Welcome back. In this lesson, we're going to create a classic VPN gateway and a tunnel using static routing. For this exercise, we'll deploy a policy-based VPN. 

So to configure our VPN, what I need to do is browse to the VPN page from my Google Cloud Platform console. I can actually find this page under Hybrid Connectivity. 

Once I'm here, I can begin the deployment process by clicking create. 

Now, from this Create a VPN page, I can create either a HA VPN or a classic VPN. For this particular exercise, I'm going to create a classic VPN. 

From here, I need to configure my VPN gateway. A VPN gateway serves as an endpoint for a VPN tunnel. I need to give it a name, a description, and I need to specify which GCP network to deploy the gateway and tunnel to. And since cloud VPN gateways and tunnels are regional objects, I also need to tell GCP which region the gateway needs to be deployed to. 

I should also point out that for best performance the gateway and tunnel should be located in the same region as the GCP resources that will be accessed over the tunnel. 

What I also need to do here is create a new external IP address for my gateway. I could also select an existing external IP address if I already had one created. 

So let's get started. What I'm going to do here is call my gateway, myvpngateway. 

I'm going to leave the description blank for this exercise. And what I'm going to do is deploy my gateway to the default region here. I'm going to deploy my gateway to my test network, so I need to select it from the Network dropdown. 

Since I don't have an existing external IP address to associate with my gateway, let's go through the process here to create one. 

With this information supplied, I can now create my tunnel. 

To create the tunnel, I need to provide more information. I need to give my tunnel a name and a description. I also need to tell my tunnel what the public IP is for the remote side of my VPN. For IKE version, I need to choose a version that's supported by both the GCP side of the tunnel and the remote side. IKEv2 is the preferred option as long as the remote side supports it. 

The pre-shared key is a text value that's used for authentication. Whatever I provide here for the pre-shared key needs to also be provided on the other side of the VPN connection. 

So what I'll do here is I'll call my tunnel, myvpntunnel. As I did with the gateway, I'll leave the description blank. The remote peer IP address is 40.86.78.94. This was taken from the VPN device on the foreign side of my VPN tunnel. 

Since my Azure VPN, which is what I'm using on the foreign side, supports IKEv2, I'll choose IKEv2 here. And then I need to provide a pre-shared key. What I'd need to do with this pre-shared key is provide it to the admin on the foreign side of the VPN tunnel, so the admin on the foreign side could configure the VPN on that side as well. 

Without matching keys, the VPN wouldn't come up. Now, since I'm creating a policy-based tunnel, I need to select policy-based here. This is my routing option. If we hover over Routing options here, we can see that BGP provides the easiest to configure as well as the most resilient IPsec VPN configuration. However, this won't work if the foreign device doesn't support it. We also have route-based options and policy-based. For this demonstration, we're using policy-based. 

The remote network ranges that I add here are those networks on the remote side of the VPN that I want to access over the VPN. For local IP ranges, I need to select the local subnetworks that I want to grant access to over the VPN. I can either specify local IP ranges or select local subnets. So I'll go ahead and select my default subnet here for my test network. Now, after click done here and with my gateway and tunnel information complete, I just have to create to deploy the VPN. Now, it's important to note here that the process I just followed on the GCP side of the VPN also needs to be followed in some fashion on the remote side as well. That's because both sides of the VPN will have different configuration processes. For example, if the remote side is an Azure VPN gateway, you'd have to follow the Azure VPN setup process to configure that side of the VPN. 

If the remote side is a Cisco ASA, you'd have to follow the Cisco documentation to configure the Cisco ASA device. Since this is a GCP course, I'm not going to get into the configuration of the remote side of the VPN. I just wanted to make sure that you knew how to configure the GCP side, since that's what's covered on the exam.