GCP Interconnect and Hybrid Connectivity

Hybrid connectivity services connect on-premises data centers, office networks, or other cloud providers to GCP's VPC network. Instead of routing all traffic over the public internet, hybrid connections use private, dedicated, or encrypted channels for better performance, security, and reliability.

Think of public internet traffic as a shared highway — lanes are congested, speeds vary, and other vehicles (traffic from other organizations) share the road. Hybrid connectivity options are private toll roads — fewer vehicles, consistent speed, and direct routes between a company's premises and Google's data centers.

Connectivity Options Overview

On-Premises Data Center / Office
        │
        │ Connection Options:
        ├─── Cloud VPN (encrypted tunnel over internet)
        ├─── Dedicated Interconnect (private physical fiber)
        ├─── Partner Interconnect (via telecom partner)
        └─── Cloud Router (dynamic routing, used with VPN/Interconnect)
        │
        ▼
GCP VPC Network

Option                    Bandwidth                        SLA              Use Case
Cloud VPN (HA)            1.5–3 Gbps per tunnel            99.99%           Encrypted connection over the internet; small/medium workloads
Dedicated Interconnect    10 Gbps or 100 Gbps per circuit  99.99%           Large data transfers, latency-sensitive, direct fiber to Google
Partner Interconnect      50 Mbps – 50 Gbps                99.9% – 99.99%   Locations without Dedicated Interconnect access
Cross-Cloud Interconnect  10 Gbps or 100 Gbps              99.99%           Direct private connection between GCP and AWS/Azure

Cloud VPN

Cloud VPN creates an encrypted IPsec tunnel between an on-premises VPN gateway and a GCP Cloud VPN gateway. All traffic travels over the public internet, but it is fully encrypted. HA VPN (High Availability VPN) uses two tunnels to qualify for the 99.99% SLA.

On-Premises Network (10.100.0.0/16)
    │
    │ IPsec encrypted tunnel (over internet)
    ▼
GCP Cloud VPN Gateway
    │
    ▼
GCP VPC (10.0.0.0/16)

A VM in GCP can reach an on-premises server by its private IP:
ping 10.100.0.50   # Reaches on-premises server privately

Creating an HA VPN Gateway

# Step 1 — Create the HA VPN gateway (two interfaces for redundancy)
gcloud compute vpn-gateways create on-prem-vpn-gw \
  --network=my-app-vpc \
  --region=us-central1

# Step 2 — Create a Cloud Router (for dynamic routing via BGP)
gcloud compute routers create vpn-router \
  --network=my-app-vpc \
  --region=us-central1 \
  --asn=65001  # GCP side ASN

# Step 3 — Create VPN tunnels (2 tunnels for HA, one per gateway interface)
# peer-gw is an existing external VPN gateway resource for the on-premises device;
# the pre-shared key is read from the VPN_PSK variable, not written into the script
gcloud compute vpn-tunnels create tunnel-1 \
  --vpn-gateway=on-prem-vpn-gw \
  --interface=0 \
  --peer-external-gateway=peer-gw \
  --peer-external-gateway-interface=0 \
  --ike-version=2 \
  --shared-secret="$VPN_PSK" \
  --router=vpn-router \
  --region=us-central1

gcloud compute vpn-tunnels create tunnel-2 \
  --vpn-gateway=on-prem-vpn-gw \
  --interface=1 \
  --peer-external-gateway=peer-gw \
  --peer-external-gateway-interface=0 \
  --ike-version=2 \
  --shared-secret="$VPN_PSK" \
  --router=vpn-router \
  --region=us-central1

# Step 4 — Configure a BGP session on the Cloud Router for each tunnel
# (link-local /30 addressing; once Established, routes are exchanged automatically)
gcloud compute routers add-interface vpn-router \
  --interface-name=if-tunnel-1 \
  --ip-address=169.254.0.1 \
  --mask-length=30 \
  --vpn-tunnel=tunnel-1 \
  --region=us-central1
gcloud compute routers add-bgp-peer vpn-router \
  --peer-name=peer-tunnel-1 \
  --interface=if-tunnel-1 \
  --peer-ip-address=169.254.0.2 \
  --peer-asn=65002 \
  --region=us-central1   # 65002 = example on-premises ASN
# Repeat add-interface/add-bgp-peer for tunnel-2 with its own /30 (e.g. 169.254.1.1/.2)

Dedicated Interconnect

Dedicated Interconnect provides a direct physical fiber connection between an on-premises data center and Google's colocation facility. Traffic never traverses the public internet — it flows over Google's private network with consistent low latency and high bandwidth.

On-Premises Data Center
        │  Physical fiber cable
        ▼
Google Colocation Facility (peering point)
        │  Google's private backbone network
        ▼
GCP VPC Network

To use Dedicated Interconnect, the on-premises router must be physically co-located in one of Google's colocation facilities, or connected via a carrier to reach one. A VLAN attachment connects the interconnect circuit to the GCP VPC through a Cloud Router.

# Create a VLAN attachment on an existing Dedicated Interconnect
gcloud compute interconnects attachments dedicated create my-attachment \
  --interconnect=my-dedicated-interconnect \
  --router=interconnect-router \
  --region=us-central1 \
  --bandwidth=BPS_10G \
  --vlan=100

Cloud Router

Cloud Router is a virtual router that enables dynamic routing between GCP VPC networks and on-premises networks using BGP (Border Gateway Protocol). Instead of manually configuring static routes for every subnet, Cloud Router automatically exchanges route information when network topology changes.

Manual Static Routes:
On-premises adds subnet 10.100.5.0/24
→ Admin must manually add route in GCP VPC
→ Time-consuming, error-prone

With Cloud Router (BGP):
On-premises adds subnet 10.100.5.0/24
→ On-premises router advertises new route via BGP
→ Cloud Router receives the advertisement automatically
→ GCP VPC route table updated in seconds ✓

# Create a Cloud Router
gcloud compute routers create my-cloud-router \
  --network=my-app-vpc \
  --region=us-central1 \
  --asn=65001

# List BGP sessions (after VPN/Interconnect is connected)
gcloud compute routers get-status my-cloud-router \
  --region=us-central1
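
Two checks a practitioner wants once the tunnels and BGP sessions are configured: are both sessions actually Established (HA VPN's 99.99% SLA depends on both tunnels being up), and do the prefixes learned from on-premises collide with the VPC's own ranges (the 10.100.0.0/16 versus 10.0.0.0/16 split used in the Cloud VPN diagram above). The Python script below is an added example, not code from the original page or from Google; it reads the JSON form of `gcloud compute routers get-status` and assumes only the field names `result.bgpPeerStatus[]` and `result.bestRoutes[]`, and the sample document embedded in it is constructed.

```python
"""Health and sanity checks on a Cloud Router's BGP state.

Input is the JSON printed by
  gcloud compute routers get-status ROUTER --region=REGION --format=json
SAMPLE_STATUS below is constructed for this example; only the field names
result.bgpPeerStatus[] and result.bestRoutes[] are assumed to match real output.
"""
import ipaddress
import json

# Constructed sample: one healthy peer (tunnel-1), one peer whose session never
# came up (tunnel-2), and three prefixes learned from the on-premises router.
SAMPLE_STATUS = json.dumps({
    "result": {
        "network": "projects/demo-project/global/networks/my-app-vpc",
        "bgpPeerStatus": [
            {"name": "peer-tunnel-1", "ipAddress": "169.254.0.1",
             "peerIpAddress": "169.254.0.2", "state": "Established",
             "status": "UP", "numLearnedRoutes": 3},
            {"name": "peer-tunnel-2", "ipAddress": "169.254.1.1",
             "peerIpAddress": "169.254.1.2", "state": "Connect",
             "status": "DOWN", "numLearnedRoutes": 0},
        ],
        "bestRoutes": [
            {"destRange": "10.100.0.0/16", "nextHopIp": "169.254.0.2"},
            {"destRange": "10.100.5.0/24", "nextHopIp": "169.254.0.2"},
            {"destRange": "10.0.8.0/24", "nextHopIp": "169.254.0.2"},
        ],
    }
})


def parse_status(raw_json):
    """Split the get-status document into its BGP peer list and learned routes."""
    result = json.loads(raw_json).get("result", {})
    return result.get("bgpPeerStatus", []), result.get("bestRoutes", [])


def peers_by_health(peers):
    """Return (up, down) peer names. A session counts as up only when the tunnel
    reports UP and BGP has reached the Established state."""
    up = [p["name"] for p in peers
          if p.get("status") == "UP" and p.get("state") == "Established"]
    down = [p["name"] for p in peers if p["name"] not in up]
    return up, down


def ha_satisfied(peers, required=2):
    """HA VPN earns its 99.99% SLA only with both tunnels up, i.e. both BGP
    sessions Established. One session up means working but degraded."""
    return len(peers_by_health(peers)[0]) >= required


def overlapping_routes(routes, vpc_ranges):
    """Learned prefixes that overlap a VPC subnet range. Subnet routes always win
    inside the VPC, so such a prefix is unreachable from GCP and usually signals
    a mistaken advertisement from on-premises or an address-plan clash."""
    local = [ipaddress.ip_network(r) for r in vpc_ranges]
    return [r["destRange"] for r in routes
            if any(ipaddress.ip_network(r["destRange"]).overlaps(n) for n in local)]


def report(raw_json, vpc_ranges):
    """One dict a monitoring job can alert on."""
    peers, routes = parse_status(raw_json)
    up, down = peers_by_health(peers)
    return {
        "peers_up": up,
        "peers_down": down,
        "ha_ok": ha_satisfied(peers),
        "learned_routes": [r["destRange"] for r in routes],
        "overlapping_routes": overlapping_routes(routes, vpc_ranges),
    }


if __name__ == "__main__":
    # Replace SAMPLE_STATUS with sys.stdin.read() to pipe real gcloud output in.
    print(json.dumps(report(SAMPLE_STATUS, ["10.0.0.0/16"]), indent=2))
```

On the constructed sample the report flags `peer-tunnel-2` as down, so `ha_ok` is false even though traffic still flows over tunnel-1, and it lists `10.0.8.0/24` as an on-premises advertisement that the VPC's 10.0.0.0/16 subnet route will shadow.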

Cross-Cloud Interconnect (GCP ↔ AWS / Azure)

Cross-Cloud Interconnect provides a dedicated private connection between GCP and another cloud provider (AWS or Azure). This is used by organizations running a multi-cloud strategy who need fast, private data transfers between clouds without routing through the public internet.

AWS VPC (10.200.0.0/16)
        │
        │ Cross-Cloud Interconnect (10 Gbps dedicated fiber)
        ▼
GCP VPC (10.0.0.0/16)

Latency: ~2ms (private)
vs
Public Internet: ~50ms + variable + unencrypted

Choosing the Right Connectivity Option

Scenario Decision Tree:
Need hybrid connectivity?
        │
        ├── Small workload OR just testing?
        │   └── Cloud VPN HA (encrypted over internet)
        │
        ├── Large data volumes (>5 Gbps) OR strict latency requirements?
        │   ├── Direct physical fiber available to Google PoP?
        │   │   └── Dedicated Interconnect (10G or 100G)
        │   └── No direct access to Google PoP?
        │       └── Partner Interconnect (via telecom partner)
        │
        └── Multi-cloud (GCP + AWS or Azure)?
            └── Cross-Cloud Interconnect

Network Topology: Hub-and-Spoke with Shared VPC

Large organizations use a hub-and-spoke topology to centralize network management:

On-Premises
    │
    │ Dedicated Interconnect / VPN
    ▼
Hub VPC (Network Hub Project)
    │  VPC Peering or Network Connectivity Center
    ├──▶ Spoke VPC 1 (Project: production-app)
    ├──▶ Spoke VPC 2 (Project: data-analytics)
    └──▶ Spoke VPC 3 (Project: development)

(On-premises traffic enters through the hub, distributes to spokes)
(Spoke-to-spoke communication goes through the hub)

Key Takeaways

  • Cloud VPN creates encrypted IPsec tunnels over the public internet — simple and cost-effective for smaller workloads.
  • HA VPN uses two tunnels for 99.99% SLA and automatic failover.
  • Dedicated Interconnect provides a private physical fiber connection to Google's network for large, latency-sensitive workloads.
  • Partner Interconnect connects through a third-party telecom partner when direct colocation is not possible.
  • Cloud Router enables dynamic BGP routing — automatically exchanging route updates without manual configuration.
  • Cross-Cloud Interconnect connects GCP directly to AWS or Azure for multi-cloud architectures.
