This page provides an overview of the Network Connectivity Center hub administrator role
(roles/networkconnectivity.hubAdmin).
An Identity and Access Management (IAM) principal who has the hub administrator role can
do the following:
- Create a hub and create Virtual Private Cloud (VPC) spokes for VPC networks that are in the same project as the hub.
- Give access to spoke administrators so they can create VPC spoke proposals for VPC networks located in different projects.
- Review, accept, and reject VPC spoke proposals.
- View hub route tables.
Custom roles can also be used if they at least include the same permissions of the Network Connectivity Center hub administrator role.
How VPC spokes join a hub
If a VPC network and a Network Connectivity Center hub are located in the same project, creating a VPC spoke for the VPC network immediately establishes connectivity to the hub without any additional steps.
If a VPC network and a Network Connectivity Center hub are located in different projects, the process for creating a VPC spoke is as follows:
- A hub administrator establishes IAM policy bindings that let spoke administrators in other projects create VPC spoke proposals. Note: Hub administrators can change IAM policy bindings at any time. For example, a hub administrator might revoke access later, preventing a spoke administrator from creating additional spoke proposals.
- A spoke administrator proposes a VPC spoke.
- A hub administrator reviews each spoke proposal, and then accepts or rejects
the proposal. The following describes how hub connectivity works following
accepting or rejecting a proposal:
- A spoke becomes active only after a hub administrator accepts the spoke proposal. Network Connectivity Center only provides network connectivity to active spokes.
- A hub administrator can reject a previously accepted VPC spoke, making the spoke inactive. When a previously active VPC spoke becomes inactive, Network Connectivity Center does not provide network connectivity to the spoke.
The hub route table
Each Network Connectivity Center hub has one read-only route table that shows subnet
routes imported from the VPC spokes. When a new
VPC spoke is created, all local subnet routes from the
VPC network are exported to the hub unless the spoke
administrator uses the exclude-export-ranges
flag
in the Google Cloud CLI or the excludeExportRanges field in the API. For more
information, see subnet route
uniqueness.
Google Cloud automatically updates the VPC network route table of each VPC spoke and the Network Connectivity Center hub route table when any of the following occur:
- You perform a subnet lifecycle activity, such as adding or deleting a subnet.
- VPC spokes are added to or removed from the hub.
For more information, see Route tables that show subnet routes and Routes in the VPC documentation.
What's next
- To create hubs and spokes, see Work with hubs and spokes.
- To view a list of partners whose solutions are integrated with Network Connectivity Center, see Network Connectivity Center partners.
- To find solutions for Router appliance issues, see Troubleshooting.
- To get details about API and
gcloudcommands, see APIs and reference.