Google Cloud Shared VPC

Google Cloud Shared VPC

  • Shared VPC allows an organization to connect resources from multiple projects to a common VPC network to communicate with each other securely and efficiently using internal IPs from that network.
  • requires designating a project as a host project and attach one or more other service projects to it.
  • allows organization administrators to delegate administrative responsibilities, such as creating and managing instances, to Service Project Admins while maintaining centralized control over network resources like subnets, routes, and firewalls.
  • allows you to
    • implement a security best practice of least privilege for network administration, auditing, and access control.
    • apply and enforce consistent access control policies at the network level for multiple service projects in the organization while delegating administrative responsibilities
    • use service projects to separate budgeting or internal cost centers.

Shared VPC Concepts

GCP Shared VPC - Multiple host projects

  • Shared VPC connects projects within the same organization. Participating host and service projects cannot belong to different organizations
  • Linked projects can be in the same or different folders, but if they are in different folders the admin must have Shared VPC Admin rights to both folders
  • Each project in Shared VPC is either a host project or a service project
    • host project contains one or more Shared VPC networks. A Shared VPC Admin must first enable a project as a host project. After that, a Shared VPC Admin can attach one or more service projects to it.
    • service project is any project that has been attached to a host project by a Shared VPC Admin. This attachment allows it to participate in Shared VPC.
  • A project cannot be both a host and a service project simultaneously. Thus, a service project cannot be a host project to further service projects.
  • Multiple host projects can be created; however, each service project can only be attached to a single host project.
  • A project that does not participate in Shared VPC is called a standalone project.
  • VPC networks in the host project are called Shared VPC networks. Service projects resources can use subnets in the Shared VPC network
  • Shared VPC networks can be either auto or custom mode, but legacy networks are not supported.
  • Host and service projects are connected by attachments at the project level.
  • Subnets of the Shared VPC networks in the host project are accessible by Service Project Admins
  • Organization policies and IAM permissions work together to provide different levels of access control.
  • Organization policies enable setting controls at the organization, folder, or project level.

IAM Roles

Administrator (IAM role) Purpose
Organization Admin Organization Admins nominate Shared VPC Admins by granting them appropriate project creation and deletion roles, and the Shared VPC Admin role for the organization. These admins can define organization-level policies, but specific folder and project actions require additional folder and project roles.
Shared VPC Admin Shared VPC Admins have the Compute Shared VPC Admin and Project IAM Admin roles for the organization or one or more folders. They perform various tasks necessary to set up Shared VPC, such as enabling host projects, attaching service projects to host projects, and delegating access to some or all of the subnets in Shared VPC networks to Service Project Admins. A Shared VPC Admin for a given host project is typically its project owner as well.
A Shared VPC Admin can link projects in two different folders only if the admin has the role for both folders.
Service Project Admin A Shared VPC Admin defines a Service Project Admin by granting an IAM member the Network User role to either the whole host project or select subnets of its Shared VPC networks. Service Project Admins also maintain ownership and control over resources defined in the service projects, so they should have the Instance Admin role in the corresponding service projects. They may have additional IAM roles to the service projects, such as project owner.

Cloud Interconnect with Shared VPC

  • Shared VPC can help share the VLAN attachment in a project with other VPC networks.
  • Shared VPC is preferable if you need to create many projects and would like to prevent individual project owners from managing their connectivity back to the on-premises network.
  • Host project contains a common Shared VPC network that VMs in service projects can use. Because VMs in service projects use this network, Service Project Admins don’t need to create other VLAN attachments or Cloud Routers in the service projects.
  • VLAN attachments and Cloud Routers for an Interconnect connection must be created only in the Shared VPC host project.
  • The combination of a VLAN attachment and its associated Cloud Router is unique to a given Shared VPC network.
  • Service Project Admins can create VMs in subnets that exist in a host project’s Shared VPC network based on the permissions that they have to the host project.
  • VMs that use the Shared VPC network can use the custom dynamic routes for VLAN attachments available to that network.

GCP Certification Exam Practice Questions

  • Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
  • GCP services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
  • GCP exam questions are not updated to keep up the pace with GCP updates, so even if the underlying feature has changed the question might not be updated
  • Open to further feedback, discussion and correction.
  1. Your company is building a large-scale web application. Each team is responsible for its own service component of the application
    and wants to manage its own individual projects. You want each service to communicate with the others over the RFC1918 address
    space. What should you do?

    1. Deploy each service into a single project within the same VPC.
    2. Configure Shared VPC, and add each project as a service of the Shared VPC project.
    3. Configure each service to communicate with the others over HTTPS protocol.
    4. Configure a global load balancer for each project, and communicate between each service using the global load balancer IP
      addresses.
  2. Where should you create the Cloud Router instance in a Shared VPC to allow connection from service projects across a new Dedicated Interconnect to your data center?
    1. VPC network in all projects
    2. VPC network in the IT Project
    3. VPC network in the Host Project
    4. VPC network in the Sales, Marketing, and IT Projects

Reference

GCP Virtual Private Cloud – Shared VPC