Also read up on using more than one Shared VPC to handle production and non-production environments.

Shared VPC in a Hybrid Setup

The key idea behind Shared VPCs is the sharing of administrative tasks, not the sharing of network resources. Network resources (such as VPN tunnels) are in any case shareable across the subnets of a VPC, so no Shared VPC construct is needed to accomplish that.

Groups and Roles in a Shared VPC

The Shared VPC Admin is the god-like admin of the Shared VPC.

This Admin can further define (delegate) Network Admins (for VPN tunnels, routes and other networking resources, but NOT firewall rules) and Security Admins (for firewall rules and SSL certificates). Also read this post on recommended groups in GCP.

Also, note that compute.networkAdmin can only handle networking resources and NOT firewall resources (it has read-only access to firewall rules and SSL certificates). See GCP's documentation for network users and admins.

All these admins operate in the same shared infrastructure, but can only do their own limited tasks.

Figure: Hybrid cloud

The Shared VPC network is connected via Cloud VPN to an on-premises network.

  • A Shared VPC Admin role is required to enable the host project and connect service projects to it.
    • IAM assignments ensure that Service Project Admin for each project is restricted to their own service project.
    • The Shared VPC Admin has granted subnet-level or project-level permissions to the necessary Service Project Admins so they can create instances that use the Shared VPC network:
      • A Service Project Admin for Service Project C who has project-level permissions to the whole host project can create instances in any of the subnets in any of the VPC networks in the host project.
    • Each service project is billed independently.
  • A Shared VPC Admin has delegated network administration tasks to other IAM members who are Network and Security Admins for the Shared VPC network.
    • A Network Admin has created a Cloud VPN gateway and configured a VPN tunnel through the Internet to an on-premises gateway.
    • The Cloud VPN exchanges routes with its on-premises counterpart because a corresponding Cloud Router has been configured in the same us-east1 region.
    • IMPORTANT: If the dynamic routing mode of the VPC network is global, the Cloud Router applies the routes learned from the on-premises network to all subnets in the VPC network, and it advertises routes to all of the VPC's subnets to its on-premises counterpart.
    • Security Admins create and manage firewall rules in the Shared VPC network to control traffic among instances in Google Cloud and the on-premises network.
    • Hybrid Application Stacks - Subject to applicable firewall rules, instances in the service projects can be configured to communicate with internal services, such as database or directory servers, located on-premises.
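The delegation model described above, expressed as Terraform, as an added example that is not part of the original post. Project IDs, the subnet range and the group e-mail addresses are placeholders; the role names are the real GCP roles for Network Admin, Security Admin and subnet-level network user.

```hcl
# Added example, not from the post: project IDs, CIDR and groups are placeholders.
# Run as the Shared VPC Admin: mark the host project and attach a service project.
resource "google_compute_shared_vpc_host_project" "host" {
  project = "host-project-id" # placeholder
}

resource "google_compute_shared_vpc_service_project" "svc_c" {
  host_project    = google_compute_shared_vpc_host_project.host.project
  service_project = "service-project-c" # placeholder
}

# REGIONAL dynamic routing: routes learned over the VPN apply only to subnets
# in the Cloud Router's region (GLOBAL gives the behaviour in the IMPORTANT note).
resource "google_compute_network" "shared" {
  name                    = "shared-vpc"
  project                 = "host-project-id"
  auto_create_subnetworks = false
  routing_mode            = "REGIONAL"
}

resource "google_compute_subnetwork" "app" {
  name          = "app-us-east1"
  project       = "host-project-id"
  region        = "us-east1"
  network       = google_compute_network.shared.id
  ip_cidr_range = "10.10.0.0/24" # placeholder
}

# Delegation: Network Admin (no firewall rights) and Security Admin (firewall rules, certs).
resource "google_project_iam_member" "network_admin" {
  project = "host-project-id"
  role    = "roles/compute.networkAdmin"
  member  = "group:gcp-network-admins@example.com" # placeholder
}

resource "google_project_iam_member" "security_admin" {
  project = "host-project-id"
  role    = "roles/compute.securityAdmin"
  member  = "group:gcp-security-admins@example.com" # placeholder
}

# Subnet-level grant: Service Project C's admins can use only this subnet,
# not every subnet in the host project (the project-level case in the list above).
resource "google_compute_subnetwork_iam_member" "svc_c_subnet_user" {
  project    = "host-project-id"
  region     = "us-east1"
  subnetwork = google_compute_subnetwork.app.name
  role       = "roles/compute.networkUser"
  member     = "group:svc-c-admins@example.com" # placeholder
}
```

To reproduce the project-level case instead, move the roles/compute.networkUser binding to a google_project_iam_member on the host project; the subnet-level form is the one that keeps each Service Project Admin restricted to their own subnets.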
