GCP Shared VPC
- Shared VPC allows an organization to connect resources from multiple projects to a common VPC network, so that they can communicate with each other securely and efficiently using internal IPs from that network.
- Shared VPC requires designating one project as the host project and attaching one or more other projects to it as service projects.
- Shared VPC allows organization administrators to delegate administrative responsibilities, such as creating and managing instances, to Service Project Admins while maintaining centralized control over network resources like subnets, routes, and firewalls.
- Shared VPC allows you to
  - implement the security best practice of least privilege for network administration, auditing, and access control.
  - apply and enforce consistent access control policies at the network level for multiple service projects in the organization while delegating administrative responsibilities.
  - use service projects to separate budgeting or internal cost centers.
Shared VPC Concepts
- Shared VPC connects projects within the same organization. Participating host and service projects cannot belong to different organizations.
- Linked projects can be in the same or different folders, but if they are in different folders the admin must have Shared VPC Admin rights to both folders.
- Each project in Shared VPC is either a host project or a service project.
- A host project contains one or more Shared VPC networks. A Shared VPC Admin must first enable a project as a host project. After that, a Shared VPC Admin can attach one or more service projects to it.
- A service project is any project that has been attached to a host project by a Shared VPC Admin. This attachment allows it to participate in Shared VPC.
- A project cannot be both a host and a service project simultaneously. Thus, a service project cannot be a host project to further service projects.
- Multiple host projects can be created; however, each service project can only be attached to a single host project.
- A project that does not participate in Shared VPC is called a standalone project.
- VPC networks in the host project are called Shared VPC networks. Resources in service projects can use subnets in the Shared VPC network.
- Shared VPC networks can be either auto or custom mode, but legacy networks are not supported.
- Host and service projects are connected by attachments at the project level.
- Subnets of the Shared VPC networks in the host project are accessible by Service Project Admins.
- Organization policies and IAM permissions work together to provide different levels of access control.
- Organization policies enable setting controls at the organization, folder, or project level.
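The host/service attachment described above (enable the host project, attach a service project, then grant Service Project Admins access to only the subnets they need, which is the least-privilege point made earlier) can be carried out with gcloud. The script below is an added example written for this page, not code from Google's documentation; the organization ID, project IDs, region, subnet name and group names are constructed placeholders. It defaults to a dry run that prints each gcloud command instead of executing it; set DRY_RUN=0 to apply it against real projects. roles/compute.xpnAdmin is the Shared VPC Admin role and is granted at the organization (or folder) level, never inside a service project.

```shell
#!/bin/sh
# Added example: Shared VPC host/service setup with least-privilege subnet access.
# All identifiers below are constructed placeholders; override them via the environment.
set -eu

ORG_ID="${ORG_ID:-123456789012}"                  # placeholder organization ID
HOST_PROJECT="${HOST_PROJECT:-net-host-prod}"     # placeholder host project
SERVICE_PROJECT="${SERVICE_PROJECT:-app-team-a}"  # placeholder service project
REGION="${REGION:-us-central1}"
SUBNET="${SUBNET:-app-team-a-subnet}"             # subnet in the Shared VPC network
SHARED_VPC_ADMIN="${SHARED_VPC_ADMIN:-group:net-admins@example.com}"
SERVICE_PROJECT_ADMIN="${SERVICE_PROJECT_ADMIN:-group:app-team-a@example.com}"
DRY_RUN="${DRY_RUN:-1}"                           # 1 = print commands, 0 = execute

# Print the gcloud command in dry-run mode, otherwise run it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "gcloud $*"
  else
    gcloud "$@"
  fi
}

# 1. Shared VPC Admin is an organization-level (or folder-level) role; it is
#    what lets the network team enable hosts and attach service projects.
grant_shared_vpc_admin() {
  run organizations add-iam-policy-binding "$ORG_ID" \
    --member="$SHARED_VPC_ADMIN" --role=roles/compute.xpnAdmin
}

# 2. Enable the host project. A project that is already a service project
#    cannot be enabled as a host.
enable_host_project() {
  run compute shared-vpc enable "$HOST_PROJECT"
}

# 3. Attach the service project. Each service project has exactly one host.
attach_service_project() {
  run compute shared-vpc associated-projects add "$SERVICE_PROJECT" \
    --host-project="$HOST_PROJECT"
}

# 4. Least privilege: grant Network User on the single subnet this team uses
#    rather than on the whole host project, so Service Project Admins can
#    place instances there without touching other subnets, routes or firewalls.
grant_subnet_user() {
  run compute networks subnets add-iam-policy-binding "$SUBNET" \
    --project="$HOST_PROJECT" --region="$REGION" \
    --member="$SERVICE_PROJECT_ADMIN" --role=roles/compute.networkUser
}

# 5. Checks: which host the service project is attached to, and which
#    service projects the host currently has.
verify_attachment() {
  run compute shared-vpc get-host-project "$SERVICE_PROJECT"
  run compute shared-vpc list-associated-resources "$HOST_PROJECT"
}

main() {
  grant_shared_vpc_admin
  enable_host_project
  attach_service_project
  grant_subnet_user
  verify_attachment
}

main
```

Granting roles/compute.networkUser at the subnet level is the check worth keeping in a review: a binding for that role on the host project itself exposes every Shared VPC subnet to the service project's admins, which defeats the separation the host/service split is meant to provide.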
[Figure: GCP Virtual Private Cloud – Shared VPC]