
Google Cloud Hybrid Connectivity

Last updated on March 17, 2026

Google Cloud Hybrid Connectivity Cheat Sheet

  • There are several ways to extend your on-premises environment to the Google Cloud Platform.
  • You can connect your infrastructure to Google Cloud Platform (GCP) on your terms, from anywhere based on your requirements.

 

Cloud Interconnect

  • Provides low latency, highly available connections that enable you to reliably transfer data between your on-premises and Google Cloud VPCs.
  • Cloud Interconnect connections provide internal IP address communication, which means internal IP addresses are directly accessible from both networks.
  • Cloud Interconnect offers two options to extend your on-premises network to the Google Cloud Platform:
    • Dedicated Interconnect
      • Direct physical Connection to Google’s network.
    • Partner Interconnect
      • Provides connectivity through a supported service provider.
  • You can use Cloud Interconnect in combination with Private Google Access for on-premises resources so that your on-premises resources can use internal IP addresses rather than external IP addresses to reach Google APIs and services.
  • Cross-Cloud Interconnect: Direct connection to AWS, Azure, and Oracle Cloud. Managed service with high bandwidth.
  • Cross-Site Interconnect: Connect your on-premises sites to each other through Google’s network.
  • Resiliency and SLA options:
    • Critical production: 99.99% uptime SLA
    • Non-critical production: 99.9% uptime SLA
    • No SLA option available
  • Encryption options:
    • MACsec for Cloud Interconnect: Encrypt traffic between on-premises router and Google’s edge routers
    • HA VPN over Interconnect: Add IPsec encryption to Interconnect traffic
  • MTU support: VLAN attachments support 1440, 1460, 1500, and 8896 bytes; cross-site networks support 9000 bytes.
  • Custom IP address ranges: Configure specific IPs for Cloud Router and customer router ends of VLAN attachments (/29 or /30 for IPv4, /125 or /126 for IPv6).
  • Application awareness: Map outbound traffic to different classes using DSCP for traffic prioritization (business-critical vs lower priority).
  • Network Topology visualization: View Interconnect connections and VLAN attachments in Network Topology tool.
  • GRE traffic support: Terminate GRE traffic on VMs from Interconnect connections (GRE version 0 only).

 

Direct Peering

  • Direct Peering connects your on-premises network to Google services, including Google Cloud products that can be exposed via one or more public IP addresses.
  • Traffic from Google’s network to your on-premises network also takes that same connection, including traffic from VPC networks in your projects.
  • Direct Peering exists outside of Google Cloud Platform. So, unless you need to access Google Workspace applications, the recommended methods of access to Google Cloud Platform are via Dedicated Interconnect or Partner Interconnect.

 

Carrier Peering

  • Carrier Peering enables you to access Google applications, such as Google Workspace, by using a service provider to obtain enterprise-grade network services that connect your infrastructure to Google.
  • When connecting to Google through a service provider, you can get connections with higher availability and lower latency, using one or more links.

 

Cloud VPN

  • HA VPN (High Availability):
    • 99.99% SLA (99.9% for some topologies)
    • Dynamic routing only (BGP)
    • Two external IP addresses automatically assigned
    • Supports IPv6 (dual-stack and IPv6-only configurations)
    • Supports up to 250,000 packets per second per tunnel (1–3 Gbps)
  • Classic VPN:
    • 99.9% SLA
    • Static routing (policy-based or route-based)
    • Single external IP address
    • IPv4 only
  • HA VPN over Cloud Interconnect: Add IPsec encryption to Interconnect traffic for regulatory compliance.
  • Bandwidth: Each tunnel supports up to 250,000 packets per second (combined ingress/egress). Equivalent to 1–3 Gbps depending on packet size.
  • IPv6 support: Available only in HA VPN. Use IPV6_ONLY or IPV4_IPV6 stack types.
  • IKE support: IKEv1 and IKEv2 with pre-shared keys. Cipher configuration available for IKEv2 (AEAD and non-AEAD ciphers).
  • GRE traffic support: Terminate GRE traffic on VMs from VPN tunnels (GRE version 0 only).
  • Network Topology visualization: View VPN gateways and tunnels in Network Topology tool.
  • Dead Peer Detection (DPD): Automatically detects unhealthy tunnels and fails over traffic.
  • Bring Your Own IP (BYOIP): Use your own public IP addresses with Cloud VPN.
  • Restrict peer IPs: Organization policy to restrict which peer IP addresses can be used for VPN tunnels.
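An added example, not part of the original cheat sheet: a small audit that flags tunnels which miss the properties listed above (Classic VPN instead of HA VPN, IKEv1 where IKEv2 cipher configuration is unavailable, peer IPs outside an approved list). The tunnel records are constructed and shaped like `gcloud compute vpn-tunnels list --format=json` output; the allowlist and all names are assumptions.

```python
import ipaddress

# Constructed inventory. Field names follow the Compute Engine vpnTunnels
# resource; gateway names and peer IPs (documentation ranges) are made up.
SAMPLE_TUNNELS = [
    {"name": "ha-tunnel-0", "ikeVersion": 2, "peerIp": "203.0.113.10",
     "vpnGateway": "regions/us-central1/vpnGateways/ha-gw",
     "router": "regions/us-central1/routers/cr-1"},
    {"name": "legacy-tunnel", "ikeVersion": 1, "peerIp": "198.51.100.7",
     "targetVpnGateway": "regions/us-central1/targetVpnGateways/classic-gw"},
]

# Assumed list of approved on-premises peer ranges, i.e. the values a
# "restrict peer IPs" organization policy would carry.
ALLOWED_PEERS = ["203.0.113.0/28"]


def audit_tunnel(tunnel, allowed_peers):
    """Return the findings for one tunnel record (empty list = clean)."""
    findings = []
    # Classic VPN tunnels reference a targetVpnGateway; HA VPN tunnels
    # reference a vpnGateway. Classic means 99.9% SLA, one external IP,
    # static routing and IPv4 only.
    if "targetVpnGateway" in tunnel:
        findings.append("classic-vpn")
    # Cipher configuration is only offered for IKEv2.
    if tunnel.get("ikeVersion") != 2:
        findings.append("ikev1")
    peer = ipaddress.ip_address(tunnel["peerIp"])
    # An address never matches a network of the other IP version.
    if not any(peer in ipaddress.ip_network(net) for net in allowed_peers):
        findings.append("peer-not-allowlisted")
    return findings


def audit(tunnels, allowed_peers):
    """Map each tunnel name to its list of findings."""
    return {t["name"]: audit_tunnel(t, allowed_peers) for t in tunnels}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_TUNNELS, ALLOWED_PEERS).items():
        print(name, findings or "ok")
```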

 

Network Connectivity Center

  • Hub-and-spoke model to connect multiple on-premises sites and VPC networks using Google’s network as a WAN.
  • Spoke types: VPN tunnels, VLAN attachments, and router appliance instances.
  • Reduces complexity of managing multiple point-to-point connections.
  • Traffic between sites stays on Google’s private backbone.

 

Pricing

Cloud Hybrid Connectivity pricing varies by service and usage:

  • Cloud Interconnect: Charges apply for connections (Dedicated, Partner, Cross-Cloud, Cross-Site) based on capacity and location.
  • Cloud VPN: Charges apply per VPN gateway, per tunnel, and for data transfer.
  • Network Connectivity Center: Charges apply for hub processing and spoke attachments.
  • Data Transfer: Egress charges vary by destination and network tier (Premium vs Standard).

For current pricing details, refer to the official Google Cloud pricing pages for each connectivity service.

Validate Your Knowledge

Question 1

You are running VMs that are currently reaching the maximum capacity on your on-premises data center. You decided to extend your data center infrastructure to Google Cloud to accommodate new workloads. You have to ensure that the VMs that you provisioned in GCP can communicate directly with on-premises resources via a private IP range.

What should you do?

  1. Create a VPC on Google Cloud and configure it as a host for a Shared VPC.
  2. Build a custom-mode VPC. Set up VPC Network Peering between your on-premises network and your newly created VPC to establish a connection through a private IP range.
  3. Provision virtual machines on your on-premises and Google Cloud VPC networks that will serve as bastion hosts. Configure the VMs as proxy servers using public IP addresses.
  4. Set up Cloud VPN between your on-premises network to a VPC network through an IPsec VPN connection.

Correct Answer: 4

On-premises hosts can reach Google APIs and services by using Cloud VPN or Cloud Interconnect from your on-premises network to Google Cloud.

Cloud VPN

On-premises hosts can send traffic from the following types of source IP addresses:

– a private IP address, such as an RFC 1918 address

– a privately used public IP address, except for a Google-owned public IP address. (Private Google Access for on-premises hosts does not support re-using Google public IP addresses as sources in your on-premises network.)

In the following example, the on-premises network is connected to a VPC network through a Cloud VPN tunnel. Traffic from on-premises hosts to Google APIs travels through the tunnel to the VPC network. After traffic reaches the VPC network, it is sent through a route that uses the default Internet gateway as its next hop. This next hop allows traffic to leave the VPC network and be delivered to restricted.googleapis.com (199.36.153.4/30).

Hence, the correct answer is: Set up Cloud VPN between your on-premises network to a VPC network through an IPsec VPN connection.
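An added example, not part of the original explanation: a check that the route carrying 199.36.153.4/30 in a VPC still has the default Internet gateway as its next hop, as the explanation above requires. The route tables are constructed and shaped like `gcloud compute routes list --format=json` output; project, instance and route names are assumptions, and route selection is simplified to longest prefix followed by lowest priority value.

```python
import ipaddress

RESTRICTED_VIP = ipaddress.ip_network("199.36.153.4/30")  # range quoted above
GW = "projects/example-project/global/gateways/default-internet-gateway"

# Constructed route tables; every name below is made up for this example.
ROUTES_DEFAULT = [
    {"name": "default-route", "destRange": "0.0.0.0/0", "priority": 1000,
     "nextHopGateway": GW},
]
# A higher-priority default route through an appliance VM shadows the gateway.
ROUTES_SHADOWED = ROUTES_DEFAULT + [
    {"name": "via-appliance", "destRange": "0.0.0.0/0", "priority": 900,
     "nextHopInstance":
         "projects/example-project/zones/us-central1-a/instances/fw-1"},
]
# A dedicated route for the VIP range restores the expected next hop.
ROUTES_FIXED = ROUTES_SHADOWED + [
    {"name": "restricted-apis", "destRange": "199.36.153.4/30",
     "priority": 1000, "nextHopGateway": GW},
]


def winning_route(routes, dest):
    """Route that carries `dest`: longest prefix first, then lowest priority."""
    covering = []
    for route in routes:
        net = ipaddress.ip_network(route["destRange"])
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
        if net.version == dest.version and dest.subnet_of(net):
            covering.append((-net.prefixlen, route["priority"], route))
    if not covering:
        return None
    return min(covering, key=lambda c: (c[0], c[1]))[2]


def vip_uses_internet_gateway(routes):
    """True when traffic to the restricted VIP exits via the default gateway."""
    route = winning_route(routes, RESTRICTED_VIP)
    if route is None:
        return False
    return route.get("nextHopGateway", "").endswith("/default-internet-gateway")


if __name__ == "__main__":
    for label, table in [("default", ROUTES_DEFAULT),
                         ("shadowed", ROUTES_SHADOWED),
                         ("fixed", ROUTES_FIXED)]:
        print(label, vip_uses_internet_gateway(table))
```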

The option that says: Create a VPC on Google Cloud and configure it as a host for a Shared VPC is incorrect because this will only allow resources on multiple GCP projects to communicate with each other by defining a host project. This does not allow you to connect your on-premises data center to Google Cloud.

The option that says: Build a custom-mode VPC. Set up VPC Network Peering between your on-premises network and your newly created VPC to establish a connection through a private IP range is incorrect because VPC peering only connects Google VPC networks, regardless of whether they belong to the same project or organization. It will not help you establish a connection between your on-premises and GCP resources.

The option that says: Provision virtual machines on your on-premises and Google Cloud VPC networks that will serve as bastion hosts. Configure the VMs as proxy servers using public IP addresses is incorrect because bastion hosts are primarily designed for end-users to access private instances. Since we need to connect resources and not just users, using bastion hosts will not satisfy the requirement. 

References:
https://cloud.google.com/vpc/docs/private-access-options
https://cloud.google.com/vpc/docs/private-google-access-hybrid#private-vips

Note: This question was extracted from our Google Certified Associate Cloud Engineer Practice Exams.


Google Cloud Hybrid Connectivity Cheat Sheet References:

https://cloud.google.com/hybrid-connectivity
https://cloud.google.com/network-connectivity/docs/interconnect/concepts/overview
https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview
https://cloud.google.com/network-connectivity/docs/direct-peering


Written by: Jon Bonso

Jon Bonso is the co-founder of Tutorials Dojo, an EdTech startup and an AWS Digital Training Partner that provides high-quality educational materials in the cloud computing space. He graduated from Mapúa Institute of Technology in 2007 with a bachelor's degree in Information Technology. Jon holds 10 AWS Certifications and is also an active AWS Community Builder since 2020.
