and may not be scalable as your network grows.
Option C involves creating a route-based VPN tunnel, which is recommended by Google. This approach requires you to configure the appropriate local and remote traffic selectors to match your local and remote networks and create the appropriate static routes. Route-based VPNs use the routing table to determine which traffic should be sent over the VPN, which allows for more complex routing configurations and dynamic routing protocols such as BGP. This approach may be more suitable if you have a larger or more complex network topology or anticipate that your network will grow over time.
Option D is similar to Option C, but it involves configuring the appropriate local and remote traffic selectors to 0.0.0.0/0, which means that all traffic will be sent over the VPN. While this approach may be suitable in some situations, it is generally not recommended as it can introduce security risks and may not be efficient for large amounts of traffic.
In summary, Option C (creating a route-based VPN tunnel) is the recommended approach by Google for connecting a non-BGP-capable on-premises VPN device to GCP. This approach allows for more complex routing configurations and dynamic routing protocols such as BGP, which can help minimize downtime and operational overhead as your network grows.
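As an added example (not part of the question or of the comment above), these are the gcloud calls for a route-based Classic VPN tunnel as Google's documentation describes it for non-BGP devices: IKEv2, local and remote traffic selectors both 0.0.0.0/0, and one static route per on-premises subnet, so that adding a subnet later is a route change rather than a tunnel change. The network, region, gateway and tunnel names, the IP addresses and the CIDRs are placeholders; with DRY_RUN=1 (the default here) the commands are printed instead of executed.

```shell
# Added example, not from the page: builds the gcloud calls for a route-based
# Classic VPN tunnel with static routes. All names/IPs are placeholders.
NETWORK="${NETWORK:-my-vpc}"            # assumed VPC network name
REGION="${REGION:-us-central1}"
GW_NAME="${GW_NAME:-onprem-vpn-gw}"
GW_IP="${GW_IP:-203.0.113.10}"          # reserved external IP for the gateway
TUNNEL="${TUNNEL:-onprem-tunnel-1}"
DRY_RUN="${DRY_RUN:-1}"                 # 1 = print commands, 0 = run them

# Print the command line (DRY_RUN=1) or execute it. Note that a dry run prints
# every argument, including the pre-shared key passed to create_tunnel.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Classic VPN gateway plus the three forwarding rules IPsec needs (ESP,
# UDP/500 for IKE, UDP/4500 for NAT-T). GW_IP must already be reserved.
create_gateway() {
  run gcloud compute target-vpn-gateways create "$GW_NAME" --network="$NETWORK" --region="$REGION"
  run gcloud compute forwarding-rules create "$GW_NAME-esp" --region="$REGION" \
    --ip-protocol=ESP --address="$GW_IP" --target-vpn-gateway="$GW_NAME"
  run gcloud compute forwarding-rules create "$GW_NAME-udp500" --region="$REGION" \
    --ip-protocol=UDP --ports=500 --address="$GW_IP" --target-vpn-gateway="$GW_NAME"
  run gcloud compute forwarding-rules create "$GW_NAME-udp4500" --region="$REGION" \
    --ip-protocol=UDP --ports=4500 --address="$GW_IP" --target-vpn-gateway="$GW_NAME"
}

# One route-based tunnel: both traffic selectors are 0.0.0.0/0, so the IKE
# negotiation never has to change when subnets are added; routes decide
# which traffic enters the tunnel.  $1 = peer public IP, $2 = pre-shared key
create_tunnel() {
  run gcloud compute vpn-tunnels create "$TUNNEL" --region="$REGION" \
    --target-vpn-gateway="$GW_NAME" --peer-address="$1" --ike-version=2 \
    --shared-secret="$2" \
    --local-traffic-selector=0.0.0.0/0 --remote-traffic-selector=0.0.0.0/0
}

# Growing the on-premises network: one static route per new CIDR, nothing
# else.  $1 = on-premises CIDR, e.g. 10.20.0.0/16
add_onprem_subnet() {
  name="onprem-$(printf '%s' "$1" | tr './' '--')"
  run gcloud compute routes create "$name" --network="$NETWORK" \
    --destination-range="$1" --next-hop-vpn-tunnel="$TUNNEL" \
    --next-hop-vpn-tunnel-region="$REGION"
}
```

Set DRY_RUN=0 only after reviewing the printed commands; the on-premises device must be configured with matching 0.0.0.0/0 selectors (or its equivalent of a route-based tunnel) for the IKEv2 negotiation to succeed.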