
Getting the best Cloud VPN throughput


When adopting a hybrid cloud setup, you will certainly use Cloud VPN (IPsec: “Internet Protocol Security”) as a secure private link between on-premise infrastructure and your Google Cloud projects.

If a massive amount of data flows through that link, you will need the best possible throughput (even when using a cache solution like Avere) to transfer data between on-premise machines and the cloud.

Let’s see how we can configure Cloud VPN to get the best throughput!

Cloud VPN configuration

Cloud VPN configuration on Google Cloud’s side is pretty easy.

You’ll have to enter:

  • the IP addresses of the endpoints,
  • a shared secret (pre-shared key) that both endpoints use to set up the encrypted tunnel,
  • the networks both on Google’s side and on-premise
    (CIDR: Classless Inter-Domain Routing)

The other important choice is the IKE (Internet Key Exchange) version: version 1 or version 2.

If supported by your on-premise firewall, choose IKEv2 to have the full choice of other settings.

Configuration on-premise

Here is the tip: Choosing the right cipher is critical. Galois / Counter Mode (GCM) is your friend.

With IKEv2, choosing the AES-GCM cipher will give you the highest possible speed. IKEv1 limits your cipher choice to AES-CBC-128 only, which offers lower throughput.
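As an added example (not from the original post), here is a small Python check that flags tunnels not using IKEv2 or still offering a non-GCM ESP cipher. It assumes the on-premise gateway is configured with strongSwan-style `ipsec.conf` text; the connection names and sample config are constructed.

```python
import re
# Constructed sample config for this added example (assumes strongSwan ipsec.conf syntax).
SAMPLE_CONF = """\
# IKEv2 with an AES-GCM ESP proposal
conn gcp-fast
    keyexchange=ikev2
    esp=aes256gcm16!
# IKEv1, which per the article leaves only AES-CBC
conn gcp-legacy
    keyexchange=ikev1
    esp=aes128-sha1!
# IKEv2, but a CBC proposal is still offered as a fallback
conn gcp-mixed
    keyexchange=ikev2
    esp=aes128gcm16,aes128-sha256
"""

def parse_conns(text):
    """Return {conn_name: {key: value}}; 'conn %default' inheritance is not resolved."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if not line.strip():
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif not line[0].isspace():
            current = None  # another section, e.g. "config setup"
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return conns

def audit(text):
    """Return {conn_name: [findings]}; an empty list means IKEv2 and GCM-only ESP."""
    report = {}
    for name, opts in parse_conns(text).items():
        findings = []
        if opts.get("keyexchange", "").lower() != "ikev2":
            findings.append("keyexchange is not ikev2")
        # A trailing "!" marks the proposal list as strict; commas separate proposals.
        proposals = [p.strip() for p in opts.get("esp", "").rstrip("!").split(",") if p.strip()]
        if not proposals:
            findings.append("esp is unset")
        for p in proposals:
            if "gcm" not in p.split("-")[0].lower():  # first token is the cipher
                findings.append(f"esp proposal {p} is not AES-GCM")
        report[name] = findings
    return report
```

Calling `audit(SAMPLE_CONF)` returns an empty finding list for `gcp-fast` and names the offending setting for the other two connections.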

Other settings

Please refer to the advanced configuration reference for other settings, around integrity, Diffie-Hellman key exchange, and phase lifetime.

Firewall

Sadly, some firewalls won’t let you choose the AES-GCM cipher (even some expensive ones). If your on-prem firewall doesn’t support IKEv2 and/or AES-GCM, have a look at the open source firewall pfSense.

You’ll have all the possible IPsec choices and even more (like MSS clamping). On a CPU with the AES-NI instruction set, AES-GCM can use a full gigabit connection (the maximum for a Cloud VPN is 1.5 Gbps when using regular Internet, 3 Gbps with direct peering).

Still not enough?

You can scale throughput by using more VPNs with ECMP routing!
