This page describes the Shared VPC network and host project requirements for Cloud Composer.
Shared VPC enables organizations to establish budgeting and access control boundaries at the project level while allowing for secure and efficient communication using private IPs across those boundaries. In the context of a Cloud Composer environment, using a Shared VPC network means that workflows can invoke services hosted in other Google Cloud projects in the same organization without exposing services to the public Internet.
Before you begin
Shared VPC requires that you designate a host project to which networks and subnetworks belong and a service project, which is attached to the host project. When Cloud Composer participates in a Shared VPC, the Cloud Composer environment is in the service project.
The subnetwork that the Cloud Composer environment connects to must be configured for alias IPs, with one secondary IP range for pods and one for services. If you do not need specific names for these ranges, use the default names that Cloud Composer expects:
- Pods: composer-pods
- Services: composer-services
Ensure that the secondary ranges are large enough to accommodate the cluster's size and anticipated growth. For example, the network prefixes of the secondary ranges for a 3-node Cloud Composer environment should be no longer than:
Because a secondary range cannot be shared between environments, and secondary range names must be unique within a subnet (two environments cannot both use composer-pods in the same subnet), each Cloud Composer environment that participates in a Shared VPC requires its own subnet. The primary address range of the subnet should accommodate anticipated growth and account for the four IP addresses that Google Cloud reserves in every primary range. Using the previous 3-node environment example, the network prefix of the subnet's primary address range should be no longer than
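The sizing rule above, as an added example that is not part of the Cloud Composer documentation: a POSIX shell script that derives the minimum prefix lengths for the pods secondary range and the subnet's primary range from a node count, and checks whether a proposed CIDR is big enough. It assumes two GKE facts (each node is assigned a /24, 256 addresses, from the pods range; Google Cloud reserves 4 addresses in each primary range and does not allow subnets smaller than /29). The services range is sized by the number of Kubernetes Services, not by nodes, so it is not derived here. All node counts and CIDRs are made-up inputs; the values it prints are computed from those rules, not taken from the page's table.

```shell
# Added example (not from the Cloud Composer documentation).
# Assumptions: GKE gives every node a /24 (256 addresses) from the pods
# secondary range; Google Cloud reserves 4 addresses per primary range and
# the smallest allowed subnet is /29. Inputs below are made up.

# Smallest prefix length whose address count is >= $1.
min_prefix_for_addresses() {
  needed=$1
  size=1
  prefix=32
  while [ "$size" -lt "$needed" ]; do
    size=$((size * 2))
    prefix=$((prefix - 1))
  done
  echo "$prefix"
}

# Pods secondary range: 256 addresses per node, so N nodes need N*256.
pods_prefix_for_nodes() {
  min_prefix_for_addresses $(( $1 * 256 ))
}

# Primary range: one address per node plus the 4 reserved by Google Cloud,
# clamped to /29 because Google Cloud subnets cannot be smaller than that.
primary_prefix_for_nodes() {
  p=$(min_prefix_for_addresses $(( $1 + 4 )))
  if [ "$p" -gt 29 ]; then p=29; fi
  echo "$p"
}

# Number of addresses in a CIDR such as 10.20.0.0/22.
cidr_size() {
  plen=${1##*/}
  bits=$((32 - plen))
  size=1
  while [ "$bits" -gt 0 ]; do
    size=$((size * 2))
    bits=$((bits - 1))
  done
  echo "$size"
}

# Succeeds (exit 0) if CIDR $1 holds enough pod addresses for $2 nodes.
pods_range_fits() {
  [ "$(cidr_size "$1")" -ge $(( $2 * 256 )) ]
}

# One-line summary for a node count, e.g. to compare today's size with growth.
report() {
  echo "nodes=$1 pods=/$(pods_prefix_for_nodes "$1") primary=/$(primary_prefix_for_nodes "$1")"
}

# Usage on made-up values: a 3-node environment that may grow to 6 nodes.
report 3
report 6
if pods_range_fits 10.20.0.0/22 6; then
  echo "10.20.0.0/22 is large enough for 6 nodes"
else
  echo "10.20.0.0/22 is too small for 6 nodes; pick /$(pods_prefix_for_nodes 6) or shorter"
fi
```

Size the ranges for the node count you expect after growth, not the one you start with: a secondary range cannot be resized in place, and because each environment needs its own subnet, a too-small range means recreating the environment.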
Configuring the host project
- Find the following project IDs and project numbers:
- Host project: The project that contains the Shared VPC network.
- Service project: The project that contains the Cloud Composer environment.
- Prepare your organization: a Shared VPC Admin must enable Shared VPC on the host project and attach the service project to it.
- Enable the GKE API in your host and service projects.
Choose one of the following options to allocate and configure networking resources. For each option, you must name the secondary IP ranges for pods and services: either keep the default names composer-pods and composer-services, or use your own names and pass them when you create the environment.
- Create a new network and subnetwork in the host project.
- Create a new subnetwork in an existing network in the host project.
- Add secondary IP ranges to an existing subnetwork in the host project. A subnetwork supports up to 30 secondary IP ranges.
Share the subnetwork with the service project (Shared VPC) and grant the compute.networkUser role on that subnetwork to the GKE service accounts of the service project, so that the environment's cluster can create nodes in it.
On the host project, grant the Host Service Agent User role (roles/container.hostServiceAgentUser) to the GKE service account of the service project. This allows the GKE service account of the service project to act through the GKE service account of the host project to configure shared network resources; grant it on the host project only, not at the organization or folder level, to keep the scope minimal.
You've completed Shared VPC network configuration for the host project.
Using the Cloud SDK (gcloud), create a Cloud Composer environment in the service project and pass the host project's network and subnetwork, together with the names of the two secondary ranges, as configuration parameters.
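The host-project and service-project steps above, as one added example script that is not part of the Cloud Composer documentation. It creates the network and subnetwork with the two secondary ranges, enables Shared VPC, grants the subnet-level compute.networkUser and project-level Host Service Agent User roles, and creates the environment. Every project ID, project number, region, name and CIDR is a placeholder to replace; the second compute.networkUser grant, to the service project's Google APIs service account (PROJECT_NUMBER@cloudservices.gserviceaccount.com), is a standard GKE Shared VPC requirement that the page does not mention. Set GCLOUD=echo to print the commands instead of running them.

```shell
# Added example (not from the Cloud Composer documentation).
# All IDs, numbers, names and ranges are placeholders to replace.
set -eu

HOST_PROJECT_ID="${HOST_PROJECT_ID:-host-project-id}"
SERVICE_PROJECT_ID="${SERVICE_PROJECT_ID:-service-project-id}"
SERVICE_PROJECT_NUMBER="${SERVICE_PROJECT_NUMBER:-123456789012}"  # numeric project number
REGION="${REGION:-us-central1}"
NETWORK="${NETWORK:-composer-shared-net}"
SUBNET="${SUBNET:-composer-env1-subnet}"   # one subnet per environment
ENV_NAME="${ENV_NAME:-env1}"
PRIMARY_RANGE="${PRIMARY_RANGE:-10.10.0.0/24}"
PODS_RANGE="${PODS_RANGE:-10.20.0.0/16}"
SERVICES_RANGE="${SERVICES_RANGE:-10.30.0.0/20}"
PODS_RANGE_NAME="composer-pods"            # default names Composer expects
SERVICES_RANGE_NAME="composer-services"
GCLOUD="${GCLOUD:-gcloud}"                 # GCLOUD=echo for a dry run

# Service accounts of the service project that must use the shared subnet.
gke_service_agent() { printf 'serviceAccount:service-%s@container-engine-robot.iam.gserviceaccount.com' "$1"; }
google_apis_agent() { printf 'serviceAccount:%s@cloudservices.gserviceaccount.com' "$1"; }
# Fully qualified resource paths, needed because the resources live in another project.
network_path() { printf 'projects/%s/global/networks/%s' "$1" "$2"; }
subnet_path() { printf 'projects/%s/regions/%s/subnetworks/%s' "$1" "$2" "$3"; }

enable_apis() {
  "$GCLOUD" services enable container.googleapis.com --project="$HOST_PROJECT_ID"
  "$GCLOUD" services enable container.googleapis.com composer.googleapis.com --project="$SERVICE_PROJECT_ID"
}

# Option 1 from the page: new network and subnetwork with both secondary ranges.
create_host_network() {
  "$GCLOUD" compute networks create "$NETWORK" --project="$HOST_PROJECT_ID" --subnet-mode=custom
  "$GCLOUD" compute networks subnets create "$SUBNET" --project="$HOST_PROJECT_ID" \
    --network="$NETWORK" --region="$REGION" --range="$PRIMARY_RANGE" \
    --secondary-range="$PODS_RANGE_NAME=$PODS_RANGE,$SERVICES_RANGE_NAME=$SERVICES_RANGE" \
    --enable-private-ip-google-access
}

enable_shared_vpc() {
  "$GCLOUD" compute shared-vpc enable "$HOST_PROJECT_ID"
  "$GCLOUD" compute shared-vpc associated-projects add "$SERVICE_PROJECT_ID" --host-project="$HOST_PROJECT_ID"
}

# Subnet-level grant: scoped to the one subnet, not the whole host project.
grant_subnet_network_user() {
  for member in "$(gke_service_agent "$SERVICE_PROJECT_NUMBER")" "$(google_apis_agent "$SERVICE_PROJECT_NUMBER")"; do
    "$GCLOUD" compute networks subnets add-iam-policy-binding "$SUBNET" \
      --project="$HOST_PROJECT_ID" --region="$REGION" \
      --member="$member" --role=roles/compute.networkUser
  done
}

# Host project grant so the service project's GKE agent can act through the host's agent.
grant_host_service_agent_user() {
  "$GCLOUD" projects add-iam-policy-binding "$HOST_PROJECT_ID" \
    --member="$(gke_service_agent "$SERVICE_PROJECT_NUMBER")" \
    --role=roles/container.hostServiceAgentUser
}

create_environment() {
  "$GCLOUD" composer environments create "$ENV_NAME" \
    --project="$SERVICE_PROJECT_ID" --location="$REGION" \
    --network="$(network_path "$HOST_PROJECT_ID" "$NETWORK")" \
    --subnetwork="$(subnet_path "$HOST_PROJECT_ID" "$REGION" "$SUBNET")" \
    --enable-ip-alias \
    --cluster-secondary-range-name="$PODS_RANGE_NAME" \
    --services-secondary-range-name="$SERVICES_RANGE_NAME"
}

main() {
  enable_apis
  create_host_network
  enable_shared_vpc
  grant_subnet_network_user
  grant_host_service_agent_user
  create_environment
}

# Runs only when invoked as "sh script.sh apply"; sourcing just defines the functions.
if [ "${1:-}" = "apply" ]; then main; fi
```

Run with GCLOUD=echo first and review the printed commands, in particular the two members that receive compute.networkUser and the fact that the binding is on the subnetwork rather than the host project. Enabling Shared VPC and attaching projects needs the Shared VPC Admin role at the organization level, which is usually held by a different person than the one creating the environment.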