Set up a GCP Shared VPC with the default subnet using the gcloud CLI

The host project will contain the network the Elastifile deployment will use.

The service project will contain the Elastifile compute resources.


Project Type     Project Name
Host Project     support-team-a
Service Project  support-team-b



Configure the Service Project ("support-team-b")

Log in to the service account for the service project

gcloud auth login chutch@support-team-b.iam.gserviceaccount.com

Set the active gcloud project to the service project

gcloud config set project support-team-b

Add the roles required for the deployment to the service project

gcloud projects add-iam-policy-binding support-team-b --member "serviceAccount:chutch@support-team-b.iam.gserviceaccount.com" --role "roles/compute.instanceAdmin.v1"
gcloud projects add-iam-policy-binding support-team-b --member "serviceAccount:chutch@support-team-b.iam.gserviceaccount.com" --role "roles/iam.serviceAccountUser"
gcloud projects add-iam-policy-binding support-team-b --member "serviceAccount:chutch@support-team-b.iam.gserviceaccount.com" --role "roles/compute.networkAdmin"
gcloud projects add-iam-policy-binding support-team-b --member "serviceAccount:chutch@support-team-b.iam.gserviceaccount.com" --role "roles/compute.networkUser"
gcloud projects add-iam-policy-binding support-team-b --member "serviceAccount:chutch@support-team-b.iam.gserviceaccount.com" --role "roles/storage.admin"
gcloud projects add-iam-policy-binding support-team-b --member "serviceAccount:chutch@support-team-b.iam.gserviceaccount.com" --role "roles/compute.imageUser"
gcloud projects add-iam-policy-binding support-team-b --member "serviceAccount:chutch@support-team-b.iam.gserviceaccount.com" --role "roles/editor"



Configure the Host Project ("support-team-a")

Log in to the service account for the host project

gcloud auth login chutch@support-team-a.iam.gserviceaccount.com

Set the active gcloud project to the host project

gcloud config set project support-team-a

Verify that the credentials, region and zone are set for the host project

gcloud config list
[compute]
region = us-central1
zone = us-central1-f
[core]
account = chutch@support-team-a.iam.gserviceaccount.com
project = support-team-a
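Because the Shared VPC and IAM commands that follow act on whichever project is active, it is worth checking the active configuration in a script before running them. The following POSIX shell functions are an added example and are not part of the original article: they parse the INI-style output of `gcloud config list` (the sample text below is the output shown above, embedded as a constructed string so the check runs offline) and fail when the account or project is not the expected one or when region and zone are unset. The function names are the example's own.

```shell
# Constructed sample: the `gcloud config list` output shown in the article.
SAMPLE_CONFIG='[compute]
region = us-central1
zone = us-central1-f
[core]
account = chutch@support-team-a.iam.gserviceaccount.com
project = support-team-a'

# config_value <section> <key> <config_text>
# Prints the value of <key> under [<section>] from INI-style gcloud output.
config_value() {
    printf '%s\n' "$3" | awk -v sec="[$1]" -v k="$2" '
        $0 == sec { in_sec = 1; next }          # entered the wanted section
        /^\[/     { in_sec = 0 }                 # any other section header ends it
        in_sec && $1 == k && $2 == "=" { print $3; exit }'
}

# assert_gcloud_context <expected_account> <expected_project> [config_text]
# Returns 0 only when the active account and project match and both
# compute/region and compute/zone are set. Without a third argument it
# reads the live `gcloud config list` output.
assert_gcloud_context() {
    ctx=${3:-$(gcloud config list 2>/dev/null)}
    [ "$(config_value core account "$ctx")" = "$1" ] \
        || { echo "active account is not $1" >&2; return 1; }
    [ "$(config_value core project "$ctx")" = "$2" ] \
        || { echo "active project is not $2" >&2; return 1; }
    [ -n "$(config_value compute region "$ctx")" ] \
        || { echo "compute/region is unset" >&2; return 1; }
    [ -n "$(config_value compute zone "$ctx")" ] \
        || { echo "compute/zone is unset" >&2; return 1; }
}

# Usage against the constructed sample; drop the third argument to check the live config.
assert_gcloud_context chutch@support-team-a.iam.gserviceaccount.com support-team-a "$SAMPLE_CONFIG" \
    && echo "gcloud context OK: support-team-a"
```

Call `assert_gcloud_context <account> <project> || exit 1` at the top of any script that runs the host-project steps, and again with the service-project values before the service-project steps.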

Enable Shared VPC on the host project

This requires the “compute.organizations.enableXpnHost” permission, granted from the parent organization

gcloud compute shared-vpc enable support-team-a

Add the service project to the host project's Shared VPC

gcloud compute shared-vpc associated-projects add --host-project=support-team-a support-team-b

Verify from the host project that the service project is associated

gcloud compute shared-vpc associated-projects list support-team-a
RESOURCE_ID     RESOURCE_TYPE
support-team-b  PROJECT

Verify from the service project that the host project is configured

gcloud compute shared-vpc get-host-project support-team-b
kind: compute#project
name: support-team-a



Set up the host project subnets

Share all subnets in the host project with the service project (project-level binding)

gcloud projects add-iam-policy-binding support-team-a --member "serviceAccount:chutch@support-team-b.iam.gserviceaccount.com" --role "roles/compute.networkUser"

Add firewall rules to the host project network whose subnet is used in the deployment

gcloud compute firewall-rules create elastifile-storage-management --network default --priority 1000 --direction ingress --target-tags elastifile-management-node --source-tags elastifile-storage-node,elastifile-replication-node,elastifile-clients --source-ranges 10.128.0.0/20 --allow icmp,tcp:22,tcp:53,tcp:80,tcp:8080,tcp:443,tcp:10014-10017,udp:53,udp:123,udp:6667 --no-disabled


gcloud compute firewall-rules create elastifile-storage-service --network default --priority 1000 --direction ingress --target-tags elastifile-storage-node,elastifile-replication-node --source-ranges 10.128.0.0/20 --source-tags elastifile-management-node,elastifile-clients --allow icmp,tcp:22,tcp:111,tcp:2049,tcp:644,tcp:4040,tcp:4045,tcp:10015-10017,tcp:8000-9224,tcp:32768-60999,udp:111,udp:2049,udp:644,udp:4040,udp:4045,udp:6667,udp:8000,udp:9224,udp:32768,udp:60999 --no-disabled



Deploy into the service project using the host project’s default subnet

List the usable subnets in the host project

gcloud compute networks subnets list-usable --project support-team-a
PROJECT         REGION                   NETWORK            SUBNET               RANGE          SECONDARY_RANGES
support-team-a  us-central1              default             default              10.128.0.0/20

Obtain the URI of the target subnet in the host project

gcloud compute networks subnets list --project support-team-a --uri
https://www.googleapis.com/compute/v1/projects/support-team-a/regions/us-central1/subnetworks/default

Update terraform.tfvars to use the “NETWORK” and “SUBNETWORK” from the host project

ZONE = "us-central1-f"
PROJECT = "support-team-b"
NETWORK = "default"
SUBNETWORK = "/projects/support-team-a/regions/us-central1/subnetworks/default"
IMAGE = "elastifile-storage-2-7-5-12-ems"
CREDENTIALS = "support-team-b-0715a3734e41.json"
SERVICE_EMAIL = "chutch@support-team-b.iam.gserviceaccount.com"
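The SUBNETWORK value above is the subnet self-link returned by `gcloud compute networks subnets list --uri` with the `https://www.googleapis.com/compute/v1` prefix removed, and the ZONE must lie in that subnet's region or the instance create fails. The POSIX shell functions below are an added example, not code from the original article or from Elastifile: they derive the tfvars path from the self-link, pull the host project and region out of it, check the zone against the region, and render the tfvars shown above. The self-link is the one listed above, embedded as a constructed string; the function names are the example's own.

```shell
# Constructed sample: the subnet self-link returned by
# `gcloud compute networks subnets list --project support-team-a --uri`.
SAMPLE_SUBNET_URI='https://www.googleapis.com/compute/v1/projects/support-team-a/regions/us-central1/subnetworks/default'

# subnet_path <self-link>
# Strips the API prefix, leaving the "/projects/<host>/regions/<region>/subnetworks/<name>"
# form that terraform.tfvars and `gcloud ... --subnet` accept.
subnet_path() {
    printf '%s\n' "${1#https://www.googleapis.com/compute/v1}"
}

# subnet_field <self-link-or-path> <projects|regions|subnetworks>
# Prints the path component that follows the given keyword.
subnet_field() {
    printf '%s\n' "$1" | awk -F/ -v key="$2" '
        { for (i = 1; i < NF; i++) if ($i == key) { print $(i + 1); exit } }'
}

# zone_in_region <zone> <region>
# A zone such as us-central1-f belongs to the region us-central1.
zone_in_region() {
    [ "${1%-*}" = "$2" ]
}

# render_tfvars <zone> <service-project> <network> <subnet-self-link> <image> <credentials> <service-email>
# Prints terraform.tfvars content; prints nothing and returns 1 when the zone
# is not in the subnet's region, so a bad pairing is caught before terraform runs.
render_tfvars() {
    region=$(subnet_field "$4" regions)
    zone_in_region "$1" "$region" \
        || { echo "zone $1 is not in subnet region $region" >&2; return 1; }
    printf 'ZONE = "%s"\nPROJECT = "%s"\nNETWORK = "%s"\nSUBNETWORK = "%s"\nIMAGE = "%s"\nCREDENTIALS = "%s"\nSERVICE_EMAIL = "%s"\n' \
        "$1" "$2" "$3" "$(subnet_path "$4")" "$5" "$6" "$7"
}

# Usage with the article's values; redirect to terraform.tfvars when satisfied with the output.
render_tfvars us-central1-f support-team-b default "$SAMPLE_SUBNET_URI" \
    elastifile-storage-2-7-5-12-ems support-team-b-0715a3734e41.json \
    chutch@support-team-b.iam.gserviceaccount.com
```

Because `subnet_field` splits on `/`, it works on both the full self-link and the shortened path, so the same helper can confirm which host project a tfvars file already points at.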

Or launch the EMS directly via gcloud and complete provisioning via the UI

gcloud beta compute --project=support-team-b instances create elastifile-storage-sp --zone=us-central1-f --machine-type=n1-standard-4 --subnet=/projects/support-team-a/regions/us-central1/subnetworks/default --network-tier=PREMIUM --maintenance-policy=MIGRATE --service-account=chutch@support-team-b.iam.gserviceaccount.com --scopes=https://www.googleapis.com/auth/cloud-platform --image=https://www.googleapis.com/compute/v1/projects/elastifle-public-196717/global/images/elastifile-storage-2-7-5-12-ems --boot-disk-size=100GB --boot-disk-type=pd-standard --boot-disk-device-name=elastifile-storage-sp --tags=elastifile-management-node


Colin is the author of this solution article.
