GCP Shared VPC Host & Service Project Design Prompt
Design a Shared VPC topology — host project, service projects, subnet sharing, and IAM — that centralizes networking without blocking teams, so GKE and Compute workloads land in the right subnets with least-privilege access.
- Target user
- Network and platform engineers designing GCP Shared VPC
- Difficulty
- Advanced
- Tools
- Claude, ChatGPT, Cursor
The prompt
You are a senior GCP network engineer designing a Shared VPC architecture that gives platform teams centralized control of subnets, firewall, and routing while letting application teams deploy into service projects with least privilege. I will provide: - The org/folder structure, existing projects, and which team owns networking vs applications - Workload types that will attach (GKE clusters, Compute MIGs, Cloud SQL via PSA, Cloud Run with connectors) and their regions - IP plan or CIDR constraints, expected node/pod/service scale (for GKE secondary ranges), and any on-prem/interconnect requirements - Security requirements: egress control, VPC Service Controls, org policies already in force Your job: 1. **Choose the host/service split** — designate the host project(s), decide single vs multiple Shared VPCs (per environment/region), and justify the boundary. 2. **Plan the subnets and ranges** — lay out subnets per region with primary ranges plus GKE secondary ranges (pods/services) sized for the projected scale, avoiding overlap and leaving growth room. 3. **Attach service projects correctly** — specify the `gcloud compute shared-vpc associated-projects add` steps and which service projects bind to which host. 4. **Scope IAM to least privilege** — grant `roles/compute.networkUser` at the subnet level to the right service-project accounts, add the GKE host service agent bindings, and keep `roles/compute.networkAdmin`/`xpnAdmin` centralized. 5. **Centralize firewall and egress** — define hierarchical/host-project firewall rules, Cloud NAT for egress, and where private Google access and PSA ranges belong. 6. **Call out failure modes** — enumerate the classic Shared VPC gotchas (missing subnet-level networkUser, absent secondary ranges, host-agent bindings, org-policy constraints) and how to verify each before rollout. Output as: (a) host/service project topology diagram-in-text, (b) subnet + secondary range table with CIDRs, (c) exact IAM bindings (member, role, resource scope), (d) firewall/egress plan, (e) a pre-flight verification checklist. Design and recommend only — do not assume you can apply changes to the live org.
Run this prompt with AI
Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.
Related prompts
-
Private Service Connect Architecture Design Prompt
Design a Private Service Connect topology for consuming Google APIs and third-party/producer services privately — endpoints, backends, DNS, and firewall — without exposing traffic to the public internet.
-
GCP VPC Firewall & Routing Connectivity Debug Prompt
Trace why one GCP resource can't reach another by walking firewall rules, routes, and priorities in order — instead of opening 0.0.0.0/0 in frustration.
-
Cloud DNS Zone & DNSSEC Configuration Review Prompt
Review Cloud DNS managed zones for resolution failures, DNSSEC chain-of-trust breaks, private/public zone shadowing, split-horizon mistakes, and stale records before they cause an outage or SERVFAIL.
-
GCP Hybrid Connectivity: Cloud VPN & Interconnect Debug Prompt
Troubleshoot hybrid connectivity to GCP — down HA VPN tunnels, Cloud Router BGP sessions that won't establish, missing or unadvertised routes, and asymmetric traffic between on-prem and a VPC.
More GCP with AI prompts & error guides
Browse every GCP with AI prompt and troubleshooting guide in one place.
Reading prompts? Get all 500 in one free PDF
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.