Set up Network Connectivity Center and create a hub
Stay organized with collections
Save and categorize content based on your preferences.
This page describes how to create a Network Connectivity Center hub using the
hybrid inspection topology so that you can add NCC Gateway spokes
and VPC spokes to the hub.
Before you get started, review the following sections.
Create or select a project
To make it easier to configure Network Connectivity Center, start by identifying a valid
project.
Sign in to your Google Cloud account. If you're new to
Google Cloud,
create an account to evaluate how our products perform in
real-world scenarios. New customers also get $300 in free credits to
run, test, and deploy workloads.
In the Google Cloud console, on the project selector page,
select or create a Google Cloud project.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[],[],null,["# Set up Network Connectivity Center and create a hub\n\n| **Preview**\n|\n|\n| This feature is subject to the \"Pre-GA Offerings Terms\" in the General Service Terms section\n| of the [Service Specific Terms](/terms/service-terms#1).\n|\n| Pre-GA features are available \"as is\" and might have limited support.\n|\n| For more information, see the\n| [launch stage descriptions](/products#product-launch-stages).\n\nThis page describes how to create a Network Connectivity Center hub using the\nhybrid inspection topology so that you can add NCC Gateway spokes\nand VPC spokes to the hub.\n\nFor an introduction to NCC Gateway, see the\n[NCC Gateway overview](/network-connectivity/docs/network-connectivity-center/concepts/ncc-gateway-overview).\n\nBefore you begin\n----------------\n\nBefore you get started, review the following sections.\n\n### Create or select a project\n\nTo make it easier to configure Network Connectivity Center, start by identifying a valid\nproject.\n\n- Sign in to your Google Cloud account. If you're new to Google Cloud, [create an account](https://console.cloud.google.com/freetrial) to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.\n- In the Google Cloud console, on the project selector page,\n select or create a Google Cloud project.\n\n | **Note**: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.\n\n [Go to project selector](https://console.cloud.google.com/projectselector2/home/dashboard)\n-\n [Verify that billing is enabled for your Google Cloud project](/billing/docs/how-to/verify-billing-enabled#confirm_billing_is_enabled_on_a_project).\n\n-\n [Install](/sdk/docs/install) the Google Cloud CLI.\n\n- If you're using an external identity provider (IdP), you must first\n [sign in to the gcloud CLI with your federated identity](/iam/docs/workforce-log-in-gcloud).\n\n-\n To [initialize](/sdk/docs/initializing) the gcloud CLI, run the following command:\n\n ```bash\n gcloud init\n ```\n\n- In the Google Cloud console, on the project selector page,\n select or create a Google Cloud project.\n\n | **Note**: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.\n\n [Go to project selector](https://console.cloud.google.com/projectselector2/home/dashboard)\n-\n [Verify that billing is enabled for your Google Cloud project](/billing/docs/how-to/verify-billing-enabled#confirm_billing_is_enabled_on_a_project).\n\n-\n [Install](/sdk/docs/install) the Google Cloud CLI.\n\n- If you're using an external identity provider (IdP), you must first\n [sign in to the gcloud CLI with your federated identity](/iam/docs/workforce-log-in-gcloud).\n\n-\n To [initialize](/sdk/docs/initializing) the gcloud CLI, run the following command:\n\n ```bash\n gcloud init\n ```\n\n1. If you are using the Google Cloud CLI, set your project\n ID by using the\n [`gcloud config set` command](/sdk/gcloud/reference/config/set).\n\n ```\n gcloud config set project PROJECT_ID\n ```\n\n Replace \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e with your unique project ID.\n\n The gcloud CLI instructions on this page assume that you have set your project ID.\n2. To confirm that you set the project ID correctly, use the\n [`gcloud config list` command](/sdk/gcloud/reference/config/list).\n\n ```\n gcloud config list --format='text(core.project)'\n ```\n\n### Enable the Network Connectivity API\n\nBefore you can perform *any* tasks using NCC Gateway, you must\nenable the Network Connectivity API. \n\n### Console\n\nTo enable the Network Connectivity API, do the following:\n\n1. In the Google Cloud console, go to the **Network Connectivity Center**\n page.\n\n [Go to Network Connectivity Center](https://console.cloud.google.com/hybrid/hubs/list)\n2. Click **Enable**.\n\nAlternatively, you can enable the API by\nusing the\n[Google Cloud console API Library](https://console.cloud.google.com/apis/library?project=_),\nas described in [Enabling APIs](/apis/docs/getting-started#enabling_apis).\n\n### Get access\n\nTo work with Network Connectivity Center and NCC Gateway, you need the\npermissions described in\n[Roles and permissions](/network-connectivity/docs/network-connectivity-center/concepts/access-control).\n\n### Identify resources\n\nWhen you reference resources by using the\ngcloud CLI or the API, use the conventions described in the\nfollowing table.\n\nCreate a Network Connectivity Center hub\n----------------------------------------\n\nTo create a Network Connectivity Center hub with the preset\n[hybrid inspection topology](/network-connectivity/docs/network-connectivity-center/concepts/connectivity-topologies#hybrid-inspection-topology),\nfollow these steps: \n\n### gcloud\n\nUse the [`gcloud network-connectivity hubs create` command](/sdk/gcloud/reference/network-connectivity/hubs/create)\nand specify the hybrid inspection preset topology. \n\n```\ngcloud beta network-connectivity hubs create HUB_NAME \\\n --preset-topology=hybrid-inspection\n```\n\nReplace \u003cvar translate=\"no\"\u003eHUB_NAME\u003c/var\u003e with a name for the new hub.\n\n### API\n\nUse the\n[`projects.locations.global.hubs.create` method](/network-connectivity/docs/reference/networkconnectivity/rest/v1beta/projects.locations.global.hubs/create). \n\n```\nPOST https://networkconnectivity.googleapis.com/v1beta/projects/PROJECT_ID/locations/global/hubs\n{\n \"name\":\"HUB_NAME\",\n \"description\":\"DESCRIPTION\",\n \"labels\": {\n \"KEY\": \"VALUE\"\n },\n \"presetTopology\": \"HYBRID_INSPECTION\"\n}\n```\n\nReplace the following:\n\n- \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e: the project ID of the project that contains the new hub\n- \u003cvar translate=\"no\"\u003eHUB_NAME\u003c/var\u003e: the name of the new hub\n- \u003cvar translate=\"no\"\u003eDESCRIPTION\u003c/var\u003e: optional text that describes the hub\n- \u003cvar translate=\"no\"\u003eKEY\u003c/var\u003e: the key in the key-value pair for the optional label text\n- \u003cvar translate=\"no\"\u003eVALUE\u003c/var\u003e: the value in the key-value pair for the optional label text\n\nConnect VPC networks to the hub\n-------------------------------\n\nThe process for connecting VPC networks to a hub differs\ndepending on whether the network and hub are in the same project.\n\n### Connect VPC networks and hub from different projects\n\nTo connect VPC networks from different projects,\nuse the following steps:\n\n- A VPC spoke administrator [proposes a VPC\n spoke in a different\n project](/network-connectivity/docs/network-connectivity-center/how-to/vpc-propose-a-spoke)\n- A hub administrator [reviews proposed VPC\n spokes](/network-connectivity/docs/network-connectivity-center/how-to/vpc-review-proposed-spokes)\n\n### Connect VPC networks and hub in the same project\n\nIf the VPC networks and hub are in the same project, you\ncan follow these steps in this section. \n\n### gcloud\n\nUse the [`gcloud network-connectivity spokes linked-vpc-network create` command](/sdk/gcloud/reference/network-connectivity/spokes/linked-vpc-network/create): \n\n```\ngcloud network-connectivity spokes linked-vpc-network create SPOKE_NAME \\\n --hub=HUB_NAME \\\n --description=DESCRIPTION \\\n --vpc-network=VPC_NETWORK_URI \\\n --global \\\n --group=GROUP_NAME\n```\n\nReplace the following:\n\n- \u003cvar translate=\"no\"\u003eSPOKE_NAME\u003c/var\u003e: the name of the spoke that you are creating, such as `vpc-spoke1`\n- \u003cvar translate=\"no\"\u003eHUB_NAME\u003c/var\u003e: the hub for the spoke\n- \u003cvar translate=\"no\"\u003eDESCRIPTION\u003c/var\u003e: an optional description of the spoke\n- \u003cvar translate=\"no\"\u003eVPC_NETWORK_URI\u003c/var\u003e: the VPC network that this spoke points to\n- \u003cvar translate=\"no\"\u003eGROUP_NAME\u003c/var\u003e: the group that this spoke belongs to\n\nBecause the hub uses the [hybrid inspection\ntopology](/network-connectivity/docs/network-connectivity-center/concepts/connectivity-topologies#hybrid-inspection-topology),\nvalid group names for VPC spokes are `prod`, `non-prod`, and `services`.\n\nFor additional options available when adding a VPC spoke, including\ndetails about export filters, see\n[Create a VPC spoke](/network-connectivity/docs/network-connectivity-center/how-to/working-with-hubs-spokes#create-vpc-spoke).\n\n### API\n\nUse the [`projects.locations.spokes.create` method](/network-connectivity/docs/reference/networkconnectivity/rest/v1/projects.locations.spokes/create): \n\n```\nPOST https://networkconnectivity.googleapis.com/v1/projects/PROJECT_ID/locations/global/spokes/SPOKE_NAME\n\n{\n \"hub\":\"HUB_NAME\",\n \"description\": \"DESCRIPTION\",\n \"linkedVpcNetwork\": {\n \"uri\": \"VPC_NETWORK_URI\",\n \"include_export_ranges\": \"[INCLUDE_RANGES]\",\n \"exclude_export_ranges\": \"[EXCLUDE_IPV4_RANGES]\",\n \"group\": \"GROUP_NAME\"\n },\n}\n```\n\nReplace the following:\n\n- \u003cvar translate=\"no\"\u003eSPOKE_NAME\u003c/var\u003e: the name of the spoke that you are creating, such as `vpc-spoke1`\n- \u003cvar translate=\"no\"\u003eHUB_NAME\u003c/var\u003e: the hub for the spoke\n- \u003cvar translate=\"no\"\u003eDESCRIPTION\u003c/var\u003e: an optional description of the spoke\n- \u003cvar translate=\"no\"\u003eVPC_NETWORK_URI\u003c/var\u003e: the VPC network that this spoke points to\n- \u003cvar translate=\"no\"\u003eGROUP_NAME\u003c/var\u003e: the group that this spoke belongs to\n\nBecause the hub uses the [hybrid inspection\ntopology](/network-connectivity/docs/network-connectivity-center/concepts/connectivity-topologies#hybrid-inspection-topology),\nvalid group names for VPC spokes are `prod`, `non-prod`, and `services`.\n\nFor additional options available when adding a VPC spoke, including\ndetails about export filters, see [Create a VPC\nspoke](/network-connectivity/docs/network-connectivity-center/how-to/working-with-hubs-spokes#create-vpc-spoke)."]]
