First, read Single project versus multiple projects in GCP to better understand what a project boundary should really be used for.

The Driver for the Shared VPC Construct

Using Shared VPCs (and shared projects - host and service projects) in GCP is almost a no-brainer. Most GCP landing zones will contain such a project design as well as a network design (shared networking elements).

You may face a question on this design - do you need a VPC (custom VPC) within your service projects? It is entirely possible to NOT have a container VPC for compute instances within your service project. Remember, a VPC network on GCP is blank on its own (no CIDR association; address ranges are only defined on its subnets).

Reasons to HAVE a custom VPC inside a Service Project

It provides an additional networking boundary. Think of a service project as an app hosting container. Do you want an additional network boundary around each app? This might be a good thing, especially if you plan to have instances with on-prem extended IP addresses.

Reasons to NOT have a custom (or default) VPC inside a Service Project

An additional CIDR block assigned to the service project means there is another place where networking is defined. This is essentially another set of IPs that an intruder (or a rogue GCP admin) can try to get into.

As a best practice for Shared VPCs, all networking should be isolated in the host project's VPC - no networking elements belong in a service project VPC.

Summary - so, should you have a VPC in your service projects or not?

There's not really a one-size-fits-all answer here. Google does RECOMMEND not placing your service project resources within their own VPC. However, your particular networking and security requirements may dictate building a custom VPC as part of a service project.
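The recommended shape of this design, as an added Terraform example (not from the original post): the host project enables Shared VPC and owns the only network and subnet, the service project is attached but gets no VPC of its own, the `compute.skipDefaultNetworkCreation` org policy stops the auto-mode default network from appearing in the service project, and the app team is granted `roles/compute.networkUser` on one subnet rather than on the whole host network. Project IDs, the CIDR range and the group address are placeholders.

```hcl
# Added example: host project owns all networking; the service project
# attaches to it and deliberately gets no VPC. Project IDs are placeholders.
locals {
  host_project    = "example-net-host"   # placeholder
  service_project = "example-app-svc"    # placeholder
}

# Host project: enable Shared VPC and hold the one and only VPC network.
resource "google_compute_shared_vpc_host_project" "host" {
  project = local.host_project
}

resource "google_compute_network" "shared" {
  project                 = local.host_project
  name                    = "shared-vpc"
  auto_create_subnetworks = false   # custom mode: every CIDR is explicit
}

resource "google_compute_subnetwork" "app" {
  project       = local.host_project
  name          = "app-subnet"
  region        = "us-central1"
  network       = google_compute_network.shared.id
  ip_cidr_range = "10.10.0.0/24"   # constructed range
}

# Service project: attach to the host; no google_compute_network is declared here.
resource "google_compute_shared_vpc_service_project" "app" {
  host_project    = google_compute_shared_vpc_host_project.host.project
  service_project = local.service_project
}

# Keep the auto-mode "default" VPC from ever being created in the service project.
resource "google_project_organization_policy" "no_default_network" {
  project    = local.service_project
  constraint = "compute.skipDefaultNetworkCreation"
  boolean_policy {
    enforced = true
  }
}

# Least privilege: the app team may use this one subnet, not the whole network.
resource "google_compute_subnetwork_iam_member" "app_team" {
  project    = local.host_project
  region     = google_compute_subnetwork.app.region
  subnetwork = google_compute_subnetwork.app.name
  role       = "roles/compute.networkUser"
  member     = "group:app-team@example.com"   # placeholder
}
```

Instances created in the service project reference the host subnet by its self link, so a reviewer can confirm the boundary by checking that `gcloud compute networks list --project` on the service project returns nothing.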
