Site-to-site VPN Connections to Google Cloud Platform

Last updated February 12, 2025

Heroku Private Space VPN connections are compatible with Google Cloud VPN, GCP’s managed VPN feature. This makes it easy to establish a secure site-to-site VPN connection between your Private Space and GCP infrastructure.

You can connect your Private Space with GCP manually, or use Terraform to automate the configuration.

VPN connections are not yet available for Fir-generation spaces. Subscribe to our changelog to stay informed of when we add this feature to Fir.

Manual setup

First, check that your Google VPC’s internal network CIDR range doesn’t conflict with that of your Private Space (typically 10.0.0.0/16).

When creating the Heroku VPN connection, you have to specify both the public IP of the GCP VPN gateway and the CIDR range of the GCP network. For that reason, the simplest order of operations is the following:

  1. Create your Heroku Private Space and GCP VPC (if you don’t have them already), making sure their respective CIDR ranges don’t overlap.
  2. Reserve a GCP static external IP address (this is used for the GCP VPN gateway later).
  3. Using the GCP IP address and internal network CIDR, provision the Heroku VPN connection. When provisioning is complete, get the public IPs for the Heroku VPN gateway, as well as the pre-shared IKEv1 keys.
  4. Create the GCP VPN gateway and tunnels using the IPs and IKEv1 pre-shared keys returned by the heroku spaces:vpn:config command.
  5. After a few minutes, both tunnels should come up.

For example, assume that you’re using the IP 35.237.228.210 for the GCP VPN gateway, and that the GCP subnet is 10.138.0.0/16. You create the Heroku VPN gateway like this:

$ heroku spaces:vpn:connect -i 35.237.228.210 -c 10.138.0.0/16 -n vpn-connection-name -s your-space

Wait for provisioning to complete and print the connection info:

$ heroku spaces:vpn:wait  -n vpn-connection-name -s your-space
Waiting for VPN Connection vpn-connection-name to allocate... done

=== vpn-connection-name VPN Tunnels
VPN Tunnel  Customer Gateway  VPN Gateway     Pre-shared Key                    Routable Subnets  IKE Version
──────────  ────────────────  ──────────────  ────────────────────────────────  ────────────────  ───────────
Tunnel 1    35.237.228.210    34.195.35.105   sY0sjBWR7YVeJI8x41Go5.ZRq.ohQOLu  10.0.0.0/16       1
Tunnel 2    35.237.228.210    34.224.185.144  MmesiNxUH0OfcghtYrVSrTDhXj48qPmn  10.0.0.0/16       1

Use this information to complete setup on the GCP side. When creating tunnels, choose “Route-based” for “Routing options” (Heroku VPN does not support BGP). The remote IP range is the CIDR range of your Heroku Private Space (typically 10.0.0.0/16).

See the Google VPN docs for details on tunnel configuration.

Finally, check that both tunnels come up:

$ heroku spaces:vpn:info -s your-space vpn-connection-name

Terraform setup

You may choose to use Terraform to automate this cross-cloud configuration between Heroku and Google Cloud Platform. Get started Using Terraform with Heroku.

The terraform-heroku-vpn-gcp configuration module & examples are available on GitHub. Follow the Usage instructions in the repo’s README.

Once the configuration has been applied by Terraform, you can view the VPN connection status:

$ heroku spaces:vpn:connections -s <space name>
=== space-name VPN Connections
Name     Status  Tunnels
───────  ──────  ─────────
default  active  DOWN/DOWN

Feedback

Log in to submit feedback.