Hub administration overview

This page provides an overview of the Network Connectivity Center hub administrator role (roles/networkconnectivity.hubAdmin). An Identity and Access Management (IAM) principal who has the hub administrator role can do the following:

Custom roles can also be used if they include at least the same permissions as the Network Connectivity Center hub administrator role.

How VPC spokes join a hub

If a VPC network and a Network Connectivity Center hub are located in the same project, creating a VPC spoke for the VPC network immediately establishes connectivity to the hub without any additional steps.

If a VPC network and a Network Connectivity Center hub are located in different projects, the process for creating a VPC spoke is as follows:

  1. A hub administrator establishes IAM policy bindings that let spoke administrators in other projects create VPC spoke proposals. Note: Hub administrators can change IAM policy bindings at any time. For example, a hub administrator might revoke access later, preventing a spoke administrator from creating additional spoke proposals.
  2. A spoke administrator proposes a VPC spoke.
  3. A hub administrator reviews each spoke proposal, and then accepts or rejects the proposal. Hub connectivity after a proposal is accepted or rejected works as follows:
    • A spoke becomes active only after a hub administrator accepts the spoke proposal. Network Connectivity Center only provides network connectivity to active spokes.
    • A hub administrator can reject a previously accepted VPC spoke, making the spoke inactive. When a previously active VPC spoke becomes inactive, Network Connectivity Center does not provide network connectivity to the spoke.

The hub route table

Each Network Connectivity Center hub has one read-only route table that shows subnet routes imported from the VPC spokes. When a new VPC spoke is created, all local subnet routes from the VPC network are exported to the hub unless the spoke administrator uses the exclude-export-ranges flag in the Google Cloud CLI or the excludeExportRanges field in the API. For more information, see subnet route uniqueness.
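The cross-project admission procedure above and the hub route table it feeds, as an added example that is not part of the original page and not Google's code or API: a small Python model that encodes the stated rules (same-project spokes connect immediately, cross-project spokes need an IAM binding to be proposed and a hub administrator to accept them, only active spokes contribute routes, excluded ranges are withheld) and then runs a constructed two-project scenario against them. Three things are assumptions marked in the code: the name of the role the hub administrator binds for spoke administrators (the page does not name it), that a subnet is excluded when it lies entirely inside an excludeExportRanges value, and that a route overlapping one already imported from another active spoke is refused at acceptance (the behaviour the page refers to as subnet route uniqueness).

```python
"""Model of VPC-spoke admission and the hub route table (added illustration,
not Google's code or API). It encodes the rules the page states so their
consequences can be checked on constructed data; assumptions are marked."""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_network
from typing import Dict, List, Set, Tuple

HUB_ADMIN_ROLE = "roles/networkconnectivity.hubAdmin"
# Hypothetical name: the page says the hub administrator binds a role that lets
# spoke administrators propose spokes, but does not name it.
SPOKE_PROPOSER_ROLE = "roles/networkconnectivity.spokeProposer"


@dataclass
class VpcSpoke:
    name: str
    project: str                                # project owning the VPC network
    subnets: List[IPv4Network]                  # local subnet routes of the VPC
    exclude_export_ranges: List[IPv4Network] = field(default_factory=list)
    state: str = "PROPOSED"                     # PROPOSED -> ACTIVE -> INACTIVE

    def exported_routes(self) -> List[IPv4Network]:
        # Assumption: a subnet route is withheld when it lies entirely inside
        # one of the excludeExportRanges values.
        return [s for s in self.subnets
                if not any(s.subnet_of(x) for x in self.exclude_export_ranges)]


class Hub:
    def __init__(self, project: str, admin: str):
        self.project = project
        self.bindings: Dict[str, Set[str]] = {HUB_ADMIN_ROLE: {admin}}
        self.spokes: Dict[str, VpcSpoke] = {}

    def _require(self, actor: str, role: str) -> None:
        if actor not in self.bindings.get(role, set()):
            raise PermissionError(f"{actor} lacks {role} on the hub in {self.project}")

    # Hub administrator operations; bindings can be changed at any time.
    def grant(self, actor: str, member: str, role: str) -> None:
        self._require(actor, HUB_ADMIN_ROLE)
        self.bindings.setdefault(role, set()).add(member)

    def revoke(self, actor: str, member: str, role: str) -> None:
        self._require(actor, HUB_ADMIN_ROLE)
        self.bindings.get(role, set()).discard(member)

    def accept(self, actor: str, spoke_name: str) -> None:
        self._require(actor, HUB_ADMIN_ROLE)
        spoke = self.spokes[spoke_name]
        # Assumption (subnet route uniqueness): a route overlapping one already
        # imported from another active spoke cannot be admitted.
        for prefix, owner in self.route_table():
            for new in spoke.exported_routes():
                if owner != spoke.name and prefix.overlaps(new):
                    raise ValueError(f"{new} from {spoke.name} overlaps {prefix} from {owner}")
        spoke.state = "ACTIVE"

    def reject(self, actor: str, spoke_name: str) -> None:
        self._require(actor, HUB_ADMIN_ROLE)
        self.spokes[spoke_name].state = "INACTIVE"  # works on proposed or active spokes

    # Spoke administrator operation.
    def propose(self, actor: str, spoke: VpcSpoke) -> VpcSpoke:
        if spoke.project == self.project:
            spoke.state = "ACTIVE"                  # same project: no proposal step
        else:
            self._require(actor, SPOKE_PROPOSER_ROLE)
        self.spokes[spoke.name] = spoke
        return spoke

    # The read-only hub route table: exported subnet routes of active spokes only.
    def route_table(self) -> List[Tuple[IPv4Network, str]]:
        rows = [(p, s.name) for s in self.spokes.values()
                if s.state == "ACTIVE" for p in s.exported_routes()]
        return sorted(rows, key=lambda r: (int(r[0].network_address), r[0].prefixlen))


def _attempt(fn) -> str:
    """Run an operation and report 'ok' or the exception class it raised."""
    try:
        fn()
        return "ok"
    except (PermissionError, ValueError) as exc:
        return type(exc).__name__


def demo() -> dict:
    """Constructed scenario: two projects, one hub, a 10.0.0.0/24 used in both."""
    admin, spoke_admin = "hub-admin@example.com", "spoke-admin@example.com"
    hub, out = Hub(project="hub-proj", admin=admin), {}
    hub.propose(admin, VpcSpoke("shared-vpc", "hub-proj", [ip_network("10.0.0.0/24")]))
    out["same_project_state"] = hub.spokes["shared-vpc"].state
    app = VpcSpoke("app-vpc", "app-proj", [ip_network("10.0.0.0/24"), ip_network("10.1.0.0/24")],
                   exclude_export_ranges=[ip_network("10.0.0.0/24")])  # keep the clash local
    out["without_binding"] = _attempt(lambda: hub.propose(spoke_admin, app))
    hub.grant(admin, spoke_admin, SPOKE_PROPOSER_ROLE)
    hub.propose(spoke_admin, app)
    out["before_accept"] = [str(p) for p, _ in hub.route_table()]
    hub.accept(admin, "app-vpc")
    out["after_accept"] = [f"{p} via {s}" for p, s in hub.route_table()]
    hub.propose(spoke_admin, VpcSpoke("app2-vpc", "app-proj", [ip_network("10.1.0.128/25")]))
    out["overlap"] = _attempt(lambda: hub.accept(admin, "app2-vpc"))
    hub.reject(admin, "app-vpc")                         # demote an active spoke
    out["after_reject"] = [str(p) for p, _ in hub.route_table()]
    hub.revoke(admin, spoke_admin, SPOKE_PROPOSER_ROLE)  # blocks new proposals only
    out["after_revoke"] = _attempt(lambda: hub.propose(
        spoke_admin, VpcSpoke("app3-vpc", "app-proj", [ip_network("10.2.0.0/24")])))
    out["app2_state"] = hub.spokes["app2-vpc"].state     # untouched by the revocation
    return out
```

Calling `demo()` walks the lifecycle end to end: the same-project spoke is active at once, the cross-project proposal is refused until the binding exists, the proposed spoke contributes nothing to the route table until it is accepted, the excluded 10.0.0.0/24 never reaches the hub while 10.1.0.0/24 does, the overlapping 10.1.0.128/25 is refused, rejecting the active spoke removes its routes, and revoking the binding stops further proposals without changing the state of spokes already proposed. In the real product the equivalent operations are performed with the `gcloud network-connectivity` command group or the Network Connectivity API, where the exclusion is the `exclude-export-ranges` flag or `excludeExportRanges` field mentioned above.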

Google Cloud automatically updates the VPC network route table of each VPC spoke and the Network Connectivity Center hub route table when any of the following occur:

For more information, see Route tables that show subnet routes and Routes in the VPC documentation.

What's next