Cloud Composer 1 is in the post-maintenance mode. Google does not release any further updates to Cloud Composer 1, including new versions of Airflow, bugfixes, and security updates. We recommend planning migration to Cloud Composer 2.

Configure Shared VPC networking

Cloud Composer 1 | Cloud Composer 2 | Cloud Composer 3

This page describes the Shared VPC network and host project requirements for Cloud Composer.

Shared VPC enables organizations to establish budgeting and access control boundaries at the project level while allowing for secure and efficient communication using private IPs across those boundaries. In the Shared VPC configuration, Cloud Composer can invoke services hosted in other Google Cloud projects in the same organization without exposing services to the public internet.

Guidelines for Shared VPC

A Cloud Composer environment is located in the service
project. A network attachment in the Cloud Composer environment
is connected to a VPC network in the host project. — **Figure 1.** Service and host projects for Cloud Composer 3 (click to enlarge)

Shared VPC requires that you designate a host project to which networks and subnetworks belong and a service project, which is attached to the host project. When Cloud Composer participates in a Shared VPC, the Cloud Composer environment is in the service project.
Make sure that Cloud Composer environment's internal IP range and your VPC network ranges do not have conflicts.

Preparation

Find the following project IDs and project numbers:
- Host project: The project that contains the Shared VPC network.
- Service project: The project that contains the Cloud Composer environment.
Prepare your organization.

Configure the service project

If Cloud Composer environments were never created in the service project, then provision the Composer Service Agent Account in the service project:

gcloud beta services identity create --service=composer.googleapis.com`

Configure the host project

Configure the host project as described further.

Configure networking resources

Choose one of the following options:

Option 1. Create a new VPC network and a subnet.
Option 2. Create a subnet in an existing VPC network.
Option 3. Use an existing VPC network and a subnet.

Set up Shared VPC and attach the service project

If not already done, Set up Shared VPC. If you already have set up Shared VPC, skip to the next step.
Attach the service project, which you use to host Cloud Composer environments.

When attaching a project, leave the default VPC Network permissions in place.

Grant permissions to the Composer Service Agent account

In the host project:

Edit permissions for the Composer Service Agent account, service-SERVICE_PROJECT_NUMBER@cloudcomposer-accounts.iam.gserviceaccount.com)
Add another role, Composer Shared VPC Agent (composer.sharedVpcAgent). at the project level.

Conclusion

You've completed the Shared VPC network configuration for both service and host projects.

Now you can connect new and existing environments in the service project to the host project's VPC network. You can use one of the following approaches:

Connect an environment to a Shared VPC network. Cloud Composer creates a new network attachment for the environment.
Create a network attachment in the service project, connect it to a Shared VPC network, and connect one or more environments to this network attachment.

For instructions and more information about differences between the two described approaches, see Connect a VPC network to your environment.