While preparing for the GCP Professional Cloud Architect (PCA) exam, many candidates get confused by network/resource boundary design involving IAM and multi-team administration. In the real world, this is fundamentally a decision about project and network resource isolation balanced against operational complexity and security boundaries. Let’s drill into a simulated scenario.
The Scenario #
TechNova Gaming is a fast-growing global gaming platform with two core teams: the Networking Operations team and the Game Development team. Developers deploy game server instances on Google Compute Engine that process sensitive player data requiring tight confidentiality. The development team needs administrative permissions on Compute Engine to manage their workloads effectively. Meanwhile, company policy mandates that all network infrastructure must be managed exclusively by the Networking Operations team. Crucially, the Networking team must not have access to the sensitive data on Compute Engine instances.
Key Requirements #
Design a GCP project and network architecture to enforce these separation-of-duty requirements while preserving secure, efficient connectivity between networking and compute resources.
The Options #
A)
- Create a project with a standalone VPC and assign the Network Admin role to the Networking Operations team.
- Create a second project with a standalone VPC and assign the Compute Admin role to the Game Development team.
- Connect the two VPCs with Cloud VPN.

B)
- Create a single project with a standalone Virtual Private Cloud (VPC).
- Assign the Network Admin role to the Networking Operations team and the Compute Admin role to the Game Development team within the same project.

C)
- Create a host project with a Shared VPC and assign the Network Admin role to the Networking Operations team.
- Create a second project configured as a Shared VPC service project without its own VPC.
- Assign the Compute Admin role to the Game Development team in the service project.

D)
- Create a project with a standalone VPC and assign the Network Admin role to the Networking Operations team.
- Create a second project with a standalone VPC and assign the Compute Admin role to the Game Development team.
- Connect the two VPCs with VPC Peering.
Correct Answer #
Option C.
Step-by-Step Winning Logic #
Option C embraces Google’s recommended Shared VPC architecture pattern, which enables strong separation of concerns:
- The Networking Operations team exclusively manages network resources in the host project, maintaining control over firewalls, routes, and subnets.
- The Game Development team manages Compute Engine instances in service projects that use Shared VPC networks, preventing them from altering network infrastructure but allowing them to fully administer compute resources within the policy boundaries.
- IAM role assignment respects the principle of least privilege, ensuring networking and compute permissions do not overlap and sensitive data is isolated.
- It avoids the operational complexity and cost of maintaining cross-VPC VPN or peering links, and it keeps logging and monitoring of network activity centralized under the Networking Operations team.
This architecture also aligns with SRE best practices by reducing blast radius and clarifying ownership boundaries, facilitating smoother incident response and compliance audits.
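To make the Option C boundary concrete, the following gcloud script (an added example, not part of the original article) provisions the host/service layout and the IAM bindings. Project IDs, region, subnet name and group addresses are assumed placeholders; the script prints each command unless APPLY=1 is set, so it can be reviewed before anything is changed.

```shell
#!/usr/bin/env bash
# Added example: Shared VPC layout for Option C. All identifiers below are
# assumed placeholders, not values from the article.
set -euo pipefail

HOST_PROJECT="${HOST_PROJECT:-technova-net-host}"        # assumed project ID
SERVICE_PROJECT="${SERVICE_PROJECT:-technova-game-dev}"  # assumed project ID
REGION="${REGION:-us-central1}"
SUBNET="${SUBNET:-game-servers}"                         # assumed subnet name
NETOPS_GROUP="group:netops@example.com"                  # assumed group
GAMEDEV_GROUP="group:gamedev@example.com"                # assumed group

# Print the gcloud command instead of executing it unless APPLY=1 is set.
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

setup_shared_vpc() {
  # 1. Host project: Networking Operations owns the VPC, subnets and routes.
  run gcloud compute shared-vpc enable "$HOST_PROJECT"
  run gcloud projects add-iam-policy-binding "$HOST_PROJECT" \
      --member="$NETOPS_GROUP" --role=roles/compute.networkAdmin
  # Network Admin alone cannot manage firewall rules; Security Admin covers them.
  run gcloud projects add-iam-policy-binding "$HOST_PROJECT" \
      --member="$NETOPS_GROUP" --role=roles/compute.securityAdmin

  # 2. Service project: attached to the host project, no VPC of its own.
  #    Game Development gets Compute Admin here and nothing in the host project.
  run gcloud compute shared-vpc associated-projects add "$SERVICE_PROJECT" \
      --host-project="$HOST_PROJECT"
  run gcloud projects add-iam-policy-binding "$SERVICE_PROJECT" \
      --member="$GAMEDEV_GROUP" --role=roles/compute.admin

  # 3. The dev team must be able to *use* (not edit) the shared subnet, so
  #    grant Network User on that single subnet rather than on the host project.
  run gcloud compute networks subnets add-iam-policy-binding "$SUBNET" \
      --region="$REGION" --project="$HOST_PROJECT" \
      --member="$GAMEDEV_GROUP" --role=roles/compute.networkUser
}

setup_shared_vpc
```

Without APPLY=1 the script only lists the commands it would run, which is a convenient way to review the role-to-project mapping before applying it.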
Professional-Level Analysis #
This section breaks down the scenario from a professional exam perspective, focusing on constraints, trade-offs, and the decision signals used to eliminate incorrect options.
Expert Deep Dive: Why Options Fail #
This walkthrough explains how the exam expects you to reason through the scenario step by step, highlighting the constraints and trade-offs that invalidate each incorrect option.
The Traps (Distractor Analysis) #
This section explains why each incorrect option looks reasonable at first glance, and the specific assumptions or constraints that ultimately make it fail.
The difference between the correct answer and the distractors comes down to one decision assumption most candidates overlook.
Why not Option A?
While this separates network and compute in different projects and VPCs, using Cloud VPN adds operational complexity, higher latency, and additional egress costs. More importantly, it does not leverage the cleaner, scalable network model provided by Shared VPC.

Why not Option B?
Assigning both Network Admin and Compute Admin roles in the same project risks overlapping permissions and increases the attack surface. The Networking team would inherit Compute Engine access, violating the data access policy and the principle of least privilege.

Why not Option D?
VPC Peering provides low-latency connectivity but does not centralize network management and requires managing multiple independent VPCs. It also involves additional configuration overhead and lacks centralized firewall enforcement compared to Shared VPC.
The Solution Blueprint #
This blueprint visualizes the expected solution, showing how services interact and which architectural pattern the exam is testing.
Seeing the full solution end to end often makes the trade-offs, and the failure points of the simpler options, immediately clear.
```mermaid
flowchart TB
    NetworkingOps["Networking Ops Team\nHost Project\n(Shared VPC Network)"] -->|Network Admin Role| HostProject["VPC Host Project"]
    GameDev["Game Dev Team\nService Project"] -->|Compute Admin Role| ServiceProject["Shared VPC Service Project"]
    ServiceProject -- Uses --> HostProject
    HostProject -->|"Shared VPC Network"| ComputeInstances["Compute Engine Instances"]
    classDef blueTeam fill:#1a73e8,stroke:#333,stroke-width:2.5px,color:#fff,font-size:17px
    classDef service fill:#4285F4,stroke:#333,stroke-width:2.5px,color:#fff,font-size:17px
    class NetworkingOps,HostProject blueTeam
    class GameDev,ServiceProject,ComputeInstances service
```
Diagram Note: The Networking Operations team manages the shared VPC network centrally in the host project; the Game Development team administers Compute Engine instances in the service project using the Shared VPC network without direct access to network infrastructure.
The Decision Matrix #
This matrix compares all options across cost, complexity, and operational impact, making the trade-offs explicit and the correct choice logically defensible.
At the professional level, the exam expects you to justify your choice by explicitly comparing cost, complexity, and operational impact.
| Option | Est. Complexity | Est. Monthly Cost | Pros | Cons |
|---|---|---|---|---|
| A | Medium | Medium (VPN egress + ops) | Logical separation; dedicated VPCs per team | VPN adds latency, cost, operational complexity |
| B | Low | Low | Simple project structure | Violates least privilege; Networking team sees sensitive data |
| C | Medium | Low (shared infra) | Clear separation; centralized network; least privilege | Requires understanding Shared VPC setup |
| D | Medium | Medium (VPC peering cost) | Separate VPCs with low-latency peering | Decentralized network control; operational overhead |
Real-World Practitioner Insight #
This section connects the exam scenario to real production environments, highlighting how similar decisions are made, and often misjudged, in practice.
This is the kind of decision that frequently looks correct on paper, but creates long-term friction once deployed in production.
Exam Rule #
For PCA, apply Shared VPC when you have distinct teams managing network and compute resources but need tight security and operational boundaries.
Real World #
In practical deployments, Shared VPC improves scalability and reduces administrative overhead versus VPN or peering between independent VPCs while enforcing strict IAM boundaries. However, it requires developers and network teams to coordinate roles and quotas carefully, enforcing service-level agreements for network changes.