» google_compute_vpn_tunnel

VPN tunnel resource.

To get more information about VpnTunnel, see:

» Example Usage - Vpn Tunnel Basic

# VPN tunnel attached to target_gateway and terminating at the peer gateway given in peer_ip.
resource "google_compute_vpn_tunnel" "tunnel1" {
  name          = "tunnel1"
  peer_ip       = "15.0.0.120"
  # Placeholder pre-shared key for illustration only. In a real configuration, supply the
  # key through an input variable or a secret store instead of a literal, and restrict
  # access to the Terraform state, which records this value.
  shared_secret = "a secret message"

  target_vpn_gateway = google_compute_vpn_gateway.target_gateway.self_link

  # Create the tunnel only after the ESP, UDP 500 and UDP 4500 forwarding rules exist.
  depends_on = [
    google_compute_forwarding_rule.fr_esp,
    google_compute_forwarding_rule.fr_udp500,
    google_compute_forwarding_rule.fr_udp4500,
  ]
}

# Target VPN gateway in network1; the tunnel and all three forwarding rules reference it.
resource "google_compute_vpn_gateway" "target_gateway" {
  name    = "vpn1"
  network = google_compute_network.network1.self_link
}

# Network that the VPN gateway and the route to the peer range are created in.
resource "google_compute_network" "network1" {
  name = "network1"
}

# Reserved address; its .address is the ip_address of the three forwarding rules below.
resource "google_compute_address" "vpn_static_ip" {
  name = "vpn-static-ip"
}

# Forwards ESP (the encrypted IPsec payload protocol) arriving at the VPN address to the gateway.
resource "google_compute_forwarding_rule" "fr_esp" {
  name        = "fr-esp"
  ip_protocol = "ESP"
  ip_address  = google_compute_address.vpn_static_ip.address
  target      = google_compute_vpn_gateway.target_gateway.self_link
}

# Forwards UDP port 500 (IKE key exchange) arriving at the VPN address to the gateway.
resource "google_compute_forwarding_rule" "fr_udp500" {
  name        = "fr-udp500"
  ip_protocol = "UDP"
  port_range  = "500"
  ip_address  = google_compute_address.vpn_static_ip.address
  target      = google_compute_vpn_gateway.target_gateway.self_link
}

# Forwards UDP port 4500 (IPsec NAT traversal) arriving at the VPN address to the gateway.
resource "google_compute_forwarding_rule" "fr_udp4500" {
  name        = "fr-udp4500"
  ip_protocol = "UDP"
  port_range  = "4500"
  ip_address  = google_compute_address.vpn_static_ip.address
  target      = google_compute_vpn_gateway.target_gateway.self_link
}

# Static route that sends traffic for dest_range in network1 through tunnel1.
resource "google_compute_route" "route1" {
  name       = "route1"
  network    = google_compute_network.network1.name
  # Everything matching this range leaves through the tunnel; keep it no wider than
  # the remote network that should be reachable over the VPN.
  dest_range = "15.0.0.0/24"
  priority   = 1000

  next_hop_vpn_tunnel = google_compute_vpn_tunnel.tunnel1.self_link
}

» Example Usage - Vpn Tunnel Beta

# Same tunnel as the basic example, created through the google-beta provider so that
# the Beta-only labels field can be set.
resource "google_compute_vpn_tunnel" "tunnel1" {
  provider      = google-beta
  name          = "tunnel1"
  peer_ip       = "15.0.0.120"
  # Placeholder pre-shared key for illustration only. In a real configuration, supply the
  # key through an input variable or a secret store instead of a literal, and restrict
  # access to the Terraform state, which records this value.
  shared_secret = "a secret message"

  target_vpn_gateway = google_compute_vpn_gateway.target_gateway.self_link

  # Create the tunnel only after the ESP, UDP 500 and UDP 4500 forwarding rules exist.
  depends_on = [
    google_compute_forwarding_rule.fr_esp,
    google_compute_forwarding_rule.fr_udp500,
    google_compute_forwarding_rule.fr_udp4500,
  ]

  # labels is documented as a Beta argument of this resource.
  labels = {
    foo = "bar"
  }
}

# Target VPN gateway in network1, managed through the google-beta provider; the tunnel
# and all three forwarding rules reference it.
resource "google_compute_vpn_gateway" "target_gateway" {
  provider = google-beta
  name     = "vpn1"
  network  = google_compute_network.network1.self_link
}

# Network that the VPN gateway and the route to the peer range are created in.
resource "google_compute_network" "network1" {
  provider = google-beta
  name     = "network1"
}

# Reserved address; its .address is the ip_address of the three forwarding rules below.
resource "google_compute_address" "vpn_static_ip" {
  provider = google-beta
  name     = "vpn-static-ip"
}

# Forwards ESP (the encrypted IPsec payload protocol) arriving at the VPN address to the gateway.
resource "google_compute_forwarding_rule" "fr_esp" {
  provider    = google-beta
  name        = "fr-esp"
  ip_protocol = "ESP"
  ip_address  = google_compute_address.vpn_static_ip.address
  target      = google_compute_vpn_gateway.target_gateway.self_link
}

# Forwards UDP port 500 (IKE key exchange) arriving at the VPN address to the gateway.
resource "google_compute_forwarding_rule" "fr_udp500" {
  provider    = google-beta
  name        = "fr-udp500"
  ip_protocol = "UDP"
  port_range  = "500"
  ip_address  = google_compute_address.vpn_static_ip.address
  target      = google_compute_vpn_gateway.target_gateway.self_link
}

# Forwards UDP port 4500 (IPsec NAT traversal) arriving at the VPN address to the gateway.
resource "google_compute_forwarding_rule" "fr_udp4500" {
  provider    = google-beta
  name        = "fr-udp4500"
  ip_protocol = "UDP"
  port_range  = "4500"
  ip_address  = google_compute_address.vpn_static_ip.address
  target      = google_compute_vpn_gateway.target_gateway.self_link
}

# Static route that sends traffic for dest_range in network1 through tunnel1.
resource "google_compute_route" "route1" {
  provider   = google-beta
  name       = "route1"
  network    = google_compute_network.network1.name
  # Everything matching this range leaves through the tunnel; keep it no wider than
  # the remote network that should be reachable over the VPN.
  dest_range = "15.0.0.0/24"
  priority   = 1000

  next_hop_vpn_tunnel = google_compute_vpn_tunnel.tunnel1.self_link
}

# Default region and zone for every resource above that sets provider = google-beta.
provider "google-beta" {
  region = "us-central1"
  zone   = "us-central1-a"
}

» Argument Reference

The following arguments are supported:

  • name - (Required) Name of the resource. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression [a-z]([-a-z0-9]*[a-z0-9])? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.

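  • shared_secret - (Required) Shared secret used to set up the secure session between the Cloud VPN gateway and the peer VPN gateway. Treat this value as a credential: avoid hard-coding it in configuration that is committed to version control, and restrict access to the Terraform state, which stores it.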


  • description - (Optional) An optional description of this resource.

  • target_vpn_gateway - (Optional) URL of the Target VPN gateway with which this VPN tunnel is associated.

  • vpn_gateway - (Optional, Beta) URL of the VPN gateway with which this VPN tunnel is associated. This must be used if a High Availability VPN gateway resource is created. This field must reference a google_compute_ha_vpn_gateway resource.

  • vpn_gateway_interface - (Optional, Beta) The interface ID of the VPN gateway with which this VPN tunnel is associated.

  • peer_external_gateway - (Optional, Beta) URL of the peer side external VPN gateway to which this VPN tunnel is connected.

  • peer_external_gateway_interface - (Optional, Beta) The interface ID of the external VPN gateway to which this VPN tunnel is connected.

  • peer_gcp_gateway - (Optional, Beta) URL of the peer side HA GCP VPN gateway to which this VPN tunnel is connected. If provided, the VPN tunnel will automatically use the same vpn_gateway_interface ID in the peer GCP VPN gateway. This field must reference a google_compute_ha_vpn_gateway resource.

  • router - (Optional) URL of router resource to be used for dynamic routing.

  • peer_ip - (Optional) IP address of the peer VPN gateway. Only IPv4 is supported.

  • ike_version - (Optional) IKE protocol version to use when establishing the VPN tunnel with the peer VPN gateway. Acceptable IKE versions are 1 or 2. Default version is 2. Keep the default unless the peer gateway supports only IKEv1.

  • local_traffic_selector - (Optional) Local traffic selector to use when establishing the VPN tunnel with peer VPN gateway. The value should be a CIDR formatted string, for example 192.168.0.0/16. The ranges should be disjoint. Only IPv4 is supported.

  • remote_traffic_selector - (Optional) Remote traffic selector to use when establishing the VPN tunnel with peer VPN gateway. The value should be a CIDR formatted string, for example 192.168.0.0/16. The ranges should be disjoint. Only IPv4 is supported.

  • labels - (Optional, Beta) Labels to apply to this VpnTunnel.

  • region - (Optional) The region where the tunnel is located. If unset, it defaults to the region of target_vpn_gateway.

  • project - (Optional) The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

» Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

» Timeouts

This resource provides the following Timeouts configuration options:

  • create - Default is 4 minutes.
  • update - Default is 4 minutes.
  • delete - Default is 4 minutes.

» Import

VpnTunnel can be imported using any of these accepted formats:

$ terraform import google_compute_vpn_tunnel.default projects/{{project}}/regions/{{region}}/vpnTunnels/{{name}}
$ terraform import google_compute_vpn_tunnel.default {{project}}/{{region}}/{{name}}
$ terraform import google_compute_vpn_tunnel.default {{region}}/{{name}}
$ terraform import google_compute_vpn_tunnel.default {{name}}

» User Project Overrides

This resource supports User Project Overrides.