Creating VPN When Extending Local AD to Cloud

When you need to create a VPN so that our system can connect to your AD and extend it to GCP, follow these steps.

Written by Reisbel Machado

Follow these steps to create a VPN before extending your AD to the cloud.
You may also land here after an attempt to extend your AD to the cloud failed because the connection to your local AD could not be established. In that case, first check the domain credentials and the domain controller IP you provided. If both are correct and you do not have an Interconnect, create a VPN so that the cloud network can reach your local AD.
Note: if you need to set up multiple sites (regions) for redundancy or any other reason, create the VPN using IKEv2. IKEv1 supports only a single IP range per traffic selector, so it cannot carry several ranges over one tunnel.

1. When the connection has failed, refreshing your itopia dashboard shows the following alert. Click the "Create VPN" button:

2. Fill in the Name (e.g. vpn-1 or v1) and Description fields, then click the green + sign to add a new tunnel:

You will then see a screen asking for the Remote peer IP address: the public IP address of your on-premises VPN gateway (your side of the tunnel). Only static IPs are supported.

IKE version: IKEv2 is preferred, but IKEv1 is supported if that is all the peer gateway can manage (see the note above on multiple sites).

Shared secret: a unique key is generated for you. Copy it now and store it with your other credentials, because it cannot be retrieved later. The same value must be entered on your on-premises VPN gateway; the tunnel will not come up if the two sides disagree.

Remote network IP ranges: the range, or ranges, of the peer network, i.e. the on-premises network on the other side of the tunnel from the Cloud VPN gateway you are configuring (the subnet(s) containing your domain controllers).

Local IP ranges: the GCP IP ranges that will be routed through the tunnel to the peer network. Local and remote ranges must not overlap, otherwise traffic cannot be routed across the tunnel.

Once saved, it can take 5 to 10 minutes for the VPN tunnel to be created. In the meantime the VPN appears as "Pending update" in itopia CAS.

Creating the tunnel does not open any firewall rules between your on-prem network and the Google Cloud network: a tunnel that is up still drops the AD traffic until an ingress rule allows it. Firewall rules are managed in the GCP console.

To allow traffic from your on-site network you will need to log into the Google Cloud console and create 2 firewall rules.

Go to Firewall rules under VPC network (and make sure the right project is selected at the top):

Once in the Firewall rules page, click on Create Firewall Rule at the top of the page:

When creating the firewall rule, give it a name, make sure the direction of traffic is Ingress, select Allow in the Action on match section, enter your on-premises source IP range(s) and either allow all ports or select the ports you want to allow. Allowing all ports works, but it exposes every service in the VPC to the on-prem network; restricting the rule to the ports AD actually needs (DNS 53, Kerberos 88 and 464, RPC 135 plus the dynamic RPC range, LDAP 389, SMB 445, LDAPS 636, Global Catalog 3268-3269, NTP 123) is the safer choice. Below is a screenshot showing most of those options filled in or selected:

Once you click Create, Google creates the firewall rule and traffic is allowed from the source range(s) you entered, and only on the ports you selected.
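The same tunnel and firewall rule can be expressed as gcloud commands, which is useful when the console steps above have to be repeated for a second site or reviewed by someone else. The script below is an added example written for this article and is not itopia's own code; it builds the Classic VPN tunnel and ingress-rule commands as strings (it never calls gcloud) and encodes the checks the steps above rely on: the peer must be a public static IP, IKEv1 cannot carry more than one range per traffic selector, and local and remote ranges must not overlap. The names (ad-vpn-tunnel, ad-vpn-gw, allow-onprem-to-ad), the region and all IP ranges are assumptions; the gateway itself and its forwarding rules are assumed to exist already.

```python
"""Build and sanity-check gcloud commands for the AD-to-GCP VPN and firewall rule.

Added example, not itopia's code.  Names, region and IP ranges are assumptions.
Nothing here calls gcloud: each function returns a command string for review.
"""
import ipaddress
import secrets

# A peer inside any of these ranges cannot be reached over the Internet:
# RFC 1918, CGNAT (RFC 6598), loopback and link-local.  Listed explicitly
# because ipaddress.is_private also flags the documentation ranges used below.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16")]

# Ports a domain-joined host needs to reach a domain controller.  Narrower
# than "allow all ports" while still covering join, logon and replication.
AD_RULES = ("tcp:53,udp:53,tcp:88,udp:88,udp:123,tcp:135,tcp:389,udp:389,"
            "tcp:445,tcp:464,udp:464,tcp:636,tcp:3268,tcp:3269,tcp:49152-65535")


def validate_tunnel(peer_ip, local_ranges, remote_ranges, ike_version):
    """Return a list of problems; an empty list means the tunnel can be created."""
    problems = []
    peer = ipaddress.ip_address(peer_ip)
    if any(peer in net for net in NON_ROUTABLE):
        problems.append(f"peer {peer_ip} is not a public address; "
                        "the remote peer must be a static public IP")
    local = [ipaddress.ip_network(r) for r in local_ranges]
    remote = [ipaddress.ip_network(r) for r in remote_ranges]
    if ike_version == 1 and (len(local) > 1 or len(remote) > 1):
        problems.append("IKEv1 allows one IP range per traffic selector; "
                        "use IKEv2 for multiple ranges")
    for lnet in local:
        for rnet in remote:
            if lnet.overlaps(rnet):
                problems.append(f"local range {lnet} overlaps remote range {rnet}; "
                                "traffic cannot be routed")
    return problems


def new_shared_secret():
    """Pre-shared key for both ends of the tunnel; record it, it is not retrievable later."""
    return secrets.token_urlsafe(32)


def tunnel_command(name, region, gateway, peer_ip, shared_secret,
                   local_ranges, remote_ranges, ike_version=2):
    """Classic VPN tunnel creation command; raises if the inputs fail validation."""
    problems = validate_tunnel(peer_ip, local_ranges, remote_ranges, ike_version)
    if problems:
        raise ValueError("; ".join(problems))
    return (f"gcloud compute vpn-tunnels create {name} --region {region} "
            f"--target-vpn-gateway {gateway} --peer-address {peer_ip} "
            f"--ike-version {ike_version} --shared-secret {shared_secret} "
            f"--local-traffic-selector {','.join(local_ranges)} "
            f"--remote-traffic-selector {','.join(remote_ranges)}")


def firewall_command(name, network, source_ranges, rules=AD_RULES):
    """Ingress ALLOW rule for on-prem sources.  rules='all' reproduces the
    console's 'allow all ports' option; the default restricts to AD ports."""
    for r in source_ranges:
        ipaddress.ip_network(r)  # reject typos before they reach gcloud
    return (f"gcloud compute firewall-rules create {name} --network {network} "
            f"--direction INGRESS --action ALLOW --rules {rules} "
            f"--source-ranges {','.join(source_ranges)}")


if __name__ == "__main__":
    # Constructed sample: two on-prem sites behind one peer, so IKEv2 is required.
    psk = new_shared_secret()
    print(tunnel_command("ad-vpn-tunnel", "us-central1", "ad-vpn-gw", "203.0.113.10",
                         psk, ["10.128.0.0/20"], ["192.168.1.0/24", "192.168.2.0/24"]))
    print(firewall_command("allow-onprem-to-ad", "default",
                           ["192.168.1.0/24", "192.168.2.0/24"]))
```

Run it, review the printed commands, and then execute them in a shell where you are logged in to the right project. Note that passing `--shared-secret` on the command line leaves the key in your shell history; clear it afterwards or enter the secret through the console instead.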
