Also see - Granting the Shared VPC Admin role in GCP

Overview - Why a Shared VPC isn't meant for shared prod and non-prod environments

I wrote earlier about why a shared VPC should not be used to couple PRODUCTION and NON-PRODUCTION environments on GCP (with the shared VPC acting as the hub). As an alternative, a hub-and-spoke design on GCP was proposed.

In some scenarios (say you need a shared filesystem between prod and non-prod, as SAP S/4HANA requires), a shared VPC design may still be worth the additional risk it entails.

In such scenarios, there are certain best practices to follow for the Shared VPC.

Define VPC Constraints through Org Policies - as an Organization Policy Administrator

Specify the following Shared VPC constraints (organization policy constraints) in an organization policy:

  • Limit the set of host projects to which a non-host project or non-host projects in a folder or organization can be attached. The constraint applies when a Shared VPC Admin attaches a service project with a host project. The constraint doesn't affect existing attachments. Existing attachments remain intact even if a policy denies new ones. For more information, see the constraints/compute.restrictSharedVpcHostProject constraint.
  • Specify the Shared VPC subnets that a service project can access at the project, folder, or organization level. The constraint applies when you create new resources in the specified subnets and doesn't affect existing resources. Existing resources continue to operate normally in their subnets even if a policy prevents new resources from being added. For more information, see the constraints/compute.restrictSharedVpcSubnetworks constraint.

Together, these two constraints control which host projects a NON-PROD service project can be attached to and which Shared VPC subnets its resources can be placed in.
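As an added example (not part of the original post, and not Google's own tooling), the following Python builds the two policies in the document shape that `gcloud org-policies set-policy FILE` consumes, and evaluates them locally against a constructed resource hierarchy so you can pre-flight an attachment or subnet choice before anyone applies it. The organization, folder and project identifiers are placeholders; the `under:` matching mirrors the documented list-constraint semantics (a value prefixed `under:` matches the named resource and everything beneath it, a bare resource name matches exactly). Like the real constraints, it only answers whether a new attachment or a new resource would be permitted; it says nothing about existing ones.

```python
"""Local pre-flight evaluator for the two Shared VPC organization policy constraints.

Constructed example: every organization, folder and project id below is a placeholder.
"""
import json
import re
from typing import Dict, List, Optional

# Constructed resource hierarchy: child resource -> parent resource (None for the org).
PARENT: Dict[str, Optional[str]] = {
    "organizations/000000000000": None,                        # placeholder org id
    "folders/100000000001": "organizations/000000000000",      # "prod" folder
    "folders/100000000002": "organizations/000000000000",      # "nonprod" folder
    "projects/prod-host-project": "folders/100000000001",
    "projects/nonprod-host-project": "folders/100000000002",
    "projects/nonprod-app-project": "folders/100000000002",
}

SUBNET_RE = re.compile(r"^(projects/[^/]+)/regions/[^/]+/subnetworks/[^/]+$")


def parent_of(resource: str) -> Optional[str]:
    """Resolve the parent of a resource; a subnetwork's parent is its project."""
    match = SUBNET_RE.match(resource)
    if match:
        return match.group(1)
    if resource not in PARENT:
        raise KeyError(f"unknown resource {resource!r}")
    return PARENT[resource]


def ancestors(resource: str) -> List[str]:
    """Return the resource itself followed by its ancestors up to the organization."""
    chain: List[str] = []
    node: Optional[str] = resource
    while node is not None:
        chain.append(node)
        node = parent_of(node)
    return chain


def value_matches(value: str, target: str) -> bool:
    """Apply list-constraint value syntax: 'under:X' covers X and its descendants."""
    if value.startswith("under:"):
        return value[len("under:"):] in ancestors(target)
    return value == target


def is_permitted(rule: dict, target: str) -> bool:
    """Evaluate one spec.rules[] entry of a list constraint against a target resource."""
    if rule.get("allowAll"):
        return True
    if rule.get("denyAll"):
        return False
    values = rule.get("values", {})
    if any(value_matches(v, target) for v in values.get("deniedValues", [])):
        return False
    allowed = values.get("allowedValues", [])
    if allowed:
        return any(value_matches(v, target) for v in allowed)
    return True  # no allow list and nothing denied: the constraint does not restrict


def build_policy(scope: str, constraint: str, allowed_values: List[str]) -> dict:
    """Render an allow-list policy for `scope` (e.g. folders/ID) on `constraint`."""
    return {
        "name": f"{scope}/policies/{constraint}",
        "spec": {"rules": [{"values": {"allowedValues": list(allowed_values)}}]},
    }


# Policies scoped to the non-prod folder: only the non-prod host project may be used,
# and only subnets that live in that host project may receive new resources.
NONPROD_FOLDER = "folders/100000000002"
HOST_POLICY = build_policy(NONPROD_FOLDER, "compute.restrictSharedVpcHostProject",
                           ["projects/nonprod-host-project"])
SUBNET_POLICY = build_policy(NONPROD_FOLDER, "compute.restrictSharedVpcSubnetworks",
                             ["under:projects/nonprod-host-project"])


def can_attach_to_host(policy: dict, host_project: str) -> bool:
    """Would attaching a service project to `host_project` pass this policy?"""
    return is_permitted(policy["spec"]["rules"][0], host_project)


def can_use_subnet(policy: dict, subnet: str) -> bool:
    """Would creating a resource in `subnet` pass this policy?"""
    return is_permitted(policy["spec"]["rules"][0], subnet)


if __name__ == "__main__":
    # JSON is valid YAML, so either file can be handed to gcloud org-policies set-policy.
    print(json.dumps(HOST_POLICY, indent=2))
    print(json.dumps(SUBNET_POLICY, indent=2))
    for host in ("projects/nonprod-host-project", "projects/prod-host-project"):
        verdict = "allowed" if can_attach_to_host(HOST_POLICY, host) else "DENIED"
        print(f"attach to {host}: {verdict}")
    for subnet in ("projects/nonprod-host-project/regions/us-central1/subnetworks/nonprod-a",
                   "projects/prod-host-project/regions/us-central1/subnetworks/prod-a"):
        verdict = "allowed" if can_use_subnet(SUBNET_POLICY, subnet) else "DENIED"
        print(f"use {subnet}: {verdict}")
```

Scoping both policies to the non-prod folder rather than the organization keeps prod projects free to attach to the prod host while still preventing a non-prod service project from reaching into prod subnets; the evaluator's denied verdict for the prod host and prod subnet is exactly the outcome the constraints enforce for new attachments and new resources.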

Summary

While coupling prod and non-prod through a shared VPC is not ideal, there are situations where such a design is pushed through. In those cases it is important to enforce guardrails via organization policy constraints on the Shared VPC.

Need an experienced Cloud Security Expert?
Anuj has successfully delivered over a dozen deployments on each of the public clouds (AWS/GCP/Azure) including several DevSecOps engagements. Set up a time with Anuj Varma.