Site-to-site VPN Connections to Google Cloud Platform
Last updated December 03, 2024
Heroku Private Space VPN connections are compatible with Google Cloud VPN, GCP’s managed VPN feature. This makes it easy to establish a secure site-to-site VPN connection between your Private Space and GCP infrastructure.
You can connect your Private Space with GCP manually, or use Terraform to automate the configuration.
VPN connections are not yet available for Fir-generation spaces. Subscribe to our changelog to stay informed of when we add this feature to Fir.
Manual setup
First, check that your Google VPC’s internal network CIDR range doesn’t conflict with that of your Private Space (typically 10.0.0.0/16).
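One way to run that check before provisioning, written for this article as an added example (not Heroku’s or Google’s code). It goes beyond the single range mentioned in the text: a GCP VPC is global and may carry several regional subnets, so every subnet is tested against the space CIDR, and a second helper confirms that the network range you later pass to `heroku spaces:vpn:connect -c` actually covers all of them. The subnet names and every range other than 10.0.0.0/16 and 10.138.0.0/16 are constructed.

```python
"""Pre-check for the CIDR requirement: GCP subnets must not overlap the Private
Space CIDR, and the -c range must cover every GCP subnet the space should reach.
Added example, not Heroku's or Google's code.
"""
import ipaddress

# Constructed planning input. A GCP VPC is global and may carry several regional
# subnets, so all of them are checked, not only the one range in the article.
SPACE_CIDR = "10.0.0.0/16"
GCP_SUBNETS = {
    "us-west1-subnet": "10.138.0.0/16",     # the article's example range
    "us-central1-subnet": "10.128.0.0/20",  # constructed
    "europe-west1-subnet": "10.0.32.0/20",  # constructed; deliberately collides
}


def find_cidr_conflicts(space_cidr: str, gcp_subnets: dict[str, str]) -> list[tuple[str, str]]:
    """Return (subnet name, cidr) for every GCP subnet that overlaps the space.

    strict=True makes ipaddress reject a range with host bits set
    (e.g. "10.0.1.0/16"), which catches a mistyped prefix before anything is built.
    """
    space = ipaddress.ip_network(space_cidr, strict=True)
    conflicts = []
    for name, cidr in gcp_subnets.items():
        net = ipaddress.ip_network(cidr, strict=True)
        if net.version == space.version and net.overlaps(space):
            conflicts.append((name, cidr))
    return conflicts


def uncovered_subnets(gcp_network_cidr: str, gcp_subnets: dict[str, str]) -> list[tuple[str, str]]:
    """Return GCP subnets that lie outside the range given to `-c`.

    Assumption: the space only routes the -c range into the tunnel, so a subnet
    outside it stays unreachable from the space even once both tunnels are up.
    """
    network = ipaddress.ip_network(gcp_network_cidr, strict=True)
    return [
        (name, cidr)
        for name, cidr in gcp_subnets.items()
        if not ipaddress.ip_network(cidr, strict=True).subnet_of(network)
    ]


if __name__ == "__main__":
    for name, cidr in find_cidr_conflicts(SPACE_CIDR, GCP_SUBNETS):
        print(f"conflict: {name} ({cidr}) overlaps the Private Space {SPACE_CIDR}")
    for name, cidr in uncovered_subnets("10.128.0.0/9", GCP_SUBNETS):
        print(f"not routed: {name} ({cidr}) is outside the -c range 10.128.0.0/9")
```

Run it with your own subnet list in place of `GCP_SUBNETS`; an empty result from both helpers means the ranges are safe to use in the steps below.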
When creating the Heroku VPN connection, you have to specify both the public IP of the GCP VPN gateway and the CIDR range of the GCP network. For that reason, the simplest order of operations is the following:
- Create your Heroku Private Space and GCP VPC (if you don’t have them already), making sure their respective CIDR ranges don’t overlap.
- Reserve a GCP static external IP address (this is used for the GCP VPN gateway later).
- Using the GCP IP address and internal network CIDR, provision the Heroku VPN connection. When provisioning is complete, get the public IPs for the Heroku VPN gateway, as well as the pre-shared IKEv1 keys.
- Create the GCP VPN gateway and tunnels using the IPs and IKEv1 pre-shared keys returned by the heroku spaces:vpn:config command.
- After a few minutes, both tunnels should come up.
For example, assume that you’re using the IP 35.237.228.210 for the GCP VPN gateway, and that the GCP subnet is 10.138.0.0/16. You create the Heroku VPN gateway like this:
$ heroku spaces:vpn:connect -i 35.237.228.210 -c 10.138.0.0/16 -n vpn-connection-name -s your-space
Wait for provisioning to complete and print the connection info:
$ heroku spaces:vpn:wait -n vpn-connection-name -s your-space
Waiting for VPN Connection vpn-connection-name to allocate... done
=== vpn-connection-name VPN Tunnels
VPN Tunnel Customer Gateway VPN Gateway Pre-shared Key Routable Subnets IKE Version
────────── ──────────────── ────────────── ──────────────────────────────── ──────────────── ───────────
Tunnel 1 35.237.228.210 34.195.35.105 sY0sjBWR7YVeJI8x41Go5.ZRq.ohQOLu 10.0.0.0/16 1
Tunnel 2 35.237.228.210 34.224.185.144 MmesiNxUH0OfcghtYrVSrTDhXj48qPmn 10.0.0.0/16 1
Use this information to complete setup on the GCP side. When creating tunnels, choose “Route-based” for “Routing options” (Heroku VPN does not support BGP). The remote IP range is the CIDR range of your Heroku Private Space (typically 10.0.0.0/16).
See the Google VPN docs for details on tunnel configuration.
Finally, check that both tunnels come up:
$ heroku spaces:vpn:info -s your-space vpn-connection-name
Terraform setup
You can also use Terraform to automate this cross-cloud configuration between Heroku and Google Cloud Platform. To get started, see Using Terraform with Heroku.
The terraform-heroku-vpn-gcp configuration module & examples are available on GitHub. Follow the Usage instructions in the repo’s README.
Once the configuration has been applied by Terraform, you can view the VPN connection status:
$ heroku spaces:vpn:connections -s <space name>
=== space-name VPN Connections
Name Status Tunnels
─────── ────── ─────────
default active DOWN/DOWN
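Whether you configure GCP by hand or through Terraform, the tunnel details from the `heroku spaces:vpn:wait` table in the manual section and the status table above are what scripts end up copying around, so the following added example (not Heroku’s code) parses both tables and checks the tunnel values before they go into the GCP configuration. It assumes the CLI keeps the layout shown in this article (a header line, a rule line of box-drawing dashes, then one aligned row per item) and that a healthy tunnel is reported as `UP` in the Tunnels column; the article only shows `DOWN/DOWN`, so that state name is an assumption. The sample outputs are constructed from the values printed in this article.

```python
"""Parse `heroku spaces:vpn:wait` / `heroku spaces:vpn:connections` tables and
check tunnel details before they are entered into GCP.
Added example, not Heroku's code. Assumes the table layout shown in the article
and that a healthy tunnel is listed as "UP" (the article only shows DOWN/DOWN).
"""
import re
from dataclasses import dataclass

RULE_CHAR = "\u2500"  # "─", the character the CLI uses for the rule under the header


def parse_cli_table(text: str) -> list[dict[str, str]]:
    """Turn a Heroku CLI table into one {column name: value} dict per row.

    Column boundaries come from the rule line, so values containing a space
    (such as "Tunnel 1") survive intact.
    """
    lines = [ln.rstrip() for ln in text.splitlines()]
    rule_idx = next(i for i, ln in enumerate(lines) if ln.strip() and set(ln) <= {RULE_CHAR, " "})
    header, rule = lines[rule_idx - 1], lines[rule_idx]
    starts = [m.start() for m in re.finditer(f"{RULE_CHAR}+", rule)]
    bounds = list(zip(starts, starts[1:] + [None]))  # last column runs to end of line
    names = [header[s:e].strip() for s, e in bounds]
    return [
        {n: ln[s:e].strip() for n, (s, e) in zip(names, bounds)}
        for ln in lines[rule_idx + 1:]
        if ln.strip()
    ]


@dataclass(frozen=True)
class Tunnel:
    name: str
    customer_gateway: str  # your reserved GCP static external IP
    vpn_gateway: str       # Heroku-side public IP: the peer address of the GCP tunnel
    pre_shared_key: str    # IKEv1 PSK to enter on the GCP tunnel
    routable_subnets: str  # the Private Space CIDR: the GCP tunnel's remote range
    ike_version: int


def parse_tunnels(wait_output: str) -> list[Tunnel]:
    return [
        Tunnel(r["VPN Tunnel"], r["Customer Gateway"], r["VPN Gateway"],
               r["Pre-shared Key"], r["Routable Subnets"], int(r["IKE Version"]))
        for r in parse_cli_table(wait_output)
    ]


def check_tunnels(tunnels: list[Tunnel], gcp_gateway_ip: str, space_cidr: str) -> list[str]:
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    if len(tunnels) != 2:
        problems.append(f"expected 2 tunnels, got {len(tunnels)}")
    if len({t.vpn_gateway for t in tunnels}) != len(tunnels):
        problems.append("tunnels do not have distinct Heroku VPN gateway IPs")
    for t in tunnels:
        if t.customer_gateway != gcp_gateway_ip:
            problems.append(f"{t.name}: customer gateway {t.customer_gateway} is not the reserved GCP IP {gcp_gateway_ip}")
        if t.ike_version != 1:
            problems.append(f"{t.name}: IKE version {t.ike_version}, but the GCP tunnel must use IKEv1")
        if t.routable_subnets != space_cidr:
            problems.append(f"{t.name}: routable subnets {t.routable_subnets} differ from the space CIDR {space_cidr}")
    return problems


def tunnels_up(connections_output: str) -> bool:
    """True when every tunnel of every connection reports UP (assumed state name)."""
    rows = parse_cli_table(connections_output)
    return bool(rows) and all(state == "UP" for r in rows for state in r["Tunnels"].split("/"))


def _table(header: list[str], rows: list[list[str]], widths: tuple[int, ...]) -> str:
    """Build constructed sample output laid out the way the CLI prints it."""
    def fmt(cells):
        return " ".join(c.ljust(w) for c, w in zip(cells, widths)).rstrip()
    return "\n".join([fmt(header), " ".join(RULE_CHAR * w for w in widths), *map(fmt, rows)])


# Constructed samples using the article's values; widths match its rule lines.
WAIT_OUTPUT = (
    "Waiting for VPN Connection vpn-connection-name to allocate... done\n"
    "=== vpn-connection-name VPN Tunnels\n"
    + _table(
        ["VPN Tunnel", "Customer Gateway", "VPN Gateway", "Pre-shared Key", "Routable Subnets", "IKE Version"],
        [["Tunnel 1", "35.237.228.210", "34.195.35.105", "sY0sjBWR7YVeJI8x41Go5.ZRq.ohQOLu", "10.0.0.0/16", "1"],
         ["Tunnel 2", "35.237.228.210", "34.224.185.144", "MmesiNxUH0OfcghtYrVSrTDhXj48qPmn", "10.0.0.0/16", "1"]],
        (10, 16, 14, 32, 16, 11),
    )
)
CONNECTIONS_OUTPUT = "=== space-name VPN Connections\n" + _table(
    ["Name", "Status", "Tunnels"], [["default", "active", "DOWN/DOWN"]], (7, 6, 9)
)
```

In practice you feed `parse_tunnels` the captured stdout of `heroku spaces:vpn:wait` and `tunnels_up` the stdout of `heroku spaces:vpn:connections`; `check_tunnels` returning a non-empty list is the signal to stop before creating the GCP tunnels, and `tunnels_up` returning `False` right after `terraform apply` is the expected state until the tunnels have had a few minutes to negotiate.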