Deprovisioning XPN

This document describes how to deprovision an existing XPN setup. The procedures assume you have an existing XPN setup and want to remove it. See the Provisioning XPN page for information on how to set up XPN.

To safely deprovision an XPN setup, you must remove all dependencies on the host project before deleting the host project:

  1. Disable service project dependencies.

    1. Service project admin: Delete all the resources (instances, instance templates, instance groups, and forwarding rules) that are using shared subnets in the XPN host project.

    2. XPN admin:

      1. Remove XPN service projects from the XPN host project.
      2. Remove XPN host project status from the host project.
  2. The organization admin or XPN host project owner deletes the XPN host project.

  3. A service project admin deletes the XPN service project.

The exact steps are described in the following sections.

Deleting all resources associated with shared VPC networks

The service project admin must delete the resources (VM instances, instance templates, forwarding rules) associated with the shared VPC network. For example, to delete a VM instance named vm1:

gcloud compute instances delete vm1

Unlinking the service project and disabling the XPN host project

The XPN admin must unlink the service project from the host project.

gcloud beta compute xpn associated-projects \
    remove [XPN_SERVICE_PROJECT_ID] --host-project [XPN_HOST_PROJECT_ID]

Disable the host project from being an XPN host project.

gcloud beta compute xpn disable [XPN_HOST_PROJECT_ID]

Disabling XPN on the host project automatically removes the XPN lien that prevents the project from being easily deleted. Once the project is no longer an XPN host project, it can be deleted like any other project.

Deleting the former XPN host project

If you have completed all the steps above, then you can simply delete the former XPN host project like any other project.

gcloud projects delete [XPN_HOST_PROJECT_ID]

If you have not deprovisioned the XPN setup but still want to delete the XPN host project, you must first remove the XPN lien on the project.

Deleting the XPN service project

An XPN service project owner should delete the XPN service project.

Deleting an XPN service project is the same as deleting a regular standalone project. The owner or administrator of the service project must ensure that the project contains no resources that are still needed, and then delete the project. Deleting the project removes the association between the service project and the host project, and restores the host project's quota for the number of linked service projects.

Removing XPN liens and deleting active XPN host projects

To safeguard against outages due to accidental project deletion, a lien is automatically placed on any project enabled as an XPN host project. This lien prevents project deletion unless a project owner first removes it. The lien is automatically removed when the project is disabled as an XPN host project.

There are two circumstances in which liens must be removed manually:

  • If you want to delete an XPN host project without first disabling it as a host project, you must manually remove the XPN lien.
  • If you have created additional liens on the project, you must remove those liens manually.

An organization admin should remove the XPN host project lien. However, the XPN host project owner can remove the lien unless there is an organization policy preventing it. The organization policy should enforce the requirement that only a user with resourcemanager.projects.updateLiens permissions, the resourcemanager.lienModifier role at the organization level, or the Organization owner role can remove the lien on the XPN host project.

If such a policy is not enforced, manually removing an XPN lien requires the resourcemanager.projects.get and resourcemanager.projects.updateLiens permissions on the project, which are available to project owners.

Ramifications of deleting an XPN host project with services still attached:

  • Shared VPC network resources in the host project are also deleted.
  • Service project resources that use the shared VPC network resources in the host project will be stopped. This includes VM instances and forwarding rules for internal load balancers.
  • The host project can be recovered within a period of 30 days, at which point dependent service project resources can also be restarted.

To remove the XPN lien on a project:

  1. Get the liens associated with a project

    gcloud alpha resource-manager liens list \
        --project [XPN_HOST_PROJECT_ID]
    

  2. Remove the XPN lien

    gcloud alpha resource-manager liens delete [NAME] \
        --project [XPN_HOST_PROJECT_ID]
    

  3. Remove other liens if necessary.

The host project can now be deleted without first deprovisioning the XPN setup, though this is not recommended.
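The following pre-delete gate is an added example, not part of the original documentation. It reads lien listings as `NAME<TAB>ORIGIN` lines and prints, for each lien, the command from this page that clears it, returning success only when no liens remain. The function name, the sample lien names and project ID, the `--format` projection, and the origin string used to recognise the XPN lien are assumptions; confirm the origin against your own `liens list` output.

```shell
#!/bin/sh
# Added example: pre-delete gate for an XPN host project.
# Input on stdin: one lien per line, "NAME<TAB>ORIGIN", for example from
#   gcloud alpha resource-manager liens list --project [XPN_HOST_PROJECT_ID] \
#       --format='value(name,origin)'
# ASSUMPTION: the XPN lien is recognised by this origin string; override
# XPN_LIEN_ORIGIN if your `liens list` output shows a different value.
XPN_LIEN_ORIGIN="${XPN_LIEN_ORIGIN:-xpn.googleapis.com}"
TAB="$(printf '\t')"

# lien_gate PROJECT_ID
# Prints one remediation line per remaining lien.
# Returns 0 only when the project has no liens left, i.e. deletion is unblocked.
lien_gate() {
    project="$1"
    blockers=0
    while IFS="$TAB" read -r name origin; do
        [ -n "$name" ] || continue          # skip blank lines
        blockers=$((blockers + 1))
        if [ "$origin" = "$XPN_LIEN_ORIGIN" ]; then
            # XPN lien: disabling host status removes it automatically.
            echo "XPN $name: gcloud beta compute xpn disable $project"
        else
            # Additional lien: must be removed manually.
            echo "OTHER $name: gcloud alpha resource-manager liens delete $name --project $project"
        fi
    done
    [ "$blockers" -eq 0 ]
}

# Constructed sample listing (not real output): one XPN lien, one extra lien.
SAMPLE_LIENS="$(printf 'p0000-constructed-xpn\txpn.googleapis.com\np0000-constructed-ops\tops-team@example.com')"

if printf '%s\n' "$SAMPLE_LIENS" | lien_gate example-host-project; then
    echo "No liens remain: gcloud projects delete example-host-project"
else
    echo "Deletion blocked until the liens above are cleared."
fi
```
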
