Deprovision Shared VPC

This page describes how to deprovision an existing Shared VPC configuration, disconnecting all service projects from a Shared VPC host project. Deprovisioning is a one-way process. Make sure that you are familiar with the Shared VPC and Provision Shared VPC pages first.

Service Project Admin tasks

In each service project attached to the Shared VPC host project, a Service Project Admin must remove all dependencies on the host project. Dependencies might include instances, instance groups, instance templates, backend services, and forwarding rules.

Determine affected resources

To identify resources that depend on the Shared VPC host project, a Service Project Admin can list its shared subnets. When the service project is detached from the host project, these subnets will no longer be available to it; thus, any resources that depend on them will be affected.

Delete resources

Once a Service Project Admin has identified the resources that will be affected by the deprovisioning process, those resources will need to be deleted:

Load Balancer Admin tasks

Internal Application Load Balancers and regional external Application Load Balancers allow you to configure the load balancer so that a URL map in one host or service project can reference backend services (and backends) located across multiple projects in Shared VPC environments.

Before you can delete a service project, you must make sure that any such cross-project references to backend services in your service project have been removed. Load Balancer Admins will need to modify their URL maps to remove references to backend services in your service project.

Shared VPC Admin tasks

All tasks in this section must be performed by a Shared VPC Admin.

Detach service projects

Repeat these steps for each service project you need to detach from the Shared VPC host project.

Console

To view the Shared VPC page in the Google Cloud console, you must have the Shared VPC Admin role.

  1. Go to the Shared VPC page in the Google Cloud console.
    Go to Shared VPC
  2. Log in as a Shared VPC Admin.
  3. Select the host project you are removing service projects from.
  4. Click the Attached projects tab.
  5. Select the service project that you want to detach.
  6. Click the Detach Projects button.
  7. Review the information in the dialog.
  8. Click Detach.

gcloud

  1. If you have not already, authenticate to gcloud as a Shared VPC Admin. Replace SHARED_VPC_ADMIN with the name of the Shared VPC Admin:

    gcloud auth login SHARED_VPC_ADMIN
    
  2. Detach the service project from the host project. Replace SERVICE_PROJECT_ID with the project ID for the service project and HOST_PROJECT_ID with the project ID for the host project.

    gcloud compute shared-vpc associated-projects remove SERVICE_PROJECT_ID
        --host-project HOST_PROJECT_ID
    
  3. Confirm that the service project has been detached using one of these commands:

    gcloud compute shared-vpc get-host-project SERVICE_PROJECT_ID
    
    gcloud compute shared-vpc list-associated-resources HOST_PROJECT_ID
    
  4. If you only needed to detach service projects, log out of gcloud to protect your Shared VPC Admin account credentials. Otherwise, skip this step and proceed with disable the host project.

    gcloud auth revoke SHARED_VPC_ADMIN
    

API

  1. Detach the service project.

    POST https://compute.googleapis.com/compute/v1/projects/HOST_PROJECT_ID/disableXpnResource
    {
      "xpnResource": {
        "id": "SERVICE_PROJECT_ID"
      }
    }
    

    Replace the placeholders with valid values:

    • HOST_PROJECT_ID is the ID of the host project.
    • SERVICE_PROJECT_ID is the ID of the service project to detach.

    For more information, refer to the projects.disableXpnResource method.

  2. Confirm that the service project has been detached.

    • Check that the service project isn't attached to any host project.

      GET https://compute.googleapis.com/compute/v1/projects/SERVICE_PROJECT_ID/getXpnHost
      

      Replace SERVICE_PROJECT_ID with the ID of the service project.

      For more information, refer to the projects.getXpnHost method.

    • List the service projects attached the Shared VPC host project to confirm that the project is no longer listed.

      GET https://compute.googleapis.com/compute/v1/projects/HOST_PROJECT_ID/getXpnResources
      

      Replace HOST_PROJECT_ID with the ID of the host project.

      For more information, refer to the projects.getXpnResources method.

Disable host project

Disabling Shared VPC for the host project is only possible after all service projects have been detached. When disabled, the lien that prevents it from being easily deleted is removed automatically.

Console

To view the Shared VPC page in the Google Cloud console, you must have the Shared VPC Admin role.

  1. Go to the Shared VPC page in the Google Cloud console.
    Go to Shared VPC
  2. Log in as a Shared VPC Admin.
  3. Select the Host Project you want to disable.
  4. Click the Disable Shared VPC button.
  5. In the dialog, read the description carefully.
  6. Enter the project ID of the host project for Host project ID.
  7. Click Disable.

gcloud

  1. If you have not already, authenticate to gcloud as a Shared VPC Admin. Replace SHARED_VPC_ADMIN with the name of the Shared VPC Admin:

    gcloud auth login SHARED_VPC_ADMIN
    
  2. Disable Shared VPC for the host project. Replace HOST_PROJECT_ID with the ID of the host project.

    gcloud compute shared-vpc disable HOST_PROJECT_ID
    
  3. Confirm that the project is no longer listed as a host project for your organization. Replace ORG_ID with your organization ID (determined by gcloud organizations list).

    gcloud compute shared-vpc organizations list-host-projects ORG_ID
    
  4. If you only needed to disable a host project, you can log out of gcloud to protect your Shared VPC Admin account credentials. Otherwise, skip this step and continue with delete projects.

    gcloud auth revoke SHARED_VPC_ADMIN
    

API

  1. Disable Shared VPC for the project.

    POST https://compute.googleapis.com/compute/v1/projects/HOST_PROJECT_ID/disableXpnHost
    

    Replace HOST_PROJECT_ID with the ID of the host project.

    For more information, refer to the projects.disableXpnHost method.

  2. List your host projects to confirm that the project isn't listed.

    POST https://compute.googleapis.com/compute/v1/projects/HOST_PROJECT_ID/listXpnHosts
    

    Replace HOST_PROJECT_ID with the ID of the host project.

    For more information, refer to the projects.listXpnHosts method.

Delete projects

This section discusses deleting projects that are no longer used; for example, you may have service projects that need to be deleted after they have been detached from a host project, or you may no longer need the host project after it has been disabled.

Delete host project

You may choose to keep it as a normal project or shut it down. Shutting down a project deletes it.

An IAM principal can delete the host project if the principal has the resourcemanager.projectDeleter role for your organization or if the principal is the owner of the host project. Shared VPC Admins may be able to delete host projects if they have the correct role or ownership.

Delete service project

You may choose to shut down each service project if you no longer need them. Before doing so, make sure that the service project has been detached from the host project.

An IAM principal can delete a service project if the principal has the resourcemanager.projectDeleter role for your organization or if the principal is the owner of the service project. Service Project Admins may be able to delete service projects if they have the correct role or ownership.

Forcibly delete a host project

While Shared VPC is active for a host project, a lien is placed on the project to prevent it from being accidentally deleted. Because this lien can be removed by a project owner, the guidelines for provisioning a Shared VPC include steps to define an organizational policy that limits which IAM principals have the ability to remove a project lien.

Normally, a host project should be deleted after the following tasks have been completed in this order:

  • All service projects have been detached from the host project, and
  • Shared VPC has been disabled.

When Shared VPC has been disabled, the lien that protects the host project is automatically removed.

This section details how to forcibly shut down a host project. You should only consider this option under these circumstances:

  • You cannot follow the normal steps of detaching service projects and disabling Shared VPC.
  • There are additional liens protecting the host project beyond the one that is added automatically.

If you forcibly shut down a host project and you have resources in service projects that use the Shared VPC network, the following events occur:

  • All Shared VPC networks, their subnets, routes, firewall rules, and all networking resources in the host project are deleted.
  • Resources, such as running instances in the service projects attached to the host project, are stopped.
  • Internal TCP/UDP load balancers are disabled if their forwarding rules depend on the Shared VPC network.

gcloud

  1. Authenticate to gcloud as an IAM principal who can remove a project lien. If you have an organizational policy that limits which principals can remove liens, you must authenticate as an IAM principal with the resourcemanager.lienModifier role for your organization. If you do not have such a policy in place, the project owner for the host project can remove the lien.

    Replace ACCOUNT with the name of the appropriate IAM principal:

    gcloud auth login ACCOUNT
    
  2. List the liens associated with the host project. Replace HOST_PROJECT_ID with the ID of the host project.

    gcloud alpha resource-manager liens list \
    --project HOST_PROJECT_ID
    
  3. Remove each lien by name, one at a time, until no more liens are present. Replace LIEN_NAME with the name of the lien to remove.

    gcloud alpha resource-manager liens delete LIEN_NAME \
    --project HOST_PROJECT_ID
    
  4. Confirm that all liens have been removed.

    gcloud alpha resource-manager liens list \
    --project HOST_PROJECT_ID
    
  5. After removing the lien, you can log out of gcloud to protect the credentials of the IAM principal which has permission to remove liens.

    gcloud auth revoke ACCOUNT
    
  6. The host project can now be shut down.

API

  1. List the liens that are associated with the host project.

    GET https://cloudresourcemanager.googleapis.com/v1/liens?parent=projects:HOST_PROJECT_ID
    

    Replace HOST_PROJECT_ID with the ID of the host project.

    For more information, refer to the liens.list method.

  2. Remove each lien by name until no more liens are present.

    DELETE https://cloudresourcemanager.googleapis.com/v1/liens/LIEN_NAME
    

    Replace LIEN_NAME with the name of the lien to delete.

    For more information, refer to the liens.delete method.

  3. List the liens again to confirm that they have been removed.

What's next