
Connecting your Metal VLAN to GCP

Connect your VLAN to GCP via Equinix Fabric and layer 3 routing

In this guide, you will learn how to connect your Equinix Metal VLAN to a VPC that you own on Google Cloud Platform (GCP).

Architecture

Before we get started, take a look at the architecture of the completed connection:

Architecture of the VLAN to GCP connect

On the GCP side is a VPC with multiple subnets. The IP address range for the VPC, and for each of the subnets, is as assigned by you. The VPC connects with the rest of the world via the VPC Cloud Router.

On the Equinix Metal side is a VLAN with IP addresses assigned by you as well. The VLAN may or may not connect to standard Equinix Metal Layer 3 networking via an Equinix Metal Gateway.

The VLAN is connected to an Equinix Metal Gateway, which is connected to an instance of Equinix Metal Virtual Routing and Forwarding (VRF). VRF is connected to an Equinix Fabric Virtual Connection (VC). The VC is connected on one end to the VRF, and on the other end to the VLAN Attachments and then to the VPC Cloud Router.

Prerequisites

The prerequisites for connecting your VLAN to your GCP VPC are:

  • A GCP account
  • A VPC created in your GCP account
  • An Equinix Metal account, with a project in it
  • A VLAN deployed to your Equinix Metal project
  • Configuration information

The configuration information is the following:

| Item | Purpose | Example Values |
|---|---|---|
| GCP Subnets | CIDR ranges for the subnets | 10.30.10.0/24, 10.30.20.0/24, 10.30.30.0/24 |
| Metal VRF | CIDR range for the VRF | 10.50.0.0/16 |
| Metal VLAN | CIDR range for the VLAN, which must be within the VRF range | 10.50.10.0/24 |
| GCP ASN | The Autonomous System Number for the GCP side; this is fixed by Google | 16550 |
| Metal ASN | The Autonomous System Number for the Metal side | 64600 |
| Primary VC IP | IPs within the primary VC subnet to assign to each side | Assigned by Google Cloud upon VLAN attachment creation |
| Secondary VC IP | IPs within the secondary VC subnet to assign to each side | Assigned by Google Cloud upon VLAN attachment creation |
| MD5 password | A password to use for BGP peering, MD5-hashed | Clear text of "What A Great Guide!", hashed to dbc29529874661f92e089593c8adc10b |

See the GCP documentation, as well as the Google Cloud training course for help setting up the GCP components. When complete, you should have your account, a VPC with a Cloud Router, and subnets in that VPC.

For Equinix Metal, we have guides to help with setting up your account, organization and project.

Once you have your project, in the Console, select Networking:

Select Networking from the Console

Then select VLANs:

Select VLANs from the Networking menu

Then click the "Add a VLAN" button:

Add VLAN

In the dialog that appears, pick a Metro and any VLAN ID that is convenient for you, or let Metal pick it automatically. For our example, we will use VLAN ID 200 in Washington. We are using Washington, because it is the same metro where GCP's us-east4 region is located.

Add VLAN Details

Deploy VRF

With the VLAN in place, you now need a VRF that will be used to connect to Equinix Fabric. The VRF is under "Networking", like "VLANs". Click on "Virtual Routing and Forwarding":

VRF

Then click "Create Virtual Router":

Create VRF

In order to create the Virtual Router, you need a few pieces of information:

  • A name for the VRF. It doesn't have any inherent meaning; it just needs to be useful to you. We will call it "Cloud".
  • The Metro. This must be the same metro as the VLAN you are connecting to. In our case, it is Washington.
  • The ASN. This is the Metal-side ASN we selected earlier, 64600.
  • The "allowed IP ranges". These are CIDR ranges that will be "behind" the VRF on the Metal side. Whatever ranges you pick here, these are the ranges that the VRF will tell Fabric, "send those addresses to me, I can handle them." This must include:
    • CIDRs used for Metal Gateways; we use the range we reserved earlier 10.50.0.0/16
    • CIDRs used for subnets for the Fabric VCs; these are generated automatically by Google Cloud, so we will add them later.

Create VRF

Click the Create Virtual Router button when you're finished.

Once the VRF is created, you need to reserve IP ranges to use from within the allowed IP ranges. For this particular VLAN we use the range we described above, 10.50.10.0/24, which is within the larger VRF allowed IP ranges.

In the console, click on the VRF:

Select VRF

This brings up the VRF details. Click "Add IP Reservation":

Add IP Reservation

Then enter the range 10.50.10.0/24 and click "Submit Request":

Add IP Reservation Details

Deploy Equinix Metal Gateway

We now have a VLAN and a VRF. Let's create a Metal Gateway to link them together. "Metal Gateway" is under "Networking", like "VLANs" and "Virtual Routing and Forwarding". Click on "Metal Gateways":

Metal Gateway

Then click "Create a Metal Gateway":

Create Metal Gateway

In order to create the Metal Gateway, you need a few pieces of information:

  • The Metro. This must be the same metro as the VLAN you are connecting to. In our case, it is Washington.
  • The VLAN. This is the VLAN that the Metal Gateway will connect to. We will use VLAN 200 which we created earlier.
  • The IP block. This is one of a reserved public IPv4 range, a private IPv4 range, or a VRF IP range. Since we are connecting to a VRF, we will pick "VRF IP", and then the IP address reservation from the VRF.

Create Metal Gateway

Deploy Fabric Virtual Connection

There are several steps to deploying the Fabric Virtual Connection (VC):

  1. Create the connection in Equinix Metal to Fabric
  2. Create the Cloud Router and VLAN attachment in GCP
  3. Create the Fabric VC
  4. Update Equinix Metal with the GCP details

Create the connection in Equinix Metal to Fabric

From the left navigation bar, select Interconnections:

Interconnections

Then click the "Request a new interconnection" button:

Request Interconnection

There are two kinds of interconnection you can request, AWS Direct Connect and Request Interconnection. Since we are not connecting to AWS, select the "Request Interconnection" button:

Selecting the Interconnection to request

The next screen has two interconnection options: Fabric VC and Dedicated Port. Dedicated Port covers connecting a Metal VLAN directly to a port in an Equinix colocation data center. You can connect directly to a port using Metal interconnections, as well as via Fabric. Since this guide is focused on connecting to GCP, we will use Fabric VC.

If you are interested in learning more about dedicated ports, please see our dedicated ports documentation, also available via the link in the "Dedicated Ports" box on the console.

Request Fabric VC

There are two kinds of Fabric VC, Metal-billed and Fabric-billed. Either can be useful for this kind of interconnection, but we will use the Metal-billed one. Read the interconnections documentation for more information on the differences.

Metal-billed

To create the connection, you need a few pieces of information:

  • A name for the connection. It doesn't have any inherent meaning; it just needs to be useful to you. We will call it "GCP."
  • The Metro. This must be the same metro as the VRF you are connecting to. In our case, it is Washington.
  • The connection speed. Higher speeds have a higher cost. Since we are just creating a basic connection, we will use the lowest speed, 50Mbps. You can select a higher one if you need it.
  • Single vs redundant. Each connection is exactly that, a single connection. If there are issues anywhere along the line, whether hardware issues such as a port on the GCP or Equinix end, or software problems, your connection will be out of service, at least until it is fixed. Like all good networking, you should plan for redundancy. We will use a redundant connection for this example.
  • Connect to VLAN or VRF. The VC is a layer 2 connection between layer 3 routers with BGP support on each side. On the cloud provider side, the layer 3 routing is provided for you. On the Metal side, you can set up the layer 3 routing and BGP manually with software on Metal devices and additional VLANs connected directly to the VC, or you can let Metal do all of that for you with a VRF. We will use a VRF connection for this example.
  • Primary and secondary connections. Since we selected redundant connections, we need to specify where each of the two connections attaches on the Equinix Metal side. In the case of a VLAN, that would require two distinct VLANs. Since we are using VRF, which is Virtual Routing and Forwarding, we can use the same VRF for both connections. This is a key advantage of VRF connections over VLAN connections. We will use our "Cloud" VRF for both.

Create interconnection details

Click the "Submit Request" button.

Once the request is submitted, you need two things:

  1. An email to your address telling you that the service token is ready to use. You should get two such emails, one for each of the redundant connections. You know it is ready by the "Service Token Status" line.
  2. The service token itself. This is a long string of characters that you will need to create the Fabric VC to Equinix Metal. It will appear in the emails, as well as in the console after you submit your request.

Service Tokens

If you click Interconnections, you now will see the connection in the list under "Fabric VCs," with a status of "Pending," which eventually will change to "Ready" when all of the other steps are done.

You will need to update details of this connection. However, you do not have all of the information until the connection is complete from the Google Cloud side. We will come back to this later.

Create the Cloud Router and VLAN Attachment in GCP

In GCP, a Cloud Router is a virtual router that connects your VPC in a particular region to the rest of the world, including Interconnect connections.

You may already have a Cloud Router created for your VPC. If not, create one now.

In the search box, enter "Network Connectivity Center" and select it:

Network Connectivity Center

Then click Cloud Routers in the left navigation bar:

Cloud Routers

Then click the Create Router tab:

Create Cloud Router

Fill in the details for the Cloud Router:

  • Name: pick a representative name, such as "gcp-fabric"
  • Network: select the VPC you are connecting to
  • Region: select the region of the VPC, in our case, us-east4
  • Google ASN: enter the ASN for the Google side, in our case, 16550.
  • BGP identifier: leave blank
  • Advertised routes: select all subnets, which is the default

Click the "Create" button.

Create Cloud Router

With the Cloud Router in place, you can create a VLAN attachment. VLAN attachments are part of the Interconnect section of the Network Connectivity Center.

Click Interconnect in the left navigation bar:

VLAN Attachments

Then click the "Create VLAN Attachments" button:

Create VLAN Attachments

There are three kinds of VLAN attachments, depending on what will be on the other end of the connection. Because Equinix and Google Cloud partner, you can use the Partner Interconnect connection, so select that.

In the section Encrypt interconnect, you can set up the interconnect with a highly-available VPN. We do not need that for this guide, so leave it as Set up unencrypted interconnect.

Create VLAN Attachments

Click the "Continue" button.

You already have a service provider - Equinix Fabric - so select the "I already have a service provider" button.

Create VLAN Attachments - Service Provider

Select the following options:

  • "Create a redundant pair of VLAN attachments": This will open up two attachments, which will provide for redundant connections.
  • Network: Select the VPC you are connecting to.
  • Region: Select the region of the VPC, in our case, us-east4.
  • VLAN A: this is the first of the two attachments in the redundant pair.
    • Cloud Router: pick the Cloud Router you already have, or the one created above.
    • VLAN attachment name: enter a name that represents VLAN A; in our case, we will use gcp-fabric-vlan-a.
    • IP stack type: select either dual IPv4/IPv6, or leave as just IPv4. For the purposes of this guide, we will use IPv4 only.
    • MTU: set the same as the VPC.
  • VLAN B: this is the second of the two attachments in the redundant pair.
    • Cloud Router: pick the Cloud Router you already have, or the one we created above.
    • VLAN attachment name: enter a name that represents VLAN B; in our case, we will use gcp-fabric-vlan-b.
    • IP stack type: select either dual IPv4/IPv6, or leave as just IPv4. For the purposes of this guide, we will use IPv4 only.
    • MTU: set the same as the VPC.

Create VLAN Attachments

Click the "Create" button.

GCP now should give you pairing keys. These are keys that you will need to provide to Equinix Fabric to create the connections. Save both of them.

To keep things simple, we will enable pre-activation of the VLAN attachments. This means that the attachments will be ready to use as soon as the connections are created. You may choose to do otherwise. Check the box for "Enable pre-activation".

Click OK.

Pairing Keys

You now have a pair of VLAN attachments, ready to be connected to Equinix Fabric.

VLAN Attachments Pending

Create the Fabric VC

In this section, you'll create a Fabric VC between the VRF on Metal and the VLAN attachments in GCP.

Log in to the Fabric console at https://fabric.equinix.com.

Once you are logged in, you will see the Equinix Fabric portal:

Fabric Portal

On the top menu bar, go to "Connections" and "Create Connection":

Create Connection

There are three main options for a connection: A Service Provider, An Equinix Fabric Customer, and My Own Assets. Click A Service Provider, then in the search box, type "Google". This will filter the options below to just a few. Select Google Cloud Platform and click Quick Connect.

GCP Connection

Enter the following information:

  • The connection type, in our case, Redundant.
  • Your primary and secondary Google Cloud pairing keys. You retrieved these from the GCP console earlier.
  • The destination, which should be the same region as our Equinix Metro. Since we deployed to the Equinix Washington metro, we select Ashburn (us-east4).
  • Check "Use the same destination for both Connections".

Click Next.

GCP Connection Details

In the next step, configure the connection type. Since the interconnection request gave us a pair of service tokens, under "Origin Asset Type" select "Service Token."

Service Token

Click Enter Primary Service Token, which opens up the details window. Enter your first service token, and click "Enter Service Token."

Primary Service Token

Repeat the process for your secondary service token.

When you're done, you should have a page that looks like this:

Service tokens entered

Enter a name for each of the connections and select bandwidth to match what you selected earlier. For our example, we selected "Metal-VRF-GCP-primary" and "Metal-VRF-GCP-secondary" and 50Mbps for each.

Click Next.

Service tokens and details

Review the details and click "Create Connection."

Review connection info

You now should have a page showing the connections created.

Connection created

If you selected "Enable pre-activation" when setting up the VLAN attachments in GCP, the connections should be ready to use. If not, you will need to activate them in GCP. The official Google Cloud documentation describes what pre-activation is and how it works.

These may take a few minutes to complete. You can check the status by clicking on the connection, which shows the details:

Connection details

Update Equinix Metal with the GCP details

Before you can add the GCP details in Equinix Metal, you need to retrieve the IP addresses for the VLAN attachments.

In the Google Cloud console, click the first attachment:

VLAN Attachment A

Then select Edit BGP Session:

Edit BGP Session

This brings up the BGP session details.

  • "Peer ASN": ASN of the Equinix side, which we selected earlier: 64600.
  • "Cloud Router BGP IP": IP of the GCP side. Save this for later, as you will need to enter it into Equinix Metal. In our example, 169.254.230.161.
  • "BGP Peer IP": IP of the Equinix side. Save this for later, as you will need to enter it into Equinix Metal. In our example, 169.254.230.162.
  • "Advanced options": Open this section up:
    • "MD5 Authentication": enable this.
    • "MD5 Authentication Key": use the key we generated earlier, dbc29529874661f92e089593c8adc10b.

Leave the rest of the options as they are, and click Save and Continue.

Edit BGP Session Details

Repeat the process with the second VLAN attachment:

  • "Peer ASN": ASN of the Equinix side, which we selected earlier, 64600.
  • "Cloud Router BGP IP": IP of the GCP side. Save this for later, as you will need to enter it into Equinix Metal. In our example, 169.254.22.185.
  • "BGP Peer IP": IP of the Equinix side. Save this for later, as you will need to enter it into Equinix Metal. In our example, 169.254.22.186.
  • "Advanced options": Open this section up:
    • "MD5 Authentication": enable this.
    • "MD5 Authentication Key": use the key we generated earlier, dbc29529874661f92e089593c8adc10b.

Leave the rest of the options as they are, and click Save and Continue.

Edit BGP Session Details

With the information from Google Cloud, specifically the IP addresses, you can now update the Metal interconnection with the peering details. Before you do, you need to add the VC IP address ranges to the allowed IP ranges of the Metal VRF.

The IP address ranges are the primary and secondary VC IPs, which you retrieved from the VLAN attachments in GCP. In our example, the IPs are:

  • Primary: 169.254.230.161 and 169.254.230.162
  • Secondary: 169.254.22.185 and 169.254.22.186

The smallest IP ranges that include each of those are:

  • Primary: 169.254.230.160/30
  • Secondary: 169.254.22.184/30

However, the smallest range the VRF accepts is a /29, and a /30 is smaller than that. So take the next size up for each:

  • Primary: 169.254.230.160/29
  • Secondary: 169.254.22.184/29
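
The subnet arithmetic above, together with the range checks implied by the configuration table, as an added example that is not part of the original guide. The addresses are the guide's example values; the dictionary keys and function names are illustrative assumptions.

```python
import ipaddress

VRF_MIN_PREFIX = 29  # smallest range the guide says the VRF accepts

# Values from this guide's configuration table and BGP session screens.
GUIDE_PLAN = {
    "vrf": "10.50.0.0/16",
    "vlan": "10.50.10.0/24",
    "gcp_subnets": ["10.30.10.0/24", "10.30.20.0/24", "10.30.30.0/24"],
    "gcp_route": "10.30.0.0/16",  # static route added on the Metal server
    "vc_peers": {  # name: (Cloud Router BGP IP, BGP Peer IP on the Metal side)
        "primary": ("169.254.230.161", "169.254.230.162"),
        "secondary": ("169.254.22.185", "169.254.22.186"),
    },
}


def peering_subnet(ip_a, ip_b):
    """Smallest subnet in which both BGP peer IPs are usable host addresses."""
    a, b = ipaddress.ip_address(ip_a), ipaddress.ip_address(ip_b)
    if a == b:
        raise ValueError("peer IPs must differ")
    for prefix in range(30, 0, -1):  # /30 is the narrowest with two hosts
        net = ipaddress.ip_network(f"{a}/{prefix}", strict=False)
        reserved = {net.network_address, net.broadcast_address}
        if b in net and not {a, b} & reserved:
            return net
    raise ValueError(f"no common subnet for {ip_a} and {ip_b}")


def vrf_allowed_range(net):
    """Range to list in the VRF allowed IP ranges: widen to /29 if narrower."""
    if net.prefixlen > VRF_MIN_PREFIX:
        return net.supernet(new_prefix=VRF_MIN_PREFIX)
    return net


def check_plan(plan):
    """Return (peering subnets, VRF allowed ranges, list of problems)."""
    vrf = ipaddress.ip_network(plan["vrf"])
    vlan = ipaddress.ip_network(plan["vlan"])
    route = ipaddress.ip_network(plan["gcp_route"])
    problems = []
    if not vlan.subnet_of(vrf):
        problems.append(f"VLAN {vlan} is outside the VRF range {vrf}")
    if route.overlaps(vrf):
        problems.append(f"route {route} overlaps the Metal range {vrf}")
    for cidr in plan["gcp_subnets"]:
        subnet = ipaddress.ip_network(cidr)
        if subnet.overlaps(vrf):
            problems.append(f"GCP subnet {subnet} overlaps the VRF range {vrf}")
        if not subnet.subnet_of(route):
            problems.append(f"GCP subnet {subnet} is not covered by route {route}")
    peering, allowed = {}, [vrf]
    for name, (gcp_ip, metal_ip) in plan["vc_peers"].items():
        net = peering_subnet(gcp_ip, metal_ip)
        wide = vrf_allowed_range(net)
        if any(wide.overlaps(other) for other in allowed):
            problems.append(f"{name} VC range {wide} overlaps another VRF range")
        peering[name] = net
        allowed.append(wide)
    return peering, allowed, problems


if __name__ == "__main__":
    peering, allowed, problems = check_plan(GUIDE_PLAN)
    for name, net in peering.items():
        print(f"{name}: peering subnet {net}")
    print("VRF allowed IP ranges:", ", ".join(str(n) for n in allowed))
    print("problems:", problems or "none")
```

The /30 values are the ones entered later as "Subnet" in the peering details; the /29 values are the ones added to the VRF.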

In the Equinix Metal console, select Networking and then Virtual Routing and Forwarding:

VRF

Click on the VRF created earlier:

Select VRF

This brings up the details of the VRF. Click Edit Virtual Router Details:

Add IP Reservation

Now add 2 new IP ranges, the larger /29 ones we identified above:

  • 169.254.230.160/29
  • 169.254.22.184/29

Click Update Virtual Router.

Add IP Reservation Details

In the Metal console, select Interconnections:

Interconnections

Click the specific connection created earlier:

Interconnections

Select the Primary Port tab:

Primary Port

At the bottom of the page, you will see the Virtual Circuits listed. Click the three bars button on the right to edit it:

Edit Virtual Circuit

This opens the "Manage Peering Details" window. Enter the following information. The ASN and MD5 Password are from our configuration table above. The Metal IP and Customer IP are from the VLAN Attachment information which we retrieved from Google Cloud. The Subnet is the smallest IP range which includes both; we calculated that at the beginning of this section.

  • "Peer ASN": GCP-side ASN 16550
  • "Subnet": Primary VC subnet 169.254.230.160/30
  • "Metal IP": IP address of the Metal side of the connection, which we retrieved from the VLAN attachment: 169.254.230.162
  • "Customer IP": IP address of the GCP side of the connection 169.254.230.161
  • "MD5 Password": dbc29529874661f92e089593c8adc10b

Click the "Update Virtual Circuit" button.

Manage Peering Details Primary

Repeat the process with Second Port, using the secondary VC subnet and IP addresses.

  • "Peer ASN": GCP-side ASN 16550
  • "Subnet": Secondary VC subnet 169.254.22.184/30
  • "Metal IP": IP address of the Metal side of the connection 169.254.22.186
  • "Customer IP": IP address of the GCP side of the connection 169.254.22.185
  • "MD5 Password": dbc29529874661f92e089593c8adc10b

Manage Peering Details Secondary

Click the "Update Virtual Circuit" button again.

You can check the status of the connection on both ends.

In the Equinix Metal console, under the Interconnection details, the connection will show Active:

Interconnection Active

In the Google Cloud console, under VLAN Attachments, the connection will show Up:

VLAN Attachments Up

Test Connection

The setup is complete, and now it's time to test the connection. We will deploy one server on each end, a Virtual Machine Instance in GCP, and a Metal server in our VLAN.

Since this is a guide on the connections, and not on deploying GCP instances or Metal servers, we won't give detailed descriptions here. For more information, refer to the Google Cloud Platform documentation or the Deploy Your First Equinix Metal Server Guide.

There are a few things to keep in mind.

For the GCP instance, ensure:

  • It is in a subnet in the VPC that has the defined Cloud Router
  • It has a public IP address
  • It allows ICMP traffic from both of the private ranges: 10.30.0.0/16 for the VPC, and 10.50.0.0/16 for the Metal VLAN; normally, this is configured in the firewall set for your VPC
  • Save the private IP of the server. In this example, GCP assigned 10.30.10.2

For the Metal server:

  1. Deploy the server normally in the Washington metro.
  2. Switch the server networking type to hybrid bonded, so you can SSH to it from the Internet while also connecting to the VLAN, then attach it to the VLAN and assign an IP address. Use the Equinix Metal hybrid bonded networking documentation for detailed instructions.
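  3. Add the route to the GCP VPC via the Metal Gateway, via ip route add <GCP subnet ranges> via <Metal Gateway>. In this example, that is ip route add 10.30.0.0/16 via 10.50.10.1.

The commands for attaching to the VLAN, assigning the IP address and adding the route, as run on the Metal server:
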
root@c3-small-x86-01:~# apt-get install vlan
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following package was automatically installed and is no longer required:
  grub-pc-bin
Use 'apt autoremove' to remove it.
The following NEW packages will be installed:
  vlan
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 10.4 kB of archives.
After this operation, 51.2 kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu jammy/universe amd64 vlan all 2.0.5ubuntu5 [10.4 kB]
Fetched 10.4 kB in 0s (41.5 kB/s)
Selecting previously unselected package vlan.
(Reading database ... 74606 files and directories currently installed.)
Preparing to unpack .../vlan_2.0.5ubuntu5_all.deb ...
Unpacking vlan (2.0.5ubuntu5) ...
Setting up vlan (2.0.5ubuntu5) ...
Processing triggers for man-db (2.10.2-1) ...
Scanning processes...
Scanning processor microcode...
Scanning linux images...

Running kernel seems to be up-to-date.

The processor microcode seems to be up-to-date.

No services need to be restarted.

No containers need to be restarted.

No user sessions are running outdated binaries.

No VM guests are running outdated hypervisor (qemu) binaries on this host.

root@c3-small-x86-01:~# modprobe 8021q

root@c3-small-x86-01:~# echo "8021q" >> /etc/modules

root@c3-small-x86-01:~# ip link add link bond0 name bond0.200 type vlan id 200

root@c3-small-x86-01:~# ip addr add 10.50.10.2/24 dev bond0.200

root@c3-small-x86-01:~# ip ro add 10.30.0.0/16 via 10.50.10.1

With everything set up, first try to ping the Metal Gateway:

root@c3-small-x86-01:~# ping 10.50.10.1
PING 10.50.10.1 (10.50.10.1) 56(84) bytes of data.
64 bytes from 10.50.10.1: icmp_seq=1 ttl=64 time=0.215 ms
64 bytes from 10.50.10.1: icmp_seq=2 ttl=64 time=0.381 ms
64 bytes from 10.50.10.1: icmp_seq=3 ttl=64 time=0.371 ms
^C
--- 10.50.10.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2050ms
rtt min/avg/max/mdev = 0.215/0.322/0.381/0.076 ms

Finally, ping the GCP instance, using the IP from earlier:

root@c3-small-x86-01:~# ping 10.30.10.2
PING 10.30.10.2 (10.30.10.2) 56(84) bytes of data.
64 bytes from 10.30.10.2: icmp_seq=1 ttl=62 time=2.16 ms
64 bytes from 10.30.10.2: icmp_seq=2 ttl=62 time=1.84 ms
64 bytes from 10.30.10.2: icmp_seq=3 ttl=62 time=1.76 ms
^C
--- 10.30.10.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 1.758/1.920/2.160/0.173 ms

Conclusion

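You've now connected your private VLAN on Equinix Metal to an external VPC on Google Cloud Platform. You've configured gateways on either side of the connection, and you have a connection between them via an Equinix Fabric Virtual Connection. This setup means the two networks can communicate over a private connection rather than across the public Internet. Because we chose "Set up unencrypted interconnect" in GCP, the interconnect itself does not encrypt the traffic it carries.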

Last updated

26 August, 2024
