This page describes the Shared VPC network and host project requirements for Cloud Composer.
Shared VPC enables organizations to establish budgeting and access control boundaries at the project level while allowing for secure and efficient communication using private IPs across those boundaries. In the Shared VPC configuration, Cloud Composer can invoke services hosted in other Google Cloud projects in the same organization without exposing services to the public Internet.
- Shared VPC requires that you designate a host project to which networks and subnetworks belong and a service project, which is attached to the host project. When Cloud Composer participates in a Shared VPC, the Cloud Composer environment is in the service project.
- To set up Shared VPC, select the following IP ranges in the host project:
- Primary IP Range of the subnet used by GKE nodes that Cloud Composer uses as its compute layer
- Secondary IP Range for GKE Services
- Secondary IP Range for GKE Pods
- Secondary IP Ranges cannot overlap with any other secondary ranges in this VPC.
Ensure that secondary ranges are large enough to accommodate the cluster's size and anticipated growth. For example, the network prefixes of the secondary ranges for a 3-node Cloud Composer environment should be no longer than:
The primary address range of the subnet should accommodate anticipated growth and account for the reserved IP addresses. Using the previous 3-node environment example, the network prefix of the subnet's primary address range should be no longer than
- Find the following project IDs and project numbers:
- Host project: The project that contains the Shared VPC network.
- Service project: The project that contains the Cloud Composer environment.
- Prepare your organization.
- Enable the GKE API in your host and service projects.
Host project configuration
Choose one of the following options to allocate and configure networking resources. For each option, you must name the secondary IP ranges for pods and services.
- Create a new VPC network, subnet, and two secondary IP ranges. When creating the subnet, use the Primary IP Range following the guidelines above. As part of the subnet definition, define two secondary IP ranges (for Pods and Services) as instructed above.
- Create a subnet and two secondary IP ranges in an existing VPC. When creating the subnet, use the Primary IP Range following the guidelines above. As part of the subnet definition, define two secondary IP ranges (for Pods and Services) as instructed above.
- Create two secondary IP ranges in an existing subnet and VPC. Define two secondary IP ranges (for Pods and Services) as instructed above, avoiding name and IP range conflicts with existing secondary ranges.
Set up Shared VPC and attach a service project, which you will use to host Cloud Composer environments. If the Shared VPC already exists, go directly to the Attaching a service project step. When attaching a project, leave the default VPC Network permissions in place.
Grant the compute.networkUser role to the Google APIs service account (SERVICE_PROJECT_NUMBER@cloudservices.gserviceaccount.com) at the project level. This is a requirement for managed instance groups used with Shared VPC, which GKE uses, because tasks like instance creation are performed by this type of service account.
In the host project, grant the
compute.networkUserrole to the GKE service accounts (service-SERVICE_PROJECT_NUMBER@container-engine-robot.iam.gserviceaccount.com). To do this, go to the VPC networks list and select the target network. This permission needs to be granted at the network level to allow the service account to set up the VPC peering arcitecture required by Cloud Composer.
Host Service Agent Userrole to the GKE Service Account of the service project. This allows the GKE Service Account of the service project to use the GKE Service Account of the host project to configure shared network resources.
If this is the first Cloud Composer environment in the current project, you must first provision the Composer Agent Service Account:
gcloud beta services identity create --service=composer.googleapis.com.
Grant Composer Agent Service Account (service-SERVICE_PROJECT_NUMBER@cloudcomposer-accounts.iam.gserviceaccount.com) a role of Composer Shared VPC Agent in case of Private IP environments or a role of Compute Network User in case of Public IP Composer environments.
You've completed Shared VPC network configuration for the host project.
Using the Cloud SDK, create a Cloud Composer environment and provide the host project's network and subnetwork as configuration parameters.