Deprovision Shared VPC
This page describes how to deprovision an existing Shared VPC configuration, disconnecting all service projects from a Shared VPC host project. Deprovisioning is a one-way process. Make sure that you are familiar with the Shared VPC and Provision Shared VPC pages first.
Service Project Admin tasks
In each service project attached to the Shared VPC host project, a Service Project Admin must remove all dependencies on the host project. Dependencies might include instances, instance groups, instance templates, backend services, and forwarding rules.
Determine affected resources
To identify resources that depend on the Shared VPC host project, a Service Project Admin can list its shared subnets. When the service project is detached from the host project, these subnets will no longer be available to it; thus, any resources that depend on them will be affected.
Delete resources
Once a Service Project Admin has identified the resources that will be affected by the deprovisioning process, those resources will need to be deleted:
Delete instances that use subnets in the host project.
Delete managed instance groups and unmanaged instance groups that use subnets in the host project.
Delete instance templates whose definitions depend on the host project.
Delete internal forwarding rules for internal TCP/UDP load balancers that reference a subnet in a Shared VPC network of the host project.
Delete static internal IP addresses that the service project reserved from subnets in the host project's Shared VPC networks.
To do this, first list the reserved addresses, then delete them.
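The following script is an added example and is not code from the original page or from Google. It shows one way to carry out the "Determine affected resources" step: it parses the JSON that `gcloud compute instances list`, `gcloud compute instance-templates list`, `gcloud compute forwarding-rules list` and `gcloud compute addresses list` print with `--project SERVICE_PROJECT_ID --format=json`, and reports every resource whose subnetwork URL belongs to the host project (the shared subnets themselves can be listed with `gcloud compute networks subnets list-usable --project SERVICE_PROJECT_ID`). The records in `SAMPLE` are constructed to mirror the shape of that output; `HOST_PROJECT_ID`, `SERVICE_PROJECT_ID` and the resource names are placeholders.

```python
"""Identify service-project resources that depend on a Shared VPC host project.

Added example, not from the original page. Input is the JSON that
`gcloud compute <kind> list --project SERVICE_PROJECT_ID --format=json`
prints; the SAMPLE records below are constructed to mirror that shape and
the project IDs and names are placeholders.
"""
import json
import re
import sys

# Compute Engine resource URLs embed the owning project, for example
# https://www.googleapis.com/compute/v1/projects/<project>/regions/<region>/subnetworks/<name>
_PROJECT_IN_URL = re.compile(r"/projects/([^/]+)/")


def project_of(url):
    """Return the project ID embedded in a Compute Engine resource URL, or None."""
    if not url:
        return None
    match = _PROJECT_IN_URL.search(url)
    return match.group(1) if match else None


def _nic_subnets(resource):
    """Subnetwork URLs of an instance, or of an instance template (nested under properties)."""
    nics = resource.get("properties", resource).get("networkInterfaces", [])
    return [nic.get("subnetwork") for nic in nics]


def find_host_dependencies(host_project, instances, templates, forwarding_rules, addresses):
    """Return the names of resources, by kind, that reference host_project's subnets.

    Forwarding rules and addresses carry a subnetwork only when they are
    internal; external ones have none and therefore never match.
    """
    uses_host = lambda url: project_of(url) == host_project
    return {
        "instances": [i["name"] for i in instances if any(map(uses_host, _nic_subnets(i)))],
        "instanceTemplates": [t["name"] for t in templates if any(map(uses_host, _nic_subnets(t)))],
        "forwardingRules": [f["name"] for f in forwarding_rules if uses_host(f.get("subnetwork"))],
        "addresses": [a["name"] for a in addresses if uses_host(a.get("subnetwork"))],
    }


def _subnet(project, name):
    return f"https://www.googleapis.com/compute/v1/projects/{project}/regions/us-central1/subnetworks/{name}"


# Constructed sample: for each kind, one resource on a shared subnet and one that is not.
SAMPLE = {
    "instances": [
        {"name": "web-1", "networkInterfaces": [{"subnetwork": _subnet("HOST_PROJECT_ID", "shared-web")}]},
        {"name": "local-1", "networkInterfaces": [{"subnetwork": _subnet("SERVICE_PROJECT_ID", "local")}]},
    ],
    "templates": [
        {"name": "web-tpl", "properties": {"networkInterfaces": [{"subnetwork": _subnet("HOST_PROJECT_ID", "shared-web")}]}},
        {"name": "local-tpl", "properties": {"networkInterfaces": [{"subnetwork": _subnet("SERVICE_PROJECT_ID", "local")}]}},
    ],
    "forwardingRules": [
        {"name": "ilb-rule", "loadBalancingScheme": "INTERNAL", "subnetwork": _subnet("HOST_PROJECT_ID", "shared-web")},
        {"name": "ext-rule", "loadBalancingScheme": "EXTERNAL"},
    ],
    "addresses": [
        {"name": "db-ip", "addressType": "INTERNAL", "subnetwork": _subnet("HOST_PROJECT_ID", "shared-db")},
        {"name": "nat-ip", "addressType": "EXTERNAL"},
    ],
}


def report(host_project, data=SAMPLE):
    """Run the dependency check over one set of list outputs (default: the constructed sample)."""
    return find_host_dependencies(host_project, data["instances"], data["templates"],
                                  data["forwardingRules"], data["addresses"])


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "HOST_PROJECT_ID"
    print(json.dumps(report(host), indent=2))
```

Everything the script reports must be deleted before the service project is detached; an empty report for the host project means the detach will not strand any of these resource kinds. Managed instance groups are covered indirectly through the templates they reference.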
Load Balancer Admin tasks
With internal Application Load Balancers and regional external Application Load Balancers, a URL map in one host or service project can reference backend services (and backends) located in other projects of a Shared VPC environment.
Before you delete a service project, make sure that all such cross-project references to backend services in that project have been removed: Load Balancer Admins must modify their URL maps so they no longer reference backend services in your service project.
Shared VPC Admin tasks
All tasks in this section must be performed by a Shared VPC Admin.
Detach service projects
Repeat these steps for each service project you need to detach from the Shared VPC host project.
Console
To view the Shared VPC page in the Google Cloud console, you must have the Shared VPC Admin role.
- Go to the Shared VPC page in the Google Cloud console.
- Log in as a Shared VPC Admin.
- Select the host project you are removing service projects from.
- Click the Attached projects tab.
- Select the service project that you want to detach.
- Click the Detach Projects button.
- Review the information in the dialog.
- Click Detach.
gcloud
If you have not already, authenticate to gcloud as a Shared VPC Admin. Replace SHARED_VPC_ADMIN with the name of the Shared VPC Admin:
gcloud auth login SHARED_VPC_ADMIN
Detach the service project from the host project. Replace SERVICE_PROJECT_ID with the project ID for the service project and HOST_PROJECT_ID with the project ID for the host project.
gcloud compute shared-vpc associated-projects remove SERVICE_PROJECT_ID --host-project HOST_PROJECT_ID
Confirm that the service project has been detached using one of these commands:
gcloud compute shared-vpc get-host-project SERVICE_PROJECT_ID
gcloud compute shared-vpc list-associated-resources HOST_PROJECT_ID
If you only needed to detach service projects, log out of gcloud to protect your Shared VPC Admin account credentials. Otherwise, skip this step and proceed with disabling the host project.
gcloud auth revoke SHARED_VPC_ADMIN
API
Detach the service project.
POST https://compute.googleapis.com/compute/v1/projects/HOST_PROJECT_ID/disableXpnResource
{
  "xpnResource": {
    "id": "SERVICE_PROJECT_ID"
  }
}
Replace the placeholders with valid values:
- HOST_PROJECT_ID is the ID of the host project.
- SERVICE_PROJECT_ID is the ID of the service project to detach.
For more information, refer to the projects.disableXpnResource method.
Confirm that the service project has been detached.
Check that the service project isn't attached to any host project.
GET https://compute.googleapis.com/compute/v1/projects/SERVICE_PROJECT_ID/getXpnHost
Replace SERVICE_PROJECT_ID with the ID of the service project.
For more information, refer to the projects.getXpnHost method.
List the service projects attached to the Shared VPC host project to confirm that the project is no longer listed.
GET https://compute.googleapis.com/compute/v1/projects/HOST_PROJECT_ID/getXpnResources
Replace HOST_PROJECT_ID with the ID of the host project.
For more information, refer to the projects.getXpnResources method.
Disable host project
Disabling Shared VPC for the host project is only possible after all service projects have been detached. When Shared VPC is disabled, the lien that prevents the host project from being easily deleted is removed automatically.
Console
To view the Shared VPC page in the Google Cloud console, you must have the Shared VPC Admin role.
- Go to the Shared VPC page in the Google Cloud console.
- Log in as a Shared VPC Admin.
- Select the Host Project you want to disable.
- Click the Disable Shared VPC button.
- In the dialog, read the description carefully.
- Enter the project ID of the host project for Host project ID.
- Click Disable.
gcloud
If you have not already, authenticate to gcloud as a Shared VPC Admin. Replace SHARED_VPC_ADMIN with the name of the Shared VPC Admin:
gcloud auth login SHARED_VPC_ADMIN
Disable Shared VPC for the host project. Replace HOST_PROJECT_ID with the ID of the host project.
gcloud compute shared-vpc disable HOST_PROJECT_ID
Confirm that the project is no longer listed as a host project for your organization. Replace ORG_ID with your organization ID (determined by gcloud organizations list).
gcloud compute shared-vpc organizations list-host-projects ORG_ID
If you only needed to disable a host project, you can log out of gcloud to protect your Shared VPC Admin account credentials. Otherwise, skip this step and continue with deleting projects.
gcloud auth revoke SHARED_VPC_ADMIN
API
Disable Shared VPC for the project.
POST https://compute.googleapis.com/compute/v1/projects/HOST_PROJECT_ID/disableXpnHost
Replace HOST_PROJECT_ID with the ID of the host project.
For more information, refer to the projects.disableXpnHost method.
List your host projects to confirm that the project isn't listed.
POST https://compute.googleapis.com/compute/v1/projects/HOST_PROJECT_ID/listXpnHosts
Replace HOST_PROJECT_ID with the ID of the host project.
For more information, refer to the projects.listXpnHosts method.
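The script below is an added example, not code from the original page or from Google. It ties the "Detach service projects" and "Disable host project" API steps together in the order the page requires: it calls projects.disableXpnResource for each service project with the same URL and request body shown above, confirms the detach with projects.getXpnHost and projects.getXpnResources, and only then calls projects.disableXpnHost, refusing to continue if any service project remains attached or if the host has attached projects that were not scheduled for detaching. `send` is an injectable transport callable `(method, url, body) -> dict`; a real one would issue the HTTP request with an `Authorization: Bearer` token (for example from `gcloud auth print-access-token`). `FakeComputeApi` is a constructed in-memory stand-in so the example runs offline, and the project IDs are placeholders.

```python
"""Detach service projects and disable Shared VPC through the Compute API, in order.

Added example, not from the original page. `send(method, url, body)` is an
injectable transport; FakeComputeApi is a constructed stand-in for offline
use and the project IDs are placeholders.
"""
COMPUTE_V1 = "https://compute.googleapis.com/compute/v1/projects/"


def disable_xpn_resource(send, host_project, service_project):
    """projects.disableXpnResource: detach one service project from the host."""
    return send("POST", f"{COMPUTE_V1}{host_project}/disableXpnResource",
                {"xpnResource": {"id": service_project}})


def get_xpn_host(send, service_project):
    """projects.getXpnHost: the host project a service project is attached to ({} if none)."""
    return send("GET", f"{COMPUTE_V1}{service_project}/getXpnHost", None)


def attached_service_projects(send, host_project):
    """projects.getXpnResources: IDs of service projects still attached to the host."""
    resp = send("GET", f"{COMPUTE_V1}{host_project}/getXpnResources", None)
    return sorted(r["id"] for r in resp.get("resources", []) if r.get("type") == "PROJECT")


def disable_xpn_host(send, host_project):
    """projects.disableXpnHost: turn off Shared VPC for the host project."""
    return send("POST", f"{COMPUTE_V1}{host_project}/disableXpnHost", None)


def deprovision(send, host_project, expected_service_projects):
    """Detach the listed service projects, verify each one, then disable the host.

    Refuses to start if the host has attached projects that were not listed, so
    a service project nobody has cleaned up is never detached by accident.
    Returns the IDs that were detached.
    """
    attached = attached_service_projects(send, host_project)
    unexpected = sorted(set(attached) - set(expected_service_projects))
    if unexpected:
        raise RuntimeError(f"still attached and not scheduled for detach: {unexpected}")
    detached = []
    for svc in expected_service_projects:
        if svc not in attached:
            continue  # already detached; nothing to do
        disable_xpn_resource(send, host_project, svc)
        if get_xpn_host(send, svc).get("name") == host_project:
            raise RuntimeError(f"{svc} still reports {host_project} as its host")
        detached.append(svc)
    remaining = attached_service_projects(send, host_project)
    if remaining:  # disabling is only possible once every service project is detached
        raise RuntimeError(f"cannot disable host, still attached: {remaining}")
    disable_xpn_host(send, host_project)
    return detached


class FakeComputeApi:
    """Constructed in-memory stand-in for the Compute API with one host project."""

    def __init__(self, host_project, attached):
        self.host_project = host_project
        self.attached = set(attached)
        self.host_enabled = True
        self.calls = []  # (method, operation) in the order they were sent

    def __call__(self, method, url, body):
        project, op = url[len(COMPUTE_V1):].split("/")
        self.calls.append((method, op))
        if op == "disableXpnResource":
            self.attached.discard(body["xpnResource"]["id"])
            return {}
        if op == "getXpnHost":  # a Project resource whose name is the host's project ID
            return {"name": self.host_project} if project in self.attached else {}
        if op == "getXpnResources":
            return {"resources": [{"type": "PROJECT", "id": p} for p in sorted(self.attached)]}
        if op == "disableXpnHost":
            if self.attached:  # the real API rejects this as well
                raise RuntimeError("service projects still attached")
            self.host_enabled = False
            return {}
        raise ValueError(f"unsupported operation {op}")


if __name__ == "__main__":
    api = FakeComputeApi("HOST_PROJECT_ID", ["SERVICE_PROJECT_A", "SERVICE_PROJECT_B"])
    print("detached:", deprovision(api, "HOST_PROJECT_ID", ["SERVICE_PROJECT_A", "SERVICE_PROJECT_B"]))
    print("host enabled:", api.host_enabled)
```

The explicit list of expected service projects is the safety check a practitioner wants here: deprovisioning is one-way, so the script stops before touching anything if the host's actual attachments differ from what the operator planned for.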
Delete projects
This section discusses deleting projects that are no longer used; for example, you may have service projects that need to be deleted after they have been detached from a host project, or you may no longer need the host project after it has been disabled.
Delete host project
After Shared VPC has been disabled, you can keep the host project as a normal project or shut it down. Shutting down a project deletes it.
An IAM principal can delete the host project if the principal has the resourcemanager.projectDeleter role for your organization or if the principal is the owner of the host project. Shared VPC Admins may be able to delete host projects if they have the correct role or ownership.
Delete service project
You may choose to shut down each service project if you no longer need them. Before doing so, make sure that the service project has been detached from the host project.
An IAM principal can delete a service project if the principal has the resourcemanager.projectDeleter role for your organization or if the principal is the owner of the service project. Service Project Admins may be able to delete service projects if they have the correct role or ownership.
Forcibly delete a host project
While Shared VPC is active for a host project, a lien is placed on the project to prevent it from being accidentally deleted. Because this lien can be removed by a project owner, the guidelines for provisioning a Shared VPC include steps to define an organizational policy that limits which IAM principals have the ability to remove a project lien.
Normally, a host project should be deleted only after the following tasks have been completed, in this order:
- Detach every service project from the host project.
- Disable Shared VPC for the host project.
When Shared VPC has been disabled, the lien that protects the host project is automatically removed.
This section details how to forcibly shut down a host project. You should only consider this option under these circumstances:
- You cannot follow the normal steps of detaching service projects and disabling Shared VPC.
- There are additional liens protecting the host project beyond the one that is added automatically.
If you forcibly shut down a host project and you have resources in service projects that use the Shared VPC network, the following events occur:
- All Shared VPC networks, their subnets, routes, firewall rules, and all networking resources in the host project are deleted.
- Resources, such as running instances in the service projects attached to the host project, are stopped.
- Internal TCP/UDP load balancers are disabled if their forwarding rules depend on the Shared VPC network.
gcloud
Authenticate to gcloud as an IAM principal who can remove a project lien. If you have an organizational policy that limits which principals can remove liens, you must authenticate as an IAM principal with the resourcemanager.lienModifier role for your organization. If you do not have such a policy in place, the project owner for the host project can remove the lien. Replace ACCOUNT with the name of the appropriate IAM principal:
gcloud auth login ACCOUNT
List the liens associated with the host project. Replace HOST_PROJECT_ID with the ID of the host project.
gcloud alpha resource-manager liens list --project HOST_PROJECT_ID
Remove each lien by name, one at a time, until no more liens are present. Replace LIEN_NAME with the name of the lien to remove.
gcloud alpha resource-manager liens delete LIEN_NAME --project HOST_PROJECT_ID
Confirm that all liens have been removed.
gcloud alpha resource-manager liens list --project HOST_PROJECT_ID
After removing the liens, you can log out of gcloud to protect the credentials of the IAM principal that has permission to remove liens.
gcloud auth revoke ACCOUNT
The host project can now be shut down.
API
List the liens that are associated with the host project.
GET https://cloudresourcemanager.googleapis.com/v1/liens?parent=projects:HOST_PROJECT_ID
Replace HOST_PROJECT_ID with the ID of the host project.
For more information, refer to the liens.list method.
Remove each lien by name until no more liens are present.
DELETE https://cloudresourcemanager.googleapis.com/v1/liens/LIEN_NAME
Replace LIEN_NAME with the name of the lien to delete.
For more information, refer to the liens.delete method.
List the liens again to confirm that they have been removed.
What's next
- For more information about Shared VPC, see Shared VPC.
- For instructions about setting up Shared VPC, see Provision Shared VPC.
- For instructions about setting up Google Kubernetes Engine clusters with Shared VPC, see Set up clusters with Shared VPC.