This page describes how to create a VLAN attachment that uses a Dedicated Interconnect connection located in a different project than the attachment's project. Using separate projects can also help you maintain separate billing and permissions.
Dedicated Interconnect connections enable you to connect your on-premises network to multiple Virtual Private Cloud (VPC) networks by adding multiple VLAN attachments to that connection. You can create a VLAN attachment from a connection in one project to a VPC network in another project, as long as they are both in the same organization.
When using Partner Interconnect, you still create VLAN attachments to the VPC networks that you want to use. However, because the service provider manages the connection on your behalf, you don't have to be concerned about organization restrictions on the connection.
A VLAN attachment that is used with either type of connection can use Shared VPC or VPC Network Peering to share the connectivity between multiple VPC networks.
If you have VLAN attachments associated with multiple VPC networks that have overlapping IP ranges, the conflicting IP ranges might cause traffic to be routed incorrectly by one or more of your on-premises devices. To avoid this issue, we recommend that you assign unique IP ranges to all of your VPC subnets by configuring subnets in a VPC custom mode network.
For more information, see Options for connecting to multiple VPC networks.
If you are using VLAN attachments located in different regions than your Dedicated Interconnect connection, then change your VPC network's dynamic routing mode to Global.
Required permissions
To create the VLAN attachment and Cloud Router: Project owners,
editors, or Identity and Access Management (IAM) principals with the
Network Admin role
(roles/compute.networkAdmin) can create new VLAN attachments and
Cloud Routers.
To use the Dedicated Interconnect connection from another project: Project owners,
editors, or IAM principals with the Network Admin role
(roles/compute.networkAdmin) to that other project have access to all of its
connections. The minimal permission required to use a connection in another
project is the compute.interconnects.use permission on the project that
contains the connection.
Create a VLAN attachment
To create a VLAN attachment that uses a Dedicated Interconnect connection from another project, follow these steps.
Console
In the Google Cloud console, go to the Interconnect Hybrid Connectivity page.
Select the project in which you need to create a VLAN attachment by using the project picker.
Click Create VLAN attachments, and then select Dedicated Interconnect connection.
In the Encrypt interconnect section, select Set up unencrypted Interconnect, and then click Continue.
On the Choose an Interconnect page, select In another project. Enter the following information:
- Project ID: Enter the project ID of the project that contains the Dedicated Interconnect connection.
- Interconnect name: Enter the name of the connection.
Click Continue.
For VLAN attachments, click Add VLAN attachment. Provide the following information for the VLAN attachment:
- Name: Specify a name for the VLAN attachment.
- Cloud Router: Choose an existing Cloud Router or create a new one. The Cloud Router that you choose defines the region and VPC network to which your VLAN attachment is available. The Google Cloud ASN is also defined by the Cloud Router that you choose.
Click Done, and then click Create. The attachment takes a few minutes to create.
After the attachment is created, click Configure to create a BGP session on the chosen Cloud Router. The Google and Peer BGP IP addresses are selected for you automatically.
After you add the BGP session, click Save configuration. The BGP session is not active until you configure your on-premises router.
gcloud
If you have not already created a Cloud Router, create one by running the following command:
gcloud compute routers create ROUTER_NAME \ --region=REGION \ --asn=GOOGLE_ASN \ --network=NETWORK \ --project=PROJECT_IDReplace the following:
ROUTER_NAME: a name that you specify for your Cloud RouterREGION: the Google Cloud region in which your Cloud Router is created; this region must match the region used by the VLAN attachmentGOOGLE_ASN: the private ASN (64512 - 65534,4200000000 - 4294967294); it is used for all BGP sessions on the same Cloud Router, and it cannot be changed laterNETWORK: the name of the network to which the Cloud Router manages routes; this is the same network that your VLAN attachment usesPROJECT_ID: the ID for the project in which both the Cloud Router and VLAN attachment exist; this project ID is different from the project where the connection is located
List Dedicated Interconnect connections in the project that contains your connections:
gcloud compute interconnects list \ --project=INTERCONNECT_PROJECT_IDReplace
INTERCONNECT_PROJECT_IDwith that project's ID. Determine the name of the connection that you need to use.Determine the self link for the connection that you need to use:
gcloud compute interconnects describe INTERCONNECT_NAME \ --project=INTERCONNECT_PROJECT_ID \ --format="get(selfLink)"Replace
INTERCONNECT_NAMEwith its name, andINTERCONNECT_PROJECT_IDwith the ID of the project that contains it.Create the VLAN attachment:
gcloud compute interconnects attachments dedicated create VLAN_ATTACHMENT_NAME \ --region=REGION \ --router=ROUTER_NAME \ --project=PROJECT_ID \ --interconnect=INTERCONNECT_SELF_LINK \ [--candidate-subnets=CANDIDATE_SUBNETS] \ [--vlan=VLAN_ID]Replace the following:
VLAN_ATTACHMENT_NAME: a name that you specify for your VLAN attachmentREGION: must match the same region as the associated Cloud RouterROUTER_NAME: the name of the Cloud Router from the first stepPROJECT_ID: the ID for the project in which both the Cloud Router and VLAN attachment exist; this project ID is different from the project where the connection is locatedINTERCONNECT_SELF_LINK: the self link for the connection that the VLAN attachment uses; the self link includes the ID of the project that contains the connection itselfCANDIDATE_SUBNETS: an optional flag that lets you specify comma-delimited ranges of link-local IP addresses (asCANDIDATE_SUBNETS) to be used for the BGP session that manages routes for the VLAN attachment; for more information, see the Google Cloud CLI documentationVLAN_ID: an optional flag that lets you specify a VLAN ID; for more information, see the Google Cloud CLI documentation
Describe the VLAN attachment that you just created:
gcloud compute interconnects attachments dedicated describe VLAN_ATTACHMENT_NAME \ --region=REGION \ --project=PROJECT_ID \ --format="get(cloudRouterIpAddress,customerRouterIpAddress,tag8021q)"Replace the following:
VLAN_ATTACHMENT_NAME: its nameREGION: its regionPROJECT_ID: its project ID
Note the following:
cloudRouterIpAddressis the BGP IP address that is used by the BGP session on the associated Cloud Router.customerRouterIpAddressis the BGP IP address that you use to configure the BGP session on your on-premises router.tag8021qis the VLAN ID, which you might have specified manually in the previous step.
Create an interface on the Cloud Router:
gcloud compute routers add-interface ROUTER_NAME \ --interconnect-attachment=VLAN_ATTACHMENT_NAME \ --region=REGION \ --interface-name=INTERFACE_NAME \ --project=PROJECT_ID \ --ip-address=CLOUD_ROUTER_IP \ --mask-length=29Replace the following:
ROUTER_NAME: the name of the Cloud Router from the first stepVLAN_ATTACHMENT_NAME: the name of the VLAN attachment that you created and described in these stepsREGION: the region used by the Cloud Router and VLAN attachmentINTERFACE_NAME: a name that you specify for the new interface on the Cloud RouterPROJECT_ID: the ID for the project in which both the Cloud Router and VLAN attachment exist; this project ID is different from the project where the connection is locatedCLOUD_ROUTER_IP: thecloudRouterIpAddressthat you determined in the previous step
Add a BGP peer to the new interface on the Cloud Router:
gcloud compute routers add-bgp-peer ROUTER_NAME \ --region=REGION \ --interface-name=INTERFACE_NAME \ --peer-name=BGP_PEER_NAME \ --project=PROJECT_ID \ --peer-ip-address=CUSTOMER_ROUTER_IP \ --peer-asn=PEER_ASN \ [--advertised-route-priority=PRIORITY] \ [--advertisement-mode=ADVERTISEMENT_MODE]Replace the following:
ROUTER_NAME: the name of the Cloud Router from the first stepREGION: the region used by the Cloud Router and VLAN attachmentINTERFACE_NAME: the name of the interface that you created in the previous stepBGP_PEER_NAME: a name that you specify for the BGP peerPROJECT_ID: the ID for the project in which both the Cloud Router and VLAN attachment exist; this project ID is different from the project where the connection is locatedCUSTOMER_ROUTER_IP: the BGP IP address for your on-premises router; this is thecustomerRouterIpAddressthat you noted when you described your VLAN attachmentPEER_ASN: the ASN for your on-premises routerPRIORITY: an optional flag that you can use to set the base priority for the "to Google" routes that the Cloud Router shares with the on-premises router; for more details about this option and the base metric, see Advertised prefixes and prioritiesADVERTISEMENT_MODE: an optional flag that you can use if you want to customize the "to Google" routes advertised by the Cloud Router; for information about default and custom advertisements, see route advertisements
What's next
To configure a VLAN subinterface and a BGP peer on your on-premises router by using the values allocated by your VLAN attachment, see Configure on-premises routers.
To create a Dedicated Interconnect connection, see the Dedicated Interconnect provisioning overview.
To learn more about Cloud Interconnect options, see the Cloud Interconnect overview.
To help you solve common issues that you might encounter when using Cloud Interconnect, see Troubleshooting.