Site-to-site VPN Connections to Google Cloud Platform
Last updated 30 May 2019
Heroku Private Space VPN connections are compatible with Google Cloud VPN, GCP’s managed VPN feature. This makes it easy to establish a secure site-to-site VPN connection between your Private Space and GCP infrastructure.
You can connect your Private Space with GCP manually, or use Terraform to automate the configuration.
First, check that your Google VPC’s internal network CIDR range doesn’t conflict with that of your Private Space (typically
When creating the Heroku VPN connection, you have to specify both the public IP of the GCP VPN gateway and the CIDR range of the GCP network. For that reason, the simplest order of operations is the following:
- Create your Heroku Private Space and GCP VPC (if you don’t have them already), making sure their respective CIDR ranges don’t overlap.
- Reserve a GCP static external IP address (this is used for the GCP VPN gateway later).
- Using the GCP IP address and internal network CIDR, provision the Heroku VPN connection. When provisioning is complete, get the public IPs for the Heroku VPN gateway, as well as the pre-shared IKEv1 keys.
- Create the GCP VPN gateway and tunnels using the IPs and IKEv1 pre-shared keys returned by the
- After a few minutes, both tunnels should come up.
For example, assume that you’re using the IP
18.104.22.168 for the GCP VPN gateway, and that the GCP subnet is
10.138.0.0/16. You create the Heroku VPN gateway like this:
$ heroku spaces:vpn:connect -i 22.214.171.124 -c 10.138.0.0/16 -n vpn-connection-name -s your-space
Wait for provisioning to complete and print the connection info:
$ heroku spaces:vpn:wait -n vpn-connection-name -s your-space Waiting for VPN Connection vpn-connection-name to allocate... done === vpn-connection-name VPN Tunnels VPN Tunnel Customer Gateway VPN Gateway Pre-shared Key Routable Subnets IKE Version ────────── ──────────────── ────────────── ──────────────────────────────── ──────────────── ─────────── Tunnel 1 126.96.36.199 188.8.131.52 sY0sjBWR7YVeJI8x41Go5.ZRq.ohQOLu 10.0.0.0/16 1 Tunnel 2 184.108.40.206 220.127.116.11 MmesiNxUH0OfcghtYrVSrTDhXj48qPmn 10.0.0.0/16 1
Use this information to complete setup on the GCP side. When creating tunnels, choose “Route-based” for “Routing options” (Heroku VPN does not support BGP). The remote IP range is the CIDR range of your Heroku Private Space (typically
Finally, check that both tunnels come up:
$ heroku spaces:vpn:info -s your-space vpn-connection-name
You may choose to use Terraform to automate this cross-cloud configuration between Heroku and Google Cloud Platform. Get started Using Terraform with Heroku.
The terraform-heroku-vpn-gcp configuration module & examples are available on GitHub. Follow the Usage instructions in the repo’s README.
Once the configuration has been applied by Terraform, you can view the VPN connection status:
$ heroku spaces:vpn:connections -s <space name> === space-name VPN Connections Name Status Tunnels ─────── ────── ───────── default active DOWN/DOWN