Spoke administration overview

This page provides an overview of the spoke administrator or network administrator role.

As a VPC spoke administrator, you can configure a VPC network as a Network Connectivity Center spoke and request the spoke to join a hub in another project or organization. Only the hub administrator can review and approve a spoke's request to join a hub. If the hub administrator accepts the spoke's request to join, the spoke is attached to the hub and becomes active. The hub administrator can also reject the proposed join request for the spoke.

You can also check the status of a VPC spoke that you have proposed and sent to the hub administrator for review.

To complete your tasks, you need the following roles or permissions from the hub administrator of the hub that you want your spoke to attach to:

  • Permissions

    networkconnectivity.groups.use

  • Roles

    roles/networkconnectivity.groupUser

For more information, see the following sections.

Operational considerations for spoke administrators

Before creating VPC spokes, consider the following guidelines:

  • VPC spokes are global because VPC networks are global.
  • There must be no subnet overlaps across VPC spokes on the same hub. You can avoid subnet overlaps by using the exclude-export-ranges flag in Google Cloud CLI or the excludeExportRanges field in the API.
  • There cannot be a subnet overlap between VPC peers of a VPC spoke and other VPC spokes. For example, if VPC spokes A and B are attached to the same hub and VPC spoke B is connected to VPC network C through VPC peering, no overlap is allowed between VPC A subnets and VPC C subnets.
  • If the hub and the VPC spokes are in different projects, spokes become active only after the hub administrator accepts them.
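
One way to check the two overlap rules above before proposing a spoke, as an added example that is not part of the original page. The spoke names and ranges are constructed, and the script assumes a subnet is withheld from the hub when it lies entirely inside one of the spoke's excluded export ranges.

```python
import ipaddress
from itertools import combinations

# Constructed inventory: spoke names and ranges are hypothetical sample data.
# "peer_subnets" holds subnets of networks attached to the spoke by VPC peering.
SPOKES = {
    "spoke-a": {"subnets": ["10.0.0.0/24", "10.1.0.0/16"],
                "exclude": [], "peer_subnets": []},
    "spoke-b": {"subnets": ["10.2.0.0/24", "10.1.5.0/24"],
                "exclude": ["10.1.5.0/24"],
                "peer_subnets": ["10.0.0.128/25"]},
}

def exported(spoke):
    """Subnets a spoke sends to the hub. Assumption: a subnet is withheld
    when it lies entirely inside one of the spoke's excluded export ranges."""
    excluded = [ipaddress.ip_network(r) for r in spoke["exclude"]]
    subnets = [ipaddress.ip_network(s) for s in spoke["subnets"]]
    return [n for n in subnets
            if not any(n.version == e.version and n.subnet_of(e)
                       for e in excluded)]

def find_conflicts(spokes):
    """Return sorted (rule, spoke, range, other_spoke, other_range) tuples."""
    exp = {name: exported(s) for name, s in spokes.items()}
    conflicts = set()
    # Rule 1: exported subnets of two spokes on the same hub must not overlap.
    for a, b in combinations(sorted(spokes), 2):
        for x in exp[a]:
            for y in exp[b]:
                if x.overlaps(y):
                    conflicts.add(("spoke-spoke", a, str(x), b, str(y)))
    # Rule 2: subnets of a spoke's VPC peers must not overlap other spokes.
    for b, spoke in spokes.items():
        for p in map(ipaddress.ip_network, spoke["peer_subnets"]):
            for a in spokes:
                if a == b:
                    continue
                for x in exp[a]:
                    if p.overlaps(x):
                        conflicts.add(("peer-spoke", b, str(p), a, str(x)))
    return sorted(conflicts)

if __name__ == "__main__":
    for conflict in find_conflicts(SPOKES):
        print(conflict)
```

In the sample data, the excluded range on spoke-b removes its collision with spoke-a, but the subnet of spoke-b's peer still overlaps spoke-a and is reported.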

VPC route tables

A VPC route table lets you see which Network Connectivity Center subnet routes are reachable from your VPC spokes. You can also use the hub route table to view the reachable subnet routes. However, to access the hub route table, you must have the necessary IAM roles or permissions from the hub administrator.

If you are a spoke administrator, the VPC route table is updated when you update the topology of a Network Connectivity Center hub. This includes updates when you create or delete VPC spokes. The VPC route table is also updated when you create, update, or delete subnets in a VPC spoke.

A Network Connectivity Center VPC subnet route has the hub as a next hop. To determine the actual next hop VPC network, see View the hub route table and routes.

The name of a Network Connectivity Center-VPC subnet route starts with the ncc-subnet-route- prefix. For more information, see REST Resource: routes.

What's next