Exam Professional Cloud Architect topic 1 question 130 discussion

For the same project , same VPC, Network Admin role to the networking team, and Compute Admin role to the development team. What is the need for another project?

C. 1. Create a project with a Shared VPC and assign the Network Admin role to the networking team. 2. Create a second project without a VPC, configure it as a Shared VPC service project, and assign the Compute Admin role to the development team.

Solution B: No need for another project

A shared VPC is a better option in this case. https://cloud.google.com/vpc/docs/shared-vpc

Compute Network Admin (roles/compute.networkAdmin) Permissions to create, modify, and delete networking resources, except for firewall rules and SSL certificates. The network admin role allows read-only access to firewall rules, SSL certificates, and instances (to view their ephemeral IP addresses). The network admin role does not allow a user to create, start, stop, or delete instances.

We should use Option C, because following the documentation Network admin has a lot of compute instance permissions. So option C for sure

The key here is shared VPC service.

This is tricky. Both B & C could seem okay, but C is the right answer. The compute.networkAdmin role gives broad permissions on the project, which also affects compute instances. For instance, it gives "compute.instances.get" and "compute.instances.use" permissions. Even though this roles does not grant permissions to start/stop/create/delete instances, it still gives broad permissions on compute instances. This gets much clearer if we do the same analysis on the other role: compute.Admin. This role gives permissions on "compute.*", which also includes "compute.networks.*". That is exactly what we don't want to happen. If we spawn the VPC and the compute VMs in the same project, then compute admins will be able to mess around with the VPC. That is why we need to separate networks and compute within 2 projects, unless creating custom roles, etc. Shared VPC are aimed at that. Therefore, C is the right answer.

If it was compute instance admin instead of compute admin, then B would do it, But since They specifically mention Compute Admin, C is the only option. But that being said, there's nothing stopping the apps team from creating a vpc in the new project since they have all the required permissions for it, kind of an oversight

While IAM roles can technically achieve some separation in option B, Shared VPC (option C) offers a more secure, well-defined, and recommended approach for this scenario. It reduces the risk of accidental access and promotes a cleaner separation of duties between the networking and development teams.

Shared ~VPC provide a feature to have segregation of such roles.

The project I am part of follows exactly the same architecture as Option C.

C is ok.

No one is a valid answer (sorry for that) because all answers assign COMPUTE ADMIN to the developers. If Your company requires all network resources to be managed by the networking team you must NOT assigne COMPUTE ADMIN to the developers because you give them the power to managed the network. No matter the project they are assigned, they could do things forbidden for the requeriment.

Not B because Compute Admin has networking roles.

https://cloud.google.com/vpc/docs/shared-vpc When you use Shared VPC, you designate a project as a host project and attach one or more other service projects to it. The VPC networks in the host project are called Shared VPC networks. Eligible resources from service projects can use subnets in the Shared VPC network. Shared VPC lets organization administrators delegate administrative responsibilities, such as creating and managing instances, to Service Project Admins while maintaining centralized control over network resources like subnets, routes, and firewalls.

Two reasons for me to select C: 1. Compute admin has network admin roles included 2. If Dev team adds more projects for testing/staging later, they can be centrally handled by the host project and Google also recommends separation of duties