HEX
Server: Apache/2.4.65 (Ubuntu)
System: Linux ielts-store-v2 6.8.0-1036-gcp #38~22.04.1-Ubuntu SMP Thu Aug 14 01:19:18 UTC 2025 x86_64
User: root (0)
PHP: 7.2.34-54+ubuntu20.04.1+deb.sury.org+1
Disabled: pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,
$ pwd: /snap/google-cloud-cli/396/help/man/man1/
Upload Files
File: //snap/google-cloud-cli/396/help/man/man1/gcloud_beta_compute_vpn-tunnels_create.1
.TH "GCLOUD_BETA_COMPUTE_VPN\-TUNNELS_CREATE" 1



.SH "NAME"
.HP
gcloud beta compute vpn\-tunnels create \- create a VPN tunnel



.SH "SYNOPSIS"
.HP
\f5gcloud beta compute vpn\-tunnels create\fR \fINAME\fR \fB\-\-shared\-secret\fR=\fISHARED_SECRET\fR (\fB\-\-peer\-address\fR=\fIPEER_ADDRESS\fR\ |\ \fB\-\-peer\-external\-gateway\fR=\fIPEER_EXTERNAL_GATEWAY\fR\ |\ \fB\-\-peer\-gcp\-gateway\fR=\fIPEER_GCP_GATEWAY\fR\ |\ \fB\-\-peer\-gcp\-gateway\-region\fR=\fIPEER_GCP_GATEWAY_REGION\fR) (\fB\-\-target\-vpn\-gateway\fR=\fITARGET_VPN_GATEWAY\fR\ |\ \fB\-\-target\-vpn\-gateway\-region\fR=\fITARGET_VPN_GATEWAY_REGION\fR\ |\ \fB\-\-vpn\-gateway\fR=\fIVPN_GATEWAY\fR\ |\ \fB\-\-vpn\-gateway\-region\fR=\fIVPN_GATEWAY_REGION\fR) [\fB\-\-description\fR=\fIDESCRIPTION\fR] [\fB\-\-ike\-version\fR=\fIIKE_VERSION\fR] [\fB\-\-interface\fR=\fIINTERFACE\fR] [\fB\-\-local\-traffic\-selector\fR=\fICIDR\fR,[\fICIDR\fR,...]] [\fB\-\-peer\-external\-gateway\-interface\fR=\fIPEER_EXTERNAL_GATEWAY_INTERFACE\fR] [\fB\-\-phase1\-dh\fR=\fIGROUPS\fR,[\fIGROUPS\fR,...]] [\fB\-\-phase1\-encryption\fR=\fIALGORITHMS\fR,[\fIALGORITHMS\fR,...]] [\fB\-\-phase1\-integrity\fR=\fIALGORITHMS\fR,[\fIALGORITHMS\fR,...]] [\fB\-\-phase1\-prf\fR=\fIPSEUDORANDOM\fR\ \fIFUNCTIONS\fR,[...]] [\fB\-\-phase2\-encryption\fR=\fIALGORITHMS\fR,[\fIALGORITHMS\fR,...]] [\fB\-\-phase2\-integrity\fR=\fIALGORITHMS\fR,[\fIALGORITHMS\fR,...]] [\fB\-\-phase2\-pfs\fR=\fIALGORITHMS\fR,[\fIALGORITHMS\fR,...]] [\fB\-\-region\fR=\fIREGION\fR] [\fB\-\-remote\-traffic\-selector\fR=\fICIDR\fR,[\fICIDR\fR,...]] [\fB\-\-router\fR=\fIROUTER\fR] [\fB\-\-router\-region\fR=\fIROUTER_REGION\fR] [\fIGCLOUD_WIDE_FLAG\ ...\fR]



.SH "DESCRIPTION"

\fB(BETA)\fR \fBgcloud beta compute vpn\-tunnels create\fR is used to create a
Classic VPN tunnel between a target VPN gateway in Google Cloud Platform and a
peer address; or create Highly Available VPN tunnel between HA VPN gateway and
another HA VPN gateway, or Highly Available VPN tunnel between HA VPN gateway
and an external VPN gateway.



.SH "POSITIONAL ARGUMENTS"

.RS 2m
.TP 2m
\fINAME\fR

Name of the VPN Tunnel to create.


.RE
.sp

.SH "REQUIRED FLAGS"

.RS 2m
.TP 2m
\fB\-\-shared\-secret\fR=\fISHARED_SECRET\fR

Shared secret consisting of printable characters. Valid arguments match the
regular expression [ \-~]+

.TP 2m

Exactly one of these must be specified:


.RS 2m
.TP 2m
\fB\-\-peer\-address\fR=\fIPEER_ADDRESS\fR

Valid IPV4 address representing the remote tunnel endpoint, the peer address
must be specified when creating Classic VPN tunnels from Classic Target VPN
gateway

.TP 2m
\fB\-\-peer\-external\-gateway\fR=\fIPEER_EXTERNAL_GATEWAY\fR

Peer side external VPN gateway representing the remote tunnel endpoint, this
flag is used when creating HA VPN tunnels from Google Cloud to your external VPN
gateway.Either \-\-peer\-external\-gateway or \-\-peer\-gcp\-gateway must be
specified when creating VPN tunnels from High Available VPN gateway.

.TP 2m
\fB\-\-peer\-gcp\-gateway\fR=\fIPEER_GCP_GATEWAY\fR

Reference to the peer side Highly Available VPN gateway.

.TP 2m
\fB\-\-peer\-gcp\-gateway\-region\fR=\fIPEER_GCP_GATEWAY_REGION\fR

Region of the VPN Gateway to operate on. Should be the same as region, if not
specified, it will be automatically set. Overrides the default
\fBcompute/region\fR property value for this command invocation.

.RE
.sp
.TP 2m

Exactly one of these must be specified:


.RS 2m
.TP 2m
\fB\-\-target\-vpn\-gateway\fR=\fITARGET_VPN_GATEWAY\fR

A reference to a Cloud VPN Classic Target VPN Gateway.

.TP 2m
\fB\-\-target\-vpn\-gateway\-region\fR=\fITARGET_VPN_GATEWAY_REGION\fR

Region of the Target VPN Gateway to operate on. Should be the same as region, if
not specified, it will be automatically set. Overrides the default
\fBcompute/region\fR property value for this command invocation.

.TP 2m
\fB\-\-vpn\-gateway\fR=\fIVPN_GATEWAY\fR

Reference to a Highly Available VPN gateway.

.TP 2m
\fB\-\-vpn\-gateway\-region\fR=\fIVPN_GATEWAY_REGION\fR

Region of the VPN Gateway to operate on. Should be the same as region, if not
specified, it will be automatically set. Overrides the default
\fBcompute/region\fR property value for this command invocation.


.RE
.RE
.sp

.SH "OPTIONAL FLAGS"

.RS 2m
.TP 2m
\fB\-\-description\fR=\fIDESCRIPTION\fR

An optional, textual description for the VPN tunnel.

.TP 2m
\fB\-\-ike\-version\fR=\fIIKE_VERSION\fR

Internet Key Exchange protocol version number. Default is 2. \fIIKE_VERSION\fR
must be one of: \fB1\fR, \fB2\fR.

.TP 2m
\fB\-\-interface\fR=\fIINTERFACE\fR

Numeric interface ID of the VPN gateway with which this VPN tunnel is
associated. This flag is required if the tunnel is being attached to a Highly
Available VPN gateway. This option is only available for use with Highly
Available VPN gateway and must be omitted if the tunnel is going to be connected
to a Classic VPN gateway. \fIINTERFACE\fR must be one of: \fB0\fR, \fB1\fR.

.TP 2m
\fB\-\-local\-traffic\-selector\fR=\fICIDR\fR,[\fICIDR\fR,...]

Traffic selector is an agreement between IKE peers to permit traffic through a
tunnel if the traffic matches a specified pair of local and remote addresses.

\-\-local\-traffic\-selector allows to configure the local addresses that are
permitted. The value should be a comma separated list of CIDR formatted strings.
Example: 192.168.0.0/16,10.0.0.0/24.

Local traffic selector must be specified only for VPN tunnels that do not use
dynamic routing with a Cloud Router. Omit this flag when creating a tunnel using
dynamic routing, including a tunnel for a Highly Available VPN gateway.

.TP 2m
\fB\-\-peer\-external\-gateway\-interface\fR=\fIPEER_EXTERNAL_GATEWAY_INTERFACE\fR

Interface ID of the external VPN gateway to which this VPN tunnel is connected
to. This flag is required if the tunnel is being created from a Highly Available
VPN gateway to an External Vpn Gateway. \fIPEER_EXTERNAL_GATEWAY_INTERFACE\fR
must be one of: \fB0\fR, \fB1\fR, \fB2\fR, \fB3\fR.

.TP 2m
\fB\-\-phase1\-dh\fR=\fIGROUPS\fR,[\fIGROUPS\fR,...]

Phase 1 Diffie\-Hellman groups.

.TP 2m
\fB\-\-phase1\-encryption\fR=\fIALGORITHMS\fR,[\fIALGORITHMS\fR,...]

Phase 1 encryption algorithms.

.TP 2m
\fB\-\-phase1\-integrity\fR=\fIALGORITHMS\fR,[\fIALGORITHMS\fR,...]

Phase 1 integrity algorithms.

.TP 2m
\fB\-\-phase1\-prf\fR=\fIPSEUDORANDOM\fR \fIFUNCTIONS\fR,[...]

Phase 1 pseudorandom functions.

.TP 2m
\fB\-\-phase2\-encryption\fR=\fIALGORITHMS\fR,[\fIALGORITHMS\fR,...]

Phase 2 encryption algorithms.

.TP 2m
\fB\-\-phase2\-integrity\fR=\fIALGORITHMS\fR,[\fIALGORITHMS\fR,...]

Phase 2 integrity algorithms.

.TP 2m
\fB\-\-phase2\-pfs\fR=\fIALGORITHMS\fR,[\fIALGORITHMS\fR,...]

Phase 2 perfect forward secerecy algorithms.

.TP 2m
\fB\-\-region\fR=\fIREGION\fR

Region of the VPN Tunnel to create. If not specified, you might be prompted to
select a region (interactive mode only).

To avoid prompting when this flag is omitted, you can set the
\f5\fIcompute/region\fR\fR property:

.RS 2m
$ gcloud config set compute/region REGION
.RE

A list of regions can be fetched by running:

.RS 2m
$ gcloud compute regions list
.RE

To unset the property, run:

.RS 2m
$ gcloud config unset compute/region
.RE

Alternatively, the region can be stored in the environment variable
\f5\fICLOUDSDK_COMPUTE_REGION\fR\fR.

.TP 2m
\fB\-\-remote\-traffic\-selector\fR=\fICIDR\fR,[\fICIDR\fR,...]

Traffic selector is an agreement between IKE peers to permit traffic through a
tunnel if the traffic matches a specified pair of local and remote addresses.

\-\-remote\-traffic\-selector allows to configure the remote addresses that are
permitted. The value should be a comma separated list of CIDR formatted strings.
Example: 192.168.0.0/16,10.0.0.0/24.

Remote traffic selector must be specified for VPN tunnels that do not use
dynamic routing with a Cloud Router. Omit this flag when creating a tunnel using
dynamic routing, including a tunnel for a Highly Available VPN gateway.

.TP 2m
\fB\-\-router\fR=\fIROUTER\fR

Router to use for dynamic routing.

.TP 2m
\fB\-\-router\-region\fR=\fIROUTER_REGION\fR

Region of the router to operate on. If not specified, you might be prompted to
select a region (interactive mode only).

To avoid prompting when this flag is omitted, you can set the
\f5\fIcompute/region\fR\fR property:

.RS 2m
$ gcloud config set compute/region REGION
.RE

A list of regions can be fetched by running:

.RS 2m
$ gcloud compute regions list
.RE

To unset the property, run:

.RS 2m
$ gcloud config unset compute/region
.RE

Alternatively, the region can be stored in the environment variable
\f5\fICLOUDSDK_COMPUTE_REGION\fR\fR.


.RE
.sp

.SH "GCLOUD WIDE FLAGS"

These flags are available to all commands: \-\-access\-token\-file, \-\-account,
\-\-billing\-project, \-\-configuration, \-\-flags\-file, \-\-flatten,
\-\-format, \-\-help, \-\-impersonate\-service\-account, \-\-log\-http,
\-\-project, \-\-quiet, \-\-trace\-token, \-\-user\-output\-enabled,
\-\-verbosity.

Run \fB$ gcloud help\fR for details.



.SH "NOTES"

This command is currently in beta and might change without notice. These
variants are also available:

.RS 2m
$ gcloud compute vpn\-tunnels create
.RE

.RS 2m
$ gcloud alpha compute vpn\-tunnels create
.RE
@ Telegram