VPN and cloud router

The term hybrid is usually used to describe a combination of an on-premises data center and a set of cloud-based resources. Hybrid architectures are becoming increasingly common for the simple reason that as big organizations move to the cloud, they need a hybrid setup during the migration period, and while they evaluate whether their cloud strategy is the right one.

The importance of hybrid infrastructures makes the VPN service a particularly important one for organizations that are moving to the cloud. It is trivial to set up a VPN connection between your on-premises setup and your organization's cloud resources. This VPN connection will be secure, with a gateway at each end. The gateway at your on-premises end will be a physical one that you control, while the gateway at the GCP end is a virtual router, managed by GCP.

There is a fair bit of advanced networking that goes on under the hood with VPN connections, notably the encryption of traffic by the gateway device at one end and its decryption by the gateway at the other. This requires the exchange of keys between those two devices, which happens using a specialized protocol called Internet Key Exchange (IKE). We will not dwell on the details of how this works, but you should be aware that VPN connections are secure. This also has the unfortunate side effect of making them relatively slow; if you have ever used a VPN connection to access your corporate network from home or while traveling, this is probably something you are familiar with. In that case, the slower speed is most likely due to the slower connection on the user's end. Apart from that, it is also important to remember that keeping a VPN up and running incurs charges, which makes it costlier.

If your organization is considering a hybrid setup for the long term (rather than merely as a stopgap during migration or evaluation), you might want to consider some of the enterprise-grade interconnection options that GCP offers, notably Cloud Interconnect, which is a program where trusted third-party ISPs (such as AT&T, KDDI, SoftBank, and Tata) work with your organization and with Google to provide a high-quality interconnection without the overhead of VPN. Do check Google's list of supported service providers; the list is constantly growing.

Finally, VPN by itself is not going to provide dynamic routing capabilities. This means that if, for instance, a new rack of servers is added to your on-premises setup, your GCP VMs are not going to learn about it unless you turn down and turn back up your gateway device. To enable dynamic routing, you can make use of another GCP service called Cloud Router. This makes the VPN gateway BGP-enabled, which provides dynamic route advertisement. This way, topology changes at either end will be picked up on the fly.
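The following script is an added example, not from the book or from Google, that puts the two preceding pieces together: it creates the GCP-side VPN gateway described above (exposing only ESP and the two IKE/IPsec UDP ports), generates the IKE pre-shared key from the kernel RNG instead of picking one by hand, and attaches a Cloud Router so that BGP advertises routes across the tunnel instead of relying on static routes. Every project, network, gateway, router and tunnel name, the peer address, the link-local BGP addresses and both ASNs are constructed placeholders; the `gcloud` subcommands and flags are real. `DRY_RUN=1` (the default) only prints the commands so the script can be reviewed before anything is created.

```shell
#!/bin/sh
# Added example: Classic VPN tunnel to GCP with a Cloud Router doing BGP.
# All resource names, addresses and ASNs below are constructed placeholders.
# DRY_RUN=1 (default) prints the gcloud commands; DRY_RUN=0 executes them.
set -eu

DRY_RUN="${DRY_RUN:-1}"
PROJECT="${PROJECT:-my-project-id}"        # placeholder project id
REGION="${REGION:-us-central1}"
NETWORK="${NETWORK:-corp-vpc}"             # placeholder VPC name
GW="${GW:-onprem-vpn-gw}"
ROUTER="${ROUTER:-onprem-router}"
TUNNEL="${TUNNEL:-onprem-tunnel-1}"
PEER_IP="${PEER_IP:-203.0.113.10}"         # on-prem gateway public IP (documentation range)
GCP_ASN="${GCP_ASN:-65001}"                # private ASN for the Cloud Router
PEER_ASN="${PEER_ASN:-65002}"              # private ASN of the on-prem BGP speaker
BGP_LOCAL="${BGP_LOCAL:-169.254.0.1}"      # link-local addresses for the BGP session
BGP_PEER="${BGP_PEER:-169.254.0.2}"

# Print the command in dry-run mode, otherwise execute it.
# Note: the printed tunnel command contains the pre-shared key; do not log it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# 32 random bytes, base64-encoded (44 characters). The same value has to be
# configured on the on-prem gateway; it is the only secret IKE relies on here.
make_psk() {
  head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# GCP-side gateway: a static address plus forwarding rules for exactly the
# traffic IPsec needs (ESP, IKE on UDP/500, NAT-T on UDP/4500) and nothing else.
create_gateway() {
  run gcloud compute target-vpn-gateways create "$GW" \
      --project "$PROJECT" --region "$REGION" --network "$NETWORK"
  run gcloud compute addresses create "$GW-ip" \
      --project "$PROJECT" --region "$REGION"
  run gcloud compute forwarding-rules create "$GW-esp" \
      --project "$PROJECT" --region "$REGION" \
      --ip-protocol ESP --address "$GW-ip" --target-vpn-gateway "$GW"
  run gcloud compute forwarding-rules create "$GW-udp500" \
      --project "$PROJECT" --region "$REGION" \
      --ip-protocol UDP --ports 500 --address "$GW-ip" --target-vpn-gateway "$GW"
  run gcloud compute forwarding-rules create "$GW-udp4500" \
      --project "$PROJECT" --region "$REGION" \
      --ip-protocol UDP --ports 4500 --address "$GW-ip" --target-vpn-gateway "$GW"
}

# Cloud Router: the BGP speaker on the GCP side, identified by its own ASN.
create_router() {
  run gcloud compute routers create "$ROUTER" \
      --project "$PROJECT" --region "$REGION" --network "$NETWORK" --asn "$GCP_ASN"
}

# Tunnel bound to the router (dynamic routing) with IKEv2, then a router
# interface on the tunnel and a BGP peering with the on-prem gateway.
create_tunnel() {
  psk="$1"
  run gcloud compute vpn-tunnels create "$TUNNEL" \
      --project "$PROJECT" --region "$REGION" \
      --target-vpn-gateway "$GW" --peer-address "$PEER_IP" \
      --ike-version 2 --router "$ROUTER" --shared-secret "$psk"
  run gcloud compute routers add-interface "$ROUTER" \
      --project "$PROJECT" --region "$REGION" \
      --interface-name "$TUNNEL-if" --vpn-tunnel "$TUNNEL" \
      --ip-address "$BGP_LOCAL" --mask-length 30
  run gcloud compute routers add-bgp-peer "$ROUTER" \
      --project "$PROJECT" --region "$REGION" \
      --peer-name "$TUNNEL-peer" --interface "$TUNNEL-if" \
      --peer-ip-address "$BGP_PEER" --peer-asn "$PEER_ASN"
}

main() {
  create_gateway
  create_router
  create_tunnel "$(make_psk)"
}
main
```

Once the peering is up, routes learned from the on-prem BGP speaker appear in the VPC automatically, which is the behaviour the text contrasts with bouncing the gateway; with DRY_RUN=0 the script needs the usual Compute permissions and an authenticated `gcloud`.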
