To maintain a separation of billing, resources, or permissions, you might have several Google Cloud Platform (GCP) projects in your GCP organization. Because each interconnect has a fee and can take time to provision, you might want to share interconnects across multiple projects.
Use a shared VPC when possible. With shared VPC, you can share a network that's already connected (has VLAN attachments) to an interconnect. Then, all service projects can use the shared network and the connected interconnect.
If you can't use a shared VPC network, you can permit other projects within your GCP organization to use the interconnect. Users of those projects must have the compute.interconnects.use permission on the interconnect. However, this method is less cost efficient than a shared VPC network because each user must always create a connection to the interconnect (create a VLAN attachment), which has a fee.
In the typical Shared VPC setup, there are one or more host projects in which all networking resources are configured by a network admin, and there are associated service projects where resources are created and attached to the network in the host project.
For example, users in the associated service projects might create Compute instances in the common host project. Those instances will have access to the interconnects that are configured in the host network, in the region to which the instances belong.
When you use Shared VPC and Google Cloud Dedicated Interconnect, consider the following behaviors:
- Interconnect resources are only allowed in the host project. Users can't create interconnects in the service projects.
- A service project that is part of a Shared VPC network can use the Interconnect resources. Users can connect their own VPC network to the interconnect in the host project. In other words, they can create a VLAN attachment with an interconnect in the host project.
- VLAN attachments (InterconnectAttachments) can exist either in the host project or in a service project. A Cloud Router must exist in the project where the VLAN attachment is.
For more information about setting up a Shared VPC network, see Provisioning Shared VPC.
To use an interconnect in another project:
- Go to the VLAN attachments page in the Google Cloud Platform Console.
- Select Add to create a new VLAN attachment.
- Select In another project to specify an interconnect in another project.
  - Project ID — The name of the project that contains the interconnect, such as
  - Interconnect name — The name of the interconnect, such as
- Select Add VLAN attachment.
  - Name — A name for the attachment. This name is displayed in the console and used by the gcloud command-line tool to reference the interconnect, such as
  - Router — A Cloud Router to associate with this attachment. The Cloud Router must be in the VPC network that you want to connect to. If you don't have an existing Cloud Router, create one. Use any private ASN (64512-65535 or 4200000000-4294967294) for the BGP AS number.
- Select Create. The attachment takes a few moments to create.
- After the attachment is created, select Configure to add a BGP session to your Cloud Router's interface. The Google and Peer BGP IP addresses are already allocated by the VLAN attachment.
- After you've added a BGP session, select Save configuration. The BGP sessions are inactive until you configure BGP on your on-premises router.
You must have an existing Cloud Router in the network and region that you want to reach from your on-premises network. If you don't, create one before you create a VLAN attachment. When you create the Cloud Router, use any private ASN (64512-65535 or 4200000000-4294967294) for the BGP AS number.
Create an InterconnectAttachment, specifying the names of your interconnect and Cloud Router. The attachment allocates a VLAN on your interconnect that connects to the Cloud Router.
The following example creates an attachment for the my-interconnect interconnect that connects to the my-router Cloud Router, which is in the

    gcloud compute interconnects attachments create my-attachment \
        --region us-central1 \
        --router my-router \
        --interconnect projects/other-project/global/interconnects/my-interconnect

For the --interconnect flag, specify the fully qualified name of the interconnect, which includes the project name where the interconnect is located. Note that you must have IAM permissions to use the interconnect.
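A pre-flight check for the command above, as an added example that is not part of the original page: it confirms that the --interconnect value is fully qualified and names an expected project, and that the Cloud Router ASN falls in the private ranges given earlier. The function names, the allowed_projects allow-list and the name patterns are assumptions made for this example; nothing is executed, only the gcloud argument list is returned.

```python
import re
import shlex

# Private ASN ranges the page gives for the Cloud Router's BGP AS number.
PRIVATE_ASN_RANGES = ((64512, 65535), (4200000000, 4294967294))
# Shape of the fully qualified name passed to --interconnect (patterns assumed).
INTERCONNECT_RE = re.compile(
    r"projects/(?P<project>[a-z][-a-z0-9]{4,28}[a-z0-9])"
    r"/global/interconnects/(?P<name>[a-z](?:[-a-z0-9]{0,61}[a-z0-9])?)"
)


def is_private_asn(asn):
    """True if asn lies in one of the private ranges listed above."""
    return any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES)


def parse_interconnect(ref):
    """Split a fully qualified interconnect name into (project, name)."""
    m = INTERCONNECT_RE.fullmatch(ref)
    if m is None:
        raise ValueError(f"not a fully qualified interconnect name: {ref!r}")
    return m["project"], m["name"]


def plan_attachment(name, region, router, interconnect, router_asn, allowed_projects):
    """Validate the inputs and return the gcloud argv; nothing is executed."""
    project, _ = parse_interconnect(interconnect)
    # allowed_projects is a hypothetical allow-list of projects whose
    # interconnects this team is expected to attach to.
    if project not in allowed_projects:
        raise ValueError(f"interconnect project {project!r} is not on the allow-list")
    if not is_private_asn(router_asn):
        raise ValueError(f"ASN {router_asn} is outside the private ranges")
    return ["gcloud", "compute", "interconnects", "attachments", "create", name,
            "--region", region, "--router", router, "--interconnect", interconnect]


if __name__ == "__main__":
    # Values taken from the page's own example; the ASN is a constructed sample.
    argv = plan_attachment(
        "my-attachment", "us-central1", "my-router",
        "projects/other-project/global/interconnects/my-interconnect",
        router_asn=64512, allowed_projects={"other-project"},
    )
    print(shlex.join(argv))
```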
After you create the attachment, use the console or gcloud commands to configure BGP sessions on your Cloud Router.
On your on-premises router, configure a VLAN subinterface and a BGP peer by using the values allocated by your VLAN attachment. For more information, see Configuring On-premises Router.