Exam Professional Cloud Architect topic 1 question 130 discussion

For the same project , same VPC, Network Admin role to the networking team, and Compute Admin role to the development team. What is the need for another project?

C. 1. Create a project with a Shared VPC and assign the Network Admin role to the networking team. 2. Create a second project without a VPC, configure it as a Shared VPC service project, and assign the Compute Admin role to the development team.

This is tricky. Both B & C could seem okay, but C is the right answer. The compute.networkAdmin role gives broad permissions on the project, which also affects compute instances. For instance, it gives "compute.instances.get" and "compute.instances.use" permissions. Even though this roles does not grant permissions to start/stop/create/delete instances, it still gives broad permissions on compute instances. This gets much clearer if we do the same analysis on the other role: compute.Admin. This role gives permissions on "compute.*", which also includes "compute.networks.*". That is exactly what we don't want to happen. If we spawn the VPC and the compute VMs in the same project, then compute admins will be able to mess around with the VPC. That is why we need to separate networks and compute within 2 projects, unless creating custom roles, etc. Shared VPC are aimed at that. Therefore, C is the right answer.

If it was compute instance admin instead of compute admin, then B would do it, But since They specifically mention Compute Admin, C is the only option. But that being said, there's nothing stopping the apps team from creating a vpc in the new project since they have all the required permissions for it, kind of an oversight

While IAM roles can technically achieve some separation in option B, Shared VPC (option C) offers a more secure, well-defined, and recommended approach for this scenario. It reduces the risk of accidental access and promotes a cleaner separation of duties between the networking and development teams.

Shared ~VPC provide a feature to have segregation of such roles.

The project I am part of follows exactly the same architecture as Option C.

C is ok.

No one is a valid answer (sorry for that) because all answers assign COMPUTE ADMIN to the developers. If Your company requires all network resources to be managed by the networking team you must NOT assigne COMPUTE ADMIN to the developers because you give them the power to managed the network. No matter the project they are assigned, they could do things forbidden for the requeriment.

Not B because Compute Admin has networking roles.

https://cloud.google.com/vpc/docs/shared-vpc When you use Shared VPC, you designate a project as a host project and attach one or more other service projects to it. The VPC networks in the host project are called Shared VPC networks. Eligible resources from service projects can use subnets in the Shared VPC network. Shared VPC lets organization administrators delegate administrative responsibilities, such as creating and managing instances, to Service Project Admins while maintaining centralized control over network resources like subnets, routes, and firewalls.

Two reasons for me to select C: 1. Compute admin has network admin roles included 2. If Dev team adds more projects for testing/staging later, they can be centrally handled by the host project and Google also recommends separation of duties

Option B suggests creating a single project with a standalone VPC, and assigning both the Network Admin and Compute Admin roles to the respective teams. However, this solution does not enforce the required separation of duties between the networking and development teams. Option C suggests using a Shared VPC. A Shared VPC allows for separation of duties between teams while sharing network resources. The networking team can manage the Shared VPC, and the development team can create Compute Engine instances in the Shared VPC without the networking team having access to the sensitive data on the instances. The development team can be assigned the Compute Admin role for the Shared VPC service project, and the networking team can be assigned the Network Admin role for the Shared VPC host project.

Can this be handled with IAM roles? Yes. Why go through extra effort, in the event you want to add a feature or couple other services, would you still continue tweaking?

to prevent dev team from having network admin (same project will mean dev team with compute admin will also have network permission). That's my take on this one.

It talks about managing all network resources in a company. Google always recommends having a shared VPC to maintain network resources in an organization. The separation of roles adds to the favour of having a shared vpc.

C is not correct as it doesn't make sense to have 2 vpcs for managing roles