1. Home
  2. Training Library
  3. Google Cloud Platform
  4. Courses
  5. Implementing a GCP Virtual Private Cloud (VPC)

Creating a Shared VPC

Start course
Duration1h 15m


Please note: this course has been replaced with an updated version which can be found here.


This course guides you through the key steps to configure a Google Cloud Platform virtual private cloud (VPC), which allows you to connect your GCP services with one another securely.

After a brief introduction, the course begins with how to set up and configure VPCs, including VPC peering and shared VPC. You'll learn how to configure routes, set up cloud NAT (network address translation), and configure VPC-native clusters in Kubernetes, before rounding off the course by looking at VPC firewalls. The topics in this course are accompanied by demonstrations on the platform in order to show you how these concepts apply to real-world scenarios.

If you have any feedback, questions, or queries relating to this course, please feel free to contact us at support@cloudacademy.com.

Learning Objectives

  • Configure Google Cloud Platform VPC resources
  • Configure VPC peering and API access
  • Create shared VPCs
  • Configure internal static and dynamic routing, as well as NAT
  • Configure and maintain Google Kubernetes Engine clusters
  • Configure and maintain VPC firewalls

Intended Audience

This course is intended for:

  • Individuals who want to learn more about Google Cloud networking, who may also have a background in cloud networking with other public cloud providers
  • Individuals who simply want to widen their knowledge of cloud technology in general


To get the most from this course, you should already have experience in public cloud and networking as well as an understanding of GCP architecture.


I want to tell you exactly what a shared VPC is. A shared VPC allows you to centralize and control access to your enterprise network. And I focus on enterprise there because that's usually the intended audience for this type of setup, and is gonna be set up with an organization within GCP, meaning that if I had a network admin for a 10,000-user enterprise, with different teams throughout the company, and they all need GCP resources to access the network, virtual machines, Kubernetes clusters, what may have you, I could control access to the VPC network from one centralized project.

And so the way that works within GCP is you'll need to set up one host project and then you would attach several service projects to that one host project. Ultimately, that one host project has complete control over the entire network and all the service projects' access. The first thing we wanna focus on is what three roles you're gonna need within your organization to do this.

So number one, you're gonna have to have your organization admin assign the shared VPC admin role to someone, and that person who then has that role will then have to enable host projects and attach service projects to them, and I'll talk about those more here in a minute. And then lastly, the service project admin role, that role basically controls who can access the networks in those projects.

So if you only want certain resources to have access to certain subnets, or VPCs in general, that role allows you to do that. You have to have these three roles to really take advantage and set up shared VPC.

So for the next part here, we're gonna go to shared VPC under VPC Network, and we're gonna go and click Set Up Shared VPC. Now, the first screen here is pretty simple, it's pretty self-explanatory, you're gonna enable a host project, you're gonna select the subnet, and then you're gonna give permissions, so that's gonna be the order.

So we're gonna go ahead and enable the host project, which is the project right now, which is learn-gcp-vpc. And once that's set up, now you'll be able to see all of the networks are part of this, a part of this network. So this VPC, there's options that we can share. So for instance, you're looking at I can share all the subnets, or I can just share individual ones.

So if I wanna just share individual ones, I would just check which ones I wanted to share, I click Continue, and then now I can choose the service, giving them permission to which projects can access, so these are gonna be the service projects. So I'm just gonna use that learn-sandbox as a service project, and then I could choose the roles, which ones I wanna use, and I also can choose Kubernetes Engine access as well, if I wanna allow this to be shared with Kubernetes. So it's pretty cool.

As you can see, not only can you use shared VPC with Compute Engine, or just any type of project, but it also applies to Kubernetes network as well. And then once I hit Save, you're gonna see I'm gonna get an error because I don't have the Kubernetes Engine API enabled. So you have to have that API enabled if you choose to want to set up the Kubernetes Engine access.

So we're not gonna go ahead and enable that now, we're just gonna go ahead and set this up, and let's give it a minute. Okay, once that's set up, it's gonna show you at the top which project is the host, you're also gonna see the shared subnets and permission, you're gonna see the attached project, if I click on that, and you also see the option, I can attach more projects if I like, and then from this point, if I wanna change some more subnets and add some more things from the host, I can go ahead and do that as well, I can go in and make some more changes and modify permissions from a project, you could do that, and then at the bottom, you can look at the individual subnet permission.

So like I was saying earlier, you can choose who has access to what subnet, it doesn't even have to be the entire range of addresses. So if you've got several different ranges, you can have someone, let's say, you had a CIDR range of 24, or a site of 28, like, different folks can have access to those different ranges if needed.

Okay, so now what we've done, we've switched over to our learn-sandbox project, and what you're gonna see in here is now at the top, you're gonna see this is a service project, and it's telling you that the host project learn-gcp-vpc is sharing its subnets with this project. At the bottom, you could see the members who have permission to the shared subnets, and then once you click on the VPC networks of this project, at the top, you're gonna notice another option here to the right, networks in current project, that says networks shared to my project. And you're gonna see all the networks that have been shared to this project. And you're gonna see which project, it's been given to it.

Now, keep in mind these networks are shared to this project, but that doesn't necessarily you'll have access dependent on the rights in IM rows, that's been granted to you. So those are some of the main things to keep in mind when setting up a shared VPC.

About the Author

Mark has many years of experience working with Google Cloud Platform and also holds eight GCP certifications.