Your VMs on Compute Engine need to connect with physical servers at a remote site using private IPs, requiring dynamic routing and a shared address space of 10.108.0.1/22. To ensure tunnels are not overprovisioned during a failover, what are some Google-recommended practices for setting up a high-availability Cloud VPN for this scenario?