A centralized approach to multi-project networking with Pulumi

Fermin Blanco
Google Cloud - Community
3 min read · Apr 22, 2024


Multi-project networking needs an approach that improves both the security and the management of networking resources. That is what a Shared VPC provides: a mechanism for hardening the security posture of networking resources scattered across projects. It also brings lower-latency communication 😱.

STOP THIS MADNESS AND SHOW ME THE CODE

Pulumi is an Infrastructure as Code tool that we’ll use to keep deployments consistent.

Shared VPC

Centralized Multi-Project Networking

There are a few ways to implement multi-project networking, but for a centralized approach you need a Shared VPC.

A Shared VPC enhances the security posture of your multi-project resources by enabling communication through internal IP addresses.

Networking resources

  • Virtual Private Cloud: software-defined network that provides connectivity for Google Cloud resources (VMs, GKE clusters, SQL instances).
  • Subnets: smaller network segments within a VPC network that can be used to isolate resources and control access to them.
  • Firewall Rules: security rules that govern traffic flow between network resources, based on IP addresses, ports and protocols.
  • Load Balancing: service that distributes network traffic across multiple resources to improve performance and availability.
  • And a few more.

The network administration model

Based on the concept of a centralized approach to network management, a common VPC is shared across multiple projects inside an organization. This model enables the creation of a common network infrastructure that can be used by multiple projects. It simplifies network management, improves resource utilization and allows better control over network configurations and access policies.

Communication happens over internal IP addresses. Private IP networking results in lower latency because connections do not have to leave the network. Services are not exposed to the public Internet and consequently incur no egress bandwidth charges.

The components

“Participating host and service projects cannot belong to different organizations.”

Host Project

The host project needs ownership of the service projects. The host project could be reachable from the Internet and therefore provide services to Internet users (a web application?).

Service Projects

Service projects provide services to the host project and to other service projects. Services running in a service project can use the Shared VPC to reach resources running in the other service projects (microservices?).

“A service project cannot be a host project to further service projects.”
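The two quoted constraints (one organization for host and service projects; a service project is never also a host), together with the ordering the step-by-step list below follows (enable the feature on the host before attaching anything), can be checked before `pulumi up` ever runs. The following is an added example, not code from the post or from Pulumi: a small pre-flight validator in plain Go that takes a constructed plan and reports every violation. The `OtherHosts` set stands in for a lookup of projects that are already Shared VPC hosts; in a real pipeline it would come from the API.

```go
package main

import (
	"fmt"
	"os"
)

// Project is one GCP project in the plan; OrgID is the organization it belongs to.
type Project struct {
	ID    string
	OrgID string
}

// SharedVPCPlan mirrors the four steps of the post: a host project, whether the
// Shared VPC feature has been enabled on it, and the service projects to attach.
type SharedVPCPlan struct {
	Host        Project
	HostEnabled bool            // step 2 done on the host project
	Services    []Project       // steps 3 and 4: projects that will be attached
	OtherHosts  map[string]bool // projects already acting as Shared VPC hosts (assumed input)
}

// Validate returns every violation found so that CI can report all of them at once.
func Validate(p SharedVPCPlan) []error {
	var errs []error
	if !p.HostEnabled {
		errs = append(errs, fmt.Errorf("host %s: enable the Shared VPC feature before attaching service projects", p.Host.ID))
	}
	seen := map[string]bool{}
	for _, s := range p.Services {
		switch {
		case s.OrgID != p.Host.OrgID:
			// Host and service projects must belong to the same organization.
			errs = append(errs, fmt.Errorf("service %s: organization %s differs from host organization %s", s.ID, s.OrgID, p.Host.OrgID))
		case s.ID == p.Host.ID:
			errs = append(errs, fmt.Errorf("service %s: the host project cannot be attached to itself", s.ID))
		case p.OtherHosts[s.ID]:
			// A service project cannot be a host project to further service projects.
			errs = append(errs, fmt.Errorf("service %s: already a Shared VPC host, cannot also be a service project", s.ID))
		case seen[s.ID]:
			errs = append(errs, fmt.Errorf("service %s: listed twice", s.ID))
		}
		seen[s.ID] = true
	}
	return errs
}

// ExamplePlans returns two constructed plans: one that passes and one with
// four distinct violations (feature not enabled, foreign org, host reused
// as service, duplicate attachment).
func ExamplePlans() (good, bad SharedVPCPlan) {
	org := "1234567" // placeholder organization ID, as in the post
	good = SharedVPCPlan{
		Host:        Project{ID: "host-prj", OrgID: org},
		HostEnabled: true,
		Services:    []Project{{ID: "svc-1", OrgID: org}, {ID: "svc-2", OrgID: org}},
		OtherHosts:  map[string]bool{},
	}
	bad = SharedVPCPlan{
		Host:        Project{ID: "host-prj", OrgID: org},
		HostEnabled: false,
		Services: []Project{
			{ID: "svc-1", OrgID: "7654321"},
			{ID: "legacy-host", OrgID: org},
			{ID: "svc-2", OrgID: org},
			{ID: "svc-2", OrgID: org},
		},
		OtherHosts: map[string]bool{"legacy-host": true},
	}
	return good, bad
}

func main() {
	_, bad := ExamplePlans()
	errs := Validate(bad)
	for _, e := range errs {
		fmt.Println("violation:", e)
	}
	if len(errs) > 0 {
		os.Exit(1)
	}
}
```

Run as a CI step, a non-zero exit blocks the deployment until the plan respects the constraints.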

Infrastructure as Code with Pulumi

Pulumi automates the provisioning and management of cloud resources, so we can create the infrastructure, configure it and push it to production in a predictable and consistent way.

What we create

  • Host and service projects
  • Shared VPC
  • Compute Instances

Step by Step

  1. Create the host project
  2. Enable the Compute Engine Shared VPC feature on the host project
  3. Create the service projects
  4. Attach the service projects to the host project

Pulumi

First of all, we need to initialize our Pulumi project (Go):

pulumi new go -y

Basically the command just defines a new GCP stack with no resources.

Google Cloud Organizations

Organizations allow the creation and management of GCP projects, so we’ll use the gcp.organizations module from Pulumi to create our host and service projects.

// Create the host project for the Shared VPC.
// ProjectId must be globally unique and OrgId is the numeric ID of your
// organization; both values below are placeholders.
hostProject, err := organizations.NewProject(ctx, "hostProject", &organizations.ProjectArgs{
    Name:      pulumi.String("hostProject"),
    ProjectId: pulumi.String("your-project-id"),
    OrgId:     pulumi.String("1234567"),
})
if err != nil {
    return err
}

From the gcp.compute module we’ll use compute.NewSharedVPCHostProject and compute.NewSharedVPCServiceProject to define the host and service projects.

Let’s enable the Google Compute Engine Shared VPC feature (formerly XPN):

// Enable the Shared VPC feature for the host project
_, err = compute.NewSharedVPCHostProject(ctx, "sharedVPCHostProject", &compute.SharedVPCHostProjectArgs{
    Project: hostProject.ProjectId,
})
if err != nil {
    return err
}

Cool, all that is left is to define our service projects.

// Attach a service project to the host. serviceProject1 is created with
// organizations.NewProject exactly like hostProject above (not shown).
_, err = compute.NewSharedVPCServiceProject(ctx, "sharedVPCServiceProject1", &compute.SharedVPCServiceProjectArgs{
    HostProject:    hostProject.ProjectId,
    ServiceProject: serviceProject1.ProjectId,
})
if err != nil {
    return err
}
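The four steps of the step-by-step list and the three fragments above, assembled into one deployable Pulumi program. This is an added example, not the author’s program: it assumes the pulumi-gcp Go SDK v7 import paths, uses placeholder organization and project IDs that you must replace, and creates two service projects (matching the Pulumi AI prompt later in the post). It also assumes, as a comment notes, that billing is linked and the Compute Engine API is enabled on each project, which the post does not cover.

```go
package main

import (
	"fmt"

	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/compute"
	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/organizations"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Placeholder identifiers: replace with your numeric organization ID and
		// globally unique project IDs before running `pulumi up`.
		orgID := pulumi.String("ORG_ID_PLACEHOLDER")

		// Step 1: create the host project.
		// Assumption not covered by the post: each project needs a linked billing
		// account and the Compute Engine API enabled before the Shared VPC
		// resources below can be created.
		hostProject, err := organizations.NewProject(ctx, "hostProject", &organizations.ProjectArgs{
			Name:      pulumi.String("hostProject"),
			ProjectId: pulumi.String("host-project-id-placeholder"),
			OrgId:     orgID,
		})
		if err != nil {
			return err
		}

		// Step 2: enable the Shared VPC (formerly XPN) feature on the host.
		host, err := compute.NewSharedVPCHostProject(ctx, "sharedVPCHostProject", &compute.SharedVPCHostProjectArgs{
			Project: hostProject.ProjectId,
		})
		if err != nil {
			return err
		}

		// Steps 3 and 4: create each service project in the same organization
		// and attach it to the host.
		serviceIDs := []string{"service-project-1-id-placeholder", "service-project-2-id-placeholder"}
		for i, id := range serviceIDs {
			name := fmt.Sprintf("serviceProject%d", i+1)
			svc, err := organizations.NewProject(ctx, name, &organizations.ProjectArgs{
				Name:      pulumi.String(name),
				ProjectId: pulumi.String(id),
				OrgId:     orgID, // same organization as the host, as the post requires
			})
			if err != nil {
				return err
			}
			// DependsOn makes the attachment wait until the host feature is enabled,
			// which is the ordering of steps 2 and 4.
			_, err = compute.NewSharedVPCServiceProject(ctx, "sharedVPC"+name, &compute.SharedVPCServiceProjectArgs{
				HostProject:    hostProject.ProjectId,
				ServiceProject: svc.ProjectId,
			}, pulumi.DependsOn([]pulumi.Resource{host}))
			if err != nil {
				return err
			}
		}

		ctx.Export("hostProjectId", hostProject.ProjectId)
		return nil
	})
}
```

Drop this in as `main.go` of the project created by `pulumi new go -y`, run `go mod tidy` to pull the SDKs, then `pulumi up`; the explicit dependency on the host resource keeps Pulumi from racing the attachments against the feature enablement.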

Pulumi AI

Have you tried Pulumi AI? Use it with the following prompt:

A shared VPC. One host project and two service projects. Each service project has a virtual machine. The host project also has a virtual machine.

Resources
