Using Interconnects in Other Projects

You can use the same interconnect in different projects in the same organization by creating VLAN attachments in each of those projects. You can use separate projects to maintain a separation of billing and permissions.

This page describes how to create a VLAN attachment that uses an interconnect in a different project in your organization. It also covers some important background information.

VLAN attachments and interconnects

A VLAN attachment represents a usable portion of an interconnect, and it's possible to configure multiple VLAN attachments that use the same interconnect. In most cases, it's not necessary to create multiple interconnects; rather, you create multiple VLAN attachments that use the same interconnect.

VLAN attachments and VPC networks

When you create a VLAN attachment, you associate it with a project, a region, an existing Cloud Router, and an existing interconnect (either from the same project or a different project in the same organization). Though the VLAN attachment itself is not directly associated with a VPC network, it is indirectly tied to a single network because a Cloud Router can only be associated with a single VPC network. Therefore, the combination of a VLAN attachment and its Cloud Router is tied to a project and a network.

If you have multiple VLAN attachments for the same interconnect that are associated with different VPC networks, you must ensure that the VPC networks do not have any overlapping subnet IP address ranges. IP address ranges among all VPC networks and on-premises networks must be unique because the networks are connected to each other using the same interconnect.
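The uniqueness requirement above can be checked before a new attachment is created. The following is an added example, not part of the original page: the network names and ranges are constructed sample data, standing in for an inventory you would export from each project and from your on-premises addressing plan.

```python
import ipaddress
from itertools import combinations

# Constructed sample inventory: every range reachable through one interconnect,
# keyed by the VPC network (or on-premises site) that owns it.
SAMPLE_RANGES = {
    "vpc-prod (project-a)": ["10.10.0.0/20", "10.10.16.0/20"],
    "vpc-dev (project-b)": ["10.20.0.0/16", "10.10.24.0/22"],
    "on-premises": ["192.168.0.0/16", "10.20.128.0/17"],
}


def find_overlaps(ranges_by_network):
    """Return (net_a, cidr_a, net_b, cidr_b) for each overlapping pair of
    ranges that belong to different networks."""
    flat = [
        # strict=True rejects ranges with host bits set, which usually
        # indicates a typo in the inventory.
        (name, ipaddress.ip_network(cidr, strict=True))
        for name, cidrs in ranges_by_network.items()
        for cidr in cidrs
    ]
    conflicts = []
    for (name_a, net_a), (name_b, net_b) in combinations(flat, 2):
        if name_a == name_b:
            continue  # ranges inside one network are not compared here
        if net_a.version == net_b.version and net_a.overlaps(net_b):
            conflicts.append((name_a, str(net_a), name_b, str(net_b)))
    return conflicts


if __name__ == "__main__":
    for a, cidr_a, b, cidr_b in find_overlaps(SAMPLE_RANGES):
        print(f"OVERLAP: {cidr_a} in {a} conflicts with {cidr_b} in {b}")
```
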

Shared VPC considerations

In a Shared VPC scenario, the host project contains a common Shared VPC network usable by VMs in service projects. With Shared VPC, the VLAN attachments and Cloud Routers for an interconnect need to be created only in the Shared VPC host project. Because VMs in the service projects use the Shared VPC network, Service Project Admins do not need to create other VLAN attachments or Cloud Routers in the service projects themselves.

When using a Shared VPC Network with Dedicated Interconnect, consider the following:

  • VLAN attachments and Cloud Routers for Google Cloud Interconnect - Dedicated must exist in the Shared VPC host project, not in any service projects attached to the host project. When you create the Cloud Router to manage a VLAN attachment, you specify a particular VPC network. Effectively, the combination of a VLAN attachment and its associated Cloud Router is unique to a given Shared VPC network.

  • Service Project Admins can create VMs that use subnets in a Shared VPC network of a host project based on the permissions they have to the host project. VMs that use the Shared VPC network can use the custom dynamic routes for VLAN attachments available to that network.

For more information about setting up a Shared VPC network, see Provisioning Shared VPC.

Required permissions

To create the VLAN attachment and Cloud Router: Project owners, editors, or IAM members with the Network Admin role can create new VLAN attachments and Cloud Routers.

To use the interconnect from another project: Project owners, editors, or IAM members with the Network Admin role on that other project have access to all of its interconnects. The minimal permission required to use an interconnect in another project is the compute.interconnects.use permission on the project that contains the interconnect.

Procedure

To create a VLAN attachment that uses an interconnect from another project:

Console

  1. Go to the Cloud Interconnect VLAN attachments tab in the Google Cloud Platform Console.
  2. Select the project in which you need to create the VLAN attachment by using the project picker.
  3. Click Get started, select Dedicated Interconnect, then click Continue.
  4. Choose Add VLAN attachment to existing Dedicated Interconnect, then click Continue.
  5. On the Configure interconnect page, at the Choose an Interconnect step, select In another project. Enter the following information, then click Continue:
    • Project ID — Enter the project ID of the project that contains the interconnect.
    • Interconnect name — Enter the name of the interconnect.
  6. At the Attach VLANs step, click Add VLAN attachment. Provide the following information for the VLAN attachment, then click Done.
    • Name — Provide a name for the VLAN attachment.
    • Cloud Router — Choose an existing Cloud Router or create a new one. The Cloud Router you choose defines the region and VPC network to which your VLAN attachment will be available. The GCP ASN is also defined by the Cloud Router that you choose.
  7. Click Create. The attachment takes a few moments to create.
  8. After the attachment is created, click Configure to create a BGP session on the chosen Cloud Router. The Google and Peer BGP IP addresses are selected for you automatically.
  9. After you've added a BGP session, click Save configuration. The BGP session will not be active until you configure your on-premises router.

gcloud

  1. If you have not already created a Cloud Router, create one by using the following command:

    gcloud compute routers create [ROUTER_NAME] \
         --region=[REGION] \
         --asn=[GOOGLE_ASN] \
         --network=[NETWORK] \
         --project=[PROJECT_ID]
    

    Replace the placeholders with valid values:

    • [ROUTER_NAME] is a name you specify for your Cloud Router.
    • [REGION] is the GCP region in which your Cloud Router is created. This region must match the region used by the VLAN attachment.
    • [GOOGLE_ASN] is the private ASN (64512 - 65534, 4200000000 - 4294967294). It is used for all BGP sessions on the same Cloud Router, and it cannot be changed later.
    • [NETWORK] is the name of the network for which the Cloud Router will manage routes. This is the same network that your VLAN attachment will use.
    • [PROJECT_ID] is the ID for the project in which both the Cloud Router and VLAN attachment will exist. This project ID is different from the project where the interconnect is located.
  2. List interconnects in the project that contains your interconnects by using the following command, replacing [INTERCONNECT_PROJECT_ID] with that project's ID. Determine the name of the interconnect you need to use.

    gcloud compute interconnects list \
        --project=[INTERCONNECT_PROJECT_ID]
    

  3. Use the following command to determine the self link for the interconnect you need to use. Replace [INTERCONNECT_NAME] with its name, and [INTERCONNECT_PROJECT_ID] with the ID of the project that contains it:

    gcloud compute interconnects describe [INTERCONNECT_NAME] \
        --project=[INTERCONNECT_PROJECT_ID] \
        --format="get(selfLink)"
    

  4. Create the VLAN attachment by using the following command:

    gcloud compute interconnects attachments dedicated create [VLAN_ATTACHMENT_NAME] \
        --region=[REGION] \
        --router=[ROUTER_NAME] \
        --project=[PROJECT_ID] \
        --interconnect=[INTERCONNECT_SELF_LINK] \
        --candidate-subnets=[CANDIDATE_SUBNETS] \
        --vlan=[VLAN_ID]
    

    Replace the placeholders with valid values:

    • [VLAN_ATTACHMENT_NAME] is a name you specify for your VLAN attachment.
    • [REGION] must match the region of the associated Cloud Router.
    • [ROUTER_NAME] is the name of the Cloud Router from the first step.
    • [PROJECT_ID] is the ID for the project in which both the Cloud Router and VLAN attachment will exist. This project ID is different from the project where the interconnect is located.
    • [INTERCONNECT_SELF_LINK] is the self link for the interconnect that the VLAN attachment will use. Note that the self link includes the ID of the project that contains the interconnect itself.
    • --candidate-subnets=[CANDIDATE_SUBNETS] is an optional flag that allows you to specify comma-delimited ranges of link-local IP addresses (as [CANDIDATE_SUBNETS]) to be used for the BGP session that manages routes for the VLAN attachment. For more information, refer to the gcloud documentation.
    • --vlan=[VLAN_ID] is an optional flag that allows you to specify a VLAN ID. For more information, refer to the gcloud documentation.
  5. Describe the VLAN attachment you just created by using the following command, replacing [VLAN_ATTACHMENT_NAME] with its name, [REGION] with its region, and [PROJECT_ID] with its project:

    gcloud compute interconnects attachments dedicated describe [VLAN_ATTACHMENT_NAME] \
        --region=[REGION] \
        --project=[PROJECT_ID] \
        --format="get(cloudRouterIpAddress,customerRouterIpAddress,tag8021q)"
    

    Note the following:

    • cloudRouterIpAddress is the BGP IP address that will be used by the BGP session on the associated Cloud Router.
    • customerRouterIpAddress is the BGP IP address that you will use to configure the BGP session on your on-premises router.
    • tag8021q is the VLAN ID, which you might have specified manually in the previous step.
  6. Create an interface on the Cloud Router using the following command:

    gcloud compute routers add-interface [ROUTER_NAME] \
        --interconnect-attachment=[VLAN_ATTACHMENT_NAME] \
        --region=[REGION] \
        --interface-name=[INTERFACE_NAME] \
        --project=[PROJECT_ID] \
        --ip-address=[CLOUD_ROUTER_IP] \
        --mask-length=29
    

    Replace the placeholders with valid values:

    • [ROUTER_NAME] is the name of the Cloud Router from the first step.
    • [VLAN_ATTACHMENT_NAME] is the name of the VLAN attachment you created and described in these steps.
    • [REGION] is the region used by the Cloud Router and VLAN attachment.
    • [INTERFACE_NAME] is a name you specify for the new interface on the Cloud Router.
    • [PROJECT_ID] is the ID for the project in which both the Cloud Router and VLAN attachment will exist. This project ID is different from the project where the interconnect is located.
    • [CLOUD_ROUTER_IP] is the cloudRouterIpAddress you determined in the previous step.
  7. Add a BGP peer to the new interface on the Cloud Router using the following command:

    gcloud compute routers add-bgp-peer [ROUTER_NAME] \
        --region=[REGION] \
        --interface-name=[INTERFACE_NAME] \
        --peer-name=[BGP_PEER_NAME] \
        --project=[PROJECT_ID] \
        --peer-ip-address=[CUSTOMER_ROUTER_IP] \
        --peer-asn=[PEER_ASN] \
        --advertised-route-priority=[PRIORITY] \
        --advertisement-mode=[ADVERTISEMENT_MODE]
    

    Replace the placeholders with valid values:

    • [ROUTER_NAME] is the name of the Cloud Router from the first step.
    • [REGION] is the region used by the Cloud Router and VLAN attachment.
    • [INTERFACE_NAME] is the name of the interface you created in the previous step.
    • [BGP_PEER_NAME] is a name you specify for the BGP peer.
    • [PROJECT_ID] is the ID for the project in which both the Cloud Router and VLAN attachment will exist. This project ID is different from the project where the interconnect is located.
    • [CUSTOMER_ROUTER_IP] is the BGP IP address for your on-premises router. This is the customerRouterIpAddress you noted when you described your VLAN attachment.
    • [PEER_ASN] is the ASN for your on-premises router.
    • --advertised-route-priority=[PRIORITY] is an optional flag you can use to set the base priority for the “to Google” routes that the Cloud Router will share with the on-premises router. Refer to route metrics in the Cloud Router documentation for more details about this option and the base metric.
    • --advertisement-mode=[ADVERTISEMENT_MODE] is an optional flag you can use if you want to customize the “to Google” routes advertised by the Cloud Router. Refer to route advertisements in the Cloud Router documentation for information about default and custom advertisements.
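A pre-flight check for the values passed to the gcloud steps above, as an added example that is not part of the original page. It assumes the usual Compute Engine self-link layout (.../projects/PROJECT/global/interconnects/NAME), that a candidate range must be large enough to hold the /29 used for the router interface, and a hypothetical allow-list of projects whose interconnects your team is permitted to attach to; the project and interconnect names in the usage are constructed.

```python
import ipaddress
import re

# Private ASN ranges as listed for [GOOGLE_ASN] in step 1.
PRIVATE_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
# Assumed self-link layout; the project ID is embedded in the URL.
SELF_LINK_RE = re.compile(
    r"https://www\.googleapis\.com/compute/[^/]+/projects/"
    r"(?P<project>[^/]+)/global/interconnects/(?P<name>[^/]+)"
)


def preflight(google_asn, self_link, allowed_projects, candidate_subnets=()):
    """Return a list of problems; an empty list means the inputs look sane."""
    problems = []
    if not any(lo <= google_asn <= hi for lo, hi in PRIVATE_ASN_RANGES):
        problems.append(f"ASN {google_asn} is outside the private ASN ranges")

    match = SELF_LINK_RE.fullmatch(self_link)
    if match is None:
        problems.append("self link is not an interconnect URL")
    elif match["project"] not in allowed_projects:
        # The attachment would bind to an interconnect owned by a project
        # nobody approved for this use.
        problems.append(f"interconnect project {match['project']} is not approved")

    for cidr in candidate_subnets:
        try:
            net = ipaddress.ip_network(cidr)
        except ValueError:
            problems.append(f"{cidr}: not a valid CIDR range")
            continue
        if net.version != 4 or not net.subnet_of(LINK_LOCAL):
            problems.append(f"{cidr}: not inside link-local space {LINK_LOCAL}")
        elif net.prefixlen > 29:
            problems.append(f"{cidr}: too small to hold a /29")
    return problems


if __name__ == "__main__":
    link = ("https://www.googleapis.com/compute/v1/projects/"
            "net-hub-example/global/interconnects/ic-example")  # constructed
    print(preflight(65001, link, {"net-hub-example"}, ["169.254.10.0/29"]))
```
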

What's next

On your on-premises router, configure a VLAN subinterface and a BGP peer by using the values allocated by your VLAN attachment. For more information, see Configuring On-premises Router.
