On September 15, 2026, all Cloud Composer 1 versions and versions 2.0.x of Cloud Composer 2 will reach their planned end of life. You will not be able to use environments with these versions. We recommend planning migration to Cloud Composer 3. Cloud Composer 2 versions 2.1.x and later are still supported and are not impacted by this change.
This page describes the Shared VPC network and host project requirements for
Cloud Composer.
Shared VPC enables organizations to establish
budgeting and access control boundaries at the project level while
allowing for secure and efficient communication using
private IPs across those boundaries.
In the Shared VPC configuration, Cloud Composer can invoke services hosted
in other Google Cloud projects in the same organization without exposing
services to the public internet.
Guidelines for Shared VPC
Figure 1. Service and host projects for
Cloud Composer 3 (click to enlarge)
Shared VPC requires that you designate a host project to which networks
and subnetworks belong and a service project, which is attached to the
host project.
When Cloud Composer participates in a Shared VPC,
the Cloud Composer environment is in the service project.
Make sure that Cloud Composer environment's internal IP range
and your VPC network ranges
do not have conflicts.
When attaching a project, leave the default VPC Network permissions
in place.
Grant permissions to the Composer Service Agent account
In the host project:
Edit permissions for the Composer Service Agent account,
service-SERVICE_PROJECT_NUMBER@cloudcomposer-accounts.iam.gserviceaccount.com)
Add another role, Composer Shared VPC Agent (composer.sharedVpcAgent).
at the project level.
Conclusion
You've completed the Shared VPC network configuration for both service and host
projects.
Now you can connect new and existing environments in the service project to the
host project's VPC network. You can use one of the following approaches:
Connect an environment to a Shared VPC network. Cloud Composer
creates a new network attachment for the environment.
Create a network attachment in the service project, connect it to a Shared
VPC network, and connect one or more environments to this network
attachment.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-25 UTC."],[[["\u003cp\u003eShared VPC allows organizations to manage budgeting and access control at the project level while enabling secure communication using private IPs between projects.\u003c/p\u003e\n"],["\u003cp\u003eConfiguring Shared VPC requires a designated host project for networks and subnetworks, and a service project where the Cloud Composer environment resides.\u003c/p\u003e\n"],["\u003cp\u003eYou must ensure that the Cloud Composer environment's internal IP range does not conflict with the VPC network ranges.\u003c/p\u003e\n"],["\u003cp\u003eThe service project requires the provisioning of the Composer Service Agent Account, while the host project requires configuration and addition of the \u003cstrong\u003eComposer Shared VPC Agent\u003c/strong\u003e role to the service agent account.\u003c/p\u003e\n"],["\u003cp\u003eAfter configuring the Shared VPC network, you can connect both new and existing Cloud Composer environments in the service project to the host project's VPC network using one of the described approaches.\u003c/p\u003e\n"]]],[],null,["# Configure Shared VPC networking\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\n\n**Cloud Composer 3** \\| [Cloud Composer 2](/composer/docs/composer-2/configure-shared-vpc \"View this page for Cloud Composer 2\") \\| [Cloud Composer 1](/composer/docs/composer-1/configure-shared-vpc \"View this page for Cloud Composer 1\")\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\nThis page describes the Shared VPC network and host project requirements for\nCloud Composer.\n\n[Shared VPC](/vpc/docs/shared-vpc) enables organizations to establish\nbudgeting and access control boundaries at the project level while\nallowing for secure and efficient communication using\n[private IPs](/composer/docs/composer-2/private-ip-environments) across those boundaries.\nIn the Shared VPC configuration, Cloud Composer can invoke services hosted\nin other Google Cloud projects in the same organization without exposing\nservices to the public internet.\n\nGuidelines for Shared VPC\n-------------------------\n\n[](/static/composer/docs/images/composer-3-service-host-projects.png) **Figure 1.** Service and host projects for Cloud Composer 3 (click to enlarge)\n\n\n- Shared VPC requires that you designate a *host project* to which networks\n and subnetworks belong and a *service project*, which is attached to the\n host project.\n When Cloud Composer participates in a Shared VPC,\n the Cloud Composer environment is in the service project.\n\n- Make sure that Cloud Composer environment's internal IP range\n and your VPC network ranges\n [do not have conflicts](/composer/docs/composer-3/connect-vpc-network#internal-range).\n\n- Cloud Composer 3 has\n [a limitation of one transitive DNS hop](/composer/docs/composer-3/connect-vpc-network#vpc-peering-limitations), make\n sure that your DNS configuration allows for that.\n\n \u003cbr /\u003e\n\nPreparation\n-----------\n\n1. [Find the following project IDs and project numbers](/kubernetes-engine/docs/how-to/cluster-shared-vpc#finding_your_project_ids_and_numbers):\n\n - Host project: The project that contains the Shared VPC network.\n - Service project: The project that contains the Cloud Composer environment.\n2. [Prepare your organization](/vpc/docs/provisioning-shared-vpc#prepare_your_organization).\n\nConfigure the service project\n-----------------------------\n\nIf Cloud Composer environments were never created in the service\nproject, then provision the Composer Service Agent Account\n**in the service project**: \n\n gcloud beta services identity create --service=composer.googleapis.com\n\nConfigure the host project\n--------------------------\n\nConfigure the host project as described further.\n| **Caution:** Do all of the described actions **in the host project**. For example, if you add roles to a service account from the service project, assign them in the host project's IAM configuration.\n\n### Configure networking resources\n\nChoose one of the following options:\n\n- Option 1.\n [Create a new VPC network and a subnet](/vpc/docs/create-modify-vpc-networks#create-custom-network).\n\n- Option 2.\n [Create a subnet in an existing VPC network](/vpc/docs/create-modify-vpc-networks#add-subnets).\n\n- Option 3. Use an existing VPC network and a subnet.\n\n\n### Set up Shared VPC and attach the service project\n\n1. If not already done, [Set up Shared VPC](/vpc/docs/provisioning-shared-vpc#enable-shared-vpc-host). If\n you already have set up Shared VPC, skip to the next step.\n\n2. [Attach the service project](/vpc/docs/provisioning-shared-vpc#create-shared), which you\n use to host Cloud Composer environments.\n\n When attaching a project, leave the default VPC Network permissions\n in place.\n\n### Grant permissions to the Composer Service Agent account\n\n| **Warning:** On this and next steps, when editing permissions, keep the existing account roles. Add another role to an account instead of replacing an existing role.\n\nIn the host project:\n\n1. Edit permissions for the Composer Service Agent account,\n `service-`\u003cvar translate=\"no\"\u003eSERVICE_PROJECT_NUMBER\u003c/var\u003e`@cloudcomposer-accounts.iam.gserviceaccount.com`)\n\n2. Add another role, **Composer Shared VPC Agent** (`composer.sharedVpcAgent`).\n at the project level.\n\n \u003cbr /\u003e\n\nConclusion\n----------\n\nYou've completed the Shared VPC network configuration for both service and host\nprojects.\n\nNow you can connect new and existing environments in the service project to the\nhost project's VPC network. You can use one of the following approaches:\n\n- Connect an environment to a Shared VPC network. Cloud Composer creates a new network attachment for the environment.\n- Create a network attachment in the service project, connect it to a Shared VPC network, and connect one or more environments to this network attachment.\n\nFor instructions and more information about differences between the two\ndescribed approaches, see\n[Connect a VPC network to your environment](/composer/docs/composer-3/connect-vpc-network).\n\n\nWhat's next\n-----------\n\n- [Connect a VPC network to your environment](/composer/docs/composer-3/connect-vpc-network).\n- [Create a Cloud Composer environment](/composer/docs/composer-3/create-environments)."]]
