This chapter covers VPC Peering and Shared VPC, two fundamental networking connectivity models in Google Cloud. Understanding when to use each is critical for the ACE exam, as questions on this topic appear in roughly 5-8% of the exam, often in scenario-based form. You'll learn the internal mechanisms, default limits, configuration steps, and key differences that the exam tests. By the end, you'll be able to choose the right model for any given requirement.
Jump to a section
Imagine two companies in the same city: Company A operates from a single office building with multiple floors, while Company B has two separate buildings across town. In Company A's building, internal departments (projects) on different floors can share a common elevator bank and lobby (the Shared VPC host project's network). Each department gets its own floor (service project) but uses the same main entrance, security desk (firewall rules), and internal mail system (internal DNS). This is efficient because the company only pays for one building's maintenance (VPC management) and can easily add new floors (service projects) without new external infrastructure. Company B, on the other hand, has two separate buildings. To allow employees from Building 1 to visit Building 2, they must walk outside and enter the other building's separate lobby (VPC Peering). Each building has its own security desk, so visitors need separate badges (firewall rules). The walk between buildings is like network latency across peering links. If Building 1 wants to share a conference room (subnet) with Building 2, they can't—each building has its own conference rooms. They'd have to build a dedicated hallway (peering connection) between them, but that hallway doesn't allow them to share the same physical resources. The key difference: in Shared VPC, all projects are tenants in one building; in VPC Peering, each project has its own building with a dedicated external connection.
What VPC Peering Is and Why It Exists
VPC Peering is a networking connection that allows two VPC networks (in the same or different projects, even across organizations) to communicate using internal RFC 1918 IP addresses. It is not a VPN or a gateway; it is a direct layer-3 connection that routes traffic between the two VPCs without traversing the public internet. The primary use case is connecting independently managed VPCs that need to exchange traffic—for example, a production VPC in one project and a database VPC in another.
How VPC Peering Works Internally
When you create a VPC peering connection from VPC A to VPC B, Google Cloud's Andromeda software-defined networking (SDN) stack installs routing rules in both VPCs. Specifically, each VPC learns the subnets of the peered VPC as if they were directly connected subnets. This is not a BGP-based route exchange; it is an implicit route advertisement. The routes are automatically generated and have a priority of 1000 (default). Traffic between peered VPCs flows through Google's internal backbone, not over the internet. The connection is stateful at the firewall level—if VPC A initiates a connection to VPC B, return traffic is allowed automatically. However, firewall rules in both VPCs must permit the traffic; peering alone does not open any ports.
Key Components, Values, and Defaults
Peering connection: A unidirectional relationship. You must create a peering connection from VPC A to VPC B, and then from VPC B to VPC A for bidirectional communication. This is often called 'active peering' on both sides.
Subnet overlap: VPCs with overlapping CIDR ranges cannot be peered. The ranges must be unique across all peered VPCs. The exam tests this heavily—if two VPCs use 10.0.0.0/16, peering will fail with an error.
Transitive peering: Not supported. If VPC A is peered with VPC B, and VPC B is peered with VPC C, VPC A cannot communicate with VPC C through VPC B. This is a common exam trap.
Maximum peering connections per VPC: 25 (default, can be increased by quota request).
Export/Import custom routes: Optional feature that allows you to exchange custom dynamic routes (e.g., from Cloud VPN or Cloud Router) across the peering. By default, only subnet routes are exchanged.
DNS: By default, peered VPCs cannot resolve each other's internal DNS names. You must use DNS peering or Cloud DNS forwarding to enable name resolution.
Latency: Peering adds minimal latency (sub-millisecond) because traffic stays within Google's network.
Cost: Egress traffic between peered VPCs is charged at the VPC Peering egress rate, which is lower than internet egress but higher than internal traffic within the same VPC.
Configuration and Verification Commands
To create a VPC peering connection using gcloud:
gcloud compute networks peerings create PEERING_NAME \
--network=VPC_A \
--peer-project=PROJECT_B \
--peer-network=VPC_B \
--auto-create-routesOn the other side (VPC B):
gcloud compute networks peerings create PEERING_NAME \
--network=VPC_B \
--peer-project=PROJECT_A \
--peer-network=VPC_A \
--auto-create-routesVerification commands:
gcloud compute networks peerings list --network=VPC_A
gcloud compute networks peerings describe PEERING_NAME --network=VPC_AYou can also check routes:
gcloud compute routes list --project=PROJECT_ALook for routes with nextHopPeering set to the peering name.
How VPC Peering Interacts with Related Technologies
Cloud VPN: You can peer a VPC with another VPC that has a Cloud VPN tunnel to on-premises. However, the on-premises routes are not automatically propagated across the peering unless you enable custom route export/import.
Firewall Rules: Each VPC has its own firewall rules. Peering does not merge firewall policies. You must ensure that both VPCs have ingress rules allowing traffic from the peered VPC's subnets.
Private Google Access: Works independently in each VPC. Peered VPCs do not inherit Private Google Access from each other.
VPC Flow Logs: Can be enabled per subnet in each VPC, independent of peering.
What Shared VPC Is and Why It Exists
Shared VPC (formerly called 'XPN') allows an organization to create a common VPC network in a host project and share its subnets with service projects. This is ideal for centralized network administration, where a network team manages the VPC, firewall rules, and VPN connections, while application teams deploy resources in their own service projects using the shared subnets. Shared VPC is an organizational policy feature that requires an organization node (Google Workspace or Cloud Identity).
How Shared VPC Works Internally
A Shared VPC consists of one host project and one or more service projects. The host project owns the VPC, subnets, firewall rules, and routes. Service projects are attached to the host project and are granted access to specific subnets via IAM roles (e.g., compute.networkUser). When a user in a service project creates a VM, they select a subnet from the host project. The VM's VNIC is attached to that subnet, and the VM's internal IP is allocated from the subnet's CIDR. From a network perspective, all VMs in the Shared VPC (across service projects) are in the same L2 domain (if in the same subnet) or can communicate via routing (if in different subnets). Firewall rules are defined in the host project and apply to all VMs, regardless of service project.
Key Components, Values, and Defaults
- Host project: Must have an organization policy. You cannot create a Shared VPC without an organization node.
- Service projects: Can be in the same or different organization (if allowed by policy).
- Subnet sharing: You can share all subnets or selected subnets. IAM roles at the subnet level control which service projects can use which subnets.
- IAM roles:
- roles/compute.xpnAdmin – administer Shared VPC (host project).
- roles/compute.networkUser – allows a service project to use subnets (granted at host project or subnet level).
- roles/compute.securityAdmin – manage firewall rules in host project.
- Maximum number of service projects per host project: 1000 (default quota).
- Maximum number of subnets per VPC: 1000 (default).
- Resource isolation: VMs in different service projects but same subnet can communicate directly without any additional peering. They share the same broadcast domain.
- Firewall rules: Defined in host project; apply to all VMs in the Shared VPC. Service projects cannot create their own firewall rules that affect the shared VPC (unless granted appropriate IAM).
- Cost: There is no additional charge for using Shared VPC. You pay for the resources (VMs, etc.) in the service projects and the network resources (VPN, etc.) in the host project.
Configuration and Verification Commands
To enable a host project:
gcloud compute shared-vpc enable HOST_PROJECT_IDTo attach a service project:
gcloud compute shared-vpc associated-projects add SERVICE_PROJECT_ID \
--host-project HOST_PROJECT_IDTo grant a service project access to a subnet:
gcloud compute networks subnets update SUBNET_NAME \
--region=REGION \
--add-iam-member=serviceAccount:SERVICE_PROJECT_NUMBER@cloudservices.gserviceaccount.com \
--role=roles/compute.networkUserVerification:
gcloud compute shared-vpc list-associated-projects HOST_PROJECT_ID
gcloud compute networks subnets get-iam-policy SUBNET_NAME --region=REGIONHow Shared VPC Interacts with Related Technologies
Cloud NAT: Can be configured in the host project to provide outbound internet access for all VMs in the Shared VPC.
Cloud VPN/Direct Interconnect: Terminated in the host project. All service projects benefit from the VPN connection to on-premises.
Private Google Access: Enabled per subnet in the host project; all VMs on that subnet can access Google APIs privately.
VPC Flow Logs: Enabled per subnet in the host project; logs are written to the host project.
Firewall Rules: Centralized in host project. Service projects can view but not modify (unless granted compute.securityAdmin).
Comparison Summary
VPC Peering is for connecting independent VPCs with potential organizational boundaries, while Shared VPC is for centralizing network management within an organization. The exam will ask you to choose between them based on requirements like centralized firewall management, subnet sharing, transitive peering needs, and organizational structure.
Identify Organizational Requirements
Before choosing between VPC Peering and Shared VPC, assess the organizational structure and network management model. If the organization has a centralized network team that needs to control all network resources (firewall rules, VPNs, NAT) across multiple projects, Shared VPC is the right choice. If projects are managed independently with separate network teams and only need selective communication, VPC Peering is appropriate. The exam often presents a scenario where a company has multiple business units that need to communicate but maintain separate network administration. In that case, VPC Peering is correct because Shared VPC would require a single administrative domain.
Check for Subnet Overlap
For VPC Peering, verify that the VPCs have non-overlapping CIDR ranges. If any subnet ranges overlap, peering will fail. For Shared VPC, all subnets are within the same VPC, so overlap is impossible by design. The exam loves to test this: if a question says 'two VPCs both use 10.0.0.0/16', peering is not possible. Candidates often forget this and choose peering. Also note that Shared VPC requires unique subnet ranges within the host VPC.
Determine Need for Transitive Connectivity
If you need transitive routing (e.g., VPC A to VPC C via VPC B), VPC Peering does not support this. You would need a VPN or a third-party appliance. Shared VPC inherently supports transitive communication because all service projects are in the same VPC. However, if you have multiple host projects, they are isolated. The exam often tests this: a question with three VPCs that need full mesh connectivity will rule out VPC Peering unless you create individual peerings (which may exceed limits).
Evaluate Firewall and Security Requirements
Shared VPC centralizes firewall rules in the host project, which is ideal for security compliance. VPC Peering requires each VPC to manage its own firewall rules, which can lead to inconsistent policies. The exam may ask: which solution ensures that the security team can enforce a single set of rules across all resources? Answer: Shared VPC. However, if different teams need independent firewall control, VPC Peering is better.
Consider Resource Sharing and Isolation
Shared VPC allows VMs from different service projects to share the same subnet, enabling direct L2 communication. VPC Peering keeps VPCs separate; VMs cannot share subnets. If applications need to communicate via internal DNS names, Shared VPC automatically provides resolution within the VPC, while VPC Peering requires additional DNS configuration. The exam tests this: if two projects need to use the same subnet, Shared VPC is the only option.
Scenario 1: Centralized Network for a Large Enterprise
A multinational corporation with 500 projects across 10 business units wants to enforce network security centrally. They use Shared VPC: one host project per region (e.g., us-central1, europe-west1) and attach service projects for each business unit. The network team manages Cloud NAT, Cloud VPN to on-premises, and firewall rules in the host project. Each business unit deploys VMs in their service projects using shared subnets. This setup simplifies compliance because all traffic policies are uniform. However, a challenge arises when a business unit needs a custom firewall rule that conflicts with the central policy—they must request an exception. Misconfiguration: if the host project's firewall rules are too restrictive, application teams may experience connectivity issues and waste time debugging. The network team uses VPC Flow Logs to monitor traffic and adjust rules.
Scenario 2: Mergers and Acquisitions
Company A acquires Company B. Both have existing VPCs in Google Cloud with overlapping IP ranges (10.0.0.0/16). They need to connect their environments for a limited time during migration. VPC Peering is not possible due to overlap. Instead, they use Cloud VPN with NAT to translate addresses, or they re-IP one VPC. In production, they set up a temporary VPN tunnel between the VPCs using overlapping CIDR with destination NAT (DNAT) on a third-party appliance. The exam might present this as a scenario: 'Two VPCs with overlapping IPs need to communicate. What solution?' The answer is not VPC Peering; it's Cloud VPN with NAT or re-IP.
Scenario 3: Multi-Tenant SaaS Platform
A SaaS provider hosts customer environments in separate projects. Each customer needs isolation but must communicate with a shared backend (e.g., database). The provider uses VPC Peering: each customer project's VPC is peered with a central backend VPC. This ensures customers cannot see each other's traffic. However, they must manage 25+ peerings per VPC (limit). They request a quota increase. They also use custom route export/import to propagate routes from the backend to customers. Misconfiguration: if they forget to enable custom route export on the backend, customers cannot reach the database. The exam tests this: 'A company needs to peer 30 VPCs with a central VPC. What is the first step?' Answer: request a quota increase for peering connections.
What the ACE Tests
The ACE exam objectives under '2.1 Planning Solutions' include: 'Determine which VPC connectivity option to use: VPC Peering, Shared VPC, or VPN.' You should expect 2-4 questions on this topic. The exam focuses on:
Recognizing scenarios that require Shared VPC (centralized management, subnet sharing, organization node required).
Recognizing scenarios that require VPC Peering (independent VPCs, different projects/organizations, non-overlapping CIDRs).
Understanding transitive peering limitation.
Knowing default quotas (25 peerings per VPC, 1000 service projects per host).
Understanding firewall rule implications.
Common Wrong Answers
Choosing VPC Peering when Shared VPC is needed: Candidates see 'multiple projects' and think peering, but if the requirement includes centralized firewall management or subnet sharing, Shared VPC is correct.
Assuming transitive peering works: A question might say 'VPC A peered with B, B peered with C. Can A talk to C?' Many say yes, but the correct answer is no.
Selecting VPC Peering for overlapping CIDRs: Candidates forget that peering requires non-overlapping ranges. They choose peering and fail.
Using Shared VPC without an organization node: Shared VPC requires an organization. If the scenario lacks an organization (e.g., multiple standalone projects), Shared VPC is not possible.
Specific Numbers and Terms
25: Maximum VPC peering connections per VPC (default).
1000: Maximum service projects per host project (default).
1000: Maximum subnets per VPC (default).
roles/compute.networkUser: IAM role for service project to use subnets.
roles/compute.xpnAdmin: Admin role for Shared VPC.
auto-create-routes: Flag used when creating peering to automatically exchange subnet routes.
Transitive peering: Not supported.
Edge Cases and Exceptions
Cross-organization peering: VPC Peering can be set up across organizations if both sides agree. Shared VPC requires both projects to be in the same organization (or allowed by policy).
Custom route exchange: By default, only subnet routes are exchanged in peering. Custom routes (e.g., from VPN) are not exchanged unless you enable export/import. This is a common exam trick.
DNS resolution: Peered VPCs cannot resolve each other's internal DNS names by default. The exam may ask how to enable it (answer: Cloud DNS peering or forwarding).
How to Eliminate Wrong Answers
If the scenario mentions a single network team managing all firewall rules and VPNs, eliminate VPC Peering.
If the scenario mentions overlapping IP ranges, eliminate VPC Peering.
If the scenario requires transitive routing (A to C via B), eliminate VPC Peering (unless using VPN or appliance).
If the scenario mentions an organization node, Shared VPC is possible; if not, it is not.
If the scenario requires sharing a subnet across projects, eliminate VPC Peering.
VPC Peering is a direct layer-3 connection between two VPCs; it does not support transitive routing.
Shared VPC requires an organization node; standalone projects cannot be host projects.
VPC Peering requires non-overlapping subnet CIDRs; overlapping ranges prevent peering.
Shared VPC centralizes firewall rules, VPNs, and NAT in the host project.
Default maximum VPC peering connections per VPC is 25.
Default maximum service projects per host project is 1000.
Use `gcloud compute networks peerings create` to set up VPC Peering.
Use `gcloud compute shared-vpc enable` to designate a host project.
Custom routes are not exchanged in VPC Peering by default; enable export/import to share them.
In Shared VPC, service projects need `roles/compute.networkUser` on subnets to deploy resources.
These come up on the exam all the time. Here's how to tell them apart.
VPC Peering
Connects independent VPCs across projects or organizations.
Requires non-overlapping subnet CIDRs.
No support for transitive routing.
Each VPC manages its own firewall rules.
DNS resolution requires additional configuration.
Shared VPC
Single VPC shared across multiple projects within an organization.
All subnets are in one VPC, so no overlap possible.
Inherently supports transitive communication within the VPC.
Firewall rules are centralized in the host project.
Internal DNS resolves across all service projects automatically.
Mistake
VPC Peering supports transitive routing like a hub-and-spoke.
Correct
VPC Peering does NOT support transitive routing. If VPC A is peered with VPC B, and VPC B is peered with VPC C, VPC A cannot communicate with VPC C through VPC B. Each pair must be directly peered. This is a fundamental limitation.
Mistake
Shared VPC requires all projects to be in the same organization.
Correct
Shared VPC requires the host project to be in an organization, but service projects can be in the same organization or in a different organization if the organization policies allow. However, the host project must be part of an organization; standalone projects cannot be host projects.
Mistake
VPC Peering automatically resolves DNS names between VPCs.
Correct
By default, peered VPCs do not resolve each other's internal DNS names. You must configure DNS peering or use Cloud DNS forwarding to enable name resolution. The exam often tests this.
Mistake
Shared VPC allows service projects to create their own firewall rules.
Correct
By default, only the host project can create firewall rules for the Shared VPC. Service projects can be granted the `compute.securityAdmin` role to manage firewall rules, but this is not the default.
Mistake
VPC Peering is free.
Correct
VPC Peering itself has no cost, but egress traffic between peered VPCs is charged at the VPC Peering egress rate. In contrast, traffic within a Shared VPC (between service projects in the same VPC) is not charged egress fees.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
No. VPC Peering requires the peered VPCs to have non-overlapping internal IP ranges. If they overlap, the peering creation will fail. You must re-IP one VPC or use a VPN with NAT to translate addresses.
By default, peered VPCs cannot resolve each other's internal DNS names. To enable this, you can use Cloud DNS peering (create a peering zone in one VPC that forwards to the other) or set up DNS forwarding. The exam may ask about this.
The default limit is 25, but you can request a quota increase via the Google Cloud Console or by contacting support. For large-scale hub-and-spoke topologies, you may need to request a higher limit.
No. Shared VPC requires an organization node (Google Workspace or Cloud Identity). If you have standalone projects without an organization, you cannot use Shared VPC. In that case, you would use VPC Peering or VPN.
Yes. For example, you can have a Shared VPC in one organization and peer it with a VPC in another organization. The Shared VPC's host project can initiate peering connections to other VPCs.
Each VPC maintains its own firewall rules. Peering does not automatically allow traffic; you must create ingress firewall rules in each VPC to permit traffic from the peered VPC's subnets. Failure to do so is a common misconfiguration.
Yes. A Shared VPC can have subnets in multiple regions. Service projects can use any subnet they have been granted access to, regardless of region. However, VMs must be in the same region as the subnet they use.
You've just covered VPC Peering vs Shared VPC — now see how well it sticks with free ACE practice questions. Full explanations included, no account needed.
Done with this chapter?