Cloud VPN securely connects your on-premises network to your GCP VPC network through an IPsec VPN tunnel. Traffic traveling between the two networks is encrypted by one VPN gateway and then decrypted by the other VPN gateway. This protects your data as it travels over the internet, and that's why Cloud VPN is useful for low-volume data connections.

As a managed service, Cloud VPN provides an SLA of 99.9% service availability and supports the following: a site-to-site VPN (it does not support client-to-gateway scenarios; in other words, Cloud VPN does not support use cases where client computers need to dial in to a VPN using client VPN software); both static routes and dynamic routes to manage traffic between your VM instances and your existing infrastructure (dynamic routes are configured with Cloud Router, which we will cover briefly); and both IKE version 1 and IKE version 2 ciphers.

Let's work through an example of Cloud VPN. This diagram shows a simple VPN connection between your VPC and on-premises network. Your VPC network has subnets in us-east1 and us-west1, with GCP resources in each of these regions. These resources are able to communicate using their internal IP addresses because routing within the network is automatically configured, assuming that firewall rules allow the connection. Now, in order to connect your on-premises network to these resources, you need to configure your Cloud VPN gateway, your on-premises VPN gateway, and two VPN tunnels. The Cloud VPN gateway is a regional resource that uses a regional external IP address. Your on-premises VPN gateway can be a physical device in your data center or a physical or software-based VPN offering in another cloud provider's network. This VPN gateway also has an external IP address. A VPN tunnel then connects your VPN gateways and serves as a virtual medium through which encrypted traffic is passed. In order to create a connection between two VPN gateways, you must establish two VPN tunnels.
Each tunnel defines the connection from the perspective of its gateway, and traffic can only pass when the pair of tunnels is established. One thing to remember when using a VPN is that the maximum transmission unit (MTU) for your on-premises VPN gateway cannot be greater than 1460 bytes. This is because of the encryption and encapsulation of packets. For more information on this MTU consideration, see the documentation attached to this video.

We mentioned earlier that Cloud VPN supports both static and dynamic routes. In order to use dynamic routes, you need to configure Cloud Router. Cloud Router can manage routes for a Cloud VPN tunnel using Border Gateway Protocol, or BGP. This routing method allows routes to be updated and exchanged without changing the tunnel configuration. For example, this diagram shows two different regional subnets in a VPC network, test and prod, and 29 subnets in the on-premises network. The two networks are connected through a Cloud VPN tunnel. How would you handle adding new subnets, for example a new staging subnet in the GCP network, or a new on-premises 10.0.30.0/24 subnet to handle growing traffic in your data center? To automatically propagate network configuration changes, the VPN tunnel uses Cloud Router to establish a BGP session between Cloud Router and the on-premises VPN gateway, which must support BGP. The new subnets are then seamlessly advertised between the networks. This means that instances in the new subnets can start sending and receiving traffic immediately, as you will explore in the upcoming lab.

To set up BGP, an additional IP address has to be assigned to each end of the VPN tunnel. These two IP addresses must be link-local IP addresses belonging to the IP address range 169.254.0.0/16. These addresses are not part of the IP address space of either network and are used exclusively for establishing a BGP session.
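As an added example (not part of the course and not Google's own tooling), here is a small Python pre-flight check for the design just described: it validates the two link-local BGP addresses against the rules above and the 1460-byte MTU cap on the on-premises gateway. The sample subnets are constructed, and it adds two checks the lecture does not state, which are assumptions: that the subnets advertised over BGP must not overlap, and that the two BGP addresses share one /30.

```python
"""Pre-flight checks for a Cloud VPN tunnel pair with a Cloud Router BGP session."""
import ipaddress

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
MAX_ONPREM_MTU = 1460  # bytes, the limit given for the on-premises VPN gateway


def check_vpn_design(vpc_subnets, onprem_subnets, cloud_bgp_ip, onprem_bgp_ip, onprem_mtu):
    """Return a list of problems found; an empty list means the design passes."""
    problems = []
    vpc = [ipaddress.ip_network(s) for s in vpc_subnets]
    onprem = [ipaddress.ip_network(s) for s in onprem_subnets]
    cloud_bgp = ipaddress.ip_address(cloud_bgp_ip)
    peer_bgp = ipaddress.ip_address(onprem_bgp_ip)

    # Assumption (not stated in the lecture): subnets exchanged over BGP must
    # not overlap, or one side's routes shadow the other's.
    for a in vpc:
        for b in onprem:
            if a.overlaps(b):
                problems.append(f"VPC subnet {a} overlaps on-prem subnet {b}")

    # Both BGP session addresses must be link-local (169.254.0.0/16) and must
    # not belong to the address space of either network.
    for name, addr in (("cloud", cloud_bgp), ("on-prem", peer_bgp)):
        if addr not in LINK_LOCAL:
            problems.append(f"{name} BGP address {addr} is not in {LINK_LOCAL}")
        if any(addr in net for net in vpc + onprem):
            problems.append(f"{name} BGP address {addr} lies inside a routed subnet")
    if cloud_bgp == peer_bgp:
        problems.append("both ends of the BGP session use the same address")
    # Assumption: the two ends are paired inside one /30 of link-local space.
    cloud_block = ipaddress.ip_network(f"{cloud_bgp}/30", strict=False)
    peer_block = ipaddress.ip_network(f"{peer_bgp}/30", strict=False)
    if cloud_block != peer_block:
        problems.append(f"{cloud_bgp} and {peer_bgp} are not in the same /30")

    # Encryption and encapsulation overhead: enforce the on-prem gateway MTU cap.
    if onprem_mtu > MAX_ONPREM_MTU:
        problems.append(f"on-prem gateway MTU {onprem_mtu} exceeds {MAX_ONPREM_MTU} bytes")
    return problems


if __name__ == "__main__":
    # Constructed sample: test/prod VPC subnets plus the new on-prem 10.0.30.0/24.
    found = check_vpn_design(["10.0.1.0/24", "10.0.2.0/24"], ["10.0.30.0/24"],
                             "169.254.0.1", "169.254.0.2", 1460)
    print("design passes" if not found else "\n".join(found))
```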