Guides

Control Plane in Shared VPC (GCP)

This document provides a step-by-step guide to setting up and launching the Facets Control Plane in a GCP Shared VPC.

Suggest Edits

1. Pre-requisites

Before launching the Facets Control Plane, ensure the following GCP setup is complete:

Note: To learn how to create a shared VPC check this doc.

A. Organizational Setup

  • A GCP organizational account is required.
  • A Host Project with the following IAM roles:
    Compute Network Admin
    Compute Network User
    Organization Administrator
    Owner
  • Additional permissions:
    • compute.organizations.disableXpnHost
    • compute.organizations.disableXpnResource
    • compute.organizations.enableXpnHost
    • compute.organizations.enableXpnResource
    • compute.projects.get
    • resourcemanager.projects.get
    • resourcemanager.projects.getIamPolicy
    • resourcemanager.projects.list

B. Networking Setup in the Host Project

  • A VPC must be created in the host project, acting as the shared network for all attached service projects.
  • Create at least two or three subnets with /16 CIDR ranges.
  • Add secondary CIDR ranges (/16 each) for:
    • GKE pods
    • GKE services
  • Reserve a subnet for Internal Load Balancers (ILBs) for Facets components.
  • Enable Cloud NAT to allow outbound connections without exposing node IPs.
  • Enable Private Google Access for GKE clusters to securely access Google services.
  • Allocate a Private Service Access range (important if using managed services like AlloyDB).
  • Establish a Private GCP Connection for secure access to Google services.`

2. Configuring the Shared VPC

Attach Service Projects: Ensure that service projects are properly attached to the shared VPC with Kubernetes access enabled. This allows the service projects to utilize network resources from the host project.

Permissions:

Project-Level Permissions:

Assign the role of Compute Security Admin to service-\<SERVICE_PROJECT_NUMBER>@container-engine-robot.iam.gserviceaccount.com.

Assign the role of Kubernetes Engine Host Service Agent User to the same service account.

Subnet-Level Permissions:

Assign the role of Compute Network User to the following service accounts:

  • \<SERVICE_PROJECT_NUMBER>[[email protected]](mailto:[email protected])
  • \<SERVICE_PROJECT_NUMBER>@cloudservices.gserviceaccount.com
  • service-\<SERVICE_PROJECT_NUMBER>@container-engine-robot.iam.gserviceaccount.com

3. Configuring Facets Service Account

Create Facets Service Account:

Within the service project, create a service account designated for Facets. This account will manage interactions and operations specific to the Facets application within the shared VPC.

Assign Custom Role in Host Project:

Create a custom role in the host project with the following permissions:

  • compute.firewalls.create
  • compute.firewalls.update
  • compute.firewalls.delete
  • compute.firewalls.get
  • compute.globalOperations.get
  • compute.networks.updatePolicy
  • compute.subnetworks.get

Attach this custom role to the Facets service account created in the service project. This step is crucial for providing the necessary permissions for network management and configuration.

Updated 11 days ago