Use connections in other projects

Cross-Cloud Interconnect lets you connect your remote cloud network to multiple Virtual Private Cloud (VPC) networks. You extend reachability by adding multiple VLAN attachments to the connection.

As part of this functionality, you can create a VLAN attachment that uses a Cross-Cloud Interconnect connection that's in a different project. You can use this approach as long as both resources are in the same organization.

If appropriate, you can share connectivity between even more VPC networks by using Shared VPC or VPC Network Peering. For more information about these approaches, see Options for connecting to multiple VPC networks.

Required permissions

In the project where you create the attachment, you need the Network Admin role (roles/compute.networkAdmin).

In the project that contains the connection, you need one of the following:

  • The Network Admin role (roles/compute.networkAdmin) or the compute.interconnects.get permission
  • Minimally, the compute.interconnects.use permission

compute.interconnects.get

If the user has the compute.interconnects.get permission, then the process of creating the attachment is the same as it is for a network administrator.

compute.interconnects.use

If the user has the compute.interconnects.use permission and does not have the compute.interconnects.get permission, then the user does not have visibility into what type of remote cloud the connection uses. In this case, the Google Cloud console can't detect requirements related to the remote location.

For example, attachments to Azure require using an IPv4 subnet length of /30. For an administrative user, the Google Cloud console removes the option to request a /29 IPv4 subnet. However, it does not do so for users who have only the compute.interconnects.use permission.

Some constraints are enforced by the API, and in such cases, the Google Cloud console returns an error if an invalid parameter is specified.

Other constraints are merely advisory, to guide users toward known valid configurations. For such constraints, the absence of Google Cloud console advice can result in incompatible configuration choices that are not discovered until further along in the configuration sequence.

The following are sample requirements:

  • Microsoft Azure attachments require using an IPv4 subnet length of /30.
  • Azure attachments require using the same VLAN ID on both ports of a pair.
  • Amazon Web Services (AWS) attachments require using MD5 authentication for Border Gateway Protocol (BGP) sessions.
  • Oracle Cloud Infrastructure (OCI) attachments require using a VLAN ID >= 100. Auto-allocated VLAN IDs meet this requirement.

To learn about constraints, consult the following pages:

When you grant a user the compute.interconnects.use permission, inform them of any constraints.

Create a VLAN attachment

To create a VLAN attachment that uses a Cross-Cloud Interconnect connection from another project, follow these steps.

Console

  1. In the Google Cloud console, go to the VLAN attachments tab.

  2. Select the project in which you need to create a VLAN attachment by using the project picker.

  3. Click Create VLAN attachments, and then select Cross-Cloud Interconnect connection.

  4. In the Encrypt interconnect section, select Set up unencrypted Interconnect, and then click Continue.

  5. On the Choose an Interconnect page, select In another project. Enter the following information:

    • Project ID: Enter the ID of the project that contains the Cross-Cloud Interconnect connection.
    • Interconnect name: Enter the name of the connection.
  6. Click Continue.

  7. For VLAN attachments, click Add VLAN attachment. Provide the following information:

    • Name: Specify a name for the VLAN attachment.
    • Cloud Router: Choose an existing Cloud Router or create a new one. The Cloud Router that you choose defines the region and VPC network to which your VLAN attachment is available. The Google Cloud ASN is also defined by the Cloud Router that you choose.
  8. Click Done, and then click Create. The attachment takes a few minutes to create.

  9. After the attachment is created, click Configure to create a BGP session on the chosen Cloud Router. The Google and Peer BGP IP addresses are selected for you automatically.

  10. After you add the BGP session, click Save configuration. The BGP session is not active until you configure resources in your remote cloud.

gcloud

  1. If you have not already created a Cloud Router, create one by running the following command:

    gcloud compute routers create ROUTER_NAME \
        --region=REGION \
        --asn=GOOGLE_ASN \
        --network=NETWORK \
        --project=PROJECT_ID
    

    Replace the following:

    • ROUTER_NAME: a name that you specify for your Cloud Router
    • REGION: the Google Cloud region in which your Cloud Router is created; this region must match the region used by the VLAN attachment
    • GOOGLE_ASN: the private ASN (16550, 64512 - 65534, 4200000000 - 4294967294); it is used for all BGP sessions on the same Cloud Router, and it cannot be changed later
    • NETWORK: the name of the VPC network whose routes the Cloud Router manages; this is the same network that your VLAN attachment uses
    • PROJECT_ID: the ID for the project in which both the Cloud Router and VLAN attachment exist; this project ID is different from the project where the connection is located
  2. In the project that contains your connections, list all the Cloud Interconnect connections:

    gcloud compute interconnects list \
        --project=INTERCONNECT_PROJECT_ID
    

    Replace INTERCONNECT_PROJECT_ID with that project's ID. Determine the name of the connection that you need to use.

  3. Determine the self link for the connection that you need to use:

    gcloud compute interconnects describe INTERCONNECT_NAME \
        --project=INTERCONNECT_PROJECT_ID \
        --format="get(selfLink)"
    

    Replace INTERCONNECT_NAME with its name, and replace INTERCONNECT_PROJECT_ID with the ID of the project that contains it.

  4. Create the VLAN attachment:

    gcloud compute interconnects attachments dedicated create VLAN_ATTACHMENT_NAME \
        --region=REGION \
        --router=ROUTER_NAME \
        --project=PROJECT_ID \
        --interconnect=INTERCONNECT_SELF_LINK \
        --candidate-subnets=CANDIDATE_SUBNETS \
        --vlan=VLAN_ID
    

    Replace the following:

    • VLAN_ATTACHMENT_NAME: a name that you specify for your VLAN attachment
    • REGION: the region of the VLAN attachment; it must match the region of the associated Cloud Router
    • ROUTER_NAME: the name of the Cloud Router from the first step
    • PROJECT_ID: the ID for the project in which both the Cloud Router and the VLAN attachment exist; this project ID is different from the project where the connection is located
    • INTERCONNECT_SELF_LINK: the self link for the connection that the VLAN attachment uses; the self link includes the ID of the project that contains the connection itself
    • CANDIDATE_SUBNETS: an optional flag that lets you specify comma-delimited ranges of link-local IP addresses to be used for the BGP session that manages routes for the VLAN attachment; for more information, see the Google Cloud CLI documentation
    • VLAN_ID: an optional flag that lets you specify a VLAN ID; for more information, see the Google Cloud CLI documentation
  5. Describe the VLAN attachment that you just created:

    gcloud compute interconnects attachments dedicated describe VLAN_ATTACHMENT_NAME \
        --region=REGION \
        --project=PROJECT_ID \
        --format="get(cloudRouterIpAddress,customerRouterIpAddress,tag8021q)"
    

    Replace the following:

    • VLAN_ATTACHMENT_NAME: its name
    • REGION: its region
    • PROJECT_ID: its project ID

    Note the following:

    • cloudRouterIpAddress is the BGP IP address that is used by the BGP session on the associated Cloud Router.
    • customerRouterIpAddress is the BGP IP address that you use to configure the BGP session in your remote cloud.
    • tag8021q is the VLAN ID, which you might have specified manually in the previous step.
  6. Create an interface on the Cloud Router:

    gcloud compute routers add-interface ROUTER_NAME \
        --interconnect-attachment=VLAN_ATTACHMENT_NAME \
        --region=REGION \
        --interface-name=INTERFACE_NAME \
        --project=PROJECT_ID \
        --ip-address=CLOUD_ROUTER_IP
    

    Replace the following:

    • ROUTER_NAME: the name of the Cloud Router from the first step
    • VLAN_ATTACHMENT_NAME: the name of the VLAN attachment that you created and described in these steps
    • REGION: the region used by the Cloud Router and the VLAN attachment
    • INTERFACE_NAME: a name that you specify for the new interface on the Cloud Router
    • PROJECT_ID: the ID for the project in which both the Cloud Router and VLAN attachment exist; this project ID is different from the project where the connection is located
    • CLOUD_ROUTER_IP: the cloudRouterIpAddress that you determined in the previous step
  7. Add a BGP peer to the new interface on the Cloud Router:

    gcloud compute routers add-bgp-peer ROUTER_NAME \
        --region=REGION \
        --interface-name=INTERFACE_NAME \
        --peer-name=BGP_PEER_NAME \
        --project=PROJECT_ID \
        --peer-ip-address=CUSTOMER_ROUTER_IP \
        --peer-asn=PEER_ASN \
        --advertised-route-priority=PRIORITY \
        --advertisement-mode=ADVERTISEMENT_MODE
    

    Replace the following:

    • ROUTER_NAME: the name of the Cloud Router from the first step
    • REGION: the region used by the Cloud Router and the VLAN attachment
    • INTERFACE_NAME: the name of the interface that you created in the previous step
    • BGP_PEER_NAME: a name that you specify for the BGP peer
    • PROJECT_ID: the ID for the project in which both the Cloud Router and the VLAN attachment exist; this project ID is different from the project where the connection is located
    • CUSTOMER_ROUTER_IP: the BGP IP address for your remote cloud; this is the customerRouterIpAddress that you noted when you described your VLAN attachment
    • PEER_ASN: the ASN for your remote cloud
    • PRIORITY: an optional flag that you can use to set the base priority for the routes that the Cloud Router advertises to the remote cloud; for more details about this option and the base metric, see Advertised prefixes and priorities
    • ADVERTISEMENT_MODE: an optional flag that you can use if you want to customize the routes that the Cloud Router advertises to the remote cloud; for information about default and custom advertisements, see route advertisements
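The permissions section above explains that a caller who holds only compute.interconnects.use does not get the console's remote-cloud guidance, so advisory constraints (the /30 subnet for Azure, matching VLAN IDs on both ports of an Azure pair, MD5 for AWS BGP sessions, VLAN ID >= 100 for OCI) can be violated without an immediate error. The following script is an added example, not Google's documentation code: it applies those documented constraints as a pre-flight check before step 4 of the gcloud procedure and renders the resulting create command for review instead of running it. The remote-cloud labels (azure, aws, oci), the "auto" marker for an auto-allocated VLAN ID, the function names and the sample values are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight check for a Cross-Cloud Interconnect VLAN attachment
# when the console cannot advise on remote-cloud constraints (caller has only
# compute.interconnects.use). Constraints are the ones this page lists; the
# labels azure/aws/oci and the "auto" VLAN marker are assumptions of this example.

# check_attachment_params REMOTE_CLOUD SUBNET_LENGTH VLAN_ID BGP_MD5_KEY [PAIR_VLAN_ID]
# Returns 0 when the parameters satisfy the documented constraints, 1 otherwise.
# VLAN_ID may be "auto" to mean the API auto-allocates it.
check_attachment_params() {
  remote="$1"; subnet_len="$2"; vlan_id="$3"; md5_key="$4"; pair_vlan="${5:-}"
  rc=0
  case "$remote" in
    azure)
      # Azure attachments require an IPv4 subnet length of /30 ...
      [ "$subnet_len" = "30" ] || { echo "azure: IPv4 subnet length must be /30 (got /$subnet_len)" >&2; rc=1; }
      # ... and the same VLAN ID on both ports of a pair (checked only when a pair ID is given)
      if [ -n "$pair_vlan" ] && [ "$pair_vlan" != "$vlan_id" ]; then
        echo "azure: VLAN ID must match on both ports ($vlan_id vs $pair_vlan)" >&2; rc=1
      fi
      ;;
    aws)
      # AWS attachments require MD5 authentication on the BGP session
      [ -n "$md5_key" ] || { echo "aws: BGP session requires an MD5 authentication key" >&2; rc=1; }
      ;;
    oci)
      # OCI attachments require VLAN ID >= 100; auto-allocated IDs satisfy this
      if [ "$vlan_id" != "auto" ] && [ "$vlan_id" -lt 100 ]; then
        echo "oci: VLAN ID must be >= 100 (got $vlan_id)" >&2; rc=1
      fi
      ;;
    *)
      echo "unknown remote cloud '$remote'" >&2; rc=1
      ;;
  esac
  return $rc
}

# render_create_cmd NAME REGION ROUTER PROJECT INTERCONNECT_SELF_LINK CANDIDATE_SUBNETS VLAN_ID
# Prints the step-4 gcloud command on stdout instead of executing it, so the
# resolved arguments can be reviewed first. --vlan is omitted when VLAN_ID is "auto".
render_create_cmd() {
  name="$1"; region="$2"; router="$3"; project="$4"; self_link="$5"; subnets="$6"; vlan_id="$7"
  cmd="gcloud compute interconnects attachments dedicated create $name --region=$region --router=$router --project=$project --interconnect=$self_link --candidate-subnets=$subnets"
  [ "$vlan_id" = "auto" ] || cmd="$cmd --vlan=$vlan_id"
  printf '%s\n' "$cmd"
}

# Constructed sample values for a dry run (no real project, router or connection):
#   sh preflight.sh demo
if [ "${1:-}" = "demo" ]; then
  check_attachment_params oci 29 250 "" && \
    render_create_cmd my-attachment us-east4 my-router attach-project \
      "https://www.googleapis.com/compute/v1/projects/ic-project/global/interconnects/my-xci" \
      169.254.10.0/29 250
fi
```

Because the check fails closed on an unrecognized remote-cloud label, the person granting compute.interconnects.use can hand this script to the attachment creator together with the constraint list, and a wrong guess about the remote cloud surfaces before the attachment is created rather than when the BGP session never comes up.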

What's next