

Multi-Cloud · 9 min read

HA Site-to-Site VPN Between GCP and AWS with Dynamic Routing

Connect Google Cloud and AWS with a highly available, BGP-routed VPN: HA VPN gateway, Cloud Router, dual customer gateways, and the VPC-peering transitivity gotcha that trips most people up.

Real multi-cloud needs a network path between providers that is resilient and self-healing. A static VPN with one tunnel is a single point of failure. This build connects GCP and AWS with a highly available site-to-site VPN using dynamic routing (BGP), so routes propagate and fail over automatically.

The building blocks

  • Cloud Router: terminates the BGP sessions for the tunnels and programs the routes it learns into the VPC as dynamic routes
  • HA VPN gateway: a regional gateway with two interfaces, each with its own external IP
  • VPN tunnels: IPsec tunnels between the GCP gateway interfaces and the AWS tunnel endpoints
  • AWS peer gateway: customer gateways plus a Virtual Private Gateway on the AWS side; on the GCP side the AWS tunnel endpoint addresses are registered as an external (peer) VPN gateway resource that the tunnels reference

GCP side

  • Two peered VPCs: nw1-vpc (192.168.0.0/16) and nw2-vpc (172.28.0.0/16)
  • Regional subnets with VPC flow logs enabled
  • A Cloud Router (BGP ASN 64514) in nw1-vpc that terminates the BGP sessions for the tunnels on the HA VPN gateway

AWS side

  • Two customer gateways, one per GCP HA VPN interface IP
  • A Virtual Private Gateway with ASN 64512, with route propagation enabled on the VPC route tables that need the GCP prefixes
  • Two VPN connections (one per customer gateway) using IKEv2 with pre-shared keys; each AWS connection comes with two tunnel endpoints of its own

Tunnel parameters

The two sides must share at least one IKE/IPsec proposal (AWS lets you pin what it offers through the connection's tunnel options; Cloud VPN negotiates from its supported cipher list), and each tunnel gets its own link-local /30 out of 169.254.0.0/16 for the BGP session:

IKE version          : IKEv2
Encryption           : AES-128-CBC
Integrity (auth)     : SHA1
Tunnel IPs           : 169.254.x.x/30 (one /30 per tunnel; AWS takes the first host, the Cloud Router interface the second)
GCP Cloud Router ASN : 64514
AWS VGW ASN          : 64512

AES-128-CBC with SHA1 is what AWS proposes by default and both clouds still accept it, but it is legacy. For a new build, pin the AWS tunnel options to AES-256-GCM (AES256-GCM-16) with SHA2 integrity and a Diffie-Hellman group of 14 or higher, all of which Cloud VPN supports; AWS's default proposal set still includes DH group 2 (1024-bit MODP), which is not something to leave negotiable. Use a distinct, randomly generated pre-shared key per tunnel and store it in a secret manager rather than in the build notes.
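The addressing and proposal rules above, turned into a small planning script. This is an added example, not code from the original post. It assumes AWS assigns each tunnel an inside CIDR from 169.254.0.0/16, keeps the first host for the VGW and leaves the second for the customer gateway (the Cloud Router interface), that the reserved /30 list is AWS's published exclusion list for inside tunnel CIDRs, and that proposals are written in AWS tunnel-option spelling on both sides for simplicity (Cloud VPN's own cipher names differ). The proposal sets are constructed samples.

```python
"""Per-tunnel BGP addressing plan and IKE proposal check for the GCP HA VPN <-> AWS
VGW build above. Added example, not code from the original post.

Assumptions (not in the write-up): AWS assigns each tunnel an inside CIDR from
169.254.0.0/16, keeps the first host for the VGW and leaves the second for the
customer gateway (here the Cloud Router interface); the reserved /30 list is
AWS's published exclusion list for inside tunnel CIDRs; proposals are written in
AWS tunnel-option spelling on both sides for simplicity.
"""
import ipaddress

GCP_ASN = 64514   # Cloud Router
AWS_ASN = 64512   # Virtual Private Gateway

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
AWS_RESERVED_INSIDE = [ipaddress.ip_network(c) for c in (
    "169.254.0.0/30", "169.254.1.0/30", "169.254.2.0/30", "169.254.3.0/30",
    "169.254.4.0/30", "169.254.5.0/30", "169.254.169.252/30")]


def valid_inside_cidr(cidr: str) -> bool:
    """A usable AWS inside tunnel CIDR: a /30 in 169.254.0.0/16 outside AWS's reserved blocks."""
    net = ipaddress.ip_network(cidr, strict=True)
    return (net.prefixlen == 30 and net.subnet_of(LINK_LOCAL)
            and not any(net.overlaps(r) for r in AWS_RESERVED_INSIDE))


def plan_bgp_session(tunnel: str, inside_cidr: str) -> dict:
    """Both ends of one tunnel's BGP session, derived from its AWS inside CIDR.

    The fields map onto `gcloud compute routers add-interface --ip-address/--mask-length`
    and `gcloud compute routers add-bgp-peer --peer-ip-address/--peer-asn`.
    """
    if not valid_inside_cidr(inside_cidr):
        raise ValueError(f"{tunnel}: {inside_cidr} is not a usable AWS inside CIDR")
    vgw_ip, router_ip = ipaddress.ip_network(inside_cidr).hosts()   # exactly two hosts in a /30
    return {
        "tunnel": tunnel,
        "router_ip": str(router_ip), "mask_length": 30,   # Cloud Router interface
        "peer_ip": str(vgw_ip), "peer_asn": AWS_ASN,       # AWS VGW end of the session
        "local_asn": GCP_ASN,
    }


WEAK_ENC = {"AES128"}       # AES-128-CBC in AWS spelling
WEAK_INTEG = {"SHA1"}
MIN_DH_GROUP = 14           # 2048-bit MODP; AWS still offers group 2 by default


def proposal_strength(p):
    """Ordering key: AEAD first, then AES-256, then SHA2 width, then DH group."""
    enc, integ, dh = p
    sha_bits = int(integ.rsplit("-", 1)[1]) if "-" in integ else 0   # SHA2-256 -> 256, SHA1 -> 0
    return ("GCM" in enc, "256" in enc, sha_bits, dh)


def choose_proposal(aws_offers, gcp_accepts, strict=True):
    """Pick the strongest proposal both sides have in common.

    With strict=True, AES-128-CBC, SHA1 and DH groups below 14 are refused, which is
    exactly what would fail the SHA1/AES-128-CBC negotiation shown above.
    """
    common = [p for p in aws_offers if p in gcp_accepts]
    if strict:
        common = [p for p in common
                  if p[0] not in WEAK_ENC and p[1] not in WEAK_INTEG and p[2] >= MIN_DH_GROUP]
    return max(common, key=proposal_strength) if common else None


# Constructed sample proposal sets, (encryption, integrity, DH group) in AWS spelling.
AWS_OFFERS = [("AES128", "SHA1", 2), ("AES256", "SHA2-256", 14),
              ("AES256-GCM-16", "SHA2-256", 14), ("AES256-GCM-16", "SHA2-384", 20)]
GCP_ACCEPTS = [("AES128", "SHA1", 2), ("AES256", "SHA2-256", 14),
               ("AES256-GCM-16", "SHA2-384", 20)]

if __name__ == "__main__":
    for name, cidr in (("tunnel-0", "169.254.10.0/30"), ("tunnel-1", "169.254.11.0/30")):
        print(plan_bgp_session(name, cidr))
    print("negotiated:", choose_proposal(AWS_OFFERS, GCP_ACCEPTS))
    print("legacy only, strict:", choose_proposal([("AES128", "SHA1", 2)], GCP_ACCEPTS))
```

Run it before touching either console: the plan gives you the exact interface and peer addresses to type into the Cloud Router commands, and `choose_proposal` with `strict=True` tells you whether the AWS tunnel options you are about to pin leave anything a modern build should accept.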

The VPC-peering gotcha

Here's the part that catches people: VPC peering is not transitive. nw2-vpc, peered to nw1-vpc, learns nw1-vpc's subnet routes and nothing beyond them: not the routes nw1-vpc's Cloud Router learns from AWS, and AWS in turn never hears about nw2-vpc, because in its default advertisement mode Cloud Router announces only the subnets of the VPC it is attached to. So with the VPN in nw1-vpc alone, traffic from nw2-vpc won't reach AWS and AWS has no route back. The fix has two halves. Towards AWS, switch the Cloud Router (or the individual BGP sessions) to custom advertisement and add 172.28.0.0/16 to the advertised ranges, keeping the all-subnets group so nw1-vpc's own subnets still go out. Towards nw2-vpc, enable export custom routes on nw1-vpc's side of the peering and import custom routes on nw2-vpc's side; routes learned over BGP count as custom routes for peering, so nw2-vpc then receives the AWS prefixes. On the AWS side, the VPC route tables need route propagation from the Virtual Private Gateway, otherwise the BGP-learned GCP prefixes never reach the subnet route tables; and the firewall rules and security groups on both sides still have to allow the remote CIDRs.
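A route-propagation model of the gotcha, as an added example that is not part of the original post. The VPC names and /16 ranges are the write-up's; the subnet CIDRs, the AWS VPC CIDR (10.0.0.0/16) and the peering are constructed. The flags mirror gcloud's `--advertisement-mode`, `--export-custom-routes`/`--import-custom-routes` and AWS route-table propagation, but the propagation rules are modelled in the script, not queried from either cloud.

```python
"""Route-propagation model for the peering gotcha above: the VPN and Cloud Router
sit in nw1-vpc, nw2-vpc is only peered to nw1-vpc. Added example, not from the
original post. The subnet CIDRs and the AWS VPC CIDR are constructed; the flags
mirror gcloud's --advertisement-mode, --export-custom-routes/--import-custom-routes
and AWS route-table propagation, but the rules are modelled here, not queried.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Vpc:
    name: str
    subnets: list
    export_custom_routes: bool = False   # this VPC's side of its peering
    import_custom_routes: bool = False


@dataclass
class CloudRouter:
    vpc: str
    advertise_mode: str = "DEFAULT"      # DEFAULT: only this VPC's subnets
    custom_ranges: list = field(default_factory=list)
    advertise_all_subnets: bool = True   # ALL_SUBNETS group in CUSTOM mode


def advertised_to_aws(router, vpcs):
    """Prefixes the Cloud Router announces over BGP. A peered VPC is never included
    unless its range is listed explicitly as a custom advertisement."""
    own = list(vpcs[router.vpc].subnets)
    if router.advertise_mode == "DEFAULT":
        return sorted(own)
    ranges = set(router.custom_ranges)
    if router.advertise_all_subnets:
        ranges.update(own)
    return sorted(ranges)


def routes_in_vpc(target, vpcs, peerings, router, aws_cidrs):
    """Routes a VM in `target` sees: own subnets, subnets of direct peers only
    (peering is not transitive), BGP-learned routes if the router lives here, and
    a direct peer's BGP routes only if that peer exports custom routes and
    `target` imports them."""
    routes = {c: "subnet" for c in vpcs[target].subnets}
    if router.vpc == target:
        routes.update({c: "dynamic" for c in aws_cidrs})
    for a, b in peerings:
        if target not in (a, b):
            continue
        peer = b if a == target else a
        for c in vpcs[peer].subnets:
            routes[c] = f"peering:{peer}"
        if (router.vpc == peer and vpcs[peer].export_custom_routes
                and vpcs[target].import_custom_routes):
            for c in aws_cidrs:
                routes[c] = f"dynamic via {peer}"
    return routes


def covered(cidr, prefixes):
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(ipaddress.ip_network(p)) for p in prefixes)


def cross_cloud_reachable(vpc_name, vpcs, peerings, router, aws_cidrs, aws_vgw_propagation=True):
    """Both directions must hold: AWS holds a propagated route to every subnet of the
    VPC, and the VPC holds a route to every AWS prefix."""
    to_aws = advertised_to_aws(router, vpcs)
    forward = aws_vgw_propagation and all(covered(s, to_aws) for s in vpcs[vpc_name].subnets)
    back = all(covered(c, list(routes_in_vpc(vpc_name, vpcs, peerings, router, aws_cidrs)))
               for c in aws_cidrs)
    return forward and back


AWS_CIDRS = ["10.0.0.0/16"]                # constructed AWS VPC range
PEERINGS = [("nw1-vpc", "nw2-vpc")]


def scenario(advertise_nw2: bool, peering_custom_routes: bool):
    """Reachability of each VPC with or without each half of the fix applied."""
    vpcs = {
        "nw1-vpc": Vpc("nw1-vpc", ["192.168.0.0/20"], export_custom_routes=peering_custom_routes),
        "nw2-vpc": Vpc("nw2-vpc", ["172.28.0.0/20"], import_custom_routes=peering_custom_routes),
    }
    router = (CloudRouter("nw1-vpc", "CUSTOM", ["172.28.0.0/16"]) if advertise_nw2
              else CloudRouter("nw1-vpc"))
    return {v: cross_cloud_reachable(v, vpcs, PEERINGS, router, AWS_CIDRS) for v in vpcs}


if __name__ == "__main__":
    for adv, peer in ((False, False), (True, False), (False, True), (True, True)):
        print(f"custom advertisement={adv} peering custom routes={peer}: {scenario(adv, peer)}")
```

The four scenarios show why half a fix still fails: custom advertisement alone gives AWS a path to nw2-vpc but nw2-vpc has no route back, and the peering flags alone give nw2-vpc the AWS prefixes while AWS has never heard of 172.28.0.0/16. nw1-vpc works in every case because the router lives in it.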

Validation

  • AWS instances can ping and SSH to GCP VMs across the VPN, and vice versa
  • BGP sessions show state Established in `gcloud compute routers get-status`, and each AWS tunnel reports Status UP with a non-zero AcceptedRouteCount in `aws ec2 describe-vpn-connections`, so routes are arriving dynamically on both sides
  • GCP firewall rules and AWS security groups permit the cross-cloud CIDRs
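A health check over the output of those two commands, as an added example that is not part of the original post. It assumes `aws ec2 describe-vpn-connections --output json` and `gcloud compute routers get-status ROUTER --region REGION --format=json`; the two JSON documents in the script are constructed samples in the shape those commands return, reduced to the fields used here, with documentation-range addresses.

```python
"""Health check for the validation step: every tunnel up and carrying routes on both
sides, and enough of them healthy for the link to still be HA. Added example, not
from the original post. AWS_SAMPLE and GCP_SAMPLE are constructed samples in the
shape of `aws ec2 describe-vpn-connections --output json` and
`gcloud compute routers get-status --format=json`, reduced to the fields used.
"""
import json

AWS_SAMPLE = json.loads("""
{"VpnConnections": [
  {"VpnConnectionId": "vpn-0a1b2c3d", "State": "available", "VgwTelemetry": [
    {"OutsideIpAddress": "203.0.113.10", "Status": "UP", "AcceptedRouteCount": 2, "StatusMessage": ""},
    {"OutsideIpAddress": "203.0.113.11", "Status": "DOWN", "AcceptedRouteCount": 0, "StatusMessage": "IPSEC IS DOWN"}]}
]}""")

GCP_SAMPLE = json.loads("""
{"result": {"bgpPeerStatus": [
  {"name": "peer-tunnel0", "peerIpAddress": "169.254.10.1", "state": "Established", "status": "UP", "numLearnedRoutes": 1},
  {"name": "peer-tunnel1", "peerIpAddress": "169.254.11.1", "state": "Connect", "status": "DOWN", "numLearnedRoutes": 0}]}}""")


def aws_tunnel_status(doc):
    """Per AWS tunnel: IPsec up and at least one BGP route accepted from GCP."""
    out = []
    for conn in doc["VpnConnections"]:
        for t in conn["VgwTelemetry"]:
            out.append({"connection": conn["VpnConnectionId"],
                        "outside_ip": t["OutsideIpAddress"],
                        "healthy": t["Status"] == "UP" and t["AcceptedRouteCount"] > 0,
                        "reason": t.get("StatusMessage", "")})
    return out


def gcp_peer_status(doc):
    """Per Cloud Router BGP peer: session Established and at least one route learned from AWS."""
    return [{"peer": p["name"], "peer_ip": p["peerIpAddress"],
             "healthy": p.get("state") == "Established" and p.get("numLearnedRoutes", 0) > 0}
            for p in doc["result"].get("bgpPeerStatus", [])]


def ha_report(aws_doc, gcp_doc, min_healthy=2):
    """Connected needs one healthy tunnel per side; redundant needs `min_healthy` per side,
    which is what the HA claim in the write-up actually rests on."""
    aws = aws_tunnel_status(aws_doc)
    gcp = gcp_peer_status(gcp_doc)
    aws_up = sum(t["healthy"] for t in aws)
    gcp_up = sum(p["healthy"] for p in gcp)
    return {
        "aws_healthy": aws_up, "gcp_healthy": gcp_up,
        "connected": aws_up >= 1 and gcp_up >= 1,
        "redundant": aws_up >= min_healthy and gcp_up >= min_healthy,
        "degraded": [t["outside_ip"] for t in aws if not t["healthy"]]
                    + [p["peer"] for p in gcp if not p["healthy"]],
    }


if __name__ == "__main__":
    print(json.dumps(ha_report(AWS_SAMPLE, GCP_SAMPLE), indent=2))
```

Feed it the real command output and alert on `redundant` being false rather than on `connected`: a link that still pings over one surviving tunnel is exactly the state the two-tunnel design was supposed to hide, and it should page someone before the second tunnel goes too.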

Why it matters

With redundant tunnels and dynamic routing, losing a tunnel doesn't take down connectivity: the BGP session over the failed tunnel drops, its routes are withdrawn, and traffic follows the surviving path. Bear in mind that each AWS VPN connection exposes two tunnel endpoints, so two connections give four tunnels to terminate across the HA VPN gateway's two interfaces; that four-tunnel layout is what Google's HA VPN availability SLA assumes for an AWS peer. That's the foundation for genuinely resilient multi-cloud architectures.

This is the build behind our Multi-Cloud HA VPN case study. Multi-cloud connectivity and inventory are core to what ATechsCloud CloudOps brings into one view.

Originally published by Aslam Parvaiz on LinkedIn (May 2023). This is a condensed write-up of the full step-by-step guide. Read the original on LinkedIn ↗

โ† All articles Request Early Access โ†’