Shared VPC - Per Environment?

  1. The Shared VPC hosts part of your application's resources in its subnets. Say you use a PROD subnet and a PREPROD subnet within the same Shared VPC to host these assets. How will you prevent communication between the two? Every subnet in a VPC is reachable from every other subnet over the VPC's automatically created subnet routes, so the only thing standing between PROD and PREPROD is the VPC firewall rule set, and a single broad allow rule (such as the default-allow-internal rule created with the default network) opens the path.
  2. Human error when sharing subnets. Subnets in a Shared VPC are made available to service projects by granting roles/compute.networkUser on them. If you accidentally share a subnet meant for the PROD service project with a NON PROD service project, NON PROD workloads can be deployed straight into the PROD subnet, which gives NON PROD a network path to PROD.

IAM controls are easily misconfigured. Network isolation is the safeguard that is supposed to catch a misconfigured IAM policy. In the scenario above, one IAM mistake (sharing the wrong subnet) defeats the network isolation as well, so the PROD and NON PROD environments end up tightly coupled with no second layer left.

A Better Design

A better practice is to isolate each environment with its own Shared VPC host project and its own service projects, so that a subnet cannot be shared across environments and the VPC firewall never has to be the thing separating PROD from NON PROD in the first place.
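As an added illustration (not code from the original post) of the two risks listed above and of why the per-environment design removes them: the Python audit below walks a constructed Shared VPC inventory in the shape returned by `gcloud compute networks subnets get-iam-policy` (bindings) and `gcloud compute firewall-rules list --format=json`, flags subnets shared with a service project of another environment (risk 2) and ingress allow rules that give one environment's subnet a path into another's (risk 1), and comes back clean for the one-host-project-per-environment layout. The project numbers, CIDRs, host project names and the PROJECT_ENV mapping are assumptions made for the example.

```python
"""Audit a GCP Shared VPC for cross-environment network paths.

Added example, not from the original post. The inventory shape mirrors
`gcloud compute networks subnets get-iam-policy` (bindings) and
`gcloud compute firewall-rules list --format=json`, but every project
number, CIDR and name below is constructed for illustration.
"""
import ipaddress
import re

# Assumption: service project numbers are known and tagged with an environment.
PROJECT_ENV = {"111111111111": "prod", "222222222222": "nonprod"}

# Google APIs service agent and Compute default SA of a service project; these
# are the principals typically granted roles/compute.networkUser on a shared subnet.
_SA_RE = re.compile(
    r"^serviceAccount:(\d+)"
    r"(?:@cloudservices\.gserviceaccount\.com|-compute@developer\.gserviceaccount\.com)$"
)

PROD_SP = "serviceAccount:111111111111@cloudservices.gserviceaccount.com"
NONPROD_SP = "serviceAccount:222222222222@cloudservices.gserviceaccount.com"
NETWORK_USER = "roles/compute.networkUser"
ALLOW_INTERNAL = {  # broad allow rule with no target tags: applies to every VM in the VPC
    "name": "allow-internal", "direction": "INGRESS",
    "sourceRanges": ["10.0.0.0/8"], "allowed": [{"IPProtocol": "all"}],
}


def subnet(name, env, cidr, *members):
    """Build a subnet record with its (constructed) subnet-level IAM policy."""
    return {"name": name, "env": env, "cidr": cidr,
            "iam": {"bindings": [{"role": NETWORK_USER, "members": list(members)}]}}


# Design 1 (constructed): one Shared VPC for both environments, and the PROD
# subnet has mistakenly been shared with the NON PROD service project as well.
SINGLE_VPC = {
    "host_project": "shared-host",
    "subnets": [subnet("prod-subnet", "prod", "10.10.0.0/20", PROD_SP, NONPROD_SP),
                subnet("preprod-subnet", "nonprod", "10.20.0.0/20", NONPROD_SP)],
    "firewall_rules": [ALLOW_INTERNAL],
}

# Design 2 (constructed): one Shared VPC host project per environment.
PER_ENV_VPCS = [
    {"host_project": "prod-host",
     "subnets": [subnet("prod-subnet", "prod", "10.10.0.0/20", PROD_SP)],
     "firewall_rules": [ALLOW_INTERNAL]},
    {"host_project": "nonprod-host",
     "subnets": [subnet("preprod-subnet", "nonprod", "10.20.0.0/20", NONPROD_SP)],
     "firewall_rules": [ALLOW_INTERNAL]},
]


def member_env(member):
    """Environment of the service project behind an IAM member string, or None."""
    m = _SA_RE.match(member)
    return PROJECT_ENV.get(m.group(1)) if m else None


def misshared_subnets(vpc):
    """Risk 2: subnets shared with a service project from a different environment."""
    findings = []
    for sn in vpc["subnets"]:
        for binding in sn["iam"].get("bindings", []):
            if binding["role"] != NETWORK_USER:
                continue
            for member in binding["members"]:
                env = member_env(member)
                if env is not None and env != sn["env"]:
                    findings.append((sn["name"], member, env))
    return findings


def cross_env_firewall_paths(vpc):
    """Risk 1: enabled ingress allow rules letting one environment's subnet reach another's.

    Rules scoped by targetTags/targetServiceAccounts are skipped: resolving them
    needs the instance inventory, which this example does not model.
    """
    findings = []
    for rule in vpc["firewall_rules"]:
        if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
            continue
        if not rule.get("allowed") or rule.get("targetTags") or rule.get("targetServiceAccounts"):
            continue
        sources = [ipaddress.ip_network(r) for r in rule.get("sourceRanges", [])]
        for src in vpc["subnets"]:
            src_net = ipaddress.ip_network(src["cidr"])
            if not any(src_net.overlaps(s) for s in sources):
                continue
            for dst in vpc["subnets"]:
                if dst["env"] != src["env"]:
                    findings.append((rule["name"], src["name"], dst["name"]))
    return findings


def audit(vpc):
    """Run both checks over one host project's VPC inventory."""
    return {"host_project": vpc["host_project"],
            "misshared": misshared_subnets(vpc),
            "firewall": cross_env_firewall_paths(vpc)}


if __name__ == "__main__":
    for inventory in [SINGLE_VPC] + PER_ENV_VPCS:
        print(audit(inventory))
```

Against the single-VPC inventory the audit reports the PROD subnet shared with the NON PROD service project and the allow-internal rule as a path in both directions between the PROD and PREPROD subnets; against the per-environment inventories both lists are empty, because each VPC only ever contains one environment. In a real run, replace the constructed dictionaries with the JSON those two gcloud commands return and keep PROJECT_ENV in whatever source of truth you use for project ownership.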

Need an experienced AWS/GCP/Azure Professional to help out with your Public Cloud Strategy? Set up a time with Anuj Varma.