
Introduction: The Hybrid Reality
Few enterprises move to the cloud by simply turning off their datacenter on a Friday and enabling Google Cloud on a Monday. The reality is Hybrid Cloud: a state where your legacy databases sit on-premises (for now), while your modern front-ends run on GKE or Cloud Run.
This architecture introduces a critical new variable: The Network Link.
If that link is slow, your app is slow. If that link drops, your app is down.
Google Cloud offers two primary ways to bridge this gap: HA VPN (over the public internet) and Cloud Interconnect (dedicated physical cables). Choosing the wrong one can lead to performance bottlenecks or massive unnecessary costs.
In this deep dive, we will analyse the technical differences, the SLA implications, and the hidden “Gotchas” like MTU and BGP limits.
The Architecture: Bridging Two Worlds
The fundamental goal is to extend your Google Cloud VPC IP space (e.g., 10.2.0.0/16) to your on-prem network (e.g., 192.168.0.0/16) so the two can talk privately over RFC 1918 addresses.
Both solutions rely on Cloud Router, Google’s distributed BGP speaker, to dynamically exchange routes between your datacenter routers and your VPC.

Technical Comparison Table
| Feature | HA VPN | Cloud Interconnect (Dedicated/Partner) |
| :------------------- | :-------------------------- | :------------------------------------------ |
| **Transport Medium** | Public Internet (Encrypted) | Private Fiber (Dedicated) |
| **Throughput** | Up to 3 Gbps per tunnel | 10 Gbps - 100 Gbps per circuit |
| **Latency** | Variable (Jitter is common) | Low, Stable, Deterministic |
| **SLA** | 99.99% (if 2 tunnels used) | 99.9% - 99.99% (topology dependent) |
| **Cost** | Low (~$0.05/hr + Traffic) | High (Port fees + Cross-connect fees) |
| **Setup Time** | Minutes | Weeks or Months (Physical cabling required) |
Deep Dive: HA VPN (The Agile Choice)
High Availability (HA) VPN is not your standard legacy VPN. It uses BGP and two active interfaces to offer a 99.99% SLA.
When to use it:
- Proof of Concept / Dev: You need connectivity today.
- Low Bandwidth: Your application is mostly stateless and doesn’t push TBs of data.
- Backup: You use it as a low-cost failover for your Interconnect.
Configuration Key: You must configure two tunnels connecting to two different interfaces on your on-prem gateway. If you only configure one, Google offers zero SLA.
```bash
# Example: Creating an HA VPN Gateway
gcloud compute vpn-gateways create my-ha-vpn \
  --network=my-vpc \
  --region=us-central1
```
Deep Dive: Cloud Interconnect (The Enterprise Choice)
There are two flavours here:
- Dedicated: You run a literal fibre optic cable from your rack to Google’s cage in a colocation facility.
- Partner: You use a service provider (like Equinix, Verizon, or Orange) who already has the fibre, and they carve out a VLAN for you.
When to use it:
- Data Migration: You are moving Petabytes of data (Database replication).
- Latency Sensitive: Financial trading or real-time voice apps where “jitter” is unacceptable.
- Regulatory: Data cannot traverse the public internet (even encrypted).
The Concept: VLAN Attachments
Interconnect doesn’t just “work.” You must create a VLAN Attachment that connects the physical circuit to a specific Cloud Router in a specific VPC.
Common Roadblocks & Troubleshooting
1. The MTU Mismatch (Packet Loss)
This is the #1 silent killer of hybrid connections.
- Google Cloud VPC MTU: Default is 1460 bytes.
- Standard Internet MTU: 1500 bytes.
- Issue: If your on-prem server sends a 1500-byte packet, and VPN encryption adds overhead, the packet exceeds 1460 bytes. It gets dropped or fragmented.
- Fix: TCP MSS Clamping. Configure your on-prem firewall/router to clamp the TCP Maximum Segment Size (MSS) to roughly 1350–1390 bytes to allow room for headers.
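As an added illustration (not code from the original post), the following Python models the failure mode above: it wraps a full-size TCP segment in ESP, checks the result against the 1460-byte VPC MTU, and searches for the largest MSS that still fits. The IPsec overhead figures are assumptions for a typical ESP tunnel-mode, AES-GCM, NAT-T tunnel; the real overhead depends on your cipher suite.

```python
import math

IPV4_HEADER = 20
TCP_HEADER = 20
VPC_MTU = 1460       # Google Cloud VPC default MTU (from the article)
ON_PREM_MTU = 1500   # standard Ethernet MTU on the on-prem side (from the article)

# Assumed per-packet IPsec overhead (ESP tunnel mode, AES-GCM, NAT-T on UDP 4500):
# outer IPv4 20 + UDP 8 + ESP SPI/sequence 8 + IV 8 in front, a 16-byte ICV behind,
# and a 2-byte trailer that ESP pads out to a 4-byte boundary.
ESP_FRONT = 20 + 8 + 8 + 8
ESP_ICV = 16
ESP_TRAILER = 2


def encapsulated_size(inner_packet: int) -> int:
    """Bytes on the wire once an inner IPv4 packet is wrapped in ESP."""
    body = inner_packet + ESP_TRAILER
    body += (-body) % 4          # ESP padding to a 4-byte boundary
    return ESP_FRONT + body + ESP_ICV


def vpn_transit(mss: int, df: bool = True) -> str:
    """Fate of a full-size TCP segment carrying `mss` payload bytes into the tunnel."""
    inner = IPV4_HEADER + TCP_HEADER + mss
    if inner > ON_PREM_MTU:
        raise ValueError("segment would not even leave the on-prem NIC")
    outer = encapsulated_size(inner)
    if outer <= VPC_MTU:
        return "delivered"
    if df:                       # Don't-Fragment set: the packet is silently dropped
        return "dropped"
    # Otherwise it is fragmented: every fragment carries its own outer IPv4 header
    # and a payload that is a multiple of 8 bytes.
    per_fragment = (VPC_MTU - IPV4_HEADER) // 8 * 8
    return f"fragmented into {math.ceil((outer - IPV4_HEADER) / per_fragment)} pieces"


def safe_mss() -> int:
    """Largest MSS whose full-size segment still fits the VPC MTU after encapsulation."""
    mss = VPC_MTU - IPV4_HEADER - TCP_HEADER
    while vpn_transit(mss, df=True) != "delivered":
        mss -= 1
    return mss


if __name__ == "__main__":
    print("unclamped 1500-byte packet:", vpn_transit(ON_PREM_MTU - IPV4_HEADER - TCP_HEADER))
    print("recommended MSS clamp:", safe_mss())
```

With these assumed overheads the clamp lands at 1358 bytes, inside the 1350–1390 range the text recommends; a heavier cipher suite pushes it lower, which is why the range rather than a single number is the practical guidance.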
2. BGP Route Limits
Cloud Router has a quota (defaults vary, usually 100–200 dynamic routes). If your on-prem router tries to advertise every single subnet of your massive corporate WAN individually, the session will drop.
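An added pre-flight check, not from the original post, for the route-limit problem: it takes the prefixes an on-prem router would advertise, collapses them into exact aggregates and, only if the count is still over the limit, widens the longest prefixes until they fit, flagging that the summaries then cover address space you may not actually own on-prem. The limit of 100 and the sample WAN are placeholders I constructed, not your project's real quota or topology.

```python
import ipaddress
from typing import Iterable, List, Tuple

ASSUMED_ROUTE_LIMIT = 100  # placeholder; check the real Cloud Router quota for your project


def collapse(nets: Iterable[ipaddress.IPv4Network]) -> List[ipaddress.IPv4Network]:
    """Merge nested and adjacent prefixes into exact aggregates (no extra address space)."""
    return sorted(ipaddress.collapse_addresses(nets))


def plan_advertisement(prefixes: Iterable[str],
                       limit: int = ASSUMED_ROUTE_LIMIT) -> Tuple[List[ipaddress.IPv4Network], bool]:
    """Return (prefixes to advertise, widened?).

    Exact aggregation comes first. If the count is still above `limit`, the
    longest prefixes are widened one bit at a time and re-aggregated; the flag
    tells the operator that the advertisement now covers space that may not
    exist on-prem, which needs a conscious decision rather than a silent default.
    """
    nets = collapse(ipaddress.ip_network(p, strict=False) for p in prefixes)
    widened = False
    while len(nets) > limit:
        longest = max(n.prefixlen for n in nets)
        if longest == 0:
            break
        nets = collapse(n.supernet() if n.prefixlen == longest else n for n in nets)
        widened = True
    return nets, widened


# Constructed sample data: a corporate WAN that hands Cloud Router every /24 separately.
CONTIGUOUS_WAN = [f"10.10.{i}.0/24" for i in range(150)] + [f"192.168.{i}.0/24" for i in range(50)]
SPARSE_WAN = [f"10.10.{i}.0/24" for i in range(1, 200, 2)]   # only the odd /24s are in use

if __name__ == "__main__":
    for name, wan in (("contiguous", CONTIGUOUS_WAN), ("sparse", SPARSE_WAN)):
        routes, widened = plan_advertisement(wan, limit=20)
        print(f"{name}: {len(wan)} routes -> {len(routes)} summaries, widened={widened}")
        for route in routes:
            print("   ", route)
```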

Conclusion
The choice between HA VPN and Cloud Interconnect comes down to the triangle of Speed, Cost, and Quality.
- HA VPN is fast to deploy and cheap, but quality (latency) varies with the weather of the internet.
- Interconnect provides premium quality and speed, but costs money and time to provision.
For most modernisation projects, I recommend a Hybrid-Hybrid approach: Start with HA VPN today to unblock developers. Build the Interconnect in parallel over the next 3 months, and keep the VPN as a backup link forever.
References & Further Reading
- Cloud Network Performance: Dashboard & Metrics
- HA VPN Topology: 99.99% SLA Guide
- MTU Considerations: MTU & MSS Clamping Guide
Originally published at https://lineargs.dev.
Hybrid Cloud Connectivity: Cloud Interconnect vs. HA VPN for Modernisation was originally published in Google Cloud – Community on Medium.
Source Credit: https://medium.com/google-cloud/hybrid-cloud-connectivity-cloud-interconnect-vs-ha-vpn-for-modernisation-4ed9729c8bb7?source=rss—-e52cf94d98af—4
