Creating a VPN Connection

*** NOTICE: This course is outdated and has been deprecated ***




This course has been designed to teach you how to deploy network and compute resources on Google Cloud Platform. The content in this course will help prepare you for the Associate Cloud Engineer exam.

Learning Objectives

  • Understand key networking and compute resources on Google Cloud Platform
  • Be able to explain different networking and compute features commonly used on GCP
  • Be able to deploy key networking and compute resources on Google Cloud Platform

Intended Audience

  • Those who are preparing for the Associate Cloud Engineer exam
  • Those looking to learn more about GCP networking and compute features


To get the most from this course, you should have some exposure to GCP resources, such as VPCs and Compute Instances. However, this is not essential.


In Google Cloud Platform, Cloud VPN supports several types of networks. These supported networks include VPC custom networks, auto-mode networks, and legacy networks. 

When creating a VPN in GCP, you should be sure to adhere to Google's best practices. These best practices include using VPC networks instead of legacy networks and using custom mode VPC networks instead of auto-mode networks. 

Because legacy networks do not support subnets, when you provision a legacy network, the entire network will use a single range of IP addresses. Legacy networks also cannot be converted into VPC networks if needed. 

When it comes to custom mode VPC networks, these networks provide you with full control over the range of IP addresses that are used by their subnets. It's also important to note that when you connect two VPC networks using Cloud VPN, at least one of the networks needs to be a custom mode network. This is because auto-mode networks use the same range of internal IP addresses for their subnets. This would cause an overlap problem if you didn't use at least one custom mode network when creating the VPN. 
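The overlap problem described above can be checked before any tunnel is built. The following is an added example, not part of the original course: a pre-flight check that compares the subnet ranges on both sides of a planned VPN. The subnet names and ranges are constructed sample data, and the `10.128.0.0/9` auto mode block is an assumption taken from Google's VPC documentation rather than from this lesson. The example also goes one step beyond the text by showing that a custom mode network still overlaps if its range is chosen inside that block.

```python
import ipaddress
from itertools import product

# Assumption (not stated in the lesson): auto mode VPC networks allocate
# every regional subnet from this block.
AUTO_MODE_BLOCK = ipaddress.ip_network("10.128.0.0/9")

# Constructed sample data: subnet name -> primary IPv4 range.
AUTO_A = {"us-central1": "10.128.0.0/20", "europe-west1": "10.132.0.0/20"}
AUTO_B = dict(AUTO_A)  # a second auto mode network gets the same ranges
CUSTOM = {"app": "192.168.10.0/24", "db": "172.16.0.0/20"}
CUSTOM_BAD = {"app": "10.128.0.0/16"}  # custom mode, but range chosen carelessly


def parse(ranges):
    """Convert {name: cidr} to {name: ip_network}; rejects CIDRs with host bits set."""
    return {name: ipaddress.ip_network(cidr, strict=True) for name, cidr in ranges.items()}


def find_overlaps(local, remote):
    """Return sorted (local_name, remote_name) pairs whose ranges overlap."""
    pairs = product(parse(local).items(), parse(remote).items())
    return sorted((ln, rn) for (ln, lnet), (rn, rnet) in pairs if lnet.overlaps(rnet))


def in_auto_mode_block(ranges):
    """Names of subnets that fall inside the auto mode block."""
    return sorted(n for n, net in parse(ranges).items() if net.subnet_of(AUTO_MODE_BLOCK))


def preflight(local, remote):
    """Summarise whether the two networks can be joined without ambiguous routes."""
    overlaps = find_overlaps(local, remote)
    return {
        "ok": not overlaps,
        "overlaps": overlaps,
        "remote_in_auto_block": in_auto_mode_block(remote),
    }


if __name__ == "__main__":
    for label, remote in [("auto", AUTO_B), ("custom", CUSTOM), ("custom-bad", CUSTOM_BAD)]:
        print(label, preflight(AUTO_A, remote))
```

Run against real networks, the input dictionaries would be filled from each side's subnet inventory; any non-empty `overlaps` list means traffic for those ranges cannot be routed unambiguously across the tunnel.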

When configuring a VPN, you'll have a few different routing options. While Classic VPN supports both dynamic and static routing options for VPN tunnels, HA VPN requires dynamic routing. 

Dynamic routing, by the way, uses the Border Gateway Protocol, otherwise known as BGP, and it uses a Cloud Router to automatically manage the exchange of routes over BGP. 

The dynamic routing mode of a VPC network controls the behavior of all its Cloud Routers and it determines whether or not the routes learned from peer networks are only applied to GCP resources in the same region as the VPN tunnel or if they're applied in all regions. 

Static routing comes in two flavors: policy-based and route-based. If you can't use BGP or dynamic routing or HA VPN, you should consider the static routing option. When using policy-based routing, the local IP ranges and remote IP ranges are both defined as part of the tunnel creation process. However, when you create a route-based VPN, you only need to specify the list of remote IP ranges. 

In the next lesson, I'll show you how to create a VPN between a Google VPC and an external network, using Cloud VPN.

About the Author

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long and interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.
