VPC Peering & Shared VPC

As your GCP environment grows beyond a single VPC or project, you need ways to connect VPCs together. GCP offers two primary mechanisms: VPC Network Peering for connecting VPCs across projects or organisations, and Shared VPC for sharing a single VPC across multiple projects within an organisation. Each approach has distinct characteristics, use cases, and trade-offs.

VPC Network Peering

VPC Peering creates a direct network path between two VPC networks, allowing resources in each VPC to communicate using internal IP addresses. Traffic between peered VPCs stays on Google's network — it never traverses the public internet.

Key Characteristics

Decentralised — each VPC is managed independently in its own project.
Non-transitive — if VPC A peers with VPC B and VPC B peers with VPC C, VPC A cannot reach VPC C through VPC B (unless A-C peering is also established).
Bidirectional — once peering is established, both sides can communicate (but each side must accept the peering request).
No overlapping CIDR — the primary and secondary IP ranges of peered VPCs must not overlap.
Cross-project and cross-organisation — peering works across projects and even across GCP organisations.
No gateway or VPN — peering uses internal routing; there are no gateways, VPN tunnels, or additional hops.

Creating a Peering Connection

Peering requires configuration on both sides:

# In project-a: peer vpc-a with vpc-b
gcloud compute networks peerings create peer-a-to-b \
  --network=vpc-a \
  --peer-project=project-b \
  --peer-network=vpc-b

# In project-b: peer vpc-b with vpc-a
gcloud compute networks peerings create peer-b-to-a \
  --network=vpc-b \
  --peer-project=project-a \
  --peer-network=vpc-a

Peering Limits

Limit	Value
Peering connections per VPC	25 (can be increased)
Maximum peered group size (total VMs/endpoints)	15,500

Exchanging Custom Routes

By default, only subnet routes are exchanged. To share custom static routes or routes learned via Cloud Router:

gcloud compute networks peerings update peer-a-to-b \
  --network=vpc-a \
  --export-custom-routes \
  --import-custom-routes

Shared VPC

Shared VPC allows an organisation to share a single VPC network across multiple service projects. A host project owns the VPC, and service projects deploy resources (VMs, GKE clusters, etc.) into subnets of that shared VPC.

Key Concepts

Host project — the project that contains the Shared VPC. Network administrators manage subnets, firewall rules, and routes here.
Service projects — projects that are attached to the Shared VPC. Developers in service projects deploy resources into the shared subnets.
Centralised network management — network and security teams manage the VPC in the host project while application teams work independently in their service projects.

Setting Up Shared VPC

# Enable Shared VPC host project
gcloud compute shared-vpc enable host-project-id

# Attach a service project
gcloud compute shared-vpc associated-projects add service-project-id \
  --host-project=host-project-id

VPC Peering & Shared VPC

VPC Peering & Shared VPC

VPC Network Peering

Key Characteristics

Creating a Peering Connection

Peering Limits

Exchanging Custom Routes

Shared VPC

Key Concepts

Setting Up Shared VPC

IAM for Shared VPC

More in Cloud