What Is Shared VPC in Networking?
On This Page
What do you want to do?
Quick Definition
A Shared VPC is like having a single private network that several different teams or projects can use at the same time. Each team gets their own space within that network, but everything is managed from one central place. This helps organizations keep their cloud resources organized, secure, and efficient without creating separate networks for every small project.
Common Commands & Configuration
gcloud compute shared-vpc enable host-project-idEnables the specified project as a Shared VPC host project on Google Cloud. This is the first step in setting up Shared VPC.
Exams test that you know this command is required before attaching service projects. Without this, the project cannot host a shared network.
gcloud compute shared-vpc associated-projects add service-project-id --host-project host-project-idAttaches a service project to an existing Shared VPC host project, allowing the service project to use the host's subnets.
Commonly asked: Which command adds a service project to a Shared VPC? The answer must include the --host-project flag.
gcloud compute shared-vpc list-associated-projects host-project-idLists all service projects currently associated with the specified Shared VPC host project. Useful for auditing.
Useful for troubleshooting: if a user claims they cannot access shared subnets, check this list first.
aws ram create-resource-share --name my-share --resource-arns arn:aws:ec2:us-east-1:123456789012:subnet/subnet-abc123 --principals arn:aws:organizations::123456789012:root/o-abc123In AWS, this command shares a subnet with another account using AWS Resource Access Manager. The resource-arn specifies the subnet, and principals specifies the target account or organization.
AWS exams test RAM commands for VPC sharing. You must know that you share subnets, not the entire VPC, and that the target must be in the same organization.
az network vnet peering create --name hub-to-spoke --resource-group hub-rg --vnet-name hub-vnet --remote-vnet spoke-vnet-id --allow-vnet-access --allow-forwarded-trafficCreates a VNet peering connection in Azure, which is the equivalent of enabling Shared VPC. The hub VNet acts as the central network, and spoke VNets connect to it.
For Azure exams, you must know that VNet peering is bi-directional (two peerings needed) and that allow-forwarded-traffic is required for route propagation.
gcloud compute networks subnets update my-subnet --region us-central1 --enable-private-ip-google-accessEnables Private Google Access on a shared subnet, allowing VMs in service projects to access Google services (e.g., Cloud Storage) without external IP addresses.
Exams love this: Without this flag, VMs in Shared VPC cannot reach Google APIs privately. It's a common troubleshooting step.
gcloud compute shared-vpc get-host-project service-project-idRetrieves the host project associated with a given service project. Useful for identifying which VPC a service project belongs to.
This command is often used in exam scenarios to determine if a project is correctly attached to a Shared VPC.
Shared VPC appears directly in 68exam-style practice questions in Courseiva's question bank — one of the most-tested concepts on Cisco CCNA. Practise them →
Must Know for Exams
Shared VPC appears across several major cloud certification exams because it tests a candidate's understanding of network architecture, governance, and security boundaries. For the AWS Cloud Practitioner exam, you will not be asked to configure Shared VPC, but you should understand that AWS Resource Access Manager allows sharing subnets across accounts within an organization. Questions may describe a scenario where a central network team wants to manage a VPC and allow multiple business units to launch resources, and you need to know that RAM is the correct service. It is a light supporting concept, meaning you should recognize the term and its basic purpose.
For the AWS Solutions Architect Associate (SAA-C03), Shared VPC is more prominent. You will encounter complex scenarios where you need to design a multi-account architecture. Questions may ask which networking model supports having a centralized VPC with subnets shared to multiple accounts while maintaining central control over route tables and security groups. The correct answer often involves AWS Resource Access Manager and a centralized VPC. You might also see questions about VPC peering versus Transit Gateway versus Shared VPC. The key nuance is that Shared VPC (via RAM) allows you to share subnets, while VPC peering connects entire VPCs. Understanding the difference is critical.
In Google Cloud exams (Google Cloud Digital Leader, Associate Cloud Engineer, Professional Cloud Architect), Shared VPC is a core topic because GCP implements it natively and elegantly. The exam objectives explicitly list Shared VPC under networking. You will be tested on the roles involved, particularly the Shared VPC Admin and Service Project Admin roles. Scenarios may involve an organization with multiple teams needing to use a common VPC for compliance. You need to know how to set up the host project, attach service projects, and grant subnet-level permissions. Questions may also compare Shared VPC with VPC Peering, and you need to explain why Shared VPC is preferred for centralized administration.
For Microsoft Azure exams (AZ-104, Azure Fundamentals), the concept is not called Shared VPC but is tested through hub-and-spoke VNet peering and Azure Virtual WAN. However, the core idea is the same: a central network team manages a hub VNet, and spoke VNets are connected to it. Questions may ask about how to implement forced tunneling, how to route traffic through a firewall, or how to share a VPN gateway across multiple spokes. Understanding that Azure does not have a native Shared VPC feature in the same way as GCP is important. The equivalent is achieved through VNet peering and route tables.
For non-cloud exams like CompTIA Network+ and Security+, Shared VPC is not directly tested because those exams focus on on-premises networking and general security concepts. However, the underlying principles of network segmentation, subnets, and centralized policy management are part of those exams. You might see questions about VLANs and their role in segmenting traffic, which is conceptually similar to how subnets work in a Shared VPC. For Security+, you might encounter scenarios about implementing a demilitarized zone (DMZ) in a cloud environment, and understanding VPC structure helps.
For CCNA, the focus is on routing and switching, and shared VPC in the cloud is tangential. But the exam does cover Virtual Routing and Forwarding (VRF), which is a similar concept of segmenting a single router into multiple virtual routers. That understanding can help you grasp Shared VPC faster. Overall, for cloud certifications, Shared VPC is a primary topic for Google Cloud and AWS, and it is also useful for Azure. You should memorize the specific service names, IAM roles, and architecture patterns for each provider.
Simple Meaning
Imagine a large office building that has one main hallway with many rooms off of it. The building owner (the central IT team) manages the hallway, the lights, the security cameras, and the main doors. Different departments, like sales, engineering, and human resources, each get their own room off that hallway. Each department can arrange their room however they like, put in their own furniture and equipment, and lock their door with their own key. But they all share the same hallway to get to their rooms. They do not need to build their own separate building or hallway. That is essentially what a Shared VPC does in the cloud.
In cloud computing, a VPC is your private section of the cloud. It is a logically isolated network where you launch your virtual machines, databases, and other services. Normally, each project or team would create their own VPC, which is like building their own separate building. That works, but it can get expensive and hard to manage. With a Shared VPC, you create one central VPC (the hallway), and then you allow other projects or teams to use parts of that VPC (the rooms). They can create their own resources inside the shared network, but they do not have to worry about setting up the network itself.
Think of it this way: the central IT team sets up the router, the firewall rules, the VPN connection to the on-premises data center, and the internet gateway. That is like building the hallway, installing the main security system, and connecting to the outside world. Then, each team gets a subnet, which is like their room. A subnet is a smaller section of the VPC with its own range of IP addresses. The team can put their servers and other resources inside their subnet. They can also set their own security rules for their subnet, like deciding who can come into their room. But they do not have to manage the main doors to the building or the hallway lights.
This model is very popular in large organizations where many different teams need to use cloud resources. It saves money because you only pay for one VPC instead of many. It also makes security simpler because the central team can enforce policies for the entire network, like blocking traffic from the internet. At the same time, individual teams can still control who can access their own resources. This balance between central control and team autonomy is why Shared VPC is so widely used in cloud environments like Amazon Web Services, Google Cloud, and Microsoft Azure.
Full Technical Definition
A Shared VPC (Virtual Private Cloud) is a networking model in cloud computing that allows an organization to centrally manage a single VPC network while delegating administrative control over its subnets to multiple projects, accounts, or service consumers. This architecture enables resource isolation, policy enforcement, and efficient IP address utilization across different business units without requiring each unit to create and manage its own VPC. The concept is implemented slightly differently across major cloud providers, but the core principles remain consistent.
In Google Cloud Platform (GCP), a Shared VPC is created using a host project that contains one or more VPC networks. The host project then attaches service projects to it, allowing those service projects to create resources (like Compute Engine instances, GKE clusters, or Cloud SQL instances) within the subnets of the host VPC. Access is controlled through Identity and Access Management (IAM) roles. The Shared VPC Admin (roles/compute.xpnAdmin) manages the host project and assigns subnet-level permissions. Service project users can then use those subnets but cannot modify the VPC itself. This is critical for compliance and boundary control. The underlying technology uses Virtual Extensible LAN (VXLAN) for network isolation and encapsulation, ensuring that traffic between different projects within the same VPC is secure and isolated at Layer 2.
In Amazon Web Services (AWS), the analogous concept is often implemented through a centralized VPC with shared subnets, frequently using AWS Organizations and AWS Resource Access Manager (RAM). An organization designates a VPC in a specific account (the host account) and then shares its subnets with other accounts within the organization using RAM. Those consuming accounts can then launch EC2 instances, RDS databases, or Lambda functions into the shared subnets. However, unlike GCP's Shared VPC, AWS's shared subnet model does not allow the consumer accounts to manage the VPC's route tables or security group rules centrally; those remain under the purview of the VPC owner. AWS Transit Gateway is often added to this architecture to enable communication between multiple shared VPCs or with on-premises networks. The protocols involved include VPC peering (Layer 3 connectivity) and AWS PrivateLink for private access to services.
In Microsoft Azure, the equivalent is often called VNet Peering with centralized hub-and-spoke architecture, or using Azure Virtual WAN. The hub VNet is owned by a central IT team, and spoke VNets are owned by individual teams. VNet Peering connects spoke VNets to the hub, allowing traffic to flow through centrally managed firewalls or Network Virtual Appliances (NVAs). This is not technically a single VPC being shared, but it achieves the same goal: centralized control with decentralized resource creation. Azure also offers Azure Private Link and service endpoints for secure access. The Azure implementation relies on software-defined networking and NVAs for routing and policy enforcement.
Key components of a Shared VPC include: the host project or account, service projects or consumer accounts, subnets with CIDR ranges, IAM roles (such as Network Admin, Security Admin, or Subnet-level roles), route tables, firewall rules (both centralized and delegated), and VPC flow logs for monitoring. Standards such as RFC 1918 define the private IP address ranges used within the VPC. Traffic within the VPC is typically encrypted using protocols like IPsec if connecting on-premises, or Google's internal encryption at rest and in transit. Service Level Agreements (SLAs) for VPCs typically guarantee 99.99% uptime for the control plane.
Real IT implementation involves careful planning of IP address space to avoid overlap between subnets and to allow for future growth. Organizations often use a /16 CIDR block (65,536 IP addresses) for the VPC and divide it into /23 or /24 subnets for individual teams. Central IT configures route tables to direct traffic to a shared firewall or intrusion detection system. Security groups and network ACLs are used at the subnet level and instance level. In a Shared VPC, the host project can enforce firewall rules that cannot be overridden by service projects, ensuring compliance with corporate security policies. This is particularly important for regulated industries like finance and healthcare.
For exam purposes, it is essential to understand that Shared VPC does not mean that all resources are in one flat network; it means that the VPC's lifecycle and core configuration are managed centrally while resource creation is delegated. Questions often test the distinction between who manages what, the IAM roles involved, and how traffic flows between different projects within the same Shared VPC. Understanding the specific implementation differences between AWS, GCP, and Azure is crucial for cloud certification exams.
Real-Life Example
Think of Shared VPC like a large apartment complex. The building owner (central IT) owns the entire building, including the lobby, the hallways, the elevator, and the main entrance. The owner also handles the building's internet connection, the security cameras in the lobby, and the contracts with the utility companies. Now, each apartment in the building is rented by a different tenant (a team or project). Each tenant can decorate their own apartment however they like, install furniture, connect their own Wi-Fi router inside their apartment, and lock their door. But they do not have to worry about the main entrance, the elevator, or the building's plumbing and electricity. Those are managed by the building owner.
In this analogy, the building is the VPC, the lobby is the internet gateway, the hallways are the routes that connect everything, and each apartment is a subnet. The tenants (teams) can bring in their own servers and resources into their apartment (subnet), but they do not need to build their own separate building. They benefit from the shared utilities like the internet connection and the security cameras. However, the building owner can also set rules. For example, the owner can say that no one can have a barbecue on their balcony because it's a fire hazard (a security rule). That rule applies to all tenants. The tenants can add their own rules inside their apartment, like not allowing guests after 10 PM, but they cannot change the building's no-barbecue rule.
Now, imagine that the building owner also keeps a spare key to every apartment. That is like the central IT team having administrative access to all resources if needed. But in a well-run Shared VPC, the owner only uses that key for emergencies, like a water leak. Typically, each tenant manages their own resources and only the central team manages the building's structure. This model saves money because you only rent one building instead of many. It also makes it easier to secure the building because everyone comes through the same secure entrance, and the owner can monitor who comes and goes. In the cloud, this means lower costs, easier compliance, and less administrative overhead for individual teams.
One challenge is that tenants might accidentally disturb each other. For example, if one tenant runs a very noisy party (heavy network traffic), it could affect the internet speed for others. In a cloud Shared VPC, this is handled by network traffic shaping and monitoring. Another challenge is that if the building owner makes a mistake, like turning off the main water supply, everyone is affected. So the central IT team must be very careful with their configurations. Overall, the apartment complex model is a practical and efficient way to manage shared infrastructure, and that is why Shared VPC is so popular in large organizations.
Why This Term Matters
Shared VPC matters because it solves a fundamental problem in cloud adoption: how to give individual teams or departments the freedom to create and manage their own cloud resources while maintaining central control over the network, security, and costs. Without Shared VPC, each team would create their own isolated VPC. This leads to a sprawl of networks, each with its own routing tables, firewall rules, and internet gateways. Managing that many VPCs quickly becomes a nightmare. Security policies are hard to enforce consistently, IP address ranges start overlapping, and costs skyrocket because you are paying for multiple redundant networking components like VPN gateways and NAT gateways.
From a practical IT perspective, Shared VPC enables the principle of least privilege. The central network team can give each team just enough access to the network parts they need, without giving them full control over the infrastructure. This aligns with the security best practice of separating duties. For example, a developer can launch a virtual machine into a subnet without ever being able to modify the route table that controls traffic to the database. This reduces the risk of misconfiguration that could bring down the entire network.
Another reason Shared VPC matters is cost efficiency. In cloud billing, you pay for each VPC's networking components. If you have 50 teams each running their own VPC, you might have 50 NAT gateways, 50 VPN connections, and 50 sets of flow logs. With Shared VPC, you typically have one NAT gateway for all teams, one VPN tunnel to your on-premises data center, and one set of flow logs monitored by the central team. The savings can be significant, especially in large enterprises.
Finally, Shared VPC is a key enabler for multi-account or multi-project strategies. In AWS, using AWS Organizations, you can structure your accounts into a hierarchy of management, core, and workload accounts. Shared VPC using RAM allows workload accounts to use networks owned by the core account, making it easy to standardize on a single network architecture. In GCP, the host project can be the central infrastructure project, and all development, staging, and production projects can attach to it. This creates a clean separation of concerns and simplifies audit trails. For any IT professional working in cloud environments, understanding Shared VPC is no longer optional; it is a core skill for designing scalable, secure, and cost-effective network architectures.
How It Appears in Exam Questions
Exam questions about Shared VPC typically fall into three categories: scenario-based architecture decisions, configuration of IAM roles and permissions, and troubleshooting connectivity issues. In scenario-based questions, you are given a company with multiple business units. Each unit needs to launch resources, but the network must be managed centrally to enforce security policies. You might be asked which service to use. On AWS, the options could be VPC Peering, Transit Gateway, or Resource Access Manager. The correct answer is RAM because it allows subnet sharing. On GCP, the options might be Shared VPC, VPC Peering, or a separate VPC per project. The correct answer is Shared VPC.
Configuration questions will test your knowledge of the specific steps and requirements. For example, a GCP question might ask: 'An organization wants to allow Project B to use a subnet from Project A's VPC. What is the first step?' The answer is to enable a Shared VPC in Project A (the host project) and then attach Project B as a service project. Another question might ask which IAM role allows a user to create instances in a Shared VPC subnet but not delete the subnet. The answer is roles/compute.networkUser at the subnet level.
Troubleshooting questions often involve connectivity issues. For instance, a question might say: 'An administrator created a Shared VPC in GCP and attached two service projects. Instances in one service project cannot communicate with instances in the other service project, even though they are in the same VPC. What is the most likely cause?' The answer might be that firewall rules are blocking the traffic, or that both subnets are using overlapping CIDR ranges. Another common issue is that the service project users have not been granted the necessary IAM permissions to use the subnet. The question might give a scenario where a developer gets a permission denied error when trying to launch an instance in a shared subnet, and you need to identify that the subnet-level IAM role is missing.
In AWS, a typical troubleshooting question might involve a company using RAM to share a subnet from a central VPC to another account. The consumer account can launch an EC2 instance, but it cannot reach the internet. You need to identify that the central VPC's route table does not have a route to a NAT gateway, or that the security group in the consumer account is blocking outbound traffic. Another pattern is that the consumer account cannot see the shared subnet in the VPC console, which means the RAM share has not been accepted or the subnet is not in the same region.
Azure questions often involve VNet peering and routing. A question might describe a hub VNet with a firewall and multiple spoke VNets. Traffic from a spoke to the internet is not working. The solution is to configure User-Defined Routes (UDRs) in the spoke VNet to force traffic through the hub firewall. Questions also test the difference between service endpoints and private endpoints, both of which are used in shared network architectures.
Finally, some questions test the conceptual distinction between Shared VPC and other networking models. For example, a question may ask: 'Which model allows multiple projects to use the same VPC while the VPC's lifecycle is managed by a single central admin?' The answer is Shared VPC. Another question may ask: 'Which model allows complete isolation between VPCs but still enables connectivity?' The answer is VPC Peering. Understanding these distinctions is key to getting the right answer. Practice exams should include a mix of these question types.
Practise Shared VPC Questions
Test your understanding with exam-style practice questions.
Example Scenario
A company called CloudRetail Inc. has three teams: Web, Database, and Analytics. Each team needs to deploy cloud resources like virtual machines and storage. The company's security policy requires that all traffic from the internet goes through a central firewall, and all outbound traffic to the internet must use a single NAT gateway. The network team wants to manage these central components, while each team should be able to launch their own resources independently.
In the past, each team created their own VPC, which resulted in three separate internet gateways, three separate NAT gateways, and three sets of firewall rules. The network team could not enforce consistent security policies, and costs were high. The company decides to implement a Shared VPC.
The network team creates one VPC in a central project (the host project) with a CIDR block of 10.0.0.0/16. They create three subnets: Web-Subnet (10.0.1.0/24), DB-Subnet (10.0.2.0/24), and Analytics-Subnet (10.0.3.0/24). They attach a single internet gateway and a single NAT gateway in the VPC. They configure firewall rules that allow only HTTP and HTTPS traffic from the internet to the Web-Subnet, and they block all inbound traffic from the internet to the DB-Subnet and Analytics-Subnet. These rules are enforced centrally and cannot be overridden by the teams.
Then, the network team uses the Shared VPC feature to attach the three teams' projects as service projects. They grant each team the IAM role to use their specific subnet but not to modify the VPC or the central firewall rules. Now, the Web team can launch web servers in the Web-Subnet. The Database team can launch database servers in the DB-Subnet, which has no public internet access. The Analytics team can launch analytics instances in the Analytics-Subnet, which also has no public access but can reach out to the internet through the NAT gateway.
The teams no longer worry about network setup. They focus on their applications. The network team is happy because they have full visibility and control. The company saves money because they pay for only one NAT gateway and one internet gateway instead of three. If a new team joins, the network team just creates a new subnet and attaches the project. This scenario exactly reflects the power of Shared VPC in real-world cloud adoption.
Common Mistakes
Confusing Shared VPC with VPC Peering.
VPC Peering connects two separate VPCs, allowing traffic to flow between them, but each VPC remains independently managed. Shared VPC is a single VPC that is used by multiple projects, with central management. They are different architectures.
Think of Shared VPC as one house with many rooms, and VPC Peering as two separate houses connected by a bridge.
Assuming all cloud providers implement Shared VPC the same way.
Google Cloud uses the host project/service project model with dedicated Shared VPC roles. AWS uses Resource Access Manager to share subnets across accounts but does not have a single concept called 'Shared VPC'. Azure uses VNet peering with hub-spoke, which is functionally similar but not the same. Assuming uniformity leads to incorrect answers.
Study each provider's specific implementation, terminology, and limitations separately.
Thinking that service projects can manage the VPC's route tables or firewall rules.
In a Shared VPC, only the host project admin can modify core network components like route tables, firewall rules, and subnets. Service project users can only launch resources into the subnets they are given access to. Granting them more access would defeat the purpose of centralized control.
Remember that Shared VPC separates network management from resource management. Service project admins manage resources, not the network.
Overlooking IP address planning when creating a Shared VPC.
If the VPC's CIDR block is too small, you will run out of IP addresses for future subnets. If you use overlapping CIDR ranges across projects, routing will break. Many organizations fail to plan for growth and have to re-IP later.
Start with a large CIDR block like /16, and allocate subnets conservatively, leaving room for expansion. Use a formal IP address management (IPAM) process.
Believing that Shared VPC implies all resources in the same security domain.
Even within a Shared VPC, you can (and should) isolate subnets using firewall rules and security groups. A shared VPC does not automatically open all traffic between projects. You must explicitly configure firewall rules to allow inter-subnet traffic if needed.
Always design security groups and firewall rules to enforce least privilege, even inside a Shared VPC. Treat each subnet as its own trust boundary unless a specific need for cross-subnet traffic exists.
Exam Trap — Don't Get Fooled
{"trap":"The exam asks: 'You want to allow two different AWS accounts to use the same VPC, but each account should manage its own security groups. What should you do?' Some learners incorrectly choose VPC Peering because it is a common networking feature."
,"why_learners_choose_it":"Learners often associate VPC Peering with connecting multiple accounts and think it is the only way to share a network. They also know that VPC Peering allows traffic between resources in different VPCs, so they assume it fits the requirement.","how_to_avoid_it":"Read the question carefully.
The key phrase is 'use the same VPC'. VPC Peering connects two separate VPCs. Shared VPC via Resource Access Manager allows multiple accounts to use subnets from the same VPC. Security groups in a Shared VPC can be managed by each account if they have the correct permissions, but the VPC itself remains centrally owned.
The correct answer is to share the VPC's subnets via RAM and then let each account create resources in the shared subnets."
Commonly Confused With
VPC Peering is a direct network connection between two separate VPCs. It allows traffic between them using private IP addresses, but each VPC remains independently managed. Shared VPC is a single VPC that multiple projects use, with central management. VPC Peering is used for connecting isolated VPCs, while Shared VPC is used for consolidating networking within one VPC.
Think of VPC Peering as two separate apartment buildings connected by a skybridge. Shared VPC is one apartment building with multiple units.
Transit Gateway is a central hub that connects multiple VPCs and on-premises networks together. It is a routing service, not a VPC itself. Shared VPC gives you a single VPC, while Transit Gateway connects many VPCs. Transit Gateway is used when you need to connect many independent networks, whereas Shared VPC is used when you want one network shared by many projects.
Transit Gateway is like a central train station connecting many different cities. Shared VPC is one city with many neighborhoods.
A VPC Endpoint (either Gateway or Interface Endpoint) allows you to privately connect your VPC to AWS services like S3 or DynamoDB without going through the internet. It is a feature you can use inside a VPC, not a way to share a VPC. Shared VPC is about multiple accounts using one VPC, while an endpoint is about accessing services privately within your VPC.
A VPC Endpoint is like having a private door in your building that leads directly to the grocery store, so you don't have to go outside. Shared VPC is about having many apartments in that building.
A multi-account strategy is the practice of using multiple cloud accounts to separate environments (dev, test, prod) or business units. Shared VPC is a networking model that can be part of a multi-account strategy, but it is not the same thing. You can have a multi-account strategy without Shared VPC (each account has its own VPC), and you can have Shared VPC within a single account with multiple projects.
Multi-account strategy is like having three separate buildings for different departments. Shared VPC is like having one building with separate rooms for each department.
Step-by-Step Breakdown
Plan IP Address Space
The first step is to decide the overall IP range for the Shared VPC. Typically, you choose a large CIDR block like 10.0.0.0/16 (65,536 addresses). This range must not overlap with your on-premises network if you plan to connect via VPN or Direct Connect. Planning ahead prevents future re-IP headaches.
Create the Host Project (GCP) or Central Account (AWS)
In GCP, you designate a project as the host project. In AWS, you choose an account (often the Network account) that will own the VPC. This project or account becomes the owner of the Shared VPC network. All central networking components will be created here.
Create the VPC and Subnets
Inside the host project, you create a VPC and define subnets. Each subnet should be sized appropriately for the teams that will use it. For example, /24 subnets (256 addresses) for smaller teams, /23 (512 addresses) for larger teams. You also create an internet gateway and a NAT gateway if needed.
Configure Central Firewall Rules and Route Tables
The host project admin sets up firewall rules that apply to all subnets. For example, you might block all inbound traffic from the internet except to a specific subnet. Route tables are configured to direct traffic through the NAT gateway or VPN. These rules are centrally enforced and cannot be modified by service projects.
Attach Service Projects (GCP) or Share Subnets (AWS)
In GCP, you attach service projects to the host project using the Shared VPC Admin console or gcloud command. In AWS, you use Resource Access Manager to share the subnets with other accounts in your organization. The service projects or consumer accounts can now see the shared subnets.
Grant IAM Permissions at Subnet Level
You assign specific IAM roles to users or service accounts in the service projects. In GCP, you typically grant roles/compute.networkUser on a subnet to allow launching instances. In AWS, you can use RAM to share with specific IAM roles or accounts. This step ensures that only authorized entities can use the subnets.
Test Connectivity and Deploy Resources
Teams in service projects can now launch virtual machines, databases, or containers into the shared subnets. The host project admin should test that traffic flows correctly, that internet access works (or is blocked) as intended, and that inter-subnet communication follows the firewall rules. Monitoring and logging should be enabled for visibility.
Manage and Audit
Ongoing management includes monitoring VPC flow logs, adjusting subnet sizes if teams grow, and auditing IAM permissions. The host project admin should regularly review which service projects are attached and whether they still need access. This step ensures the Shared VPC remains secure and efficient over time.
Practical Mini-Lesson
Shared VPC is a design pattern that every cloud professional should master because it directly impacts security, cost, and operational efficiency. In practice, setting up a Shared VPC is not just about clicking a button; it involves careful planning and understanding of the cloud provider's specific features. Let us walk through a real-world implementation on Google Cloud, as it is the most native implementation.
Start by creating a dedicated project that will serve as the host project. Name it something like 'prod-shared-networking'. In this project, create a VPC with a custom mode so you can manually create subnets. Avoid auto-mode because it uses non-RFC 1918 addresses and can conflict with on-premises IPs. Choose a CIDR block that is large enough, such as 10.0.0.0/16. Then, create subnets for each environment: 10.0.1.0/24 for dev, 10.0.2.0/24 for staging, 10.0.3.0/24 for production. Each subnet should be in a different zone for high availability. Also create a subnet for shared services like Active Directory or monitoring tools.
Next, create a firewall rule that blocks all incoming traffic from the internet except to a bastion host subnet. Create another rule that allows SSH from the bastion host to all other subnets. Configure the route table to have a default route (0.0.0.0/0) pointing to a centralized NAT gateway, which you also create in the host project. If you have an on-premises connection, add a route to the on-premises network through the VPN gateway.
Now, attach service projects. For example, a project called 'team-alpha-app' should be attached as a service project. Then, navigate to the subnet you want to share, and grant the service project's service account the role 'Compute Network User' (roles/compute.networkUser). You can do this at the subnet level for granularity. This allows users in team-alpha-app to see the subnet and create resources in it. They cannot delete the subnet or modify firewall rules.
What can go wrong? One common issue is that the service project users cannot see the subnet in the console if the project has not been enabled for Compute Engine API. Another issue is that they get permission errors if the IAM role is not propagated. Also, if you try to create a resource that requires a static IP, the service project may not have the compute.addresses.create permission on the shared subnet. You must ensure that the service project has the necessary compute permissions for the specific actions.
Another pitfall is overlapping firewall rules. The host project's firewall rules are evaluated before any firewall rules in the service project. If the host project blocks all inbound traffic, service project rules cannot override it. This is intentional for security, but it can cause confusion. Always test with a simple ping or SSH session.
Monitoring is crucial. Enable VPC flow logs on the shared subnets to capture traffic metadata. These logs are stored in the host project, and the central network team can analyze them for security incidents. Also configure alerts for any suspicious traffic patterns.
Shared VPC in practice is about balancing central control with team autonomy. The central team owns the network backbone, while teams own their applications. This model is used by most large enterprises adopting Google Cloud, and it is a cornerstone of the Google Cloud Well-Architected Framework's networking pillar. Understanding the IAM model, subnet delegation, and firewall rule precedence is essential for any cloud administrator.
Troubleshooting Clues
Service project cannot see shared subnets
Symptom: When trying to create a VM, the subnet list is empty or shows only non-shared subnets.
The subnet may not be shared with the service project, or the service project is not associated with the host project. The user may lack the compute.subnetworks.use permission.
Exam clue: Exams present this as: 'A developer in a service project cannot select any subnets for their VM. What is the most likely reason?' The answer is that the service project is not associated or IAM permissions are missing.
VMs in service project cannot access internet
Symptom: Instances have no external IP and cannot ping or reach external services.
The host project does not have a Cloud NAT or NAT gateway configured, or Private Google Access is not enabled on the shared subnet. Without these, instances without external IPs are isolated.
Exam clue: Exams often ask: 'Why can't my VM in a Shared VPC reach the internet?' The correct answer is that a NAT gateway is required, and it must be in the host project.
Firewall rules created by service project are ignored
Symptom: A user in a service project creates a firewall rule to allow SSH, but the VM is still unreachable.
In Google Cloud Shared VPC, all firewall rules must be created in the host project. Service projects do not have permission to create or modify firewall rules that affect shared subnets.
Exam clue: This is a classic exam trick: the user thinks their firewall rule should work, but they lack authority. The question: 'A team wants to allow HTTP traffic to their VMs in a Shared VPC. What should they do?' Answer: Request the host project admin to create the firewall rule.
DNS resolution fails for on-premises hosts
Symptom: VMs in service projects cannot resolve internal hostnames of on-premises servers, though they could before migration to Shared VPC.
Shared VPC uses the host project's DNS configuration. If the host project does not have a DNS zone or forwarding policy for on-premises, resolution fails. The service project cannot override this.
Exam clue: Exams test this by describing a scenario where after enabling Shared VPC, DNS breaks. The fix is to configure DNS in the host project (e.g., Cloud DNS forwarding).
Shared subnet runs out of IP addresses
Symptom: New VM deployments fail with an error: 'Insufficient IP addresses in subnet' or 'No available addresses'.
The subnet's CIDR range is too small for the number of resources being deployed. This usually happens when multiple service projects consume addresses without coordination.
Exam clue: Exams ask: 'What should you do to avoid subnet exhaustion in a Shared VPC?' The answer is to plan IP ranges carefully, use larger subnets, or create additional subnets with proper IP allocation.
Cross-project communication fails unexpectedly
Symptom: Two VMs in different service projects, both in the same Shared VPC, cannot ping each other.
Firewall rules in the host project may be blocking traffic between subnets or between service projects. By default, all traffic within a VPC is allowed, but explicit deny rules or misconfigured firewall rules can cause this.
Exam clue: Exams present this as a troubleshooting scenario: 'VMs in the same Shared VPC cannot communicate. What should you check?' The answer is to review the host project's firewall rules for any deny entries.
Unable to attach a service project to the host project
Symptom: When running gcloud compute shared-vpc associated-projects add, the command fails with a permissions error or project not found.
The user running the command does not have the Shared VPC Admin role (roles/compute.sharedVpcAdmin) on the host project, or the service project ID is incorrect. The service project must exist and be in the same organization.
Exam clue: Exams test this by asking: 'An administrator cannot attach a service project to a Shared VPC. What is the most likely cause?' The answer is insufficient IAM permissions.
Memory Tip
Think of 'Shared VPC' as 'Shared Building, Private Rooms', the central team manages the building (VPC), and each team gets a room (subnet) with their own key (IAM permissions).
Learn This Topic Fully
This glossary page explains what Shared VPC means. For a complete lesson with labs and practice, see the topic guide.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
SY0-701CompTIA Security+ →CLF-C02CLF-C02 →200-301Cisco CCNA →N10-009CompTIA Network+ →AZ-104AZ-104 →ACEGoogle ACE →CDLGoogle CDL →PCAGoogle PCA →AZ-900AZ-900 →SAA-C03SAA-C03 →DVA-C02DVA-C02 →220-1101CompTIA A+ Core 1 →Related Glossary Terms
A 2-in-1 laptop is a portable computer that can switch between a traditional laptop form and a tablet form, usually by detaching or rotating the keyboard.
The 24-pin motherboard connector is the main power cable that connects the computer's power supply unit (PSU) to the motherboard, supplying electricity to the motherboard and its components.
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
A 3D printer is a device that creates physical objects by depositing layers of material based on a digital model.
5G is the fifth generation of cellular network technology, designed to deliver faster speeds, lower latency, and support for many more connected devices than previous generations.
The 8-pin CPU connector is a power cable from the power supply that delivers dedicated electricity to the processor on a computer's motherboard.
802.1Q is the networking standard that allows multiple virtual LANs (VLANs) to share a single physical network link by tagging Ethernet frames with VLAN identification information.
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
Quick Knowledge Check
1.In Google Cloud Shared VPC, which project is responsible for paying for a Cloud NAT gateway that provides internet access to VMs in all service projects?
2.A developer in a service project wants to create a firewall rule to allow inbound HTTPS traffic to their VM. What must they do?
3.You have just enabled a project as a Shared VPC host. What is the next step to allow a service project to use its subnets?
4.Which AWS service is used to share subnets from a VPC in one account with other accounts in the same organization?
5.An organization's VM in a Shared VPC service project cannot reach Google Cloud Storage APIs, even though it has no external IP. What is the most likely missing configuration?
6.After attaching a service project to a Shared VPC, a user reports they cannot see any shared subnets when trying to create a VM. What is the correct first troubleshooting step?