
@thesaravanakumar
Last active October 12, 2022 05:53
Short overview for shared_vpc (GCP)

Shared VPC (software-defined networking on top of Google's Andromeda)

Allows an organization to connect resources from multiple projects to a common VPC network, so that they can communicate with each other securely and efficiently using internal IPs from that network. When you use Shared VPC, you designate a project as a host project and attach one or more other service projects to it. The VPC networks in the host project are called Shared VPC networks. Eligible resources from service projects can use subnets in the Shared VPC network.

  • Traffic stays on Google's private network and benefits from its security, reliability and low latency.
  • GCP lets you expand an existing subnet without affecting any existing VM's IP address, and with zero downtime.
  • An organization resource is needed (Shared VPC is set up at the organization level).
  • The Compute Engine API must be enabled.

Goal: connect projects and keep centralized control over network resources (subnets, routes, firewall rules, ...).

| Consideration          | Shared VPC  | VPC Network Peering |
|------------------------|-------------|---------------------|
| Across organisation    | No          | Yes                 |
| Within project         | No          | Yes                 |
| Network administration | Centralized | Decentralized       |


Instance A in service project A uses the 10.0.1.0/24 subnet in us-west1. Instance B in service project B uses the 10.15.2.0/24 subnet in us-east1. Instance A can ping Instance B and vice versa.

How to create a Shared VPC


Host project (has 2 subnets)
Service project (development and production)
  • Both host projects have one Shared VPC network with subnets configured to use the same CIDR ranges. In both the Testing Network and Production Network, the two subnets are:

    • 10.0.1.0/24 Subnet in the us-west1 region

    • 10.15.2.0/24 Subnet in the us-east1 region

  • Consider Instance AT in the Apps Testing service project and Instance AP in the Apps Production service project:

    • Service Project Admins can create instances like them provided they have at least subnet-level permissions to the 10.0.1.0/24 Subnet.

    • Notice that both instances use the IP address 10.0.1.3. This is acceptable because each instance exists in a service project attached to a unique host project containing its own Shared VPC network. Both the testing and production networks have been purposefully configured in the same way.

    • Instances using the 10.0.1.0/24 Subnet must be located in a zone in the same region as the subnet, even though the subnet and instances are defined in separate projects. Because the 10.0.1.0/24 Subnet is located in the us-west1 region, Service Project Admins who create instances using that subnet must choose a zone in the same region, such as us-west1-a.
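The steps above (designate a host project, attach service projects, grant subnet-level rather than project-level access, create the instance in a zone of the subnet's region) as a gcloud script. This is an added example, not code from the gist; the organization ID, project IDs, subnet name and principals are placeholders, and the DRY_RUN switch that prints commands instead of running them is the script's own convenience, not a gcloud feature.

```shell
#!/bin/sh
# Added example (not part of the gist): the gcloud steps a Shared VPC Admin
# follows to set up a host project, attach a service project, and give a
# service-project team access to ONE subnet only (least privilege).
# All project, organization and principal names below are placeholders.
set -eu

# DRY_RUN=1 (default) prints each command instead of executing it, so the
# sequence can be reviewed offline; DRY_RUN=0 calls gcloud for real.
: "${DRY_RUN:=1}"

run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Step 0: the Shared VPC Admin role (roles/compute.xpnAdmin) is granted on the
# organization, which is why an organization resource is required.
grant_shared_vpc_admin() {   # args: ORG_ID MEMBER
  run gcloud organizations add-iam-policy-binding "$1" \
    --member "$2" --role roles/compute.xpnAdmin
}

# Step 1: designate the host project.
enable_host_project() {      # args: HOST_PROJECT
  run gcloud compute shared-vpc enable "$1"
}

# Step 2: attach a service project to the host project.
attach_service_project() {   # args: HOST_PROJECT SERVICE_PROJECT
  run gcloud compute shared-vpc associated-projects add "$2" --host-project "$1"
}

# Step 3: grant Network User on a single subnet rather than on the whole host
# project, so each service-project team can only place instances where intended.
grant_subnet_user() {        # args: HOST_PROJECT MEMBER SUBNET REGION
  run gcloud compute networks subnets add-iam-policy-binding "$3" \
    --project "$1" --region "$4" \
    --member "$2" --role roles/compute.networkUser
}

# Guard for step 4: an instance on a subnet must sit in a zone of that subnet's
# region (us-west1-a is valid for a us-west1 subnet; us-east1-b is not).
zone_in_region() {           # args: ZONE REGION -> exit status 0 when it matches
  [ "${1%-*}" = "$2" ]
}

# Step 4: create the instance from the service project, referencing the host
# project's subnet by its full resource path.
create_instance_on_shared_subnet() {  # args: SERVICE_PROJECT NAME ZONE HOST_PROJECT REGION SUBNET
  zone_in_region "$3" "$5" || { echo "zone $3 is not in region $5" >&2; return 1; }
  run gcloud compute instances create "$2" --project "$1" --zone "$3" \
    --subnet "projects/$4/regions/$5/subnetworks/$6"
}

# Worked run with constructed placeholder names; "subnet-us-west1" stands for
# the 10.0.1.0/24 subnet in us-west1 from the text.
main() {
  grant_shared_vpc_admin 123456789012 user:netadmin@example.com
  enable_host_project net-host-prod
  attach_service_project net-host-prod apps-production
  grant_subnet_user net-host-prod group:app-team@example.com subnet-us-west1 us-west1
  create_instance_on_shared_subnet apps-production instance-ap us-west1-a \
    net-host-prod us-west1 subnet-us-west1
}

main
```

Run it as-is to print the five commands for review, or with `DRY_RUN=0` to execute them; the last step refuses a zone outside the subnet's region before calling gcloud, which is the check Service Project Admins otherwise discover only when instance creation fails.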
