This page describes how to create a Network Connectivity Center hub using the hybrid inspection topology so that you can add NCC Gateway spokes and VPC spokes to the hub.
For an introduction to NCC Gateway, see the NCC Gateway overview.
Before you begin
Before you get started, review the following sections.
Create or select a project
To make it easier to configure Network Connectivity Center, start by identifying a valid project.
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
-
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
-
Make sure that billing is enabled for your Google Cloud project.
-
Install the Google Cloud CLI.
-
If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
-
To initialize the gcloud CLI, run the following command:
gcloud init -
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
-
Make sure that billing is enabled for your Google Cloud project.
-
Install the Google Cloud CLI.
-
If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
-
To initialize the gcloud CLI, run the following command:
gcloud init If you are using the Google Cloud CLI, set your project ID by using the
gcloud config setcommand.gcloud config set project PROJECT_ID
Replace
PROJECT_IDwith your unique project ID.The gcloud CLI instructions on this page assume that you have set your project ID.
To confirm that you set the project ID correctly, use the
gcloud config listcommand.gcloud config list --format='text(core.project)'
Enable the Network Connectivity API
Before you can perform any tasks using NCC Gateway, you must enable the Network Connectivity API.
Console
To enable the Network Connectivity API, do the following:
In the Google Cloud console, go to the Network Connectivity Center page.
Click Enable.
Alternatively, you can enable the API by using the Google Cloud console API Library, as described in Enabling APIs.
Get access
To work with Network Connectivity Center and NCC Gateway, you need the permissions described in Roles and permissions.
Identify resources
When you reference resources by using the gcloud CLI or the API, use the conventions described in the following table.
| Convention | Supported for | Notes | Example |
|---|---|---|---|
| Full URI | All resources | Use one of these methods to reference Router appliance instances. |
"https://www.googleapis.com/compute/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_NAME"
|
| Relative resource name | All resources |
"projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_NAME"
|
|
| Name | Regional and global resources | Use this method for hubs, spokes, VPN tunnels, and VLAN attachments. |
"HUB_NAME"
|
Create a Network Connectivity Center hub
To create a Network Connectivity Center hub with the preset hybrid inspection topology, follow these steps:
gcloud
Use the gcloud network-connectivity hubs create command
and specify the hybrid inspection preset topology.
gcloud beta network-connectivity hubs create HUB_NAME \
--preset-topology=hybrid-inspection
Replace HUB_NAME with a name for the new hub.
API
Use the
projects.locations.global.hubs.create method.
POST https://networkconnectivity.googleapis.com/v1beta/projects/PROJECT_ID/locations/global/hubs
{
"name":"HUB_NAME",
"description":"DESCRIPTION",
"labels": {
"KEY": "VALUE"
},
"presetTopology": "HYBRID_INSPECTION"
}
Replace the following:
PROJECT_ID: the project ID of the project that contains the new hubHUB_NAME: the name of the new hubDESCRIPTION: optional text that describes the hubKEY: the key in the key-value pair for the optional label textVALUE: the value in the key-value pair for the optional label text
Connect VPC networks to the hub
The process for connecting VPC networks to a hub differs depending on whether the network and hub are in the same project.
Connect VPC networks and hub from different projects
To connect VPC networks from different projects, use the following steps:
- A VPC spoke administrator proposes a VPC spoke in a different project
- A hub administrator reviews proposed VPC spokes
Connect VPC networks and hub in the same project
If the VPC networks and hub are in the same project, you can follow these steps in this section.
gcloud
Use the gcloud network-connectivity spokes linked-vpc-network create command:
gcloud network-connectivity spokes linked-vpc-network create SPOKE_NAME \
--hub=HUB_NAME \
--description=DESCRIPTION \
--vpc-network=VPC_NETWORK_URI \
--global \
--group=GROUP_NAME
Replace the following:
SPOKE_NAME: the name of the spoke that you are creating, such asvpc-spoke1HUB_NAME: the hub for the spokeDESCRIPTION: an optional description of the spokeVPC_NETWORK_URI: the VPC network that this spoke points toGROUP_NAME: the group that this spoke belongs to
Because the hub uses the hybrid inspection
topology,
valid group names for VPC spokes are prod, non-prod, and services.
For additional options available when adding a VPC spoke, including details about export filters, see Create a VPC spoke.
API
Use the projects.locations.spokes.create method:
POST https://networkconnectivity.googleapis.com/v1/projects/PROJECT_ID/locations/global/spokes/SPOKE_NAME
{
"hub":"HUB_NAME",
"description": "DESCRIPTION",
"linkedVpcNetwork": {
"uri": "VPC_NETWORK_URI",
"include_export_ranges": "[INCLUDE_RANGES]",
"exclude_export_ranges": "[EXCLUDE_IPV4_RANGES]",
"group": "GROUP_NAME"
},
}
Replace the following:
SPOKE_NAME: the name of the spoke that you are creating, such asvpc-spoke1HUB_NAME: the hub for the spokeDESCRIPTION: an optional description of the spokeVPC_NETWORK_URI: the VPC network that this spoke points toGROUP_NAME: the group that this spoke belongs to
Because the hub uses the hybrid inspection
topology,
valid group names for VPC spokes are prod, non-prod, and services.
For additional options available when adding a VPC spoke, including details about export filters, see Create a VPC spoke.