Wednesday, December 5, 2018

GCP : Shared VPC


Shared VPC allows an organization to connect resources from multiple projects to a common VPC network, so that they can communicate with each other securely and efficiently using internal IPs from that network. When you use Shared VPC, you designate a project as a host project and attach one or more other service projects to it. The VPC networks in the host project are called Shared VPC networks. Eligible resources from service projects can use subnets in the Shared VPC network.

Shared VPC lets organization administrators delegate administrative responsibilities, such as creating and managing instances, to Service Project Admins while maintaining centralized control over network resources like subnets, routes, and firewalls. This model allows organizations to do the following:


Implement a security best practice of least privilege for network administration, auditing, and access control. Shared VPC Admins can delegate network administration tasks to Network and Security Admins in the Shared VPC network without allowing Service Project Admins to make network-impacting changes. Service Project Admins are only given the ability to create and manage instances that make use of the Shared VPC network.

Apply and enforce consistent access control policies at the network level for multiple service projects in the organization while delegating administrative responsibilities. For example, Service Project Admins can be Compute Instance Admins in their project, creating and deleting instances that use approved subnets in the Shared VPC host project.

Shared VPC connects projects within the same organization.
Linked projects can be in the same or different folders, but if they are in different folders, the admin must have Shared VPC Admin rights to both folders.

A project that participates in Shared VPC is either a host project or a service project:

a) A host project contains one or more Shared VPC networks. A Shared VPC Admin must first enable a project as a host project. After that, a Shared VPC Admin can attach one or more service projects to it.
b) A service project is any project that has been attached to a host project by a Shared VPC Admin. This attachment allows it to participate in Shared VPC. It's a common practice to have multiple service projects operated and administered by different departments or teams in your organization.
c) A project cannot be both a host and a service project simultaneously. Thus, a service project cannot be a host project to further service projects.
d) You can create and use multiple host projects; however, each service project can only be attached to a single host project.


A Shared VPC network is a VPC network defined in a host project and made available as a centrally shared network for eligible resources in service projects. Shared VPC networks can be either auto or custom mode, but legacy networks are not supported.

When a host project is enabled, all of its existing VPC networks become Shared VPC networks, and any new network created in it will automatically be a Shared VPC network as well. Thus, a single host project can have more than one Shared VPC network.

Shared VPC makes use of Identity and Access Management (IAM) roles for delegated administration. The following roles can be granted to IAM members, such as users, Google groups, Google domains, or GCP service accounts. If you need to contact any of these admins, you can look them up in your organization's or project's IAM policy.
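As an added example (not from this post or from Google's documentation), the script below audits a constructed host-project IAM policy for the least-privilege split described above: members who use the shared network as Service Project Admins should not also hold roles that let them change subnets, routes or firewalls. The role IDs are GCP's IAM role names for these personas; the members and bindings are invented sample data.

```python
"""Audit a Shared VPC host project's IAM bindings for least privilege."""
from collections import defaultdict

# Roles that can make network-impacting changes in the host project.
# These are GCP's real role IDs; the post names the personas, not the IDs.
NETWORK_IMPACTING_ROLES = {
    "roles/compute.networkAdmin",   # Network Admin: subnets, routes
    "roles/compute.securityAdmin",  # Security Admin: firewall rules
    "roles/compute.xpnAdmin",       # Shared VPC Admin (usually org/folder level)
}
# The only role a Service Project Admin needs on the shared network or its subnets.
SERVICE_PROJECT_ROLE = "roles/compute.networkUser"

# Constructed sample policy, in the shape `gcloud projects get-iam-policy --format=json` returns.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/compute.networkAdmin",
         "members": ["group:net-admins@example.com"]},
        {"role": "roles/compute.securityAdmin",
         "members": ["group:sec-admins@example.com"]},
        {"role": "roles/compute.networkUser",
         "members": ["group:team-a-admins@example.com",
                     "serviceAccount:team-b-sa@svc-b.iam.gserviceaccount.com"]},
        # Deliberate finding: a service-project team was also handed Network Admin.
        {"role": "roles/compute.networkAdmin",
         "members": ["group:team-a-admins@example.com"]},
    ]
}


def roles_by_member(policy):
    """Invert bindings into {member: set(roles)}; a member may appear in many bindings."""
    out = defaultdict(set)
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            out[member].add(binding["role"])
    return out


def find_violations(policy):
    """Return {member: [excess roles]} for networkUser holders who can also
    alter the shared network, which defeats the delegation model."""
    violations = {}
    for member, roles in roles_by_member(policy).items():
        if SERVICE_PROJECT_ROLE in roles:
            excess = roles & NETWORK_IMPACTING_ROLES
            if excess:
                violations[member] = sorted(excess)
    return violations


if __name__ == "__main__":
    for member, roles in find_violations(SAMPLE_POLICY).items():
        print(f"{member} holds network-impacting roles besides networkUser: {roles}")
```

In practice, feed it the JSON from the host project's actual IAM policy and also check subnet-level bindings, since networkUser is often granted per subnet.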



References
https://cloud.google.com/vpc/docs/shared-vpc
