This chapter covers Dedicated Interconnect and Partner Interconnect, two Google Cloud networking services that provide private, high-bandwidth connectivity between on-premises networks and Google Cloud VPC networks. For the ACE exam, these topics fall under Objective 2.1 (Planning Solutions) and typically appear in 3-5% of questions. You must understand the differences, use cases, capacity limits, SLA terms, and how they interact with Cloud Router and BGP sessions. This chapter breaks down the architecture, configuration steps, and exam traps so you can confidently answer any question on hybrid connectivity.
Jump to a section
Imagine your company needs a private, dedicated connection between two office buildings. You have two options: Option A is to buy your own fiber optic cable and have it buried between the buildings. You control the entire path, you pay for the physical cable and its maintenance, and you get guaranteed bandwidth regardless of what anyone else does. This is Dedicated Interconnect — you provision a physical cross-connect directly from your on-premises router to a Google Cloud colocation facility, and you manage the link yourself. Option B is to call a telecom provider and order a managed private line. The provider already has a network of cables; they just configure a virtual circuit for you over their existing infrastructure. You don't own the physical cable, but you get a service-level agreement (SLA) for bandwidth and availability. This is Partner Interconnect — you connect through a supported service provider (like Equinix, Megaport, or CenturyLink) who handles the physical connectivity to Google. In both cases, your traffic stays off the public internet, uses private IP addresses, and benefits from low latency and high reliability. The key difference is ownership and management: with Dedicated Interconnect, you provision and manage the physical connection; with Partner Interconnect, you rely on a partner's network and provisioning portal.
What is Dedicated Interconnect?
Dedicated Interconnect provides a direct physical connection between your on-premises network and Google's network. You must meet Google at a supported colocation facility (co-location) and arrange a cross-connect from your cage to Google's Meet Me Room (MMR). The connection is a single 10 Gbps or 100 Gbps Ethernet link (or an aggregate of multiple links). You can order up to 8 connections per location, giving a maximum of 800 Gbps per metro area. Each connection is a Layer 2 link that carries VLAN-tagged traffic. You then configure one or more VLAN attachments (each is a Cloud Router interface) to connect to a VPC network. The SLA guarantees 99.99% availability for connections that have at least two redundant links (one in each of two different edge availability domains).
What is Partner Interconnect?
Partner Interconnect uses a supported service provider to establish connectivity. You do not need to go to a colocation facility; the provider handles the physical connection. You order a 'VLAN' or 'circuit' from the provider, and they provision it to Google. The bandwidth can be as low as 50 Mbps (some providers offer 50 Mbps, others start at 100 Mbps) up to 10 Gbps or more. You must have a Cloud Router in your VPC and the provider must be connected to Google via a Partner Interconnect attachment. The provider uses a VLAN attachment on their side, and you configure BGP sessions over that. The SLA for Partner Interconnect is 99.9% availability (with two connections in different availability domains).
How It Works Internally
Both services use the same underlying technology: VLAN attachments on Cloud Router. When you create a Dedicated Interconnect connection, you get a 'pairing key' that you use to provision the attachment. For Partner Interconnect, the provider gives you a pairing key or you create an attachment and share the key with them. The attachment is associated with a Cloud Router that exchanges BGP routes with your on-premises router. Traffic flows as follows:
Your on-premises router sends a packet destined for a GCP VM IP.
The packet is tagged with a specific VLAN ID (802.1Q).
The physical link carries the packet to the Google edge router.
The edge router strips the VLAN tag and forwards the packet to the VPC network based on the BGP-learned routes.
Return traffic follows the reverse path.
Key Components, Values, Defaults, and Timers
VLAN Attachment: Maximum 8 VLAN attachments per Dedicated Interconnect connection. Each attachment supports up to 10 Gbps for 10 Gbps links, or up to 100 Gbps for 100 Gbps links.
Cloud Router: Required for both. BGP timers: keepalive interval 20 seconds, hold time 60 seconds (configurable).
BGP: You must advertise your on-premises prefixes (public or private) to GCP. GCP advertises the VPC subnet ranges. You cannot advertise more than 2000 prefixes per BGP session (soft limit).
Redundancy: For SLA, you need at least two connections in different edge availability domains (for Dedicated) or two VLAN attachments in different zones (for Partner).
Latency: Typically <1 ms within the same metro, but depends on physical distance.
Capacity: Dedicated Interconnect: 10 Gbps or 100 Gbps per link. Partner Interconnect: 50 Mbps to 10 Gbps (some providers support 100 Gbps via aggregation).
Configuration and Verification Commands
To create a Dedicated Interconnect connection:
gcloud compute interconnects dedicated create my-interconnect \
--location=us-east4 \
--interconnect-type=DEDICATED \
--requested-link-count=1 \
--admin-enabledThen create a VLAN attachment:
gcloud compute interconnects attachments dedicated create my-attachment \
--region=us-east4 \
--router=my-router \
--interconnect=my-interconnect \
--vlan=100For Partner Interconnect:
gcloud compute interconnects attachments partner create my-partner-attachment \
--region=us-east4 \
--router=my-router \
--edge-availability-domain=availability-domain-1 \
--partner-metadata=...Verify with:
gcloud compute interconnects list
gcloud compute interconnects attachments list
gcloud compute routers get-status my-router --region=us-east4The get-status command shows BGP session state (established, idle, etc.) and learned routes.
Interaction with Related Technologies
Cloud VPN: Can be used as a backup for Interconnect. If the Interconnect fails, traffic can failover to Cloud VPN (using dynamic routing with Cloud Router).
Cloud Router: Essential for BGP routing. Supports custom route advertisements and route priorities.
VPC Network Peering: Not directly related; Interconnect connects on-premises to VPC, not two VPCs.
Shared VPC: Interconnect can be attached to a Shared VPC host project; service projects can then use the connection.
Capacity Planning
Dedicated Interconnect: Each link is 10 or 100 Gbps. You can have up to 8 links per location, but you need to order cross-connects at the colo. Bandwidth is dedicated — no oversubscription.
Partner Interconnect: Bandwidth is shared with other customers of the provider, but SLA still applies. You can increase bandwidth by ordering a larger circuit from the provider.
Both: You can aggregate multiple attachments to a single Cloud Router for load balancing. Use BGP multipath.
Security
Traffic is private and does not traverse the public internet. No encryption is required, but you can add IPSec over Interconnect if needed (e.g., for compliance). Google does not inspect traffic; it's just a Layer 2/3 pipe.
SLA Details
Dedicated Interconnect: 99.99% availability when using two connections in different edge availability domains. Single connection: no SLA.
Partner Interconnect: 99.9% availability when using two VLAN attachments in different zones. Single attachment: no SLA.
Financial credits apply if SLA is not met (e.g., 10% credit for <99.99% uptime).
Exam Focus
Know the bandwidth options: Dedicated: 10 Gbps or 100 Gbps. Partner: 50 Mbps to 10 Gbps (some providers 100 Gbps).
Remember that Dedicated Interconnect requires a physical cross-connect; Partner does not.
SLA requires two connections/attachments in different availability domains/zones.
Cloud Router is mandatory for both.
Maximum VLAN attachments per Dedicated connection: 8.
BGP session limits: 2000 prefixes per session.
You cannot use Interconnect to connect two GCP VPCs; use VPC Peering.
Interconnect supports jumbo frames (MTU 1500 or 8896? Actually, Dedicated Interconnect supports MTU up to 8896 bytes; Partner supports up to 1500 bytes by default, but some providers support 8896).
Common Pitfalls
Confusing Dedicated and Partner Interconnect with Cloud VPN: VPN uses public internet; Interconnect is private.
Thinking you can connect directly to any region: You must be in a supported colocation facility for Dedicated; Partner supports many more locations.
Assuming one connection is enough for SLA: You need two for SLA.
Forgetting to configure BGP passwords or correct AS numbers.
Advanced: BGP and Route Propagation
Use BGP MED to influence inbound traffic.
Use AS path prepending to influence outbound traffic.
You can advertise specific routes (e.g., /32 host routes) but keep within limits.
Google advertises all VPC subnets by default; you can filter on Cloud Router.
Troubleshooting
Check BGP session status: gcloud compute routers get-status.
Verify VLAN attachment state: should be ACTIVE.
Check on-premises firewall: must allow BGP (TCP 179) and IP protocol 4 (IP-in-IP) if using encapsulation.
Use gcloud compute interconnects list to see connection state (UP/DOWN).
This covers the core knowledge needed for the ACE exam.
Plan Connectivity Requirements
Determine bandwidth needed: if you need 10 Gbps or more, Dedicated Interconnect is suitable; for lower bandwidth (50 Mbps – 10 Gbps), Partner Interconnect may be more cost-effective. Check if your on-premises location is near a supported colocation facility (for Dedicated) or if a Partner provider serves your area. Also decide on redundancy: for SLA, plan for two connections/attachments in different availability domains. Estimate the number of VLAN attachments needed (max 8 per Dedicated connection).
Create Cloud Router
Before provisioning Interconnect, create a Cloud Router in the target region. This router will exchange BGP routes with your on-premises router. Specify a Google ASN (64512-65534, default 64512) and your on-premises ASN. Optionally, set BGP keepalive and hold timers. The Cloud Router must be in the same region as the VLAN attachment.
Provision the Physical Connection
For Dedicated Interconnect: use the gcloud command or Cloud Console to create a Dedicated Interconnect connection. This generates a pairing key and a Google-assigned VLAN attachment ID. You then work with the colocation facility to arrange a cross-connect from your cage to the Google MMR. For Partner Interconnect: you order a VLAN from a supported partner. The partner will provide a pairing key or you generate one and share it. The partner then provisions the connection on their end.
Create VLAN Attachment
Create a VLAN attachment (for Dedicated or Partner) specifying the Cloud Router, region, and VLAN ID. For Dedicated, reference the interconnect resource. For Partner, specify the edge availability domain (availability-domain-1 or availability-domain-2) and optionally partner metadata. The attachment will remain in 'PENDING_CUSTOMER' state until the physical connection is established and BGP sessions are configured.
Configure BGP on On-Premises Router
On your on-premises router, configure a BGP session with the Google Cloud Router's IP address (provided in the attachment details). Use the same AS number as specified in Cloud Router. Advertise your on-premises prefixes (e.g., your internal IP ranges) to Google. Google will advertise the VPC subnet ranges. Ensure firewall rules allow BGP (TCP 179) and that the interface is up.
Verify Connectivity and Traffic Flow
After BGP session is established, verify that routes are exchanged using `gcloud compute routers get-status`. Test connectivity by pinging a VM from on-premises (or vice versa). Check that traffic is flowing over the Interconnect (not over public internet). Monitor link status and BGP session uptime. For redundancy, repeat steps for the second connection/attachment and verify failover works.
In real-world deployments, Dedicated Interconnect is commonly used by large enterprises that need guaranteed, high-bandwidth connectivity to Google Cloud. For example, a financial services company running trading applications in GCP might provision two 100 Gbps Dedicated Interconnect links to a colocation facility in northern Virginia (us-east4). They use BGP with MED values to prefer one link over the other for inbound traffic, and AS path prepending for outbound. The links are in different edge availability domains, achieving 99.99% SLA. They also set up a Cloud VPN as a backup (with lower priority routes) in case both Interconnects fail. The on-premises network team manages the cross-connects and works with the colo provider for fiber patching. A common issue is that the cross-connect may be mislabeled at the colo, causing the link to not come up. They verify using LLDP (Link Layer Discovery Protocol) to confirm the connection to Google's equipment.
Another scenario: a mid-sized SaaS company uses Partner Interconnect to connect their office in Dallas to GCP us-central1. They order a 500 Mbps circuit from Megaport, which provisions a VLAN attachment. They have a single connection initially, but later add a second attachment through a different Megaport point of presence in the same metro for redundancy. The company's network engineer configures BGP on a small Cisco router. They use private IP addresses (RFC 1918) on both sides. A frequent mistake is forgetting to enable BGP multipath, causing one link to be idle. They also set up monitoring with Stackdriver to alert on BGP session drops. The provider handles the physical link, so the company doesn't need colo space. However, they must ensure their router supports the required MTU (1500 or 8896) and VLAN tagging.
A third scenario: a healthcare provider needs to connect multiple on-premises sites to GCP for a hybrid cloud deployment. They use Partner Interconnect from different providers at each site to connect to the same VPC via a single Cloud Router (using multiple VLAN attachments). They must manage different BGP AS numbers for each site and ensure route advertisements don't conflict. They use BGP communities to tag routes for traffic engineering. The challenge is coordinating with multiple providers and ensuring consistent SLA across all links. They also implement IPSec over Interconnect for encryption to meet HIPAA compliance, even though Interconnect is private. This adds complexity but is necessary for audit requirements.
The ACE exam tests Dedicated and Partner Interconnect under Objective 2.1 (Planning Solutions). Expect 3-5 questions that assess your ability to choose the correct connectivity option based on bandwidth, latency, cost, and SLA requirements. The most common wrong answer is selecting Cloud VPN when the question mentions 'private' or 'dedicated' — candidates confuse VPN (which is private but over public internet) with Interconnect (which is truly private). Another trap: assuming Dedicated Interconnect requires you to be in the same physical data center as Google — actually, you must be in a colocation facility that has a Google Meet Me Room. Also, many candidates think Partner Interconnect can only be 1 Gbps or higher, but it supports as low as 50 Mbps. The exam loves to test SLA conditions: you need two connections/attachments in different edge availability domains (for Dedicated) or different zones (for Partner) to get the SLA. A single connection gets no SLA. Numbers to memorize: Dedicated Interconnect bandwidths: 10 Gbps and 100 Gbps. Max 8 VLAN attachments per connection. Partner Interconnect bandwidth: 50 Mbps to 10 Gbps (some providers up to 100 Gbps). SLA: 99.99% for Dedicated (with redundancy), 99.9% for Partner (with redundancy). Edge availability domains are specific to each location; there are exactly two per location. When a question asks about 'lowest latency', the answer is always Dedicated Interconnect because it's a direct physical link. For 'cost-effective' low bandwidth, choose Partner Interconnect. Also, remember that Interconnect does not provide encryption by default; use IPSec if needed. Another edge case: Interconnect can be used to connect to a Shared VPC host project, but the attachment must be in the host project. Finally, know that you cannot use Interconnect to connect two GCP VPCs; use VPC Peering or Cloud VPN. To eliminate wrong answers, focus on the key differentiators: physical vs. virtual, bandwidth range, SLA percentages, and redundancy requirements.
Dedicated Interconnect requires a physical cross-connect at a supported colocation facility; Partner Interconnect uses a service provider.
Dedicated Interconnect offers 10 Gbps or 100 Gbps per link; Partner Interconnect offers 50 Mbps to 10 Gbps.
Both require Cloud Router and BGP sessions; BGP keepalive 20s, hold 60s by default.
SLA for Dedicated: 99.99% with two links in different edge availability domains; Partner: 99.9% with two attachments in different zones.
Maximum 8 VLAN attachments per Dedicated Interconnect connection.
Interconnect does not encrypt traffic; use IPSec if needed.
You cannot use Interconnect to connect two GCP VPCs.
For exam: know bandwidths, SLA percentages, and redundancy requirements.
These come up on the exam all the time. Here's how to tell them apart.
Dedicated Interconnect
Requires physical cross-connect at colocation facility.
Bandwidth options: 10 Gbps or 100 Gbps per link.
Up to 8 VLAN attachments per connection.
SLA: 99.99% with two connections in different edge availability domains.
Lower latency (direct physical link).
Partner Interconnect
No colocation needed; provisioned via service provider.
Bandwidth: 50 Mbps to 10 Gbps (some providers up to 100 Gbps).
VLAN attachments per connection limited by provider (typically less than 8).
SLA: 99.9% with two attachments in different zones.
Slightly higher latency due to provider network.
Mistake
Dedicated Interconnect provides encryption by default.
Correct
No, Dedicated Interconnect is a private Layer 2 link but does not encrypt traffic. If encryption is required, you must configure IPSec over the Interconnect (e.g., using Cloud VPN or on-premises IPSec device).
Mistake
You can get an SLA with a single Dedicated Interconnect connection.
Correct
The SLA (99.99% for Dedicated) requires at least two connections in different edge availability domains. A single connection has no SLA coverage.
Mistake
Partner Interconnect is only available for bandwidths of 1 Gbps or higher.
Correct
Partner Interconnect supports bandwidths as low as 50 Mbps (some providers start at 100 Mbps). It is designed for a range from 50 Mbps to 10 Gbps, and some providers offer up to 100 Gbps via aggregation.
Mistake
You can connect to any GCP region using Dedicated Interconnect from any colocation facility.
Correct
You must be in a colocation facility that has a Google Meet Me Room (MMR) and is within the same metro area as the GCP region you want to connect to. Not all facilities are supported; Google provides a list of supported locations.
Mistake
Interconnect can be used to connect two VPC networks within GCP.
Correct
Interconnect is for hybrid connectivity between on-premises and GCP. To connect two VPCs, use VPC Peering or Cloud VPN. Interconnect cannot be used for VPC-to-VPC connectivity.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Dedicated Interconnect provides a direct physical connection between your on-premises network and Google at a colocation facility. You manage the cross-connect and the link. Partner Interconnect uses a supported service provider to establish the connection; you do not need to go to a colo. Dedicated offers 10 or 100 Gbps; Partner offers 50 Mbps to 10 Gbps. Both require Cloud Router and BGP.
You can have up to 8 VLAN attachments per Dedicated Interconnect connection. Each attachment connects to a Cloud Router and can be in the same or different VPC networks (in the same region).
Yes. The 99.99% SLA requires at least two connections in different edge availability domains. A single connection has no SLA. For Partner Interconnect, you need two attachments in different zones for 99.9% SLA.
No. Interconnect is for hybrid connectivity between on-premises and GCP. To connect two VPCs, use VPC Peering or Cloud VPN. Interconnect cannot be used for VPC-to-VPC connectivity.
The minimum bandwidth is 50 Mbps, though some providers start at 100 Mbps. You can order any bandwidth up to 10 Gbps (or higher with some providers).
No, Interconnect provides a private Layer 2/3 connection but does not encrypt traffic. If encryption is required for compliance, you must configure IPSec over the Interconnect (e.g., using Cloud VPN or on-premises IPSec device).
Edge availability domains are physically separate infrastructure within a Google Cloud colocation facility. Each location has two domains. For SLA, you must place your Dedicated Interconnect connections in different domains to protect against facility-level failures.
You've just covered Dedicated Interconnect and Partner Interconnect — now see how well it sticks with free ACE practice questions. Full explanations included, no account needed.
Done with this chapter?