Google Cloud Router – Dynamic BGP Routing

Google Cloud Router

  • Cloud Router is a fully distributed and managed service that uses BGP to learn and advertise routes, programs the resulting custom dynamic routes into the VPC network, and scales with network traffic rather than with the capacity of a device.
  • Cloud Router works with both legacy networks and VPC networks.
  • Cloud Router isn’t a connectivity option, but a service that works over Cloud VPN or Interconnect connections to provide dynamic routing by using the Border Gateway Protocol (BGP) for the VPC networks.
  • Cloud Router isn’t supported for Direct Peering or Carrier Peering connections.
  • Cloud Router isn’t a physical device that might cause a bottleneck, and it can’t be used by itself.
  • Cloud Router is control plane only: it exchanges routes over BGP but doesn’t route or forward packets. Forwarding is done by the VPC network over the underlying Cloud VPN tunnel or VLAN attachment.
  • Cloud Router is required or recommended in the following cases:
    • Required for Cloud NAT
    • Required for Cloud Interconnect (Dedicated, Partner, and Cross-Cloud Interconnect)
    • Required for HA VPN
    • Required for Router appliances (Network Connectivity Center)
    • A recommended configuration option for Classic VPN
  • Cloud Router helps dynamically exchange routes between the Google Cloud network and the on-premises network.
  • Cloud Router peers with the on-premises VPN gateway or router to provide dynamic routing and exchanges topology information through BGP.
  • Cloud Router frees you from maintaining static routes.
  • Google Cloud recommends creating two Cloud Routers in each region for a Cloud Interconnect for 99.99% availability.
  • Cloud Router follows the dynamic routing mode of its VPC network, which is one of:
    • Regional routing mode – Cloud Router advertises only the subnets in its own region, and the routes it learns are programmed only for that region.
    • Global routing mode – Cloud Router advertises subnets from all regions, and the routes it learns are programmed in every region of the VPC network.

Google Cloud Router - Global Dynamic Routing

Cloud Router Key Features

  • BGP Session Management – Manages BGP sessions with support for Bidirectional Forwarding Detection (BFD) and MD5 authentication.
  • Advertised Routes – Advertises IP ranges to the peer network, including subnet routes and custom route advertisements.
  • Learned Routes – Uses routes received from BGP peers and custom learned routes to create dynamic routes in VPC networks.
  • BGP Route Policies – Allows setting rules to filter BGP routes or modify BGP route attributes (GA since March 2025).
  • IPv6 Support – Supports IPv6 route exchange through BGP over IPv6 or BGP over IPv4 using multiprotocol BGP (MP-BGP).

BGP Route Policies

  • BGP route policies let you set rules to filter BGP routes or modify BGP route attributes.
  • BGP route policies can be applied to both inbound (learned) and outbound (advertised) BGP routes.
  • A particular BGP route policy can be applied only in one direction (inbound OR outbound), but not both simultaneously.
  • BGP route policies can be applied to multiple BGP peers on Cloud Router.
  • Route policies use the Common Expression Language (CEL) to define conditions and actions.
  • Each policy is defined as an ordered list of terms, evaluated in sequence, with conditions and corresponding actions.
  • Use cases include:
    • Changing which route Cloud Router prefers (for example by setting MED or prepending the AS path) to steer traffic onto a primary or backup path
    • Filtering routes based on prefixes or communities, such as rejecting a default route, or any prefix that overlaps the VPC’s own subnets, announced by an on-premises peer
    • Modifying route attributes (MED, AS path, communities) before advertisement or import
  • Named Sets (Preview, March 2026) – Group together expressions of communities or BGP prefixes, allowing them to be managed or referenced as a single entity within route policies.
  • BGP route policies are not supported for custom learned routes.

Custom Learned Routes

  • Custom learned routes let you configure a BGP session to include learned routes that you manually specify.
  • Cloud Router behaves as if it learned these routes from the BGP peer.
  • Custom learned routes are useful when you don’t have administrator control to configure a remote peer router.
  • Advantages over static routes:
    • Can detect a loss of reachability in the next hop and react accordingly to avoid dropping traffic.
    • Support using HA VPN tunnels or Cloud Interconnect VLAN attachments as next hops.
  • Custom learned routes can be created along with a BGP session or added to an existing BGP session.
  • Custom learned routes became GA in July 2023.

Best Path Selection Modes

  • Cloud Router supports two best path selection modes for learned routes:
    • Legacy mode – the default mode, recommended for critical workloads.
    • Standard mode – Offers support for consistent AS path-based routing and more control over how BGP prefixes are ranked in VPC networks. GA since December 2024.
  • Standard mode provides more predictable path selection behavior, aligned with standard BGP best path selection algorithms.
  • The best path selection mode is configured at the VPC network level.
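To make the route-policy and best-path sections above concrete, here is an added Python model of an ordered-term import policy (first matching term decides; custom learned routes bypass it, as the page notes) followed by a per-prefix ranking of the surviving routes. It is an illustration written for this page, not Cloud Router’s own policy language (Cloud Router terms are written in CEL) or its exact selection algorithm; the peers, ASNs, prefixes, communities and the VPC range are constructed.

```python
"""Generic model: ordered-term BGP import policy, then best-path ranking per prefix.

Added example for this page. Not Cloud Router's CEL policy syntax or its exact
selection algorithm; all routes, peers, ASNs and communities are made up.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str
    peer: str
    as_path: tuple                  # neighbour AS first
    med: int = 0
    communities: frozenset = frozenset()
    custom_learned: bool = False    # page: route policies are not applied to these

    @property
    def network(self):
        return ipaddress.ip_network(self.prefix)


# A term pairs a match predicate with an action; the action returns the
# (possibly modified) route, or None to drop it.
Term = Tuple[Callable[[Route], bool], Callable[[Route], Optional[Route]]]


def apply_policy(terms: List[Term], routes: List[Route]) -> List[Route]:
    """Evaluate terms in order; the first matching term decides the route.
    Routes that match no term are accepted unchanged."""
    accepted = []
    for route in routes:
        result: Optional[Route] = route
        if not route.custom_learned:          # custom learned routes bypass the policy
            for match, action in terms:
                if match(route):
                    result = action(route)
                    break
        if result is not None:
            accepted.append(result)
    return accepted


def best_path(candidates: List[Route]) -> Route:
    """Rank routes for one prefix: shorter AS path wins, then lower MED.
    Simplified: MED is compared across all peers (always-compare-MED behaviour);
    the peer name is only a deterministic final tie-break."""
    return min(candidates, key=lambda r: (len(r.as_path), r.med, r.peer))


def select_routes(terms: List[Term], learned: List[Route]) -> Dict[str, Route]:
    """Run the import policy, then pick one best route per prefix."""
    by_prefix: Dict[str, List[Route]] = {}
    for route in apply_policy(terms, learned):
        by_prefix.setdefault(route.prefix, []).append(route)
    return {prefix: best_path(routes) for prefix, routes in by_prefix.items()}


# --- constructed policy (assumed VPC range 10.10.0.0/16) ------------------------
VPC_RANGES = [ipaddress.ip_network("10.10.0.0/16")]

def is_default(r: Route) -> bool: return r.network.prefixlen == 0
def overlaps_vpc(r: Route) -> bool: return any(r.network.overlaps(v) for v in VPC_RANGES)
def too_specific(r: Route) -> bool: return r.network.prefixlen > 24
def has_community(c: str): return lambda r: c in r.communities
def drop(r: Route): return None
def set_med(v: int): return lambda r: replace(r, med=v)

IMPORT_POLICY: List[Term] = [
    (is_default, drop),                 # never learn 0.0.0.0/0 from an on-prem peer
    (overlaps_vpc, drop),               # a peer must not announce our own subnets
    (too_specific, drop),               # limit route-table growth
    (has_community("64512:200"), set_med(200)),   # routes tagged "backup" get a worse MED
]

# --- constructed routes as they might be learned from two on-premises peers -----
LEARNED = [
    Route("192.168.1.0/24", "onprem-a", (64512,), med=100),
    Route("192.168.1.0/24", "onprem-b", (64512,), med=50, communities=frozenset({"64512:200"})),
    Route("0.0.0.0/0", "onprem-b", (64512,)),
    Route("10.10.1.0/24", "onprem-a", (64512,)),           # overlaps the VPC range
    Route("192.168.1.128/25", "onprem-a", (64512,)),
    Route("172.16.0.0/16", "onprem-a", (64512,), custom_learned=True),
]

if __name__ == "__main__":
    for prefix, route in select_routes(IMPORT_POLICY, LEARNED).items():
        print(f"{prefix:18} via {route.peer} med={route.med}")
```

Without the policy, onprem-b wins 192.168.1.0/24 on its lower MED and the default route and the 10.10.1.0/24 hijack would both be installed; with it, the backup community pushes onprem-b’s MED to 200 so onprem-a is preferred, the dangerous prefixes are dropped, and the custom learned 172.16.0.0/16 is installed untouched.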

Bidirectional Forwarding Detection (BFD)

  • BFD is a lightweight, UDP-based protocol that detects failures in the forwarding path between two adjacent routers with far less overhead than relying on BGP keepalive and hold timers.
  • With BFD enabled on Cloud Router, end-to-end failure detection time can be as short as 5 seconds (the negotiated transmit interval multiplied by the detection multiplier).
  • When BFD declares the path down, the BGP session is torn down and its learned routes are withdrawn, so traffic fails over to the remaining tunnel or VLAN attachment instead of being black-holed until the BGP hold timer expires.
  • BFD for Cloud Router is GA since February 2022.

BGP MD5 Authentication

  • Cloud Router supports MD5 authentication (the TCP MD5 signature option, RFC 2385) for BGP sessions: every TCP segment of the session carries a keyed digest that the peer verifies before accepting the segment.
  • MD5 authentication protects the BGP session against spoofed or injected TCP segments, such as a forged RST or a forged UPDATE from someone who can reach the peering addresses. It provides integrity and origin authentication only, not confidentiality; the BGP exchange over Cloud Interconnect is otherwise unencrypted.
  • Both the Cloud Router and the peer router must use the same authentication key. Treat it as a secret (long, random, kept out of version control) and rotate it on both sides together, since a mismatch drops the session.
  • MD5 authentication for Cloud Router is GA since November 2022.
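What the MD5 option actually commits to, as an added example for this page: the RFC 2385 digest over the IP pseudo-header, the TCP header (checksum zeroed, options excluded), the payload and the shared key, wrapped in a signer and a verifier. The segment is a constructed BGP KEEPALIVE between made-up link-local peering addresses; real stacks compute this in the kernel (Linux exposes it as the TCP_MD5SIG socket option), and this Python is an illustration of the mechanism, not Cloud Router’s implementation.

```python
"""RFC 2385 TCP MD5 signature option as used on BGP sessions.

Added example for this page; constructed IPv4/TCP values, not real Cloud Router traffic.
"""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

TCP_PROTO = 6
BGP_PORT = 179
OPT_EOL, OPT_NOP, OPT_MD5 = 0, 1, 19        # 19 = TCP MD5 signature option kind

# Constructed sample: a BGP KEEPALIVE (16-byte marker, length 19, type 4).
BGP_KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)


def _base_header(sport, dport, seq, ack, flags, window, data_offset_words):
    """20-byte TCP header. The checksum (bytes 16-17) is left zero: it is not
    computed here, and RFC 2385 hashes the header as if the checksum were zero."""
    off_flags = (data_offset_words << 12) | flags
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, window, 0, 0)


def tcp_md5_digest(src_ip, dst_ip, base_header, options_len, payload, key):
    """RFC 2385 section 2: pseudo-header, base header (checksum zero, options
    excluded), segment data, then the key."""
    tcp_len = len(base_header) + options_len + len(payload)
    pseudo = struct.pack("!4s4sBBH", IPv4Address(src_ip).packed,
                         IPv4Address(dst_ip).packed, 0, TCP_PROTO, tcp_len)
    hdr_zero_csum = base_header[:16] + b"\x00\x00" + base_header[18:]
    return hashlib.md5(pseudo + hdr_zero_csum + payload + key).digest()


def build_signed_segment(src_ip, dst_ip, sport, seq, ack, payload, key):
    """Sender side: base header + MD5 option (padded to 4 bytes with NOPs) + payload."""
    options_len = 20                      # kind(1) + len(1) + digest(16) + 2 NOPs
    base = _base_header(sport, BGP_PORT, seq, ack, 0x018, 65535, (20 + options_len) // 4)
    digest = tcp_md5_digest(src_ip, dst_ip, base, options_len, payload, key)
    options = bytes([OPT_MD5, 18]) + digest + bytes([OPT_NOP, OPT_NOP])
    return base + options + payload


def verify_signed_segment(src_ip, dst_ip, segment, key):
    """Receiver side: recompute with the local key; reject if the option is
    missing or the digest differs (tampered data, wrong key, spoofed addresses)."""
    base = segment[:20]
    data_offset = (struct.unpack("!H", base[12:14])[0] >> 12) * 4
    options, payload = segment[20:data_offset], segment[data_offset:]
    received = None
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        length = options[i + 1]
        if kind == OPT_MD5 and length == 18:
            received = options[i + 2:i + 18]
        i += length
    if received is None:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, base, len(options), payload, key)
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    key = b"constructed-demo-key"                      # in practice a long random secret
    src, dst = "169.254.10.1", "169.254.10.2"          # constructed link-local peering IPs
    seg = build_signed_segment(src, dst, 40000, 1000, 2000, BGP_KEEPALIVE, key)
    print("genuine:", verify_signed_segment(src, dst, seg, key))
    print("wrong key:", verify_signed_segment(src, dst, seg, b"guess"))
    print("type byte rewritten to NOTIFICATION:", verify_signed_segment(src, dst, seg[:-1] + b"\x03", key))
    print("spoofed source address:", verify_signed_segment("192.0.2.9", dst, seg, key))
```

Because the source and destination addresses are inside the hash, a segment replayed from another address pair fails along with tampered or unkeyed ones; what the option cannot do is hide the BGP payload, which is why the page’s Interconnect section still recommends encryption for confidentiality. TCP-AO (RFC 5925) is the standards-track successor with stronger MACs, but the MD5 option remains the interoperable baseline on most routers.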

IPv6 Support and Multiprotocol BGP (MP-BGP)

  • Cloud Router supports IPv6 BGP sessions (GA since May 2024), allowing exchange of IPv6 prefixes over IPv6 BGP sessions.
  • With MP-BGP, you can exchange IPv6 routes over an IPv4 BGP session or IPv4 routes over an IPv6 BGP session.
  • To exchange both IPv4 and IPv6 traffic in a single BGP session, select the IPv4 and IPv6 (dual stack) stack type in the network connectivity product (e.g., HA VPN or Dedicated Interconnect).
  • You can enable or disable IPv4 or IPv6 route exchange in a specific BGP session by modifying the BGP peer configuration.
  • MP-BGP for exchanging IPv6 prefixes over IPv4 BGP sessions has been GA since December 2022.

Graceful Restart

  • Cloud Router supports graceful restart to minimize traffic disruption during Cloud Router task restarts or maintenance.
  • With graceful restart, traffic between the networks isn’t disrupted as long as the BGP session is re-established within the graceful restart period; the peer keeps forwarding on the previously learned routes (marked stale) until then.
  • Google Cloud recommends enabling graceful restart on the on-premises BGP device.
  • Set the restart timer and stale-path timer on the on-premises device to the values Google Cloud documents for Cloud Router; if the on-premises device flushes its stale routes before the session is back, traffic is dropped for the remainder of the restart.

Route Advertisements

  • In the default advertisement mode, Cloud Router advertises the IP ranges of all subnets in the VPC network (all regions in global routing mode, only its own region in regional mode) to its BGP peers.
  • Custom advertisement mode lets you control what the peer learns:
    • Optionally include all subnet routes (the same set the default mode advertises)
    • Add custom IP ranges, which is how you advertise only specific subnets, a summarized range, or ranges reachable through the VPC such as the Private Google Access ranges for on-premises hosts
  • Advertising only what the on-premises side needs limits what it can route to; custom route advertisements can be configured at the Cloud Router level and overridden per BGP peer.

Cloud Router with Network Connectivity Center

  • Network Connectivity Center (NCC) is a hub-and-spoke orchestration framework for network connectivity.
  • Cloud Router is required for Router appliance instances, an NCC spoke type that lets third-party network virtual appliances running on Compute Engine take part in routing.
  • A Router appliance instance peers over BGP with a Cloud Router to exchange routes between the virtual appliance and the VPC network.
  • NCC supports site-to-site data transfer between on-premises sites using Google’s network.

GCP Certification Exam Practice Questions

  • Questions are collected from the Internet and the answers are marked as per my knowledge and understanding (which might differ from yours).
  • GCP services are updated every day and both the answers and questions might be outdated soon, so research accordingly.
  • GCP exam questions are not updated to keep pace with GCP updates, so even if the underlying feature has changed, the question might not be updated.
  • Open to further feedback, discussion and correction.

Question 1: You need to detect forwarding path failures between your on-premises router and Google Cloud as quickly as possible. What feature should you enable on Cloud Router?

  1. MD5 Authentication
  2. Graceful Restart
  3. Bidirectional Forwarding Detection (BFD)
  4. Custom Learned Routes

Answer: 3. Bidirectional Forwarding Detection (BFD)

BFD detects forwarding path failures between adjacent routers in as little as 5 seconds, much faster than BGP keepalive and hold timers alone.

Question 2: Your organization wants to filter specific BGP routes learned from an on-premises peer and modify route attributes before importing them into your VPC routing table. Which Cloud Router feature should you use?

  1. Custom Route Advertisements
  2. Custom Learned Routes
  3. BGP Route Policies
  4. Best Path Selection Mode

Answer: 3. BGP Route Policies

BGP route policies let you set rules to filter BGP routes or modify BGP route attributes for both inbound (learned) and outbound (advertised) routes.

Question 3: You want to exchange IPv6 routes with your on-premises network over an existing IPv4 BGP session. What feature should you configure?

  1. IPv6 BGP Session
  2. Multiprotocol BGP (MP-BGP)
  3. Dual-stack Cloud Router
  4. IPv6 Route Advertisements

Answer: 2. Multiprotocol BGP (MP-BGP)

MP-BGP lets an existing IPv4 BGP session carry IPv6 routes (and an IPv6 session carry IPv4 routes). The underlying tunnel or VLAN attachment must use the dual-stack type, and IPv6 route exchange is enabled on the BGP peer.

Question 4: You need routes that can detect loss of reachability at the next hop and that can use HA VPN tunnels as next hops. Static routes don’t meet these requirements. What should you use?

  1. BGP Route Policies
  2. Dynamic Routes from BGP peers
  3. Custom Learned Routes
  4. Policy-based Routes

Answer: 3. Custom Learned Routes

Custom learned routes let you manually configure routes on a BGP session. Unlike static routes, they can detect loss of reachability and support HA VPN tunnels or VLAN attachments as next hops.

Question 5: Which of the following Google Cloud products require Cloud Router for dynamic routing? (Choose 3)

  1. Dedicated Interconnect
  2. Cloud CDN
  3. HA VPN
  4. Cross-Cloud Interconnect
  5. Cloud DNS

Answer: 1, 3, 4

Cloud Router is required for Dedicated Interconnect, HA VPN, Cross-Cloud Interconnect, Partner Interconnect, and Router appliances. It is not used by Cloud CDN or Cloud DNS.

References

Google Cloud Networking Services Cheat Sheet

Virtual Private Cloud

  • Virtual Private Cloud (VPC) provides networking functionality for the cloud-based resources and services that is global, scalable, and flexible.
  • VPC networks are global resources, including the associated routes and firewall rules, and are not associated with any particular region or zone.
  • Subnets are regional resources and each subnet defines a range of IP addresses.
  • Network firewall rules
    • control traffic to and from instances.
    • are enforced on the VMs themselves (in the virtualization layer), so traffic can only be controlled and logged as it leaves or arrives at a VM.
    • are defined to allow or deny traffic and are evaluated in priority order; each rule has a priority from 0 to 65535.
    • the highest-priority (lowest integer) rule applicable to a target for a given type of traffic takes precedence; when two matching rules share a priority, deny takes precedence over allow. Every network has implied rules at priority 65535: deny all ingress and allow all egress.
  • Resources within a VPC network can communicate with one another by using internal IPv4 addresses, subject to applicable network firewall rules.
  • Private access options for services allow instances that have only internal IP addresses to reach Google APIs and services.
  • Shared VPC to keep a VPC network in a common host project shared with service projects. Authorized IAM members from other projects in the same organization can create resources that use subnets of the Shared VPC network
  • VPC Network Peering allows VPC networks to be connected with other VPC networks in different projects or organizations.
  • VPC networks can be securely connected in hybrid environments by using Cloud VPN or Cloud Interconnect.
  • Subnet primary and secondary IP ranges must not overlap with on-premises CIDRs that need to be reachable over VPN or Interconnect; subnet routes always take precedence over dynamic routes, so an overlapping on-premises range would be unreachable.
  • VPC networks support IPv4 unicast and, on dual-stack subnets, IPv6 unicast traffic; they do not support broadcast or multicast within the network.
  • VPC Flow Logs records a sample of network flows sent from and received by VM instances, including instances used as GKE nodes.
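An added example of the firewall evaluation order described above (lowest priority number wins, deny beats allow at equal priority, implied rules at 65535), written for this page rather than taken from Google’s implementation. The rule set is constructed, except for 35.235.240.0/20, which is the documented IAP TCP-forwarding source range; it reproduces a common mistake, a broad deny that outranks a narrow allow, and the fix. Stateful return traffic and egress evaluation are not modelled.

```python
"""Which VPC firewall rule decides an ingress packet.

Added example for this page: constructed rules and packets; only the IAP range
35.235.240.0/20 is a real value. Stateful return traffic is not modelled.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int                           # 0-65535, lower number = higher priority
    action: str                             # "allow" or "deny"
    direction: str = "INGRESS"
    sources: Tuple[str, ...] = ("0.0.0.0/0",)
    target_tags: Tuple[str, ...] = ()       # empty = all instances in the network
    protocol: str = "all"                   # "tcp", "udp", "icmp" or "all"
    ports: Tuple[int, ...] = ()             # empty = every port of that protocol


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_tags: Tuple[str, ...]
    protocol: str
    dst_port: Optional[int] = None


IMPLIED_RULES = [
    Rule("implied-deny-ingress", 65535, "deny", "INGRESS"),
    Rule("implied-allow-egress", 65535, "allow", "EGRESS"),
]


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != "INGRESS":
        return False
    if rule.target_tags and not set(rule.target_tags) & set(pkt.dst_tags):
        return False
    src = ipaddress.ip_address(pkt.src_ip)
    if not any(src in ipaddress.ip_network(s) for s in rule.sources):
        return False
    if rule.protocol != "all" and rule.protocol != pkt.protocol:
        return False
    if rule.ports and pkt.dst_port not in rule.ports:
        return False
    return True


def evaluate_ingress(rules, pkt: Packet) -> Tuple[str, str]:
    """Return (action, rule name) of the rule that decides this packet:
    lowest priority number first, and deny before allow when tied."""
    candidates = [r for r in list(rules) + IMPLIED_RULES if rule_matches(r, pkt)]
    winner = min(candidates, key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    return winner.action, winner.name


# Constructed rule set with a common mistake: a broad deny that outranks the narrow allow.
ALLOW_IAP_SSH = Rule("allow-ssh-from-iap", 1000, "allow", sources=("35.235.240.0/20",),
                     target_tags=("ssh",), protocol="tcp", ports=(22,))
ALLOW_WEB = Rule("allow-web", 1000, "allow", target_tags=("web",), protocol="tcp", ports=(80, 443))
RULES_BROKEN = [ALLOW_IAP_SSH, ALLOW_WEB,
                Rule("deny-ssh-everywhere", 900, "deny", protocol="tcp", ports=(22,))]

# Fix: give the broad deny a lower priority (higher number) than the IAP allow.
RULES_FIXED = [ALLOW_IAP_SSH, ALLOW_WEB,
               Rule("deny-ssh-everywhere", 1100, "deny", protocol="tcp", ports=(22,))]

# Equal-priority conflict: the deny wins.
RULES_TIE = RULES_FIXED + [Rule("allow-any-tcp", 1100, "allow", protocol="tcp")]

if __name__ == "__main__":
    iap_ssh = Packet("35.235.240.10", ("ssh",), "tcp", 22)
    print("broken:", evaluate_ingress(RULES_BROKEN, iap_ssh))
    print("fixed: ", evaluate_ingress(RULES_FIXED, iap_ssh))
    print("internet to 8080:", evaluate_ingress(RULES_FIXED, Packet("203.0.113.5", ("web",), "tcp", 8080)))
```

Running it shows the IAP SSH session denied by the priority-900 rule in the broken set and allowed once the deny is moved to 1100, while anything no explicit rule covers (the port 8080 request) falls through to the implied ingress deny.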

Cloud Load Balancing

  • Cloud Load Balancing is a fully distributed, software-defined managed load balancing service
  • distributes user traffic across multiple instances of the applications, spreading the load so that no single instance becomes a performance bottleneck
  • provides health checking mechanisms that determine if backends, such as instance groups and zonal network endpoint groups (NEGs), are healthy and properly respond to traffic.
  • supports IPv6 clients with HTTP(S) Load Balancing, SSL Proxy Load Balancing, and TCP Proxy Load Balancing.
  • supports multiple Cloud Load Balancing types
    • Internal HTTP(S) Load Balancing
      • is a proxy-based, regional Layer 7 load balancer that enables running and scaling services behind an internal IP address.
      • supports a regional backend service, which distributes HTTP and HTTPS requests to healthy backends (either instance groups containing Compute Engine VMs or NEGs containing GKE containers).
      • supports path based routing
      • preserves the Host header of the original client request and also appends two IP addresses (Client and LB )to the X-Forwarded-For header
      • supports a regional health check that periodically monitors the readiness of the backends.
      • has native support for the WebSocket protocol when using HTTP or HTTPS as the protocol to the backend
    • External HTTP(S) Load Balancing
      • is a global, proxy-based Layer 7 load balancer that enables running and scaling the services worldwide behind a single external IP address
      • distributes HTTP and HTTPS traffic to backends hosted on Compute Engine and GKE
      • offers global (cross-regional) and regional load balancing
      • supports content-based load balancing using URL maps
      • preserves the Host header of the original client request and also appends two IP addresses (Client and LB) to the X-Forwarded-For header
      • supports connection draining on backend services
      • has native support for the WebSocket protocol when using HTTP or HTTPS as the protocol to the backend
      • client certificate-based authentication (mutual TLS) was not originally supported; the global external Application Load Balancer now supports frontend mTLS through Certificate Manager trust configs.
    • Internal TCP/UDP Load Balancing
      • is a managed, internal, pass-through, regional Layer 4 load balancer that enables running and scaling services behind an internal IP address
      • distributes traffic among VM instances in the same region in a Virtual Private Cloud (VPC) network by using an internal IP address.
      • provides high-performance, pass-through Layer 4 load balancer for TCP or UDP traffic.
      • routes original connections directly from clients to the healthy backends, without any interruption.
      • does not terminate SSL; TLS connections pass through and are terminated by the backends instead of by the load balancer
      • provides access through VPC Network Peering, Cloud VPN or Cloud Interconnect
      • supports health check that periodically monitors the readiness of the backends.
    • External TCP/UDP Network Load Balancing
      • is a managed, external, pass-through, regional Layer 4 load balancer that distributes TCP or UDP traffic originating from the internet among VM instances in the same region
      • Load-balanced packets are received by backend VMs with their source IP unchanged.
      • Load-balanced connections are terminated by the backend VMs. Responses from the backend VMs go directly to the clients, not back through the load balancer.
      • scope of a network load balancer is regional, not global. A network load balancer cannot span multiple regions. Within a single region, the load balancer services all zones.
      • supports connection tracking table and a configurable consistent hashing algorithm to determine how traffic is distributed to backend VMs.
      • target-pool-based network load balancers don’t support network endpoint groups (NEGs) as backends; backend-service-based ones support instance groups and zonal NEGs with GCE_VM_IP endpoints
    • External SSL Proxy Load Balancing
      • is a reverse proxy load balancer that distributes SSL traffic coming from the internet to VM instances in the VPC network.
      • with SSL traffic, user SSL (TLS) connections are terminated at the load balancing layer, and then proxied to the closest available backend instances by using either SSL (recommended) or TCP.
      • supports global load balancing with the Premium Tier and regional load balancing with the Standard Tier
      • is intended for non-HTTP(S) traffic. For HTTP(S) traffic, GCP recommends using HTTP(S) Load Balancing.
      • supports proxy protocol header to preserve the original source IP addresses of incoming connections to the load balancer
      • does not support client certificate-based authentication, also known as mutual TLS authentication.
    • External TCP Proxy Load Balancing
      • is a reverse proxy load balancer that distributes TCP traffic coming from the internet to VM instances in the VPC network
      • terminates traffic coming over a TCP connection at the load balancing layer, and then forwards to the closest available backend using TCP or SSL
      • use a single IP address for all users worldwide and automatically routes traffic to the backends that are closest to the user
      • supports global load balancing with the Premium Tier and regional load balancing with the Standard Tier
      • supports proxy protocol header to preserve the original source IP addresses of incoming connections to the load balancer

Cloud CDN

  • caches website and application content closer to the user
  • uses Google’s global edge network to serve content closer to users, which accelerates the websites and applications.
  • works with external HTTP(S) Load Balancing to deliver content to the users
  • Cloud CDN content can be sourced from various types of backends
    • Instance groups
    • Zonal network endpoint groups (NEGs)
    • Serverless NEGs: One or more App Engine, Cloud Run, or Cloud Functions services
    • Internet NEGs, for endpoints that are outside of Google Cloud (also known as custom origins)
    • Buckets in Cloud Storage
  • With Google Cloud Armor in front of Cloud CDN, security policies are enforced only for requests that reach the origin: dynamic content, cache misses, and other origin-bound requests. A cache hit is served from the edge even if the Cloud Armor policy would block that client from reaching the origin, so blocking an IP or signature after content has been cached does not stop that client from receiving already-cached objects until they expire or are invalidated.
  • recommends
    • using versioned URLs instead of cache invalidation
    • using custom cache keys to improve the cache hit ratio
    • caching only static content, with Cache-Control headers that keep per-user responses out of the cache
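The Cloud Armor ordering above is easy to misjudge, so here is an added walk-through of it as a constructed in-memory edge model written for this page: cache lookup first, policy only on the origin path. It is not Google’s code and ignores real cache keys, TTLs and negative caching; the client address, paths and origin responses are made up.

```python
"""Edge request handling in the order the page describes: cache lookup before
the Cloud Armor policy, which only sees requests bound for the origin.

Added example for this page with a constructed cache, policy and origin.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Edge:
    blocked_ips: Set[str]
    cache: Dict[str, str] = field(default_factory=dict)
    origin_requests: int = 0

    def origin(self, path: str) -> Tuple[str, str]:
        """Constructed origin: static assets are cacheable, account pages are not."""
        self.origin_requests += 1
        if path.startswith("/static/"):
            return f"asset {path}", "public, max-age=3600"
        return f"private page {path}", "private, no-store"

    def handle(self, client_ip: str, path: str) -> Tuple[int, str]:
        """Return (status, served_by). A cache hit is answered before any policy check."""
        if path in self.cache:
            return 200, "cache"
        if client_ip in self.blocked_ips:        # Cloud Armor: evaluated on the origin path only
            return 403, "armor"
        body, cache_control = self.origin(path)
        if "no-store" not in cache_control and "private" not in cache_control:
            self.cache[path] = body
        return 200, "origin"

    def invalidate(self, path: str) -> None:
        """Explicit invalidation (or expiry) is the only way an already cached
        object stops being served to a newly blocked client."""
        self.cache.pop(path, None)


def scenario() -> List[Tuple[int, str]]:
    """Block a client after it has warmed the cache and watch what it still gets."""
    edge = Edge(blocked_ips=set())
    attacker = "198.51.100.7"                              # constructed client address
    events = [edge.handle(attacker, "/static/app.js")]     # miss: origin, now cached
    edge.blocked_ips.add(attacker)                         # operator blocks the client
    events.append(edge.handle(attacker, "/static/app.js")) # hit: served despite the block
    events.append(edge.handle(attacker, "/account/me"))    # origin-bound: blocked
    edge.invalidate("/static/app.js")
    events.append(edge.handle(attacker, "/static/app.js")) # miss again: blocked
    return events


if __name__ == "__main__":
    for status, served_by in scenario():
        print(status, served_by)
```

The second request is the point: the block takes effect only for cache misses, which is why sensitive responses must carry no-store or private cache headers rather than rely on a later Cloud Armor rule, and why versioned URLs (the page’s recommendation) are preferable to invalidation for routine changes.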

Cloud VPN

  • securely connects the peer network to the VPC network or two VPCs in GCP through an IPsec VPN connection.
  • encrypts the data as it travels over the internet.
  • only supports site-to-site IPsec VPN connectivity and not client-to-gateway scenarios
  • allows users to access private RFC1918 addresses on resources in the VPC from on-prem computers also using private RFC1918 addresses.
  • can be used with Private Google Access for on-premises hosts
  • Cloud VPN HA
    • provides a highly available and secure connection between the on-premises network and the VPC network through IPsec VPN tunnels in a single region
    • provides an SLA of 99.99% service availability, when configured with two interfaces and two external IP addresses.
  • supports up to 3Gbps per tunnel with a maximum of 8 tunnels
  • supports static as well as dynamic routing using Cloud Router
  • supports IKEv1 or IKEv2 with a pre-shared key (shared secret)

Cloud Interconnect

  • Cloud Interconnect provides two options for extending the on-premises network to the VPC networks in Google Cloud.
  • Dedicated Interconnect (Dedicated connection)
    • provides a direct physical connection between the on-premises network and Google’s network
    • requires your network to physically meet Google’s network in a colocation facility with your own routing equipment
    • supports only dynamic routing
    • supports bandwidth to 10 Gbps minimum to 200 Gbps maximum.
  • Partner Interconnect (Use a service provider)
    • provides connectivity between the on-premises and VPC networks through a supported service provider.
    • supports bandwidth to 50 Mbps minimum to 10 Gbps maximum.
    • provides Layer 2 and Layer 3 connectivity
      • For Layer 2 connections, you must configure and establish a BGP session between the Cloud Routers and on-premises routers for each created VLAN attachment
      • For Layer 3 connections, the service provider establishes a BGP session between the Cloud Routers and their edge routers for each VLAN attachment.
  • A single Interconnect connection offers no redundancy or high availability, so Google recommends
    • for 99.9% availability, 2 connections in the same metropolitan area (city) in different edge availability domains (metro availability zones)
    • for 99.99% availability, 4 connections, 2 in each of two metropolitan areas, with each pair split across edge availability domains
    • a Cloud Router in each Google Cloud region that uses the connections
  • Cloud Interconnect does not encrypt the traffic between your network and Google’s network. For confidentiality, use application-level encryption, run HA VPN over Cloud Interconnect, or use MACsec for Cloud Interconnect (on Dedicated Interconnect) for link-layer encryption.
  • Cloud VPN originally couldn’t be used with Dedicated Interconnect; HA VPN over Cloud Interconnect now provides IPsec encryption over VLAN attachments.

Cloud Router

  • is a fully distributed, managed service that provides dynamic routing and scales with the network traffic.
  • works with both legacy networks and VPC networks.
  • isn’t supported for Direct Peering or Carrier Peering connections.
  • helps dynamically exchange routes between the Google Cloud networks and the on-premises network.
  • peers with the on-premises VPN gateway or router to provide dynamic routing and exchanges topology information through BGP.
  • Google Cloud recommends creating two Cloud Routers in each region for a Cloud Interconnect for 99.99% availability.
  • follows the dynamic routing mode of its VPC network
    • Regional routing mode – Cloud Router advertises and learns routes only for its own region.
    • Global routing mode – Cloud Router advertises subnets from all regions, and learned routes apply in all regions.

Cloud DNS

  • is a high-performance, resilient, reliable, low-latency, global DNS service that publishes the domain names to the global DNS in a cost-effective way.
  • With Shared VPC, Cloud DNS managed private zone, Cloud DNS peering zone, or Cloud DNS forwarding zone must be created in the host project
  • provides Private Zones, which serve DNS only to the VPC networks you authorize to query them and are not visible from the internet
  • supports DNS Forwarding for Private Zones, which overrides normal DNS resolution for the specified zones. Queries for the specified zones are forwarded to the listed forwarding targets.
  • supports DNS Peering, which allows sending requests for records that come from one zone’s namespace to another VPC network within Google Cloud
  • supports DNS Outbound Policy, which forwards all DNS requests for a VPC network to the specified server targets. It disables internal DNS for the selected networks.
  • Cloud DNS VPC Name Resolution Order
    • DNS Outbound Server Policy
    • DNS Forwarding Zone
    • DNS Peering
    • Compute Engine internal DNS
    • Public Zones
  • supports DNSSEC, a feature of DNS, that authenticates responses to domain name lookups and protects the domains from spoofing and cache poisoning attacks