gcloud compute vpn-tunnels create - create a VPN tunnel
gcloud compute vpn-tunnels create NAME --shared-secret=SHARED_SECRET (--peer-address=PEER_ADDRESS | --peer-external-gateway=PEER_EXTERNAL_GATEWAY | --peer-gcp-gateway=PEER_GCP_GATEWAY | --peer-gcp-gateway-region=PEER_GCP_GATEWAY_REGION) (--target-vpn-gateway=TARGET_VPN_GATEWAY | --target-vpn-gateway-region=TARGET_VPN_GATEWAY_REGION | --vpn-gateway=VPN_GATEWAY | --vpn-gateway-region=VPN_GATEWAY_REGION) [--description=DESCRIPTION] [--ike-version=IKE_VERSION] [--interface=INTERFACE] [--local-traffic-selector=CIDR,[CIDR,...]] [--peer-external-gateway-interface=PEER_EXTERNAL_GATEWAY_INTERFACE] [--region=REGION] [--remote-traffic-selector=CIDR,[CIDR,...]] [--router=ROUTER] [--router-region=ROUTER_REGION] [GCLOUD_WIDE_FLAG ...]
gcloud compute vpn-tunnels create is used to create a Classic VPN tunnel between a target VPN gateway in Google Cloud Platform and a peer address; or create Highly Available VPN tunnel between HA VPN gateway and another HA VPN gateway, or Highly Available VPN tunnel between HA VPN gateway and an external VPN gateway.
- NAME
Name of the VPN Tunnel to create.
- --shared-secret=SHARED_SECRET
Shared secret consisting of printable characters. Valid arguments match the regular expression [ -~]+
- Exactly one of these must be specified:
- --peer-address=PEER_ADDRESS
Valid IPV4 address representing the remote tunnel endpoint, the peer address must be specified when creating Classic VPN tunnels from Classic Target VPN gateway
- --peer-external-gateway=PEER_EXTERNAL_GATEWAY
Peer side external VPN gateway representing the remote tunnel endpoint, this flag is used when creating HA VPN tunnels from Google Cloud to your external VPN gateway.Either --peer-external-gateway or --peer-gcp-gateway must be specified when creating VPN tunnels from High Available VPN gateway.
- --peer-gcp-gateway=PEER_GCP_GATEWAY
Reference to the peer side Highly Available VPN gateway.
- --peer-gcp-gateway-region=PEER_GCP_GATEWAY_REGION
Region of the VPN Gateway to operate on. Should be the same as region, if not specified, it will be automatically set. Overrides the default compute/region property value for this command invocation.
- Exactly one of these must be specified:
- --target-vpn-gateway=TARGET_VPN_GATEWAY
A reference to a Cloud VPN Classic Target VPN Gateway.
- --target-vpn-gateway-region=TARGET_VPN_GATEWAY_REGION
Region of the Target VPN Gateway to operate on. Should be the same as region, if not specified, it will be automatically set. Overrides the default compute/region property value for this command invocation.
- --vpn-gateway=VPN_GATEWAY
Reference to a Highly Available VPN gateway.
- --vpn-gateway-region=VPN_GATEWAY_REGION
Region of the VPN Gateway to operate on. Should be the same as region, if not specified, it will be automatically set. Overrides the default compute/region property value for this command invocation.
- --description=DESCRIPTION
An optional, textual description for the VPN tunnel.
- --ike-version=IKE_VERSION
Internet Key Exchange protocol version number. Default is 2. IKE_VERSION must be one of: 1, 2.
- --interface=INTERFACE
Numeric interface ID of the VPN gateway with which this VPN tunnel is associated. This flag is required if the tunnel is being attached to a Highly Available VPN gateway. This option is only available for use with Highly Available VPN gateway and must be omitted if the tunnel is going to be connected to a Classic VPN gateway. INTERFACE must be one of: 0, 1.
- --local-traffic-selector=CIDR,[CIDR,...]
Traffic selector is an agreement between IKE peers to permit traffic through a tunnel if the traffic matches a specified pair of local and remote addresses.
--local-traffic-selector allows to configure the local addresses that are permitted. The value should be a comma separated list of CIDR formatted strings. Example: 192.168.0.0/16,10.0.0.0/24.
Local traffic selector must be specified only for VPN tunnels that do not use dynamic routing with a Cloud Router. Omit this flag when creating a tunnel using dynamic routing, including a tunnel for a Highly Available VPN gateway.
- --peer-external-gateway-interface=PEER_EXTERNAL_GATEWAY_INTERFACE
Interface ID of the external VPN gateway to which this VPN tunnel is connected to. This flag is required if the tunnel is being created from a Highly Available VPN gateway to an External Vpn Gateway. PEER_EXTERNAL_GATEWAY_INTERFACE must be one of: 0, 1, 2, 3.
- --region=REGION
Region of the VPN Tunnel to create. If not specified, you might be prompted to select a region (interactive mode only).
To avoid prompting when this flag is omitted, you can set the compute/region property:
$ gcloud config set compute/region REGION
A list of regions can be fetched by running:
$ gcloud compute regions list
To unset the property, run:
$ gcloud config unset compute/region
Alternatively, the region can be stored in the environment variable CLOUDSDK_COMPUTE_REGION.
- --remote-traffic-selector=CIDR,[CIDR,...]
Traffic selector is an agreement between IKE peers to permit traffic through a tunnel if the traffic matches a specified pair of local and remote addresses.
--remote-traffic-selector allows to configure the remote addresses that are permitted. The value should be a comma separated list of CIDR formatted strings. Example: 192.168.0.0/16,10.0.0.0/24.
Remote traffic selector must be specified for VPN tunnels that do not use dynamic routing with a Cloud Router. Omit this flag when creating a tunnel using dynamic routing, including a tunnel for a Highly Available VPN gateway.
- --router=ROUTER
The Router to use for dynamic routing.
- --router-region=ROUTER_REGION
Region of the router to operate on. If not specified, you might be prompted to select a region (interactive mode only).
To avoid prompting when this flag is omitted, you can set the compute/region property:
$ gcloud config set compute/region REGION
A list of regions can be fetched by running:
$ gcloud compute regions list
To unset the property, run:
$ gcloud config unset compute/region
Alternatively, the region can be stored in the environment variable CLOUDSDK_COMPUTE_REGION.
These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.
Run $ gcloud help for details.
These variants are also available:
$ gcloud alpha compute vpn-tunnels create
$ gcloud beta compute vpn-tunnels create