Google Cloud-Shared VPC Network

Sumit K
Google Cloud - Community
8 min read · Jan 24, 2023

As the name suggests, a Shared VPC is still a VPC, but one that is shared with other projects. In simple terms, it is a normal VPC that is centrally managed and shared amongst other projects. The project that hosts the Shared VPC is called the producer or host project, and a project that consumes the shared network is called a consumer or service project. Shared VPC provides centralized network and security administration and is highly scalable: networking resources such as firewall rules, static routes, and DNS can be managed centrally in the host project. In order to create a Shared VPC, you need to have an Organization. I will cover that topic in a separate article, but for now you can click here to know more about it.

Shared VPC Topology

Shared VPC Definition

Shared VPC allows an organization to connect resources from multiple projects to a common Virtual Private Cloud (VPC) network so that they can communicate with each other securely and efficiently using internal IPs from that network. When you use Shared VPC, you designate a project as a host project and attach one or more other service projects to it. The VPC networks in the host project are called Shared VPC networks. Eligible resources from service projects can use subnets in the Shared VPC network.

Terminology:

Host Project: a host project contains one or more Shared VPC networks, and one or more service projects can be attached to it so that resources that need a unique IP get their addresses allocated from the shared network. In short, the host project is where the networks/subnets are shared from and where service projects are attached.

Service Project: these are the consumer projects where your applications/servers are deployed, but their IP addresses are allocated from the Shared VPC network in the host project.

Please keep in mind that a project that participates in Shared VPC is either a host project or a service project. A project can't be both a host project and a service project at the same time.

Note: You can't specify which subnet can be used by which service project. When you share a subnet, it is shared with each of your service projects. If you want to tie a subnet to particular projects, you need to configure IAM permissions per subnet, granting them to the user accounts or service accounts used by the particular project(s).

Prevent accidental deletion of host projects

The accidental deletion of a host project would lead to outages in all service projects attached to it. When a project is configured to be a Shared VPC host project, a special lock — called a lien — is placed upon it. As long as the lien is present, it prevents the project from being deleted accidentally. The lien is automatically removed from the host project when it is no longer configured for Shared VPC.

Caution: By default, a project owner can remove a lien from a project, including a Shared VPC host project, unless an organization-level policy is defined to limit lien removal. (Specifically, lien removal requires an IAM principal with the resourcemanager.projects.get and resourcemanager.projects.updateLiens permissions on the project.) The project owner for the host project could remove the lien then delete the Shared VPC project.

Warning: Setting up a GCP Shared VPC is not easy. It requires various API rights and roles before you are allowed to create it from the UI, and the GCP documentation is not clear or straightforward. Even though I am the super admin of my GCP organization, lyfedge.com, I still had to enable many roles in different places to create a shared VPC.

Prerequisites for setting up a Shared VPC:

1. A GCP account with an Organization and two or more projects. In my Organization, I have three projects, as follows.

Host-Project: this project will be the host project where the Shared VPC is configured.

ServiceA Project: this is a service/consumer project.

My First Project: this is a service/consumer project.

This is my current Organization and project structure.

2. The GCP account must have the appropriate permissions at the organization level to set up a Shared VPC. You have to add these roles at the organization level: Compute Network Admin, Compute Network User, Organization Administrator, and Owner.

You also need some additional custom permissions in order to enable/disable Shared VPC. The following permissions are required before you perform the demo; otherwise you will get an API forbidden error. You can put these permissions in a custom role and attach that role to your account.

  • compute.organizations.disableXpnHost
  • compute.organizations.disableXpnResource
  • compute.organizations.enableXpnHost
  • compute.organizations.enableXpnResource
  • compute.projects.get
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list

3. A VPC network with one or more subnets. You can manually create a VPC network in the GCP console. In my case, I have already created a VPC (my-network1) with two subnets (subnet1 and subnet2). Let's get started with a very simple demo.

To set up and configure a Shared VPC:

Step 1. Log in to the GCP console and select the host project (Host-Project). Navigate to VPC network and click on Shared VPC. You will see the Shared VPC setup wizard; click on Set up Shared VPC.

Step 2. Enable the host project and select Continue.

Step 3. Select the subnets that you want to share. You can share all subnets or select individual subnets of your choice. I will go with individual custom subnets; I have selected subnet1 and subnet2. Click Continue.

Step 4. Under Give permission, you need to attach at least one service project. I am going to attach two service projects, which are granted the Compute Network User role on the selected subnets. Click Save.

Step 5. If you do not see your selected service project on the screen, go to the "ATTACHED PROJECTS" tab and attach the projects again. The reason they were not attached in the previous step is that the Compute Engine API is not enabled in the selected service projects. Go into each project, enable it manually, then come back to the host project and attach them.

Step 6. To test the Shared VPC, spin up a new VM in the service project to see whether the shared VPC is available for that project. When you deploy it, select the shared network instead of the project's own networks, as shown below. You can see that I am able to fetch the shared VPC, which proves that the Shared VPC setup is working as expected. This is what we wanted to achieve with the Shared VPC :). I hope it's clear up to this step.

You need to select "Network shared with me"
2 VMs are deployed in the service project on the Shared VPC network

In order to log in to this VM, you need to create a firewall rule in the host project. You can either run the command below or do it manually. The choice is yours :)

$ gcloud compute firewall-rules create allow-ssh \
--network=my-network1 \
--allow=tcp:22 \
--source-ranges=0.0.0.0/0 \
--direction=INGRESS
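The same setup done with gcloud instead of the console, as an added example that is not part of the article: it creates the custom role from prerequisite 2, enables the host project, attaches the service projects, and adds the SSH rule with the source range narrowed to an admin CIDR rather than 0.0.0.0/0. The organization ID, project IDs, admin account and ADMIN_CIDR are placeholders to replace; with DRY_RUN=1 (the default) the script only prints the commands it would run.

```shell
#!/usr/bin/env sh
# Added example, not from the article: gcloud equivalent of the custom-role prerequisite and
# Steps 1-6. Org ID, project IDs, the admin account and ADMIN_CIDR are placeholders.
ORG_ID="${ORG_ID:-000000000000}"                         # placeholder organization ID
ADMIN="${ADMIN:-user:admin@example.com}"                 # placeholder account that runs the setup
HOST_PROJECT="${HOST_PROJECT:-host-project-id}"          # placeholder host project ID
SERVICE_PROJECTS="${SERVICE_PROJECTS:-servicea-project-id my-first-project-id}"  # placeholders
NETWORK="${NETWORK:-my-network1}"
ADMIN_CIDR="${ADMIN_CIDR:-203.0.113.0/24}"               # placeholder admin range, not 0.0.0.0/0
DRY_RUN="${DRY_RUN:-1}"                                  # 1 = print commands, 0 = execute them

run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Prerequisite 2: put the Xpn permissions listed above into an org-level custom role and bind it.
create_shared_vpc_role() {
  run gcloud iam roles create sharedVpcAdmin --organization "$ORG_ID" \
    --title "Shared VPC Admin" --permissions \
    compute.organizations.disableXpnHost,compute.organizations.disableXpnResource,compute.organizations.enableXpnHost,compute.organizations.enableXpnResource,compute.projects.get,resourcemanager.projects.get,resourcemanager.projects.getIamPolicy,resourcemanager.projects.list
  run gcloud organizations add-iam-policy-binding "$ORG_ID" --member "$ADMIN" \
    --role "organizations/$ORG_ID/roles/sharedVpcAdmin"
}

# Step 2: mark the host project as a Shared VPC host; this is what places the lien on it.
# Step 3 (per-subnet selection) has no gcloud flag: it is expressed as subnet-level IAM bindings.
enable_host() { run gcloud compute shared-vpc enable "$HOST_PROJECT"; }

# Steps 4-5: the Compute Engine API must be on in a service project before it can be attached.
attach_service_projects() {
  for sp in $SERVICE_PROJECTS; do
    run gcloud services enable compute.googleapis.com --project "$sp"
    run gcloud compute shared-vpc associated-projects add "$sp" --host-project "$HOST_PROJECT"
  done
}

# The SSH rule from the article, with the source range narrowed to an admin CIDR.
allow_ssh() {
  run gcloud compute firewall-rules create allow-ssh --project "$HOST_PROJECT" --network "$NETWORK" \
    --direction INGRESS --allow tcp:22 --source-ranges "$ADMIN_CIDR"
}

# Check the association from both sides: the host lists its service projects, each service
# project reports its host.
verify() {
  run gcloud compute shared-vpc list-associated-resources "$HOST_PROJECT"
  for sp in $SERVICE_PROJECTS; do run gcloud compute shared-vpc get-host-project "$sp"; done
}

create_shared_vpc_role; enable_host; attach_service_projects; allow_ssh; verify
```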

Step 7. Remember I told you in the beginning that you can't specify which subnet is used by which service project. By default, every shared subnet is exposed to every service project. If you want to restrict a subnet to particular projects, you can update the IAM permissions on each subnet and grant access only to the accounts that need it.

Subnet permissions, if you want to modify them

In the above screenshot, you can see a list of users on the right panel. Only these users have access to the selected subnet in the service project.

Step 8. Let's create a new user in the service project and test whether a new user is able to create a VM instance in the service project. I have created a user, demo-user@lyfedge.com, and granted it access to the service project with the Compute Admin role.

Please note that you need to create the user in Google Workspace first and then grant it access to a specific project. I am using Google Workspace (https://admin.google.com/) to manage users, groups and service accounts for my domain and Organization. Google Workspace is a directory service similar to Active Directory or Okta.

new user created in Google Workspace: demo-user@lyfedge.com

Let's log in to the GCP console as demo-user@lyfedge.com. Once logged in, select the organization "lyfedge.com" and open the service project. You will notice that this user is unable to fetch the shared subnetworks because the permission has not been granted on the subnet.

Step 9. Let's quickly give demo-user@lyfedge.com access to specific subnets. To do this, go back to your host project with an admin account, go to Shared VPC, select subnet1 and click "ADD PRINCIPAL", as depicted below.

Step 10. Let's test with the demo user one more time. The user should now be able to access the subnetworks. Can you see it? This time you are able to fetch the subnetworks.
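Steps 8 to 10 expressed with gcloud, as an added example that is not from the article: it grants Compute Network User on subnet1 to a principal and then checks the subnet's IAM policy for exactly that grant, which is the check to run when a user reports that a shared subnet is not visible. The host project ID and region are assumed placeholders, and the policy text used for the offline check is constructed, not captured from GCP.

```shell
#!/usr/bin/env sh
# Added example, not from the article: Step 9 as gcloud, plus a check of the resulting subnet policy.
# HOST_PROJECT and REGION are placeholders; SAMPLE_POLICY is constructed output for an offline test.
HOST_PROJECT="${HOST_PROJECT:-host-project-id}"   # placeholder host project ID
REGION="${REGION:-us-central1}"                   # placeholder: region of subnet1
SUBNET="${SUBNET:-subnet1}"
DRY_RUN="${DRY_RUN:-1}"                           # 1 = print commands, 0 = execute them

run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Step 9: grant Compute Network User on one subnet only. Compute Admin in the service project
# (Step 8) does not let a principal use a shared subnet; this subnet-level binding does.
grant_subnet_user() {
  run gcloud compute networks subnets add-iam-policy-binding "$SUBNET" \
    --project "$HOST_PROJECT" --region "$REGION" \
    --member "$1" --role roles/compute.networkUser
}

# Review who can use the subnet: one "bindings[i].members[j]: ..." line per principal.
show_subnet_policy() {
  run gcloud compute networks subnets get-iam-policy "$SUBNET" \
    --project "$HOST_PROJECT" --region "$REGION" --format "flattened(bindings)"
}

# Read a flattened policy on stdin; exit 0 if $1 holds roles/compute.networkUser, else 1.
# Members and role of a binding arrive on separate lines, so they are matched by binding index.
has_network_user() {
  awk -v want="$1" '
    match($1, /bindings\[[0-9]+\]/) {
      idx = substr($1, RSTART, RLENGTH)
      if ($1 ~ /\.role:/) role[idx] = $2
      if ($1 ~ /\.members\[/ && $2 == want) member[idx] = 1
    }
    END { for (i in role) if (role[i] == "roles/compute.networkUser" && member[i]) exit 0; exit 1 }'
}

# Constructed sample of get-iam-policy --format "flattened(bindings)" output (not captured from GCP).
SAMPLE_POLICY='bindings[0].members[0]: user:demo-user@lyfedge.com
bindings[0].role:       roles/compute.networkUser
bindings[1].members[0]: user:viewer@example.com
bindings[1].role:       roles/compute.networkViewer'

grant_subnet_user user:demo-user@lyfedge.com
show_subnet_policy
printf '%s\n' "$SAMPLE_POLICY" | has_network_user user:demo-user@lyfedge.com \
  && echo "demo-user holds compute.networkUser on $SUBNET (sample policy)"
```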

Shared Network is visible

Step 11. The last thing is how to attach more service projects: if you want to attach more projects to the Shared VPC, you can do that. It's very simple: just create a new project and attach it from the console. Try it out.

This concludes our demo, and I hope you find this article useful. Thank you for reading. Check out my other articles, feel free to like and comment, and follow me if you like my article.
