Deprovisioning Shared VPC

This document describes how to deprovision an existing Shared VPC setup. The procedures assume you have an existing Shared VPC setup and want to remove it. See the Provisioning Shared VPC page for information on how to set up Shared VPC.

To safely deprovision a Shared VPC setup, you must remove all dependencies on the host project before deleting the host project:

  1. Disable service project dependencies.

    1. Service project admin: Delete all the resources (instances, instance templates, instance groups, and forwarding rules) that are using shared subnets in the host project.

    2. Shared VPC admin:

      1. Remove Shared VPC service projects from the host project.
      2. Remove host project status from the host project.

  2. The organization admin or Shared VPC host project owner deletes the host project.

  3. A service project admin deletes the service project.

The exact steps are described in the following sections.

Deleting all resources associated with shared VPC networks

The service admin must delete the resources (VM instances, instance templates, forwarding rules) associated with the shared VPC network.

gcloud compute instances delete vm1

Unlinking service project and disabling the shared VPC host project

The Shared VPC Admin must unlink the service project from the host project.

gcloud compute shared-vpc associated-projects \
    remove [SERVICE_PROJECT_ID] --host-project [HOST_PROJECT_ID]

Then disable the project as a shared VPC host project.

gcloud compute shared-vpc disable [HOST_PROJECT_ID]

The act of disabling Shared VPC capability from the host project automatically removes the Shared VPC lien that prevents it from being easily deleted. Once the project is no longer a host project, it can be deleted like any other project.

Deleting the former shared VPC host project

If you have completed all the steps above, then you can delete the former shared VPC host project like any other project.

gcloud projects delete [HOST_PROJECT_ID]

If you have not deprovisioned the shared VPC setup, but still want to delete the host project anyway, you must first remove the shared VPC lien on the project.

Deleting shared VPC service project

A service project owner should delete the shared VPC service project.

Deleting an unlinked service project is the same as deleting a regular standalone project. The owner or administrator of the service project needs to ensure that no resources that are still needed exist in the project and then delete the project.

When deleting a service project, first unlink the project from its host project. If you delete it without unlinking it first, you will not be able to unlink it afterwards: deleting a project immediately stops all billable services, but the project remains in a recoverable state for 30 days (see Creating and Managing Projects). During that period, the system still regards the two projects as linked, but you cannot run the command to unlink them or disable the shared VPC host. If you find yourself in this situation, you can either:

  • Wait for the service project to be permanently deleted.
  • Restore the service project, unlink it from the host, and delete it again.

Removing shared VPC liens and deleting active shared VPC host projects

To safeguard against outages due to accidental project deletion, a lien is automatically placed on any project enabled as a host project. This lien prevents project deletion unless a project owner first removes it. The lien is automatically removed when the project is disabled as a host project.

There are two circumstances in which liens must be removed manually:

  • If you want to delete a shared VPC host project without first disabling it as a host project, you must manually remove the shared VPC lien.
  • If you have created additional liens on the project, you must remove those liens manually.

An organization admin should remove the host project lien. However, the host project owner can remove the lien unless there is an Org policy preventing it. The organization policy should enforce the requirement that only a user with resourcemanager.projects.updateLiens permissions, the resourcemanager.lienModifier role at the organization level, or the Organization owner role can remove the lien on the host project.

If such policy is not enforced, the manual removal of a shared VPC lien requires the resourcemanager.projects.get and resourcemanager.projects.updateLiens permissions on the project, which are available to project owners.

Ramifications of deleting a shared VPC host project with services still attached:

  • Shared VPC network resources in the host project are also deleted.
  • Service project resources that use the shared VPC network resources in the host project will be stopped. This includes VM instances and forwarding rules for Internal load balancers.
  • The host project can be recovered within a period of 30 days, at which point dependent service project resources can also be restarted.

To remove the shared VPC lien on a project:

  1. Get the liens associated with a project

    gcloud alpha resource-manager liens list \
        --project [HOST_PROJECT_ID]

  2. Remove the shared VPC lien

    gcloud alpha resource-manager liens delete [NAME] \
        --project [HOST_PROJECT_ID]

  3. Remove other liens if necessary.

The host project can now be deleted without first deprovisioning the shared VPC setup, though this is not recommended.
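
A pre-deletion check for the host project, given here as an added example that is not part of the original documentation: it refuses to pass while service projects are still attached or liens remain, the two conditions this page ties to outages. The function name host_delete_preflight and its exit codes are assumptions of this example; the associated-projects list subcommand and the --format flag are standard gcloud features not shown elsewhere on this page.

```shell
#!/bin/sh
# Added example: pre-deletion check for a Shared VPC host project.
# host_delete_preflight and its exit codes are this example's own names.
# Exit codes: 0 = safe to delete, 1 = blocked, 2 = gcloud call failed.

# Count the non-empty lines on stdin (prints 0 for empty input).
count_lines() {
  grep -c . || true
}

host_delete_preflight() {
  host="$1"
  blockers=0

  # Service projects still linked to the host project.
  attached=$(gcloud compute shared-vpc associated-projects list "$host" \
    --format='value(id)') || return 2
  # Liens on the host: the automatic Shared VPC lien and any added by hand.
  liens=$(gcloud alpha resource-manager liens list --project "$host" \
    --format='value(name)') || return 2

  n_attached=$(printf '%s\n' "$attached" | count_lines)
  n_liens=$(printf '%s\n' "$liens" | count_lines)

  if [ "$n_attached" -gt 0 ]; then
    echo "BLOCKED: $n_attached service project(s) still attached to $host"
    printf '%s\n' "$attached" | sed 's/^/  unlink first: /'
    blockers=1
  fi
  if [ "$n_liens" -gt 0 ]; then
    echo "BLOCKED: $n_liens lien(s) remain on $host"
    printf '%s\n' "$liens" | sed 's/^/  lien: /'
    blockers=1
  fi
  if [ "$blockers" -eq 0 ]; then
    echo "OK: $host has no attached service projects and no liens"
  fi
  return "$blockers"
}

# Run the check when a host project ID is given on the command line.
if [ "$#" -ge 1 ]; then
  host_delete_preflight "$1"
fi
```

Run it with the host project ID as the only argument and proceed to gcloud projects delete only on exit code 0.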
