If a massive amount of data is flowing through, you will need the best possible throughput (even when using a cache solution like Avere) to transfer data between on-premises machines and the cloud.
Let’s see how we can configure Cloud VPN to get the best throughput!
Cloud VPN configuration
Cloud VPN configuration on Google Cloud’s side is pretty easy.
You’ll have to enter:
- the IP addresses of the endpoints,
- a secret key for encrypting the communications,
- the networks both on Google’s side and on-premises (CIDR: Classless Inter-Domain Routing)
The other important choice is the IKE (Internet Key Exchange) version: version 1 or version 2.
If supported by your on-premise firewall, choose IKEv2 to have the full choice of other settings.
Here is the tip: choosing the right cipher is critical. Galois/Counter Mode (GCM) is your friend.
With IKEv2, choosing the AES-GCM cipher will bring you the highest possible speed. IKEv1 will limit your cipher choice to AES-CBC-128 only, which offers lower throughput.
Sadly, some firewalls won’t let you choose the AES-GCM cipher (even some expensive ones). If your on-prem firewall doesn’t support IKEv2 and/or AES-GCM, have a look at the open-source firewall pfSense.
You’ll have all the possible IPsec choices and even more (like MSS clamping). On a CPU with the AES-NI instruction set, AES-GCM can make full use of a gigabit connection (the maximum for a Cloud VPN is 1.5 Gbps when using the regular Internet, 3 Gbps with direct peering).
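How these choices look on the on-prem peer, as an added example that is not from the original article: a strongSwan swanctl.conf fragment (strongSwan is the IPsec daemon that pfSense drives from its GUI), with the IKEv1 / AES-CBC-128 fallback noted in comments. Every address, CIDR, name and the secret is a placeholder, and the key size, PRF, integrity algorithm and DH group are assumptions to check against what your Cloud VPN gateway accepts.

```conf
# swanctl.conf on the on-prem peer (added example, placeholder values throughout).
connections {
    gcp-tunnel {
        # IKEv2 gives access to AES-GCM. The IKEv1 fallback would be: version = 1
        version = 2
        # On-prem endpoint IP, then Cloud VPN endpoint IP (documentation addresses).
        local_addrs = 203.0.113.10
        remote_addrs = 198.51.100.20
        # AES-GCM is an AEAD cipher, so the IKE proposal names a PRF instead of
        # a separate integrity algorithm. Key size, PRF and DH group are assumed.
        # IKEv1 fallback (AES-CBC-128 only): proposals = aes128-sha1-modp1024
        proposals = aes128gcm16-prfsha256-modp2048
        local {
            auth = psk
        }
        remote {
            auth = psk
        }
        children {
            gcp-net {
                # On-prem network, then Google-side network, both as CIDR.
                local_ts = 192.168.0.0/24
                remote_ts = 10.128.0.0/20
                # ESP with AES-GCM; the DH group here enables PFS (assumed).
                # IKEv1 fallback: esp_proposals = aes128-sha1
                esp_proposals = aes128gcm16-modp2048
                start_action = start
            }
        }
    }
}
secrets {
    ike-gcp {
        # Must match the secret key entered on the Cloud VPN side.
        id = 198.51.100.20
        secret = "REPLACE_WITH_THE_SHARED_SECRET"
    }
}
```

Once the tunnel is up, confirm on the peer that the negotiated IKE and ESP algorithms are the AES-GCM ones, since a mismatched proposal list can silently settle on a CBC suite.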
Still not enough?
You can scale throughput by using more VPNs with ECMP routing!