Networking and storageNetworkingIntermediate47 min read

What Is Shared VPC in Networking?

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security
Cisco CCNACompTIA Network+CompTIA A+ Core 1CompTIA Security+DVA-C02CLF-C02AZ-104Google ACEGoogle CDLGoogle PCAAZ-900SAA-C03
On This Page

Quick Definition

A Shared VPC is like having a single private network that several different teams or projects can use at the same time. Each team gets their own space within that network, but everything is managed from one central place. This helps organizations keep their cloud resources organized, secure, and efficient without creating separate networks for every small project.

Common Commands & Configuration

gcloud compute shared-vpc enable host-project-id

Enables the specified project as a Shared VPC host project on Google Cloud. This is the first step in setting up Shared VPC.

Exams test that you know this command is required before attaching service projects. Without this, the project cannot host a shared network.

gcloud compute shared-vpc associated-projects add service-project-id --host-project host-project-id

Attaches a service project to an existing Shared VPC host project, allowing the service project to use the host's subnets.

Commonly asked: Which command adds a service project to a Shared VPC? The answer must include the --host-project flag.

gcloud compute shared-vpc list-associated-projects host-project-id

Lists all service projects currently associated with the specified Shared VPC host project. Useful for auditing.

Useful for troubleshooting: if a user claims they cannot access shared subnets, check this list first.

aws ram create-resource-share --name my-share --resource-arns arn:aws:ec2:us-east-1:123456789012:subnet/subnet-abc123 --principals arn:aws:organizations::123456789012:root/o-abc123

In AWS, this command shares a subnet with another account using AWS Resource Access Manager. The resource-arn specifies the subnet, and principals specifies the target account or organization.

AWS exams test RAM commands for VPC sharing. You must know that you share subnets, not the entire VPC, and that the target must be in the same organization.

az network vnet peering create --name hub-to-spoke --resource-group hub-rg --vnet-name hub-vnet --remote-vnet spoke-vnet-id --allow-vnet-access --allow-forwarded-traffic

Creates a VNet peering connection in Azure, which is the equivalent of enabling Shared VPC. The hub VNet acts as the central network, and spoke VNets connect to it.

For Azure exams, you must know that VNet peering is bi-directional (two peerings needed) and that allow-forwarded-traffic is required for route propagation.

gcloud compute networks subnets update my-subnet --region us-central1 --enable-private-ip-google-access

Enables Private Google Access on a shared subnet, allowing VMs in service projects to access Google services (e.g., Cloud Storage) without external IP addresses.

Exams love this: Without this flag, VMs in Shared VPC cannot reach Google APIs privately. It's a common troubleshooting step.

gcloud compute shared-vpc get-host-project service-project-id

Retrieves the host project associated with a given service project. Useful for identifying which VPC a service project belongs to.

This command is often used in exam scenarios to determine if a project is correctly attached to a Shared VPC.

Shared VPC appears directly in 68exam-style practice questions in Courseiva's question bank — one of the most-tested concepts on Cisco CCNA. Practise them →

Must Know for Exams

Shared VPC appears across several major cloud certification exams because it tests a candidate's understanding of network architecture, governance, and security boundaries. For the AWS Cloud Practitioner exam, you will not be asked to configure Shared VPC, but you should understand that AWS Resource Access Manager allows sharing subnets across accounts within an organization. Questions may describe a scenario where a central network team wants to manage a VPC and allow multiple business units to launch resources, and you need to know that RAM is the correct service. It is a light supporting concept, meaning you should recognize the term and its basic purpose.

For the AWS Solutions Architect Associate (SAA-C03), Shared VPC is more prominent. You will encounter complex scenarios where you need to design a multi-account architecture. Questions may ask which networking model supports having a centralized VPC with subnets shared to multiple accounts while maintaining central control over route tables and security groups. The correct answer often involves AWS Resource Access Manager and a centralized VPC. You might also see questions about VPC peering versus Transit Gateway versus Shared VPC. The key nuance is that Shared VPC (via RAM) allows you to share subnets, while VPC peering connects entire VPCs. Understanding the difference is critical.

In Google Cloud exams (Google Cloud Digital Leader, Associate Cloud Engineer, Professional Cloud Architect), Shared VPC is a core topic because GCP implements it natively and elegantly. The exam objectives explicitly list Shared VPC under networking. You will be tested on the roles involved, particularly the Shared VPC Admin and Service Project Admin roles. Scenarios may involve an organization with multiple teams needing to use a common VPC for compliance. You need to know how to set up the host project, attach service projects, and grant subnet-level permissions. Questions may also compare Shared VPC with VPC Peering, and you need to explain why Shared VPC is preferred for centralized administration.

For Microsoft Azure exams (AZ-104, Azure Fundamentals), the concept is not called Shared VPC but is tested through hub-and-spoke VNet peering and Azure Virtual WAN. However, the core idea is the same: a central network team manages a hub VNet, and spoke VNets are connected to it. Questions may ask about how to implement forced tunneling, how to route traffic through a firewall, or how to share a VPN gateway across multiple spokes. Understanding that Azure does not have a native Shared VPC feature in the same way as GCP is important. The equivalent is achieved through VNet peering and route tables.

For non-cloud exams like CompTIA Network+ and Security+, Shared VPC is not directly tested because those exams focus on on-premises networking and general security concepts. However, the underlying principles of network segmentation, subnets, and centralized policy management are part of those exams. You might see questions about VLANs and their role in segmenting traffic, which is conceptually similar to how subnets work in a Shared VPC. For Security+, you might encounter scenarios about implementing a demilitarized zone (DMZ) in a cloud environment, and understanding VPC structure helps.

For CCNA, the focus is on routing and switching, and shared VPC in the cloud is tangential. But the exam does cover Virtual Routing and Forwarding (VRF), which is a similar concept of segmenting a single router into multiple virtual routers. That understanding can help you grasp Shared VPC faster. Overall, for cloud certifications, Shared VPC is a primary topic for Google Cloud and AWS, and it is also useful for Azure. You should memorize the specific service names, IAM roles, and architecture patterns for each provider.

Simple Meaning

Imagine a large office building that has one main hallway with many rooms off of it. The building owner (the central IT team) manages the hallway, the lights, the security cameras, and the main doors. Different departments, like sales, engineering, and human resources, each get their own room off that hallway. Each department can arrange their room however they like, put in their own furniture and equipment, and lock their door with their own key. But they all share the same hallway to get to their rooms. They do not need to build their own separate building or hallway. That is essentially what a Shared VPC does in the cloud.

In cloud computing, a VPC is your private section of the cloud. It is a logically isolated network where you launch your virtual machines, databases, and other services. Normally, each project or team would create their own VPC, which is like building their own separate building. That works, but it can get expensive and hard to manage. With a Shared VPC, you create one central VPC (the hallway), and then you allow other projects or teams to use parts of that VPC (the rooms). They can create their own resources inside the shared network, but they do not have to worry about setting up the network itself.

Think of it this way: the central IT team sets up the router, the firewall rules, the VPN connection to the on-premises data center, and the internet gateway. That is like building the hallway, installing the main security system, and connecting to the outside world. Then, each team gets a subnet, which is like their room. A subnet is a smaller section of the VPC with its own range of IP addresses. The team can put their servers and other resources inside their subnet. They can also set their own security rules for their subnet, like deciding who can come into their room. But they do not have to manage the main doors to the building or the hallway lights.

This model is very popular in large organizations where many different teams need to use cloud resources. It saves money because you only pay for one VPC instead of many. It also makes security simpler because the central team can enforce policies for the entire network, like blocking traffic from the internet. At the same time, individual teams can still control who can access their own resources. This balance between central control and team autonomy is why Shared VPC is so widely used in cloud environments like Amazon Web Services, Google Cloud, and Microsoft Azure.

Full Technical Definition

A Shared VPC (Virtual Private Cloud) is a networking model in cloud computing that allows an organization to centrally manage a single VPC network while delegating administrative control over its subnets to multiple projects, accounts, or service consumers. This architecture enables resource isolation, policy enforcement, and efficient IP address utilization across different business units without requiring each unit to create and manage its own VPC. The concept is implemented slightly differently across major cloud providers, but the core principles remain consistent.

In Google Cloud Platform (GCP), a Shared VPC is created using a host project that contains one or more VPC networks. The host project then attaches service projects to it, allowing those service projects to create resources (like Compute Engine instances, GKE clusters, or Cloud SQL instances) within the subnets of the host VPC. Access is controlled through Identity and Access Management (IAM) roles. The Shared VPC Admin (roles/compute.xpnAdmin) manages the host project and assigns subnet-level permissions. Service project users can then use those subnets but cannot modify the VPC itself. This is critical for compliance and boundary control. The underlying technology uses Virtual Extensible LAN (VXLAN) for network isolation and encapsulation, ensuring that traffic between different projects within the same VPC is secure and isolated at Layer 2.

In Amazon Web Services (AWS), the analogous concept is often implemented through a centralized VPC with shared subnets, frequently using AWS Organizations and AWS Resource Access Manager (RAM). An organization designates a VPC in a specific account (the host account) and then shares its subnets with other accounts within the organization using RAM. Those consuming accounts can then launch EC2 instances, RDS databases, or Lambda functions into the shared subnets. However, unlike GCP's Shared VPC, AWS's shared subnet model does not allow the consumer accounts to manage the VPC's route tables or security group rules centrally; those remain under the purview of the VPC owner. AWS Transit Gateway is often added to this architecture to enable communication between multiple shared VPCs or with on-premises networks. The protocols involved include VPC peering (Layer 3 connectivity) and AWS PrivateLink for private access to services.

In Microsoft Azure, the equivalent is often called VNet Peering with centralized hub-and-spoke architecture, or using Azure Virtual WAN. The hub VNet is owned by a central IT team, and spoke VNets are owned by individual teams. VNet Peering connects spoke VNets to the hub, allowing traffic to flow through centrally managed firewalls or Network Virtual Appliances (NVAs). This is not technically a single VPC being shared, but it achieves the same goal: centralized control with decentralized resource creation. Azure also offers Azure Private Link and service endpoints for secure access. The Azure implementation relies on software-defined networking and NVAs for routing and policy enforcement.

Key components of a Shared VPC include: the host project or account, service projects or consumer accounts, subnets with CIDR ranges, IAM roles (such as Network Admin, Security Admin, or Subnet-level roles), route tables, firewall rules (both centralized and delegated), and VPC flow logs for monitoring. Standards such as RFC 1918 define the private IP address ranges used within the VPC. Traffic within the VPC is typically encrypted using protocols like IPsec if connecting on-premises, or Google's internal encryption at rest and in transit. Service Level Agreements (SLAs) for VPCs typically guarantee 99.99% uptime for the control plane.

Real IT implementation involves careful planning of IP address space to avoid overlap between subnets and to allow for future growth. Organizations often use a /16 CIDR block (65,536 IP addresses) for the VPC and divide it into /23 or /24 subnets for individual teams. Central IT configures route tables to direct traffic to a shared firewall or intrusion detection system. Security groups and network ACLs are used at the subnet level and instance level. In a Shared VPC, the host project can enforce firewall rules that cannot be overridden by service projects, ensuring compliance with corporate security policies. This is particularly important for regulated industries like finance and healthcare.

For exam purposes, it is essential to understand that Shared VPC does not mean that all resources are in one flat network; it means that the VPC's lifecycle and core configuration are managed centrally while resource creation is delegated. Questions often test the distinction between who manages what, the IAM roles involved, and how traffic flows between different projects within the same Shared VPC. Understanding the specific implementation differences between AWS, GCP, and Azure is crucial for cloud certification exams.

Real-Life Example

Think of Shared VPC like a large apartment complex. The building owner (central IT) owns the entire building, including the lobby, the hallways, the elevator, and the main entrance. The owner also handles the building's internet connection, the security cameras in the lobby, and the contracts with the utility companies. Now, each apartment in the building is rented by a different tenant (a team or project). Each tenant can decorate their own apartment however they like, install furniture, connect their own Wi-Fi router inside their apartment, and lock their door. But they do not have to worry about the main entrance, the elevator, or the building's plumbing and electricity. Those are managed by the building owner.

In this analogy, the building is the VPC, the lobby is the internet gateway, the hallways are the routes that connect everything, and each apartment is a subnet. The tenants (teams) can bring in their own servers and resources into their apartment (subnet), but they do not need to build their own separate building. They benefit from the shared utilities like the internet connection and the security cameras. However, the building owner can also set rules. For example, the owner can say that no one can have a barbecue on their balcony because it's a fire hazard (a security rule). That rule applies to all tenants. The tenants can add their own rules inside their apartment, like not allowing guests after 10 PM, but they cannot change the building's no-barbecue rule.

Now, imagine that the building owner also keeps a spare key to every apartment. That is like the central IT team having administrative access to all resources if needed. But in a well-run Shared VPC, the owner only uses that key for emergencies, like a water leak. Typically, each tenant manages their own resources and only the central team manages the building's structure. This model saves money because you only rent one building instead of many. It also makes it easier to secure the building because everyone comes through the same secure entrance, and the owner can monitor who comes and goes. In the cloud, this means lower costs, easier compliance, and less administrative overhead for individual teams.

One challenge is that tenants might accidentally disturb each other. For example, if one tenant runs a very noisy party (heavy network traffic), it could affect the internet speed for others. In a cloud Shared VPC, this is handled by network traffic shaping and monitoring. Another challenge is that if the building owner makes a mistake, like turning off the main water supply, everyone is affected. So the central IT team must be very careful with their configurations. Overall, the apartment complex model is a practical and efficient way to manage shared infrastructure, and that is why Shared VPC is so popular in large organizations.

Why This Term Matters

Shared VPC matters because it solves a fundamental problem in cloud adoption: how to give individual teams or departments the freedom to create and manage their own cloud resources while maintaining central control over the network, security, and costs. Without Shared VPC, each team would create their own isolated VPC. This leads to a sprawl of networks, each with its own routing tables, firewall rules, and internet gateways. Managing that many VPCs quickly becomes a nightmare. Security policies are hard to enforce consistently, IP address ranges start overlapping, and costs skyrocket because you are paying for multiple redundant networking components like VPN gateways and NAT gateways.

From a practical IT perspective, Shared VPC enables the principle of least privilege. The central network team can give each team just enough access to the network parts they need, without giving them full control over the infrastructure. This aligns with the security best practice of separating duties. For example, a developer can launch a virtual machine into a subnet without ever being able to modify the route table that controls traffic to the database. This reduces the risk of misconfiguration that could bring down the entire network.

Another reason Shared VPC matters is cost efficiency. In cloud billing, you pay for each VPC's networking components. If you have 50 teams each running their own VPC, you might have 50 NAT gateways, 50 VPN connections, and 50 sets of flow logs. With Shared VPC, you typically have one NAT gateway for all teams, one VPN tunnel to your on-premises data center, and one set of flow logs monitored by the central team. The savings can be significant, especially in large enterprises.

Finally, Shared VPC is a key enabler for multi-account or multi-project strategies. In AWS, using AWS Organizations, you can structure your accounts into a hierarchy of management, core, and workload accounts. Shared VPC using RAM allows workload accounts to use networks owned by the core account, making it easy to standardize on a single network architecture. In GCP, the host project can be the central infrastructure project, and all development, staging, and production projects can attach to it. This creates a clean separation of concerns and simplifies audit trails. For any IT professional working in cloud environments, understanding Shared VPC is no longer optional; it is a core skill for designing scalable, secure, and cost-effective network architectures.

How It Appears in Exam Questions

Exam questions about Shared VPC typically fall into three categories: scenario-based architecture decisions, configuration of IAM roles and permissions, and troubleshooting connectivity issues. In scenario-based questions, you are given a company with multiple business units. Each unit needs to launch resources, but the network must be managed centrally to enforce security policies. You might be asked which service to use. On AWS, the options could be VPC Peering, Transit Gateway, or Resource Access Manager. The correct answer is RAM because it allows subnet sharing. On GCP, the options might be Shared VPC, VPC Peering, or a separate VPC per project. The correct answer is Shared VPC.

Configuration questions will test your knowledge of the specific steps and requirements. For example, a GCP question might ask: 'An organization wants to allow Project B to use a subnet from Project A's VPC. What is the first step?' The answer is to enable a Shared VPC in Project A (the host project) and then attach Project B as a service project. Another question might ask which IAM role allows a user to create instances in a Shared VPC subnet but not delete the subnet. The answer is roles/compute.networkUser at the subnet level.

Troubleshooting questions often involve connectivity issues. For instance, a question might say: 'An administrator created a Shared VPC in GCP and attached two service projects. Instances in one service project cannot communicate with instances in the other service project, even though they are in the same VPC. What is the most likely cause?' The answer might be that firewall rules are blocking the traffic, or that both subnets are using overlapping CIDR ranges. Another common issue is that the service project users have not been granted the necessary IAM permissions to use the subnet. The question might give a scenario where a developer gets a permission denied error when trying to launch an instance in a shared subnet, and you need to identify that the subnet-level IAM role is missing.

In AWS, a typical troubleshooting question might involve a company using RAM to share a subnet from a central VPC to another account. The consumer account can launch an EC2 instance, but it cannot reach the internet. You need to identify that the central VPC's route table does not have a route to a NAT gateway, or that the security group in the consumer account is blocking outbound traffic. Another pattern is that the consumer account cannot see the shared subnet in the VPC console, which means the RAM share has not been accepted or the subnet is not in the same region.

Azure questions often involve VNet peering and routing. A question might describe a hub VNet with a firewall and multiple spoke VNets. Traffic from a spoke to the internet is not working. The solution is to configure User-Defined Routes (UDRs) in the spoke VNet to force traffic through the hub firewall. Questions also test the difference between service endpoints and private endpoints, both of which are used in shared network architectures.

Finally, some questions test the conceptual distinction between Shared VPC and other networking models. For example, a question may ask: 'Which model allows multiple projects to use the same VPC while the VPC's lifecycle is managed by a single central admin?' The answer is Shared VPC. Another question may ask: 'Which model allows complete isolation between VPCs but still enables connectivity?' The answer is VPC Peering. Understanding these distinctions is key to getting the right answer. Practice exams should include a mix of these question types.

Practise Shared VPC Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

A company called CloudRetail Inc. has three teams: Web, Database, and Analytics. Each team needs to deploy cloud resources like virtual machines and storage. The company's security policy requires that all traffic from the internet goes through a central firewall, and all outbound traffic to the internet must use a single NAT gateway. The network team wants to manage these central components, while each team should be able to launch their own resources independently.

In the past, each team created their own VPC, which resulted in three separate internet gateways, three separate NAT gateways, and three sets of firewall rules. The network team could not enforce consistent security policies, and costs were high. The company decides to implement a Shared VPC.

The network team creates one VPC in a central project (the host project) with a CIDR block of 10.0.0.0/16. They create three subnets: Web-Subnet (10.0.1.0/24), DB-Subnet (10.0.2.0/24), and Analytics-Subnet (10.0.3.0/24). They attach a single internet gateway and a single NAT gateway in the VPC. They configure firewall rules that allow only HTTP and HTTPS traffic from the internet to the Web-Subnet, and they block all inbound traffic from the internet to the DB-Subnet and Analytics-Subnet. These rules are enforced centrally and cannot be overridden by the teams.

Then, the network team uses the Shared VPC feature to attach the three teams' projects as service projects. They grant each team the IAM role to use their specific subnet but not to modify the VPC or the central firewall rules. Now, the Web team can launch web servers in the Web-Subnet. The Database team can launch database servers in the DB-Subnet, which has no public internet access. The Analytics team can launch analytics instances in the Analytics-Subnet, which also has no public access but can reach out to the internet through the NAT gateway.

The teams no longer worry about network setup. They focus on their applications. The network team is happy because they have full visibility and control. The company saves money because they pay for only one NAT gateway and one internet gateway instead of three. If a new team joins, the network team just creates a new subnet and attaches the project. This scenario exactly reflects the power of Shared VPC in real-world cloud adoption.

Common Mistakes

Confusing Shared VPC with VPC Peering.

VPC Peering connects two separate VPCs, allowing traffic to flow between them, but each VPC remains independently managed. Shared VPC is a single VPC that is used by multiple projects, with central management. They are different architectures.

Think of Shared VPC as one house with many rooms, and VPC Peering as two separate houses connected by a bridge.

Assuming all cloud providers implement Shared VPC the same way.

Google Cloud uses the host project/service project model with dedicated Shared VPC roles. AWS uses Resource Access Manager to share subnets across accounts but does not have a single concept called 'Shared VPC'. Azure uses VNet peering with hub-spoke, which is functionally similar but not the same. Assuming uniformity leads to incorrect answers.

Study each provider's specific implementation, terminology, and limitations separately.

Thinking that service projects can manage the VPC's route tables or firewall rules.

In a Shared VPC, only the host project admin can modify core network components like route tables, firewall rules, and subnets. Service project users can only launch resources into the subnets they are given access to. Granting them more access would defeat the purpose of centralized control.

Remember that Shared VPC separates network management from resource management. Service project admins manage resources, not the network.

Overlooking IP address planning when creating a Shared VPC.

If the VPC's CIDR block is too small, you will run out of IP addresses for future subnets. If you use overlapping CIDR ranges across projects, routing will break. Many organizations fail to plan for growth and have to re-IP later.

Start with a large CIDR block like /16, and allocate subnets conservatively, leaving room for expansion. Use a formal IP address management (IPAM) process.

Believing that Shared VPC implies all resources in the same security domain.

Even within a Shared VPC, you can (and should) isolate subnets using firewall rules and security groups. A shared VPC does not automatically open all traffic between projects. You must explicitly configure firewall rules to allow inter-subnet traffic if needed.

Always design security groups and firewall rules to enforce least privilege, even inside a Shared VPC. Treat each subnet as its own trust boundary unless a specific need for cross-subnet traffic exists.

Exam Trap — Don't Get Fooled

{"trap":"The exam asks: 'You want to allow two different AWS accounts to use the same VPC, but each account should manage its own security groups. What should you do?' Some learners incorrectly choose VPC Peering because it is a common networking feature."

,"why_learners_choose_it":"Learners often associate VPC Peering with connecting multiple accounts and think it is the only way to share a network. They also know that VPC Peering allows traffic between resources in different VPCs, so they assume it fits the requirement.","how_to_avoid_it":"Read the question carefully.

The key phrase is 'use the same VPC'. VPC Peering connects two separate VPCs. Shared VPC via Resource Access Manager allows multiple accounts to use subnets from the same VPC. Security groups in a Shared VPC can be managed by each account if they have the correct permissions, but the VPC itself remains centrally owned.

The correct answer is to share the VPC's subnets via RAM and then let each account create resources in the shared subnets."

Commonly Confused With

Shared VPCvsVPC Peering

VPC Peering is a direct network connection between two separate VPCs. It allows traffic between them using private IP addresses, but each VPC remains independently managed. Shared VPC is a single VPC that multiple projects use, with central management. VPC Peering is used for connecting isolated VPCs, while Shared VPC is used for consolidating networking within one VPC.

Think of VPC Peering as two separate apartment buildings connected by a skybridge. Shared VPC is one apartment building with multiple units.

Shared VPCvsTransit Gateway

Transit Gateway is a central hub that connects multiple VPCs and on-premises networks together. It is a routing service, not a VPC itself. Shared VPC gives you a single VPC, while Transit Gateway connects many VPCs. Transit Gateway is used when you need to connect many independent networks, whereas Shared VPC is used when you want one network shared by many projects.

Transit Gateway is like a central train station connecting many different cities. Shared VPC is one city with many neighborhoods.

Shared VPCvsVPC Endpoint

A VPC Endpoint (either Gateway or Interface Endpoint) allows you to privately connect your VPC to AWS services like S3 or DynamoDB without going through the internet. It is a feature you can use inside a VPC, not a way to share a VPC. Shared VPC is about multiple accounts using one VPC, while an endpoint is about accessing services privately within your VPC.

A VPC Endpoint is like having a private door in your building that leads directly to the grocery store, so you don't have to go outside. Shared VPC is about having many apartments in that building.

Shared VPCvsMulti-account strategy

A multi-account strategy is the practice of using multiple cloud accounts to separate environments (dev, test, prod) or business units. Shared VPC is a networking model that can be part of a multi-account strategy, but it is not the same thing. You can have a multi-account strategy without Shared VPC (each account has its own VPC), and you can have Shared VPC within a single account with multiple projects.

Multi-account strategy is like having three separate buildings for different departments. Shared VPC is like having one building with separate rooms for each department.

Step-by-Step Breakdown

1

Plan IP Address Space

The first step is to decide the overall IP range for the Shared VPC. Typically, you choose a large CIDR block like 10.0.0.0/16 (65,536 addresses). This range must not overlap with your on-premises network if you plan to connect via VPN or Direct Connect. Planning ahead prevents future re-IP headaches.

2

Create the Host Project (GCP) or Central Account (AWS)

In GCP, you designate a project as the host project. In AWS, you choose an account (often the Network account) that will own the VPC. This project or account becomes the owner of the Shared VPC network. All central networking components will be created here.

3

Create the VPC and Subnets

Inside the host project, you create a VPC and define subnets. Each subnet should be sized appropriately for the teams that will use it. For example, /24 subnets (256 addresses) for smaller teams, /23 (512 addresses) for larger teams. You also create an internet gateway and a NAT gateway if needed.

4

Configure Central Firewall Rules and Route Tables

The host project admin sets up firewall rules that apply to all subnets. For example, you might block all inbound traffic from the internet except to a specific subnet. Route tables are configured to direct traffic through the NAT gateway or VPN. These rules are centrally enforced and cannot be modified by service projects.

5

Attach Service Projects (GCP) or Share Subnets (AWS)

In GCP, you attach service projects to the host project using the Shared VPC Admin console or gcloud command. In AWS, you use Resource Access Manager to share the subnets with other accounts in your organization. The service projects or consumer accounts can now see the shared subnets.

6

Grant IAM Permissions at Subnet Level

You assign specific IAM roles to users or service accounts in the service projects. In GCP, you typically grant roles/compute.networkUser on a subnet to allow launching instances. In AWS, you can use RAM to share with specific IAM roles or accounts. This step ensures that only authorized entities can use the subnets.

7

Test Connectivity and Deploy Resources

Teams in service projects can now launch virtual machines, databases, or containers into the shared subnets. The host project admin should test that traffic flows correctly, that internet access works (or is blocked) as intended, and that inter-subnet communication follows the firewall rules. Monitoring and logging should be enabled for visibility.

8

Manage and Audit

Ongoing management includes monitoring VPC flow logs, adjusting subnet sizes if teams grow, and auditing IAM permissions. The host project admin should regularly review which service projects are attached and whether they still need access. This step ensures the Shared VPC remains secure and efficient over time.

Practical Mini-Lesson

Shared VPC is a design pattern that every cloud professional should master because it directly impacts security, cost, and operational efficiency. In practice, setting up a Shared VPC is not just about clicking a button; it involves careful planning and understanding of the cloud provider's specific features. Let us walk through a real-world implementation on Google Cloud, as it is the most native implementation.

Start by creating a dedicated project that will serve as the host project. Name it something like 'prod-shared-networking'. In this project, create a VPC with a custom mode so you can manually create subnets. Avoid auto-mode because it uses non-RFC 1918 addresses and can conflict with on-premises IPs. Choose a CIDR block that is large enough, such as 10.0.0.0/16. Then, create subnets for each environment: 10.0.1.0/24 for dev, 10.0.2.0/24 for staging, 10.0.3.0/24 for production. Each subnet should be in a different zone for high availability. Also create a subnet for shared services like Active Directory or monitoring tools.

Next, create a firewall rule that blocks all incoming traffic from the internet except to a bastion host subnet. Create another rule that allows SSH from the bastion host to all other subnets. Configure the route table to have a default route (0.0.0.0/0) pointing to a centralized NAT gateway, which you also create in the host project. If you have an on-premises connection, add a route to the on-premises network through the VPN gateway.

Now, attach service projects. For example, a project called 'team-alpha-app' should be attached as a service project. Then, navigate to the subnet you want to share, and grant the service project's service account the role 'Compute Network User' (roles/compute.networkUser). You can do this at the subnet level for granularity. This allows users in team-alpha-app to see the subnet and create resources in it. They cannot delete the subnet or modify firewall rules.

What can go wrong? One common issue is that the service project users cannot see the subnet in the console if the project has not been enabled for Compute Engine API. Another issue is that they get permission errors if the IAM role is not propagated. Also, if you try to create a resource that requires a static IP, the service project may not have the compute.addresses.create permission on the shared subnet. You must ensure that the service project has the necessary compute permissions for the specific actions.

Another pitfall is overlapping firewall rules. The host project's firewall rules are evaluated before any firewall rules in the service project. If the host project blocks all inbound traffic, service project rules cannot override it. This is intentional for security, but it can cause confusion. Always test with a simple ping or SSH session.

Monitoring is crucial. Enable VPC flow logs on the shared subnets to capture traffic metadata. These logs are stored in the host project, and the central network team can analyze them for security incidents. Also configure alerts for any suspicious traffic patterns.

Shared VPC in practice is about balancing central control with team autonomy. The central team owns the network backbone, while teams own their applications. This model is used by most large enterprises adopting Google Cloud, and it is a cornerstone of the Google Cloud Well-Architected Framework's networking pillar. Understanding the IAM model, subnet delegation, and firewall rule precedence is essential for any cloud administrator.

Architecture and Benefits of Shared VPC in Cloud Environments

A Shared VPC (Virtual Private Cloud) is a networking architecture that allows an organization to create and manage a single VPC from a central project or account, and then share that VPC with multiple other projects, accounts, or teams within the same organization. This design is widely used in cloud platforms like Google Cloud (where it originated), AWS (via VPC sharing), and Azure (via Virtual Network peering and hub-and-spoke models). The core benefit is that it enables resource isolation and security controls while reducing administrative overhead and IP address fragmentation.

In a Shared VPC model, there is typically a host project (or host account) that owns the VPC network, subnets, routes, and firewall rules. Service projects (or member accounts) can then use the subnets defined in the host VPC to deploy their resources, such as Compute Engine instances, Kubernetes clusters, or databases. This eliminates the need for each team to create and manage their own VPC, which can lead to overlapping IP ranges, complex peering topologies, and inconsistent security policies.

From an exam perspective, especially for Google Cloud certifications (Google ACE, Google PCA, Google Cloud Digital Leader), Shared VPC is a key concept. The exams test your understanding of how Shared VPC simplifies network management, enforces centralized security, and supports multi-team collaboration. For AWS certifications (AWS Cloud Practitioner, AWS Developer Associate, AWS SAA), similar concepts appear under VPC sharing and Resource Access Manager (RAM). For Azure (AZ-104, Azure Fundamentals), the equivalent is Virtual Network peering with hub-spoke architecture, though Shared VPC is specific to Google Cloud. The A+, Security+, CCNA, and Network+ exams focus on the fundamental networking principles-IP addressing, routing, and security groups-that underpin Shared VPC architectures.

One critical benefit of Shared VPC is cost efficiency. By centralizing network resources, organizations reduce the number of VPNs, NAT gateways, and load balancers needed, as these can be shared across projects. This also simplifies billing because the host project pays for shared infrastructure, and service projects pay only for their compute resources. Security is another major advantage: network policies, firewall rules, and private Google Access can be defined once in the host VPC and automatically apply to all service projects. This ensures consistent compliance and reduces the risk of misconfiguration.

Shared VPC also supports hierarchical permissions. In Google Cloud, you can grant network admin roles to certain users in the host project, while giving limited permissions (like compute.instanceAdmin) to users in service projects. This separation of duties is a common exam scenario: you might be asked who can create subnets or configure firewall rules in a Shared VPC setup.

Finally, Shared VPC simplifies connectivity to on-premises networks. Instead of setting up multiple VPN tunnels or Cloud Interconnect connections from each project, you can have a single connection from the host VPC, and all service projects can access on-premises resources through that connection. This is a frequent topic in exam questions about hybrid cloud networking.

For network engineers studying for CCNA or Network+, understanding Shared VPC reinforces concepts like subnetting (CIDR), routing tables, and network segmentation. The Shared VPC model is essentially a real-world application of VLAN-like isolation at the cloud scale. Shared VPC is not just a feature-it's a best practice for large organizations that need to balance autonomy and control across multiple teams.

IAM Roles and Permissions for Shared VPC Administration

Managing a Shared VPC requires careful assignment of Identity and Access Management (IAM) roles to ensure that the right people have the right level of access. In Google Cloud, Shared VPC uses two main types of roles: host project roles and service project roles. The host project is the project that contains the VPC network, and the service projects are the projects that use subnets from that shared VPC.

At the host project level, you need a user with the Shared VPC Admin role (roles/compute.sharedVpcAdmin) to enable the project as a host project and to attach service projects. This role includes permissions to list, create, and delete subnets in the host VPC, as well as to manage the association with service projects. A Network Admin (roles/compute.networkAdmin) can manage firewall rules, routes, and other network resources within the host VPC. The Shared VPC Admin role does not grant permissions to deploy resources like virtual machines; that is handled by roles in the service projects.

In the service projects, users need roles that allow them to use the shared subnets. For example, the Compute Instance Admin (roles/compute.instanceAdmin) in a service project can create VMs in the shared subnets, but cannot modify the subnet configuration or firewall rules. This is a common exam question: a user in a service project can launch instances, but cannot change the network settings of the Shared VPC. The separation of duties is enforced through IAM.

For AWS, the equivalent concept uses AWS Resource Access Manager (RAM) to share subnets. In AWS, you create a VPC in one account (the owner), then share specific subnets with other accounts. The IAM roles in the shared account must have permissions like ec2:RunInstances and ec2:CreateNetworkInterface on the shared subnet. The owner account retains control over route tables, network ACLs, and security groups. This is tested in AWS SAA and AWS Developer Associate exams.

Azure's approach is different but conceptually similar: you can use Virtual Network peering with hub-spoke topologies, or you can use Azure Virtual WAN for centralized networking. IAM roles in Azure are managed through RBAC (Role-Based Access Control): a user in the hub subscription might have Network Contributor role, while users in spoke subscriptions have Virtual Machine Contributor roles. However, Azure does not have a direct "Shared VPC" feature; the closest is Azure Private Link and service endpoints.

Exam questions often test your ability to identify the correct role for a given scenario. For example: "An organization wants to delegate subnet creation to a specific team. Which role should be assigned?" The answer is Shared VPC Admin in the host project. Or: "A developer in a service project needs to deploy a web server in a shared subnet. Which role is sufficient?" The answer is Compute Instance Admin in the service project.

Another important IAM concept is the distinction between network-level permissions and resource-level permissions. A user with Network Admin in the host project can create firewall rules that affect all service projects, which is a powerful capability that must be carefully audited. Exam environments often simulate this by asking who can modify a firewall rule that blocks all traffic to a critical database: only users with compute.firewalls.update at the host project level.

For cybersecurity professionals (Security+), understanding IAM in Shared VPC reinforces the principle of least privilege. By centralizing network management, you reduce the attack surface: fewer people have permissions to change network configurations, which lowers the risk of accidental exposure.

mastering the IAM roles associated with Shared VPC is essential for any cloud exam, as it tests your ability to implement secure, scalable networking. The key takeaway is that host project roles control the network infrastructure, while service project roles control the use of that infrastructure-and never the two should cross without explicit permissions.

How Shared VPC Costs Are Distributed and Optimized

Understanding the cost model of Shared VPC is critical for both cloud practitioners and architects, as it directly impacts budgeting and billing for multi-team organizations. In Google Cloud, Shared VPC introduces a specific billing structure that separates infrastructure costs from resource consumption costs. The host project, which owns the VPC network, is billed for shared networking resources such as VPN gateways, Cloud NAT, load balancers, interconnects, and any static IP addresses that are attached to those resources. Service projects, on the other hand, are billed only for the compute resources they deploy into the shared subnets-like virtual machines, disks, and Kubernetes clusters.

This separation allows for clear cost attribution. For example, if a service project launches 10 VM instances in a shared subnet, the VM costs appear in the service project's billing, while the network egress costs associated with those VMs are charged to the host project. However, there is a nuance: data transfer costs between VMs in different service projects (but within the same Shared VPC) are considered internal traffic and typically do not incur egress charges, as long as they stay within the same region. This is a frequent exam trick: candidates often assume that cross-project traffic incurs extra costs, but within a Shared VPC, it is treated like intra-VPC traffic.

For AWS VPC sharing, the cost model is similar but has some differences. The owner account pays for the VPC infrastructure (e.g., NAT Gateway, Transit Gateway, VPN Connection), while the participant accounts pay for the EC2 instances and other resources they launch in the shared subnets. AWS also charges for data transfer across Availability Zones or regions regardless of VPC sharing, so you must consider that. In exam questions, you might be asked to compare the cost of using Shared VPC versus multiple separate VPCs; the correct answer often highlights the savings from reducing redundant NAT gateways and VPN connections.

Azure's hub-spoke architecture with VNet peering has a different cost model: peering itself is free within a region (though data transfer costs apply), but the hub VNet might have resources like Azure Firewall or VPN Gateway that are billed separately. The spoke VNets pay for their own VMs and storage. While not called Shared VPC, the principle is similar.

Cost optimization strategies for Shared VPC include rightsizing shared resources. For instance, instead of each service project deploying its own NAT gateway, you can have one Cloud NAT in the host project that all service projects use through Private Google Access. This reduces cost and simplifies management. Another optimization is using shared VPC with pre-allocated IP ranges to maximize IP utilization and reduce wasteful allocation.

Exam questions often test the concept of "who pays for what." A typical scenario: "Company A uses Shared VPC with three service projects. The host project has a VPN gateway to connect to on-premises. One service project deploys a large data processing job. Which costs are incurred by the service project?" The answer: the service project pays only for its compute resources (VMs, disks), not the VPN gateway.

Another cost-related exam topic is the use of committed use discounts (CUDs) for VMs in Shared VPC. In Google Cloud, committed use discounts are applied at the project level. If a service project wants to benefit from CUDs, the commitment must be made in that service project, even though the VMs are running in shared subnets. This can lead to scenarios where one service project gets a discount while another does not, complicating cost allocation. Exams may test your ability to recommend CUDs in a Shared VPC environment.

For network+ and CCNA, while cost is not the primary focus, understanding Shared VPC cost helps in designing cost-effective enterprise networks. The key takeaway is that Shared VPC centralizes billing for shared infrastructure while decentralizing compute costs, giving organizations both savings and visibility.

Shared VPC cost distribution is a favorite topic for cloud exams because it ties together networking, billing, and governance. Knowing which costs belong to the host vs. service projects, and how data transfer charges apply, will help you answer multiple-choice questions and scenario-based problems with confidence.

Migration to Shared VPC and Troubleshooting Common Issues

Migrating an existing organization to a Shared VPC architecture is a non-trivial process that involves reconfiguring networks, updating IAM policies, and often moving workloads. This section covers the migration steps and common troubleshooting scenarios that appear in cloud exams.

First, the planning phase. Before migrating, you need to audit existing VPCs to identify overlapping IP ranges. Shared VPC requires that all service projects' subnets come from the same VPC, so any existing VPCs with conflicting CIDRs must be re-addressed or decommissioned. This is a common exam scenario: "An organization has three VPCs with overlapping IP ranges. They want to adopt Shared VPC. What is the first step?" Answer: Renumber the VPCs to use non-overlapping ranges or migrate workloads to a new VPC.

Next, you enable the host project. In Google Cloud, you use the `gcloud compute shared-vpc enable` command on the host project, then attach service projects using `gcloud compute shared-vpc associated-projects add`. After that, you create subnets in the host VPC and grant IAM roles to service project users. For AWS, you create a VPC in the owner account, then use AWS RAM to share subnets with participant accounts.

A typical migration path is the "lift and shift" approach: create new subnets in the Shared VPC, then deploy new resources in those subnets, and gradually decommission old resources. This avoids downtime but requires careful planning for persistent resources like databases. Exam questions may ask about migration strategies: "Which migration approach minimizes downtime when moving to Shared VPC?" The answer is to use a phased migration with temporary peering between old and new VPCs.

Now, troubleshooting. One common issue is that service project users cannot see the shared subnets. This often happens because the subnet has not been granted to the service project, or the user lacks the necessary IAM permission (e.g., compute.subnetworks.use). To troubleshoot, the host project admin should verify that the service project is associated and that the subnet is shared using the `gcloud compute shared-vpc list-associated-projects` command or checking the Shared VPC status in the console.

Another frequent problem is that resources in a service project cannot reach the internet. This is usually because the host project's NAT gateway or Cloud NAT is not configured correctly, or Private Google Access is not enabled for the subnet. The symptom is that VMs have no external IP and cannot connect to external services. The fix is to configure Cloud NAT in the host project and ensure the subnet's privateGoogleAccess flag is set to true. This exact issue is a favorite for exam questions: "A VM in a Shared VPC service project cannot access the internet. What is the likely cause?"

A third issue is firewall rule conflicts. Since firewall rules in a Shared VPC are defined in the host project, they apply to all service projects. If a service project deploys a firewall rule (which is not allowed in Google Cloud Shared VPC-all firewall rules must be in the host project), the rule is ignored. Users might think they have set a firewall rule but it has no effect. The symptom is that traffic is unexpectedly blocked or allowed. The solution is to educate users that only host project admins can manage firewall rules. This is a classic exam trick: they present a scenario where a service project user reports a firewall rule not working, and the correct answer is that they lack permissions.

Another common issue is DNS resolution. Shared VPC uses the host project's DNS configuration. If the host project has custom DNS settings (e.g., using Cloud DNS or on-premises DNS), all service projects inherit those settings. A service project might try to use its own DNS, but it will be overridden. The symptom is that instances fail to resolve internal hostnames. The fix is to configure DNS in the host project. Exam questions may ask: "After migrating to Shared VPC, your on-premises servers can no longer be resolved by name. What is the remedy?"

Finally, consider the issue of subnet exhaustion. If a shared subnet runs out of IP addresses, new resources cannot be deployed. This is a planning issue, but during migration, it can surface if you underestimate the number of future resources. The symptom is that deployment fails with an error about insufficient IP addresses. The solution is to increase the subnet size or create additional subnets. In exams, this tests your understanding of CIDR planning and subnetting.

For network+ and CCNA, troubleshooting Shared VPC reinforces fundamental networking concepts like IP addressing, routing, and NAT. For cloud exams, it tests your practical ability to manage multi-project environments. Remembering these common issues and their fixes will greatly help in scenario-based questions.

migrating to and maintaining a Shared VPC requires careful planning and troubleshooting skills. Exams love to test these real-world scenarios, so practice with command-line tools and review the relevant documentation before test day.

Troubleshooting Clues

Service project cannot see shared subnets

Symptom: When trying to create a VM, the subnet list is empty or shows only non-shared subnets.

The subnet may not be shared with the service project, or the service project is not associated with the host project. The user may lack the compute.subnetworks.use permission.

Exam clue: Exams present this as: 'A developer in a service project cannot select any subnets for their VM. What is the most likely reason?' The answer is that the service project is not associated or IAM permissions are missing.

VMs in service project cannot access internet

Symptom: Instances have no external IP and cannot ping or reach external services.

The host project does not have a Cloud NAT or NAT gateway configured, or Private Google Access is not enabled on the shared subnet. Without these, instances without external IPs are isolated.

Exam clue: Exams often ask: 'Why can't my VM in a Shared VPC reach the internet?' The correct answer is that a NAT gateway is required, and it must be in the host project.

Firewall rules created by service project are ignored

Symptom: A user in a service project creates a firewall rule to allow SSH, but the VM is still unreachable.

In Google Cloud Shared VPC, all firewall rules must be created in the host project. Service projects do not have permission to create or modify firewall rules that affect shared subnets.

Exam clue: This is a classic exam trick: the user thinks their firewall rule should work, but they lack authority. The question: 'A team wants to allow HTTP traffic to their VMs in a Shared VPC. What should they do?' Answer: Request the host project admin to create the firewall rule.

DNS resolution fails for on-premises hosts

Symptom: VMs in service projects cannot resolve internal hostnames of on-premises servers, though they could before migration to Shared VPC.

Shared VPC uses the host project's DNS configuration. If the host project does not have a DNS zone or forwarding policy for on-premises, resolution fails. The service project cannot override this.

Exam clue: Exams test this by describing a scenario where after enabling Shared VPC, DNS breaks. The fix is to configure DNS in the host project (e.g., Cloud DNS forwarding).

Shared subnet runs out of IP addresses

Symptom: New VM deployments fail with an error: 'Insufficient IP addresses in subnet' or 'No available addresses'.

The subnet's CIDR range is too small for the number of resources being deployed. This usually happens when multiple service projects consume addresses without coordination.

Exam clue: Exams ask: 'What should you do to avoid subnet exhaustion in a Shared VPC?' The answer is to plan IP ranges carefully, use larger subnets, or create additional subnets with proper IP allocation.

Cross-project communication fails unexpectedly

Symptom: Two VMs in different service projects, both in the same Shared VPC, cannot ping each other.

Firewall rules in the host project may be blocking traffic between subnets or between service projects. By default, all traffic within a VPC is allowed, but explicit deny rules or misconfigured firewall rules can cause this.

Exam clue: Exams present this as a troubleshooting scenario: 'VMs in the same Shared VPC cannot communicate. What should you check?' The answer is to review the host project's firewall rules for any deny entries.

Unable to attach a service project to the host project

Symptom: When running gcloud compute shared-vpc associated-projects add, the command fails with a permissions error or project not found.

The user running the command does not have the Shared VPC Admin role (roles/compute.sharedVpcAdmin) on the host project, or the service project ID is incorrect. The service project must exist and be in the same organization.

Exam clue: Exams test this by asking: 'An administrator cannot attach a service project to a Shared VPC. What is the most likely cause?' The answer is insufficient IAM permissions.

Memory Tip

Think of 'Shared VPC' as 'Shared Building, Private Rooms', the central team manages the building (VPC), and each team gets a room (subnet) with their own key (IAM permissions).

Learn This Topic Fully

This glossary page explains what Shared VPC means. For a complete lesson with labs and practice, see the topic guide.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Related Glossary Terms

Quick Knowledge Check

1.In Google Cloud Shared VPC, which project is responsible for paying for a Cloud NAT gateway that provides internet access to VMs in all service projects?

2.A developer in a service project wants to create a firewall rule to allow inbound HTTPS traffic to their VM. What must they do?

3.You have just enabled a project as a Shared VPC host. What is the next step to allow a service project to use its subnets?

4.Which AWS service is used to share subnets from a VPC in one account with other accounts in the same organization?

5.An organization's VM in a Shared VPC service project cannot reach Google Cloud Storage APIs, even though it has no external IP. What is the most likely missing configuration?

6.After attaching a service project to a Shared VPC, a user reports they cannot see any shared subnets when trying to create a VM. What is the correct first troubleshooting step?