Last Updated: Mar 27, 2024

Network Connectivity Center

Author Amit Singh


As global enterprises move their assets into the cloud, they need a central place to manage the connectivity between their different on-premises networks. This is where Network Connectivity Center comes in. You can use Network Connectivity Center to connect on-premises networks in a hub-and-spoke configuration.

In this article, we will learn about Network Connectivity Center in Google Cloud Platform in detail. We will look at what hubs and spokes are, why they are used, and how to work with them. We will also discuss roles and permissions and audit logs.


About Network Connectivity Center

Network Connectivity Center is a network connectivity product that employs a hub-and-spoke architecture to manage hybrid connectivity. In this architecture, each connectivity resource is represented as a spoke. Every spoke is attached to a central management resource known as a hub.


Network Connectivity Center includes a Router appliance. This feature allows you to install a third-party network virtual appliance in Google Cloud. Using this approach, the appliance can exchange routes with Cloud Router using Border Gateway Protocol (BGP).

Hub-and-Spoke Architecture

Hub-and-Spoke is a Message-Oriented Middleware that uses a central message broker.

The communication occurs between each application (spoke) and the central hub, not between pairs of apps. Routing and message translation to the receiving spoke are two functions of the broker. This design permits content-based routing, which operates in accordance with data contained in the message header or in a defined message body element. The hub can choose the recipient spokes by applying rules to the message's content.


Features of Network Connectivity Center

A Network Connectivity Center has many capabilities. With these capabilities, you can:

  • Connect an external network to Google Cloud using a third-party SD-WAN router or another appliance. This approach is known as site-to-cloud connectivity.
  • Use a third-party network virtual appliance to manage the connectivity between your different Virtual Private Cloud networks as needed.
  • Use Google's network as a wide area network (WAN) to connect sites outside of Google Cloud. You can also establish full mesh connectivity between your external sites using resources such as Cloud Interconnect, Cloud VPN, and third-party network virtual appliances. This approach is known as site-to-site data transfer.

Working in a Network Connectivity Center

Each connectivity resource is represented as a spoke in Network Connectivity Center. Each spoke is connected to the hub, a central management resource.

Before performing any tasks using Network Connectivity Center, you must enable the Network Connectivity API.

To enable the Network Connectivity API, follow these steps:

  1. You must first open the Console.
  2. Then, go to the Network Connectivity Center page.
  3. Click Enable.


A hub is a resource for global management to which spokes are connected.


What the hub does depends on whether its spokes use the site-to-site data transfer feature. When you use this feature, the hub provides full mesh connectivity between all the spokes on which you have enabled it.

If none of the spokes have data transmission enabled, the hub only connects to Google Cloud resources. The hub does not establish connectivity between these spokes.

Working with hubs

A hub is therefore an essential requirement when you set up Network Connectivity Center.


Before going into more depth, complete the following prerequisites.

  1. You must either create or select a project that you want to use.
  2. You must enable the Network Connectivity API.
  3. You must have permission to work on the Network Connectivity Center.
  4. You must identify resources.

After all that, you will be able to:

  1. Create a hub, add a description, and label it using the gcloud network-connectivity hubs create command. The description part is optional. 
  2. List hubs already present in the project using the gcloud network-connectivity hubs list command.
  3. Describe a hub, that is, get detailed information about an existing hub, using the gcloud network-connectivity hubs describe command.
  4. Update a hub by adding or changing labels and descriptions using the gcloud network-connectivity hubs update command. 
  5. Delete a hub using the gcloud network-connectivity hubs delete command.


A spoke is used to represent one or more Google Cloud network resources connected to a hub. When creating a spoke, you must associate it with at least one supported connectivity resource, sometimes known as a backing resource.


A spoke can utilize any of the following Google Cloud resources as its backing resource.

  1. Router Appliance: These are used for
    1. Site-to-cloud connectivity,
    2. Site-to-site data transfer, and
    3. Connectivity between VPC networks.
  2. Dedicated Interconnect VLAN attachments, Partner Interconnect VLAN attachments, and/or Cloud VPN (HA VPN) tunnels: These are used for
    1. Site-to-site data transfer.

More than one resource can be connected to a single spoke, but they all need to be of the same kind. For instance, even though a single spoke may be connected to several VPN tunnels, it cannot be connected to both VPN tunnels and router appliance instances.

There is a data transfer option for each spoke. When you enable this option for multiple spokes, the hub offers full mesh connectivity between those spokes. This choice has other implications as well.

For example, if multiple spokes utilize data transfer, then the backing resources for those spokes must be located in the same VPC network.

Working with Spokes

The ideal practice is to build every spoke in the same Google Cloud region as the Network Connectivity resource you intend to link it to. For example, suppose you have a VPN tunnel that connects to an HA VPN gateway in us-central1. To establish a spoke that uses this tunnel, you must create the spoke in us-central1.
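The spoke rules above (at least one backing resource, one kind of backing resource per spoke, a shared VPC network for spokes that use data transfer, and spoke and resource in the same region) can be checked against an inventory before anything is created. The following Python is an added example, not code from the original article or from Google; the inventory format, field names and sample spokes are hypothetical and constructed for illustration.

```python
# Hypothetical, simplified spoke inventory: constructed sample data, not the API schema.
def _res(kind, region, network):
    return {"kind": kind, "region": region, "network": network}

SPOKES = [
    {"name": "branch-a", "region": "us-central1", "data_transfer": True,
     "resources": [_res("vpn_tunnel", "us-central1", "vpc-prod"),
                   _res("vpn_tunnel", "us-central1", "vpc-prod")]},
    {"name": "branch-b", "region": "us-east1", "data_transfer": True,
     "resources": [_res("vlan_attachment", "us-east1", "vpc-dev")]},
    {"name": "mixed", "region": "us-west1", "data_transfer": False,
     "resources": [_res("vpn_tunnel", "us-west1", "vpc-prod"),
                   _res("router_appliance", "us-central1", "vpc-prod")]},
    {"name": "empty", "region": "us-west1", "data_transfer": False, "resources": []},
]

def mesh_members(spokes):
    """Spokes with data transfer enabled: the hub connects these in a full mesh."""
    return [s["name"] for s in spokes if s["data_transfer"] and s["resources"]]

def check_spokes(spokes):
    """Return sorted (spoke, finding) pairs for the rules described in the text."""
    findings = []
    for s in spokes:
        res = s["resources"]
        if not res:
            findings.append((s["name"], "no backing resource"))
            continue
        if len({r["kind"] for r in res}) > 1:
            findings.append((s["name"], "mixed resource kinds"))
        if any(r["region"] != s["region"] for r in res):
            findings.append((s["name"], "resource outside spoke region"))
    # Data-transfer spokes must keep their backing resources in one VPC network.
    mesh = set(mesh_members(spokes))
    networks = {r["network"] for s in spokes if s["name"] in mesh for r in s["resources"]}
    if len(mesh) > 1 and len(networks) > 1:
        findings += [(name, "data transfer spans VPC networks") for name in mesh]
    return sorted(findings)

if __name__ == "__main__":
    print("full mesh between:", mesh_members(SPOKES))
    for name, finding in check_spokes(SPOKES):
        print(f"{name}: {finding}")
```

Listing the mesh members first shows which sites become mutually reachable once data transfer is enabled, which is the reachability change worth reviewing before the spokes go live.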


Before going into more depth, complete the same prerequisites that we covered for hubs.

After all that, you will be able to:

  1. Create a spoke. 
  2. List spokes already present in the project using the gcloud network-connectivity spokes list command.
  3. Describe a spoke, that is, get detailed information about an existing spoke, using the gcloud network-connectivity spokes describe command.
  4. Update a spoke by adding or changing labels, descriptions, and resources.
  5. Delete a spoke using the gcloud network-connectivity spokes delete command.

Router Appliance

The Router appliance feature allows you to install a network virtual appliance within the Google Cloud. It can be used as the backing resource for a spoke.


The router appliance is one of several supported spoke types for the Network Connectivity Center.

Working with Router Appliance


If you want to create a router appliance instance, you need to begin by installing a virtual appliance image onto a Compute Engine virtual machine (VM). Then you need to complete specific setup steps as well. 

In this setup, we establish Border Gateway Protocol (BGP) peering between the Virtual Machine and a Cloud Router. 

Border Gateway Protocol (BGP) enables the dynamic exchange of routes between the Cloud Router and the router appliance instance. 

Route exchange lets you establish connectivity between your VPC network and other networks.

Cloud Router uses interfaces configured with RFC 1918 internal IP addresses to establish BGP peering with router appliance instances.

Roles and Permissions


After that, let's move on to the Identity and Access Management (IAM) roles and permissions needed to use Network Connectivity Center.

There are three predefined roles:

  1. Hub & Spoke Admin: It has complete access to hub and spoke resources.
  2. Hub & Spoke Viewer: It has read-only access to hub and spoke resources.
  3. Spoke Admin: It has full access to spoke resources and read-only access to hub resources.

Additionally, depending on what actions you need to take in Network Connectivity Center, you might need:

  1. Permission to create a spoke.
  2. Permission to use Network Connectivity Center in the console.

Audit Logging Information


To help you answer "Who did what, where, and when?" for your Google Cloud resources, Google Cloud services keep audit logs.

Your projects contain only the audit logs for resources that are directly within a Google Cloud project. Other Google Cloud resources, including billing accounts, organizations, and files, hold the audit logs for the entity itself.


Following are the types of audit logs available for Network Connectivity Center:

  • Admin Activity audit logs: These include "admin write" operations that write metadata or configuration information. You can't disable Admin Activity audit logs.
  • Data Access audit logs: These include "admin read" operations that read metadata or configuration information, as well as "data read" and "data write" operations that read or write user-provided data. To receive Data Access audit logs, you must explicitly enable them.
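To show how the two log types answer "who did what, where, and when" for hub and spoke changes, here is an added Python example (not part of the original article or of Google's tooling) that triages exported audit log entries. The sample entries, project name, principals and resource names are constructed; the service name networkconnectivity.googleapis.com and the LogEntry field layout are assumed from Cloud Audit Logs conventions.

```python
import json
from urllib.parse import unquote

NCC_SERVICE = "networkconnectivity.googleapis.com"
KINDS = {"cloudaudit.googleapis.com/activity": "admin_activity",
         "cloudaudit.googleapis.com/data_access": "data_access"}
API = "google.cloud.networkconnectivity.v1.HubService."

def _entry(log, ts, service, method, resource, who):
    """Build one constructed LogEntry as a JSON line (sample data, not a real log)."""
    return json.dumps({
        "logName": f"projects/demo-proj/logs/cloudaudit.googleapis.com%2F{log}",
        "timestamp": ts,
        "protoPayload": {"serviceName": service, "methodName": method,
                         "resourceName": resource,
                         "authenticationInfo": {"principalEmail": who}}})

SAMPLE_LINES = [
    _entry("activity", "2024-03-27T10:01:00Z", NCC_SERVICE, API + "CreateSpoke",
           "projects/demo-proj/locations/us-central1/spokes/branch-a", "netadmin@example.com"),
    _entry("data_access", "2024-03-27T10:05:00Z", NCC_SERVICE, API + "GetHub",
           "projects/demo-proj/locations/global/hubs/corp-hub", "viewer@example.com"),
    _entry("activity", "2024-03-27T10:07:00Z", "compute.googleapis.com", "v1.compute.instances.insert",
           "projects/demo-proj/zones/us-central1-a/instances/vm-1", "netadmin@example.com"),
    _entry("activity", "2024-03-27T10:09:00Z", NCC_SERVICE, API + "DeleteHub",
           "projects/demo-proj/locations/global/hubs/corp-hub", "netadmin@example.com"),
]

def triage(lines):
    """Return who/what/where/when rows for Network Connectivity Center entries only."""
    rows = []
    for line in lines:
        entry = json.loads(line)
        payload = entry.get("protoPayload", {})
        # The log name is URL-encoded (%2F); its suffix tells the audit log type.
        kind = KINDS.get(unquote(entry.get("logName", "")).split("/logs/")[-1])
        if kind is None or payload.get("serviceName") != NCC_SERVICE:
            continue
        rows.append({"kind": kind,
                     "who": payload.get("authenticationInfo", {}).get("principalEmail"),
                     "what": payload.get("methodName", "").rsplit(".", 1)[-1],
                     "where": payload.get("resourceName"),
                     "when": entry.get("timestamp")})
    return rows

def data_access_visible(rows):
    """False means no reads were recorded, e.g. Data Access logs were never enabled."""
    return any(r["kind"] == "data_access" for r in rows)

if __name__ == "__main__":
    for r in triage(SAMPLE_LINES):
        print(r["when"], r["kind"], r["who"], r["what"], r["where"])
```

If data_access_visible returns False for a long export window, treat the absence of read events as a logging gap rather than as evidence that nobody read the hub or spoke configuration.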

Frequently Asked Questions

What is GCP interconnect?

Cloud Interconnect provides low latency, high availability connections that enable you to reliably transfer data between your on-premises and Google Cloud Virtual Private Cloud (VPC) networks.

What is a firewall appliance?

A physical firewall device, also known as firewall hardware, is a device that lies between the uplink and the client system and filters the traffic to determine what gets through on the basis of preconfigured security policies, user profiles, and business regulations.

What is an example of a network appliance?

A typical network appliance could be a DSL router, probe, camera, or access device (like RFID locks). These devices require cryptography to authenticate and encrypt data between some client or server and itself.

What is VPN in GCP?

Your Virtual Private Cloud (VPC) network and peer network are safely connected by a cloud VPN over an IPsec VPN connection. One VPN gateway encrypts all incoming and outgoing traffic between the two networks, and the other decrypts it.

What is VLAN Google Cloud?

VLAN attachments (also known as interconnectAttachments) determine which Virtual Private Cloud (VPC) networks can reach your on-premises network through a Dedicated Interconnect connection.


In this article, we have studied Network Connectivity Center in detail. We have also discussed roles and permissions and audit logs.

We hope this article has helped you enhance your knowledge of Network Connectivity Center. If you would like to learn more, check out our articles on cloud domains and cloud hypervisor.

