Console
Start free

gcloud compute vpn-tunnels create

NAME
gcloud compute vpn-tunnels create - create a VPN tunnel
SYNOPSIS
gcloud compute vpn-tunnels create NAME --shared-secret=SHARED_SECRET (--peer-address=PEER_ADDRESS     | --peer-external-gateway=PEER_EXTERNAL_GATEWAY     | --peer-gcp-gateway=PEER_GCP_GATEWAY     | --peer-gcp-gateway-region=PEER_GCP_GATEWAY_REGION) (--target-vpn-gateway=TARGET_VPN_GATEWAY     | --target-vpn-gateway-region=TARGET_VPN_GATEWAY_REGION     | --vpn-gateway=VPN_GATEWAY     | --vpn-gateway-region=VPN_GATEWAY_REGION) [--description=DESCRIPTION] [--ike-version=IKE_VERSION] [--interface=INTERFACE] [--local-traffic-selector=CIDR,[CIDR,…]] [--peer-external-gateway-interface=PEER_EXTERNAL_GATEWAY_INTERFACE] [--phase1-dh=GROUPS,[GROUPS,…]] [--phase1-encryption=ALGORITHMS,[ALGORITHMS,…]] [--phase1-integrity=ALGORITHMS,[ALGORITHMS,…]] [--phase1-prf=PSEUDORANDOM FUNCTIONS,[…]] [--phase2-encryption=ALGORITHMS,[ALGORITHMS,…]] [--phase2-integrity=ALGORITHMS,[ALGORITHMS,…]] [--phase2-pfs=ALGORITHMS,[ALGORITHMS,…]] [--region=REGION] [--remote-traffic-selector=CIDR,[CIDR,…]] [--resource-manager-tags=[KEY=VALUE,…]] [--router=ROUTER] [--router-region=ROUTER_REGION] [GCLOUD_WIDE_FLAG]
DESCRIPTION
gcloud compute vpn-tunnels create is used to create a Classic VPN tunnel between a target VPN gateway in Google Cloud Platform and a peer address; or create Highly Available VPN tunnel between HA VPN gateway and another HA VPN gateway, or Highly Available VPN tunnel between HA VPN gateway and an external VPN gateway.
POSITIONAL ARGUMENTS
NAME
Name of the VPN Tunnel to create.
REQUIRED FLAGS
--shared-secret=SHARED_SECRET
Shared secret consisting of printable characters. Valid arguments match the regular expression [ -~]+
Exactly one of these must be specified:
--peer-address=PEER_ADDRESS
Valid IPV4 address representing the remote tunnel endpoint, the peer address must be specified when creating Classic VPN tunnels from Classic Target VPN gateway
--peer-external-gateway=PEER_EXTERNAL_GATEWAY
Peer side external VPN gateway representing the remote tunnel endpoint, this flag is used when creating HA VPN tunnels from Google Cloud to your external VPN gateway.Either --peer-external-gateway or --peer-gcp-gateway must be specified when creating VPN tunnels from High Available VPN gateway.
--peer-gcp-gateway=PEER_GCP_GATEWAY
Reference to the peer side Highly Available VPN gateway.
--peer-gcp-gateway-region=PEER_GCP_GATEWAY_REGION
Region of the VPN Gateway to operate on. Should be the same as region, if not specified, it will be automatically set. Overrides the default compute/region property value for this command invocation.
Exactly one of these must be specified:
--target-vpn-gateway=TARGET_VPN_GATEWAY
A reference to a Cloud VPN Classic Target VPN Gateway.
--target-vpn-gateway-region=TARGET_VPN_GATEWAY_REGION
Region of the Target VPN Gateway to operate on. Should be the same as region, if not specified, it will be automatically set. Overrides the default compute/region property value for this command invocation.
--vpn-gateway=VPN_GATEWAY
Reference to a Highly Available VPN gateway.
--vpn-gateway-region=VPN_GATEWAY_REGION
Region of the VPN Gateway to operate on. Should be the same as region, if not specified, it will be automatically set. Overrides the default compute/region property value for this command invocation.
OPTIONAL FLAGS
--description=DESCRIPTION
An optional, textual description for the VPN tunnel.
--ike-version=IKE_VERSION
Internet Key Exchange protocol version number. Default is 2. IKE_VERSION must be one of: 1, 2.
--interface=INTERFACE
Numeric interface ID of the VPN gateway with which this VPN tunnel is associated. This flag is required if the tunnel is being attached to a Highly Available VPN gateway. This option is only available for use with Highly Available VPN gateway and must be omitted if the tunnel is going to be connected to a Classic VPN gateway. INTERFACE must be one of: 0, 1.
--local-traffic-selector=CIDR,[CIDR,…]
Traffic selector is an agreement between IKE peers to permit traffic through a tunnel if the traffic matches a specified pair of local and remote addresses.

--local-traffic-selector allows to configure the local addresses that are permitted. The value should be a comma separated list of CIDR formatted strings. Example: 192.168.0.0/16,10.0.0.0/24.

Local traffic selector must be specified only for VPN tunnels that do not use dynamic routing with a Cloud Router. Omit this flag when creating a tunnel using dynamic routing, including a tunnel for a Highly Available VPN gateway.
--peer-external-gateway-interface=PEER_EXTERNAL_GATEWAY_INTERFACE
Interface ID of the external VPN gateway to which this VPN tunnel is connected to. This flag is required if the tunnel is being created from a Highly Available VPN gateway to an External Vpn Gateway. PEER_EXTERNAL_GATEWAY_INTERFACE must be one of: 0, 1, 2, 3.
--phase1-dh=GROUPS,[GROUPS,…]
Phase 1 Diffie-Hellman groups.
--phase1-encryption=ALGORITHMS,[ALGORITHMS,…]
Phase 1 encryption algorithms.
--phase1-integrity=ALGORITHMS,[ALGORITHMS,…]
Phase 1 integrity algorithms.
--phase1-prf=PSEUDORANDOM FUNCTIONS,[…]
Phase 1 pseudorandom functions.
--phase2-encryption=ALGORITHMS,[ALGORITHMS,…]
Phase 2 encryption algorithms.
--phase2-integrity=ALGORITHMS,[ALGORITHMS,…]
Phase 2 integrity algorithms.
--phase2-pfs=ALGORITHMS,[ALGORITHMS,…]
Phase 2 perfect forward secerecy algorithms.
--region=REGION
Region of the VPN Tunnel to create. If not specified, you might be prompted to select a region (interactive mode only).

To avoid prompting when this flag is omitted, you can set the compute/region property: 

gcloud config set compute/region REGION

A list of regions can be fetched by running: 

gcloud compute regions list

To unset the property, run: 

gcloud config unset compute/region
 Alternatively, the region can be stored in the environment variable CLOUDSDK_COMPUTE_REGION.
--remote-traffic-selector=CIDR,[CIDR,…]
Traffic selector is an agreement between IKE peers to permit traffic through a tunnel if the traffic matches a specified pair of local and remote addresses.

--remote-traffic-selector allows to configure the remote addresses that are permitted. The value should be a comma separated list of CIDR formatted strings. Example: 192.168.0.0/16,10.0.0.0/24.

Remote traffic selector must be specified for VPN tunnels that do not use dynamic routing with a Cloud Router. Omit this flag when creating a tunnel using dynamic routing, including a tunnel for a Highly Available VPN gateway.
--resource-manager-tags=[KEY=VALUE,…]
A comma-separated list of Resource Manager tags to apply to the VPN tunnel.
--router=ROUTER
Router to use for dynamic routing.
--router-region=ROUTER_REGION
Region of the router to operate on. If not specified, you might be prompted to select a region (interactive mode only).

To avoid prompting when this flag is omitted, you can set the compute/region property: 

gcloud config set compute/region REGION

A list of regions can be fetched by running: 

gcloud compute regions list

To unset the property, run: 

gcloud config unset compute/region
 Alternatively, the region can be stored in the environment variable CLOUDSDK_COMPUTE_REGION.
GCLOUD WIDE FLAGS
These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.

Run $ gcloud help for details.

NOTES
These variants are also available: 
gcloud alpha compute vpn-tunnels create
 
gcloud beta compute vpn-tunnels create
 
gcloud preview compute vpn-tunnels create