Based on implementing Shared VPC for a similar multi-team environment, here’s a comprehensive design framework addressing IAM boundaries, quota management, and firewall rule scoping:
IAM Boundary Design:
The foundation is separating network administration from workload deployment. Create a dedicated host project owned by your central networking team with roles/compute.networkAdmin and roles/compute.securityAdmin. Service projects are organized by compliance boundary - separate projects for PCI, PHI, and general workloads.
Grant teams roles/compute.networkUser at the subnet level, not project level. This is crucial for IAM boundaries. Use IAM conditions to further restrict access based on resource tags or time windows if needed. For example, development teams get networkUser on dev subnets only, while operations teams get it on production subnets.
Implement a service account strategy where each team has designated SAs for their workloads. These SAs get roles/compute.instanceAdmin on their service project but not the host project. This prevents teams from modifying shared network infrastructure.
Quota Management Strategy:
Quotas in GCP are project-scoped, which creates challenges in Shared VPC. Implement these safeguards:
-
Set up quota monitoring using Cloud Monitoring metrics like compute.googleapis.com/quota/instances/usage. Create alerts at 70%, 85%, and 95% thresholds.
-
Establish a quota allocation policy - each service project gets baseline quotas based on team size and workload patterns. Document these allocations in a central registry.
-
Use resource quotas in Kubernetes (if using GKE) to prevent individual teams from consuming excessive resources within their service projects.
-
Implement a quota request workflow using Cloud Functions and Jira/ServiceNow integration for tracking and approval.
Firewall Rule Scoping:
This is where most organizations struggle. Use a three-tier approach:
-
Hierarchical firewall policies (organization/folder level): Common deny rules that apply everywhere - deny external RDP/SSH, block known malicious IPs, enforce egress restrictions for compliance zones.
-
VPC-level firewall rules (host project): Standard patterns like allow health checks, allow IAP tunneling, allow internal communication between subnets. Use network tags extensively - define a tagging taxonomy (e.g., tier-web, tier-app, tier-db, env-prod, env-dev).
-
Service project firewall rules: Teams can create limited rules within their service projects, but only affecting their tagged resources. Use IAM conditions to prevent teams from creating rules that impact other teams’ tags.
For your 12 teams, create firewall rule templates for common patterns (web tier, app tier, database tier) and require teams to use these templates. This prevents rule sprawl and ensures consistent security posture.
Governance Framework:
Document everything in a central repository - subnet assignments, CIDR allocations, firewall rule patterns, service account naming conventions, and escalation procedures. Run quarterly reviews of firewall rules to identify and remove unused rules. Use Config Connector or Terraform to manage infrastructure as code, which provides audit trails and prevents configuration drift.
The key success factor is balancing team autonomy with centralized control. Teams should feel empowered to deploy workloads quickly while the network team maintains security and compliance guardrails.