Shared VPCs in a Hybrid Cloud Setup
Also read up on More than one shared VPC - to handle Production and Non Production Environments
Shared VPC in a Hybrid Setup
The key idea behind Shared VPCs is the sharing of administrative tasks, not the sharing of network resources. Network resources such as VPN tunnels are shareable across subnets in a VPC anyway, so no Shared VPC construct is needed to accomplish that.
Groups and Roles in a Shared VPC
The Shared VPC Admin is the God-like admin on the Shared VPC.
This Admin can further define (delegate) Network Admins (for VPN tunnels, routes and other networking resources, but NOT firewall rules) and Security Admins (for firewall rules and SSL certificates). Also read this post on recommended groups in GCP.
Also, note that compute.networkAdmin can only handle networking resources and NOT firewall resources (it has read-only access to firewall rules and SSL certificates). See GCP's documentation for network users and admins.
All these admins operate on the same shared infrastructure, but each can only perform their own limited tasks.
The Shared VPC network is connected via Cloud VPN to an on-premises network.
- A Shared VPC Admin role is required to enable the host project and connect service projects to it.
- IAM assignments ensure that Service Project Admin for each project is restricted to their own service project.
- The Shared VPC Admin has granted subnet-level or project-level permissions to the necessary Service Project Admins so they can create instances that use the Shared VPC network:
- A Service Project Admin for Service Project C who has project-level permissions to the whole host project can create instances in any of the subnets in any of the VPC networks in the host project.
- A Service Project Admin for
- Each service project is billed independently.
- A Shared VPC Admin has delegated network administration tasks to other IAM members who are Network and Security Admins for the Shared VPC network.
- A Network Admin has created a Cloud VPN gateway and configured a VPN tunnel through the Internet to an on-premises gateway.
- The Cloud VPN exchanges routes with its on-premises counterpart because a corresponding Cloud Router has been configured in the same us-east1 region.
- IMPORTANT: If the dynamic routing mode of the VPC is global, the Cloud Router applies the routes learned from the on-premises network to all subnets in the VPC network, and it shares routes to all of the VPC subnets with its on-premises counterpart.
- Security Admins create and manage firewall rules in the Shared VPC network to control traffic among instances in Google Cloud and the on-premises network.
- Hybrid Application Stacks - Subject to applicable firewall rules, instances in the service projects can be configured to communicate with internal services, such as database or directory servers located on-premises.
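To check that a host project's grants actually match the separation of duties described above (Service Project Admins limited to their own subnets, routes and firewall rules split between Network and Security Admins), here is an added Python audit over IAM policies exported with gcloud; it is example code written for this post, not the post's own, and the groups, subnets and expected-subnet mapping are constructed.

```python
# Real GCP IAM role names for the admin tiers discussed in the post.
SHARED_VPC_ADMIN = "roles/compute.xpnAdmin"
NETWORK_ADMIN = "roles/compute.networkAdmin"    # routes, VPN tunnels; no firewall rules
SECURITY_ADMIN = "roles/compute.securityAdmin"  # firewall rules, SSL certificates
NETWORK_USER = "roles/compute.networkUser"      # lets a Service Project Admin use a subnet

def roles_by_member(policy):
    """Invert the `gcloud ... get-iam-policy --format=json` shape into {member: {roles}}."""
    out = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            out.setdefault(member, set()).add(binding["role"])
    return out

def audit_shared_vpc_iam(host_policy, subnet_policies, expected_subnets):
    """Return findings where grants exceed the post's least-privilege layout.
    host_policy is the host project's policy, subnet_policies maps subnet name to its
    policy, expected_subnets maps a member to the subnets its service project may use.
    """
    findings = []
    for member, roles in roles_by_member(host_policy).items():
        if NETWORK_USER in roles:   # project-level grant: every subnet of every VPC network
            findings.append(f"{member}: project-level networkUser on the host project")
        if NETWORK_ADMIN in roles and SECURITY_ADMIN in roles:   # no separation of duties
            findings.append(f"{member}: holds both networkAdmin and securityAdmin")
    for subnet, policy in subnet_policies.items():
        for member, roles in roles_by_member(policy).items():
            if NETWORK_USER in roles and subnet not in expected_subnets.get(member, set()):
                findings.append(f"{member}: networkUser on {subnet}, not its own service project's subnet")
    return findings

# Constructed sample policies (hypothetical groups and subnets, not a real environment).
SAMPLE_HOST_POLICY = {"bindings": [
    {"role": SHARED_VPC_ADMIN, "members": ["group:shared-vpc-admins@example.com"]},
    {"role": NETWORK_ADMIN, "members": ["group:net-admins@example.com", "user:alice@example.com"]},
    {"role": SECURITY_ADMIN, "members": ["group:sec-admins@example.com", "user:alice@example.com"]},
    {"role": NETWORK_USER, "members": ["group:svc-c-admins@example.com"]},
]}
SAMPLE_SUBNET_POLICIES = {
    "subnet-a": {"bindings": [{"role": NETWORK_USER, "members": ["group:svc-a-admins@example.com"]}]},
    "subnet-b": {"bindings": [{"role": NETWORK_USER, "members": [
        "group:svc-b-admins@example.com", "group:svc-a-admins@example.com"]}]},
}
EXPECTED = {"group:svc-a-admins@example.com": {"subnet-a"}, "group:svc-b-admins@example.com": {"subnet-b"}}

def run_sample():
    return audit_shared_vpc_iam(SAMPLE_HOST_POLICY, SAMPLE_SUBNET_POLICIES, EXPECTED)
```

On the constructed sample this reports three findings: one identity holding both admin roles, a project-level networkUser grant (the Service Project C situation from the list above), and a service project group granted a subnet that is not its own.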