Deep-dive on the Next Gen Platform. Join the Webinar!

Skip Navigation
Show nav
Dev Center
  • Get Started
  • Documentation
  • Changelog
  • Search
  • Get Started
    • Node.js
    • Ruby on Rails
    • Ruby
    • Python
    • Java
    • PHP
    • Go
    • Scala
    • Clojure
    • .NET
  • Documentation
  • Changelog
  • More
    Additional Resources
    • Home
    • Elements
    • Products
    • Pricing
    • Careers
    • Help
    • Status
    • Events
    • Podcasts
    • Compliance Center
    Heroku Blog

    Heroku Blog

    Find out what's new with Heroku on our blog.

    Visit Blog
  • Log inorSign up
Hide categories

Categories

  • Heroku Architecture
    • Compute (Dynos)
      • Dyno Management
      • Dyno Concepts
      • Dyno Behavior
      • Dyno Reference
      • Dyno Troubleshooting
    • Stacks (operating system images)
    • Networking & DNS
    • Platform Policies
    • Platform Principles
  • Developer Tools
    • Command Line
    • Heroku VS Code Extension
  • Deployment
    • Deploying with Git
    • Deploying with Docker
    • Deployment Integrations
  • Continuous Delivery & Integration (Heroku Flow)
    • Continuous Integration
  • Language Support
    • Node.js
      • Working with Node.js
      • Node.js Behavior in Heroku
      • Troubleshooting Node.js Apps
    • Ruby
      • Rails Support
      • Working with Bundler
      • Working with Ruby
      • Ruby Behavior in Heroku
      • Troubleshooting Ruby Apps
    • Python
      • Working with Python
      • Background Jobs in Python
      • Python Behavior in Heroku
      • Working with Django
    • Java
      • Java Behavior in Heroku
      • Working with Java
      • Working with Maven
      • Working with Spring Boot
      • Troubleshooting Java Apps
    • PHP
      • PHP Behavior in Heroku
      • Working with PHP
    • Go
      • Go Dependency Management
    • Scala
    • Clojure
    • .NET
      • Working with .NET
  • Databases & Data Management
    • Heroku Postgres
      • Postgres Basics
      • Postgres Getting Started
      • Postgres Performance
      • Postgres Data Transfer & Preservation
      • Postgres Availability
      • Postgres Special Topics
      • Migrating to Heroku Postgres
    • Heroku Key-Value Store
    • Apache Kafka on Heroku
    • Other Data Stores
  • AI
    • Working with AI
  • Monitoring & Metrics
    • Logging
  • App Performance
  • Add-ons
    • All Add-ons
  • Collaboration
  • Security
    • App Security
    • Identities & Authentication
      • Single Sign-on (SSO)
    • Private Spaces
      • Infrastructure Networking
    • Compliance
  • Heroku Enterprise
    • Enterprise Accounts
    • Enterprise Teams
    • Heroku Connect (Salesforce sync)
      • Heroku Connect Administration
      • Heroku Connect Reference
      • Heroku Connect Troubleshooting
  • Patterns & Best Practices
  • Extending Heroku
    • Platform API
    • App Webhooks
    • Heroku Labs
    • Building Add-ons
      • Add-on Development Tasks
      • Add-on APIs
      • Add-on Guidelines & Requirements
    • Building CLI Plugins
    • Developing Buildpacks
    • Dev Center
  • Accounts & Billing
  • Troubleshooting & Support
  • Integrating with Salesforce
  • Security
  • Private Spaces
  • Infrastructure Networking
  • Site-to-site VPN Connections to Google Cloud Platform

Site-to-site VPN Connections to Google Cloud Platform

English — 日本語に切り替える

Last updated February 12, 2025

Table of Contents

  • Manual setup
  • Terraform setup

Heroku Private Space VPN connections are compatible with Google Cloud VPN, GCP’s managed VPN feature. This makes it easy to establish a secure site-to-site VPN connection between your Private Space and GCP infrastructure.

You can connect your Private Space with GCP manually, or use Terraform to automate the configuration.

VPN connections are not yet available for Fir-generation spaces. Subscribe to our changelog to stay informed of when we add this feature to Fir.

Manual setup

First, check that your Google VPC’s internal network CIDR range doesn’t conflict with that of your Private Space (typically 10.0.0.0/16).

When creating the Heroku VPN connection, you have to specify both the public IP of the GCP VPN gateway and the CIDR range of the GCP network. For that reason, the simplest order of operations is the following:

  1. Create your Heroku Private Space and GCP VPC (if you don’t have them already), making sure their respective CIDR ranges don’t overlap.
  2. Reserve a GCP static external IP address (this is used for the GCP VPN gateway later).
  3. Using the GCP IP address and internal network CIDR, provision the Heroku VPN connection. When provisioning is complete, get the public IPs for the Heroku VPN gateway, as well as the pre-shared IKEv1 keys.
  4. Create the GCP VPN gateway and tunnels using the IPs and IKEv1 pre-shared keys returned by the heroku spaces:vpn:config command.
  5. After a few minutes, both tunnels should come up.

For example, assume that you’re using the IP 35.237.228.210 for the GCP VPN gateway, and that the GCP subnet is 10.138.0.0/16. You create the Heroku VPN gateway like this:

$ heroku spaces:vpn:connect -i 35.237.228.210 -c 10.138.0.0/16 -n vpn-connection-name -s your-space

Wait for provisioning to complete and print the connection info:

$ heroku spaces:vpn:wait  -n vpn-connection-name -s your-space
Waiting for VPN Connection vpn-connection-name to allocate... done

=== vpn-connection-name VPN Tunnels
VPN Tunnel  Customer Gateway  VPN Gateway     Pre-shared Key                    Routable Subnets  IKE Version
──────────  ────────────────  ──────────────  ────────────────────────────────  ────────────────  ───────────
Tunnel 1    35.237.228.210    34.195.35.105   sY0sjBWR7YVeJI8x41Go5.ZRq.ohQOLu  10.0.0.0/16       1
Tunnel 2    35.237.228.210    34.224.185.144  MmesiNxUH0OfcghtYrVSrTDhXj48qPmn  10.0.0.0/16       1

Use this information to complete setup on the GCP side. When creating tunnels, choose “Route-based” for “Routing options” (Heroku VPN does not support BGP). The remote IP range is the CIDR range of your Heroku Private Space (typically 10.0.0.0/16).

See the Google VPN docs for details on tunnel configuration.

Finally, check that both tunnels come up:

$ heroku spaces:vpn:info -s your-space vpn-connection-name

Terraform setup

You may choose to use Terraform to automate this cross-cloud configuration between Heroku and Google Cloud Platform. Get started Using Terraform with Heroku.

The terraform-heroku-vpn-gcp configuration module & examples are available on GitHub. Follow the Usage instructions in the repo’s README.

Once the configuration has been applied by Terraform, you can view the VPN connection status:

$ heroku spaces:vpn:connections -s <space name>
=== space-name VPN Connections
Name     Status  Tunnels
───────  ──────  ─────────
default  active  DOWN/DOWN

Keep reading

  • Infrastructure Networking

Feedback

Log in to submit feedback.

Information & Support

  • Getting Started
  • Documentation
  • Changelog
  • Compliance Center
  • Training & Education
  • Blog
  • Support Channels
  • Status

Language Reference

  • Node.js
  • Ruby
  • Java
  • PHP
  • Python
  • Go
  • Scala
  • Clojure
  • .NET

Other Resources

  • Careers
  • Elements
  • Products
  • Pricing
  • RSS
    • Dev Center Articles
    • Dev Center Changelog
    • Heroku Blog
    • Heroku News Blog
    • Heroku Engineering Blog
  • Twitter
    • Dev Center Articles
    • Dev Center Changelog
    • Heroku
    • Heroku Status
  • Github
  • LinkedIn
  • © 2025 Salesforce, Inc. All rights reserved. Various trademarks held by their respective owners. Salesforce Tower, 415 Mission Street, 3rd Floor, San Francisco, CA 94105, United States
  • heroku.com
  • Legal
  • Terms of Service
  • Privacy Information
  • Responsible Disclosure
  • Trust
  • Contact
  • Cookie Preferences
  • Your Privacy Choices