Configure connectors in Shared VPC service projects
If your organization uses Shared VPC, you can set up Serverless VPC Access connectors in either the service project or the host project. This guide shows how to set up a connector in the service project.
If you need to set up a connector in the host project, see Configure connectors in the host project. To learn about the advantages of each method, see Connecting to a Shared VPC network.
At a high level, you must take the following steps:
- Grant permissions
- Create a subnet
- In the page Configuring Serverless VPC Access, complete the steps in the following sections:
Grant permissions to service accounts in your service projects
For each service project that will use VPC Connectors, a Shared VPC Admin must grant the Compute Network User role (compute.networkUser) in the host project to the service project cloudservices and vpcaccess service accounts.
To grant the role, use these commands:
    gcloud projects add-iam-policy-binding HOST_PROJECT_ID \
        --role "roles/compute.networkUser" \
        --member "serviceAccount:service-SERVICE_PROJECT_NUMBER@gcp-sa-vpcaccess.iam.gserviceaccount.com"
    gcloud projects add-iam-policy-binding HOST_PROJECT_ID \
        --role "roles/compute.networkUser" \
        --member "serviceAccount:SERVICE_PROJECT_NUMBER@cloudservices.gserviceaccount.com"
If the @gcp-sa-vpcaccess service account does not exist, turn on the Serverless VPC Access API in the service project and try again:
    gcloud services enable vpcaccess.googleapis.com
If you prefer not to grant these service accounts access to the entire Shared VPC network and would rather only grant access to specific subnets, you can instead grant these roles to these service accounts on specific subnets only.
Create a subnet
When using Shared VPC, the Shared VPC Admin must create a subnet for each connector. Follow the documentation in adding a subnet to add a /28 subnet to the Shared VPC network. This subnet must be in the same region as the serverless services that will use the connector.
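The permission grant and the subnet creation above, wrapped in shell functions as an added example; this is not code from the Google Cloud documentation. The function names are my own, the gcloud commands and flags are the real CLI ones (the subnet-scoped grant uses `gcloud compute networks subnets add-iam-policy-binding`, which is the "specific subnets only" option the page mentions), and every project ID, project number, network name, subnet name and IP range passed to the helpers is a placeholder. The helpers check the two things that most often go wrong when done by hand: the service-account e-mail addresses need the service project NUMBER (not its ID), and a connector subnet must be exactly a /28.

```shell
#!/bin/sh
# Added example, not from the Google Cloud documentation: shell helpers for the
# two steps on this page - granting roles/compute.networkUser in the host
# project to the service project's cloudservices and vpcaccess service
# accounts, and creating the /28 connector subnet. Every project ID, project
# number, network/subnet name and IP range given to these helpers is a placeholder.
set -eu

# Command used to reach Google Cloud; defaults to the real gcloud CLI. It is
# expanded unquoted on purpose so GCLOUD="echo gcloud" prints the commands
# instead of running them.
GCLOUD="${GCLOUD:-gcloud}"

# A service project NUMBER (not ID) goes into the service-account e-mail
# addresses, so reject anything that is not all digits before building them.
check_project_number() {
  case "$1" in
    ''|*[!0-9]*) echo "error: service project number must be numeric, got '$1'" >&2; return 1 ;;
  esac
}

# The two service accounts the page names, for service project number $1.
vpcaccess_member()     { echo "serviceAccount:service-$1@gcp-sa-vpcaccess.iam.gserviceaccount.com"; }
cloudservices_member() { echo "serviceAccount:$1@cloudservices.gserviceaccount.com"; }

# Turn on the Serverless VPC Access API in the service project; this is what
# creates the @gcp-sa-vpcaccess service account if it is missing.
enable_vpcaccess_api() {  # $1 = SERVICE_PROJECT_ID
  $GCLOUD services enable vpcaccess.googleapis.com --project "$1"
}

# Grant Compute Network User on the whole host project (the page's first option).
grant_network_user_project() {  # $1 = HOST_PROJECT_ID, $2 = SERVICE_PROJECT_NUMBER
  check_project_number "$2" || return 1
  for member in "$(vpcaccess_member "$2")" "$(cloudservices_member "$2")"; do
    $GCLOUD projects add-iam-policy-binding "$1" \
      --role "roles/compute.networkUser" \
      --member "$member"
  done
}

# Least-privilege alternative the page mentions: grant the same role on one
# subnet of the Shared VPC network instead of the entire host project.
grant_network_user_subnet() {  # $1 = HOST_PROJECT_ID, $2 = SERVICE_PROJECT_NUMBER, $3 = REGION, $4 = SUBNET
  check_project_number "$2" || return 1
  for member in "$(vpcaccess_member "$2")" "$(cloudservices_member "$2")"; do
    $GCLOUD compute networks subnets add-iam-policy-binding "$4" \
      --project "$1" --region "$3" \
      --role "roles/compute.networkUser" \
      --member "$member"
  done
}

# Create the connector subnet in the host project. Connector subnets must be
# a /28, and the region must match the serverless services that will use the
# connector, so both are taken explicitly and the prefix length is checked.
create_connector_subnet() {  # $1 = HOST_PROJECT_ID, $2 = NETWORK, $3 = REGION, $4 = SUBNET_NAME, $5 = CIDR
  case "$5" in
    *.*.*.*/28) ;;
    *) echo "error: connector subnet must be a /28 range, got '$5'" >&2; return 1 ;;
  esac
  $GCLOUD compute networks subnets create "$4" \
    --project "$1" --network "$2" --region "$3" --range "$5"
}

# Verification: list who holds roles/compute.networkUser on the host project,
# so the grant can be confirmed now and reviewed later without the console.
list_network_users() {  # $1 = HOST_PROJECT_ID
  $GCLOUD projects get-iam-policy "$1" \
    --flatten="bindings[].members" \
    --filter="bindings.role:roles/compute.networkUser" \
    --format="value(bindings.members)"
}
```

Typical use is `grant_network_user_project HOST_PROJECT_ID SERVICE_PROJECT_NUMBER` (or `grant_network_user_subnet HOST_PROJECT_ID SERVICE_PROJECT_NUMBER REGION SUBNET` for the narrower grant), then `create_connector_subnet HOST_PROJECT_ID NETWORK REGION SUBNET 10.8.0.0/28`, then `list_network_users HOST_PROJECT_ID` to confirm only the intended service accounts hold the role. Running with `GCLOUD="echo gcloud"` first shows exactly which bindings would be created before anything is changed.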
Next steps
- In the page Configuring Serverless VPC Access, complete the steps in the following sections: