Configuring shared VPC

This page describes the Shared VPC network and host project requirements for Cloud Composer.

Shared VPC enables organizations to establish budgeting and access control boundaries at the project level while allowing for secure and efficient communication using private IPs across those boundaries. In the context of a Cloud Composer environment, using a Shared VPC network means that workflows can invoke services hosted in other Google Cloud projects in the same organization without exposing services to the public Internet.

Before you begin

  • Shared VPC requires that you designate a host project to which networks and subnetworks belong and a service project, which is attached to the host project. When Cloud Composer participates in a Shared VPC, the Cloud Composer environment is in the service project.

  • You must configure the subnetwork that the Cloud Composer environment connects to for Alias IPs. If your network does not require specific secondary IP ranges, you must use the following two secondary IP ranges:

    • Pods: composer-pods
    • Services: composer-services
  • Ensure that the secondary ranges are large enough to accommodate the cluster's size and anticipated growth. For example, the network prefixes of the secondary ranges for a 3-node Cloud Composer environment should be no longer than:

    • Pods: /22
    • Services: /27
  • Because you cannot share a secondary range between environments and secondary ranges require a unique name for the subnet, each Cloud Composer environment that participates in a Shared VPC requires its own subnet. The primary address range of the subnet should accommodate anticipated growth and account for the reserved IP addresses. Using the previous 3-node environment example, the network prefix of the subnet's primary address range should be no longer than /29.

Configuring the host project

  1. Find the following project IDs and project numbers:
    • Host project: The project that contains the Shared VPC network.
    • Service project: The project that contains the Cloud Composer environment.
  2. Prepare your organization.
  3. Enable the GKE API in your host and service projects.
  4. Choose one of the following options to allocate and configure networking resources. For each option, you must name the secondary IP ranges for pods and services. Either specify the secondary range names for your network or name the ranges composer-pods and composer-services (default).

  5. On the subnetwork, enable Shared VPC and grant the compute.networkUser role to the GKE service accounts.

  6. On the host project, grant the Host Service Agent User role to the GKE Service Account of the service project. This allows the GKE Service Account of the service project to use the GKE Service Account of the host project to configure shared network resources.

You've completed Shared VPC network configuration for the host project.

What's next

Using the Cloud SDK, create a Cloud Composer environment and provide the host project's network and subnetwork as configuration parameters.

¿Te ha resultado útil esta página? Enviar comentarios:

Enviar comentarios sobre...