Deprovisioning Shared VPC

This page describes how to deprovision an existing Shared VPC configuration, disconnecting all service projects from a Shared VPC host project. Deprovisioning is a one-way process. Please make sure you are familiar with the Shared VPC Overview and Provisioning Shared VPC pages first.

Service Project Admin Tasks

In each service project attached to the Shared VPC host project, a Service Project Admin must remove all dependencies on the host project. Dependencies include instances, instance groups, instance templates, and forwarding rules for Internal Load Balancing.

Determine affected resources

To identify resources that depend on the Shared VPC host project, a Service Project Admin can list its shared subnets. When the service project is detached from the host project, these subnets will no longer be available to it; thus, any resources that depend on them will be affected.

Delete resources

Once a Service Project Admin has identified the resources that will be affected by the deprovisioning process, those resources need to be deleted before the service project is detached.
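The two Service Project Admin tasks above (listing the shared subnets a service project can use, then finding the resources that depend on them) can be done from one read-only script. The following is an added example, not code from the Shared VPC documentation. It assumes gcloud is installed and authenticated as a Service Project Admin, that the project IDs are passed as arguments, and that the filter field paths (networkInterfaces.subnetwork and so on) match the Compute API resource shapes; it reports but never deletes anything.

```shell
#!/bin/sh
# Added example, not part of the Shared VPC documentation: read-only inventory
# of what a service project would lose when it is detached from its host
# project. Assumes gcloud is installed and authenticated as a Service Project
# Admin; SERVICE_PROJECT_ID and HOST_PROJECT_ID are supplied by the caller.
set -eu

# Shared subnets the service project can currently use, printed as
# "region/subnet". list-usable returns full subnetwork URLs, so sed keeps
# only the region and subnet components.
shared_subnets() {
  gcloud compute networks subnets list-usable \
    --project "$1" --format='value(subnetwork)' \
  | sed -n 's#.*/regions/\([^/]*\)/subnetworks/\([^/]*\)$#\1/\2#p'
}

# Resources in the service project that reference a subnet owned by the host
# project. Each entry pairs a gcloud resource kind with the field holding the
# subnetwork URL for that kind (field paths are assumptions based on the
# Compute API resource shapes); "~" is gcloud's regex match operator.
report_dependents() {
  service_project=$1
  host_project=$2
  for pair in \
    "instances:networkInterfaces.subnetwork" \
    "instance-templates:properties.networkInterfaces.subnetwork" \
    "instance-groups:subnetwork" \
    "forwarding-rules:subnetwork"
  do
    kind=${pair%%:*}
    field=${pair#*:}
    gcloud compute "$kind" list --project "$service_project" \
      --filter="$field ~ projects/$host_project/" \
      --format='value(name)' \
    | sed "s/^/$kind: /"
  done
}

# Usage: sh inventory.sh SERVICE_PROJECT_ID HOST_PROJECT_ID
if [ $# -eq 2 ]; then
  echo "Shared subnets usable by $1:"
  shared_subnets "$1"
  echo "Resources in $1 that reference subnets of host project $2:"
  report_dependents "$1" "$2"
fi
```

Run it once per service project before detaching; an empty dependents list is the condition for moving on to the Shared VPC Admin tasks.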

Shared VPC Admin Tasks

All tasks in this section must be performed by a Shared VPC Admin.

Detach service projects

Repeat these steps for each service project you need to detach from the Shared VPC host project.

gcloud

  1. If you have not already, authenticate to gcloud as a Shared VPC Admin. Replace [SHARED_VPC_ADMIN] with the name of the Shared VPC Admin:

    gcloud auth login [SHARED_VPC_ADMIN]
    

  2. Detach the service project from the host project. Replace [SERVICE_PROJECT_ID] with the project ID for the service project and [HOST_PROJECT_ID] with the project ID for the host project.

    gcloud compute shared-vpc associated-projects remove [SERVICE_PROJECT_ID] \
        --host-project [HOST_PROJECT_ID]
    

  3. Confirm that the service project has been detached using one of these commands:

    gcloud compute shared-vpc get-host-project [SERVICE_PROJECT_ID]
    

    gcloud compute shared-vpc list-associated-resources [HOST_PROJECT_ID]
    

  4. If you only needed to detach service projects, log out of gcloud to protect your Shared VPC Admin account credentials. Otherwise, skip this step and proceed with disabling the host project.

    gcloud auth revoke [SHARED_VPC_ADMIN]
    

Disable host project

Disabling Shared VPC for the host project is only possible after all service projects have been detached. When Shared VPC is disabled, the lien that prevents the host project from being easily deleted is removed automatically.

gcloud

  1. If you have not already, authenticate to gcloud as a Shared VPC Admin. Replace [SHARED_VPC_ADMIN] with the name of the Shared VPC Admin:

    gcloud auth login [SHARED_VPC_ADMIN]
    

  2. Disable Shared VPC for the host project. Replace [HOST_PROJECT_ID] with the ID of the host project.

    gcloud compute shared-vpc disable [HOST_PROJECT_ID]
    

  3. Confirm that the project is no longer listed as a host project for your organization. Replace [ORG_ID] with your organization ID (determined by gcloud organizations list).

    gcloud compute shared-vpc organizations list-host-projects [ORG_ID]
    

  4. If you only needed to disable a host project, you can log out of gcloud to protect your Shared VPC Admin account credentials. Otherwise, skip this step and continue with deleting projects.

    gcloud auth revoke [SHARED_VPC_ADMIN]
    
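The detach and disable procedures above are usually run together for every service project of one host. The following is an added example, not code from the Shared VPC documentation: it reads the host project's association list, detaches each service project, re-reads the list to confirm the detachment, and only then disables Shared VPC. It assumes gcloud is installed and already authenticated as a Shared VPC Admin (the auth login and revoke steps are left to the operator), that the host project ID is passed as an argument, and that list-associated-resources exposes the service project ID under the "id" column used in the --format key.

```shell
#!/bin/sh
# Added example, not part of the Shared VPC documentation: detach every
# service project from a host project, verify each detachment against the
# host project's own association list, and disable Shared VPC only once no
# service project remains attached. Assumes gcloud is installed and
# authenticated as a Shared VPC Admin; HOST_PROJECT_ID is supplied by the
# caller. The "value(id)" format key is an assumption about the column name
# printed by list-associated-resources.
set -eu

# IDs of the service projects currently attached to the host project.
attached_service_projects() {
  gcloud compute shared-vpc list-associated-resources "$1" --format='value(id)'
}

# Detach one service project, then re-read the association list rather than
# trusting the remove command's exit status alone.
detach_service_project() {
  host=$1
  svc=$2
  gcloud compute shared-vpc associated-projects remove "$svc" --host-project "$host"
  if attached_service_projects "$host" | grep -qx "$svc"; then
    echo "ERROR: $svc is still attached to $host" >&2
    return 1
  fi
  echo "detached $svc from $host"
}

# Disable Shared VPC on the host project; refuses to run while anything is
# still attached, which is the same precondition the documentation states.
disable_host_project() {
  host=$1
  if [ -n "$(attached_service_projects "$host")" ]; then
    echo "ERROR: $host still has attached service projects; not disabling" >&2
    return 1
  fi
  gcloud compute shared-vpc disable "$host"
  echo "Shared VPC disabled on $host"
}

# Full sequence: detach all, then disable.
deprovision_host() {
  host=$1
  for svc in $(attached_service_projects "$host"); do
    detach_service_project "$host" "$svc"
  done
  disable_host_project "$host"
}

# Usage: sh deprovision.sh HOST_PROJECT_ID
if [ $# -eq 1 ]; then
  deprovision_host "$1"
fi
```

The script stops at the first service project that still shows up after removal, so a partially completed run leaves the host project in a state the confirmation commands above can describe; it never disables Shared VPC while an association remains.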

Deleting projects

This section discusses deleting projects that are no longer used; for example, you may have service projects that need to be deleted after they have been detached from a host project, or you may no longer need the host project after it has been disabled.

Delete host project

You may choose to keep the host project as a normal project or shut it down. Shutting down a project deletes it.

Any IAM member defined in your organization can delete the host project if the member has the resourcemanager.projectDeleter role for your organization or if the member is the owner of the host project. Shared VPC Admins may be able to delete host projects if they have the correct role or ownership.

Delete service projects

You may choose to shut down each service project if you no longer need them. Before doing so, make sure that the service project has been detached from the host project.

Any IAM member defined in your organization can delete a service project if the member has the resourcemanager.projectDeleter role for your organization or if the member is the owner of the service project. Service Project Admins may be able to delete service projects if they have the correct role or ownership.

Forcibly delete a host project

While Shared VPC is active for a host project, a lien is placed on the project to prevent it from being accidentally deleted. Because this lien can be removed by a project owner, the guidelines for provisioning a Shared VPC include steps to define an organizational policy that limits which IAM members have the ability to remove a project lien.

Normally, a host project should be deleted after the following tasks have been completed in this order:

  • All service projects have been detached from the host project, and
  • Shared VPC has been disabled.

When Shared VPC has been disabled, the lien that protects the host project is automatically removed.

This section details how to forcibly shut down a host project. You should only consider this option under these circumstances:

  • You cannot follow the normal steps of detaching service projects and disabling Shared VPC.
  • There are additional liens protecting the host project beyond the one that is added automatically.

Forcibly shutting down a host project with resources in service projects using its network will result in the following:

  • All Shared VPC networks, their subnets, routes, firewall rules, and all networking resources in the host project will be deleted.
  • Resources such as running instances in the service projects attached to the host project will be stopped.
  • Internal load balancers whose forwarding rules were defined in the host project will be disabled.

gcloud

  1. Authenticate to gcloud as an IAM member who can remove a project lien. If you have an organizational policy that limits which members can remove liens, you must authenticate as an IAM member with the resourcemanager.lienModifier role for your organization. If you do not have such a policy in place, the project owner for the host project can remove the lien.

    Replace [ACCOUNT] with the name of the appropriate IAM member:

    gcloud auth login [ACCOUNT]
    

  2. List the liens associated with the host project. Replace [HOST_PROJECT_ID] with the ID of the host project.

    gcloud alpha resource-manager liens list \
    --project [HOST_PROJECT_ID]
    

  3. Remove each lien by name, one at a time, until no more liens are present. Replace [LIEN_NAME] with the name of the lien to remove.

    gcloud alpha resource-manager liens delete [LIEN_NAME] \
    --project [HOST_PROJECT_ID]
    

  4. Confirm that all liens have been removed.

    gcloud alpha resource-manager liens list \
    --project [HOST_PROJECT_ID]
    

  5. After removing the liens, you can log out of gcloud to protect the credentials of the IAM member who has permission to remove liens.

    gcloud auth revoke [ACCOUNT]
    

  6. The host project can now be shut down.
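Steps 2 through 4 above (list the liens, remove each by name, re-list to confirm) can be scripted so that the final check is never skipped. The following is an added example, not code from the Shared VPC documentation. It assumes gcloud is installed and authenticated as an IAM member allowed to remove liens, that the host project ID is passed as an argument, and that the lien name printed by "liens list" is accepted unchanged by "liens delete"; it shows each lien's origin and reason first, because any lien beyond the automatic Shared VPC one was placed on purpose.

```shell
#!/bin/sh
# Added example, not part of the Shared VPC documentation: inspect the liens on
# a host project, then remove them one at a time and confirm none remain before
# the project is shut down. Assumes gcloud is installed and authenticated as an
# IAM member allowed to remove liens (the project owner, or a holder of
# resourcemanager.lienModifier where an organization policy restricts this);
# HOST_PROJECT_ID is supplied by the caller. It is assumed that the name
# printed by "liens list" is accepted unchanged by "liens delete".
set -eu

# Lien names on the project, one per line.
list_liens() {
  gcloud alpha resource-manager liens list --project "$1" --format='value(name)'
}

# Show who placed each lien and why. The Shared VPC lien is only one of them;
# any others were placed deliberately and deserve a look before removal.
show_liens() {
  gcloud alpha resource-manager liens list --project "$1" \
    --format='table(name,origin,reason)'
}

# Remove every lien, then re-list to prove the project is actually unprotected.
remove_all_liens() {
  project=$1
  for lien in $(list_liens "$project"); do
    gcloud alpha resource-manager liens delete "$lien" --project "$project"
    echo "removed $lien"
  done
  remaining=$(list_liens "$project")
  if [ -n "$remaining" ]; then
    echo "ERROR: liens still present on $project:" >&2
    echo "$remaining" >&2
    return 1
  fi
  echo "no liens remain on $project"
}

# Usage: sh liens.sh HOST_PROJECT_ID           (show liens only)
#        sh liens.sh HOST_PROJECT_ID --remove  (remove them, then verify)
if [ $# -ge 1 ]; then
  show_liens "$1"
  if [ "${2:-}" = "--remove" ]; then
    remove_all_liens "$1"
  fi
fi
```

Without --remove the script only reports, which matches the order of the steps above: look at what is protecting the project before deciding to take that protection away.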
