
Project isolation is one of those topics on the Professional Cloud Architect exam where the question looks simple until you realize there are two completely different layers of the stack you can isolate at. The exam will hand you a scenario about keeping projects from talking to each other, and you have to pick the right tool for the layer the scenario actually cares about.
I want to walk through the two techniques side by side so you can tell them apart on exam day.
The first technique is the simplest one. You put each project in its own VPC and you do not configure any peering or shared routing between them. That is it. If there is no network path connecting VPC Network A in Project A to VPC Network B in Project B, traffic cannot flow between them.
This is isolation at the network layer. You are drawing a boundary at the level of IP routing. The subnets in Project A have no route to the subnets in Project B because you never created the relationship that would allow one. No VPC peering, no shared VPC configuration, no Cloud VPN or Interconnect tying them together.
This works well for separating environments or departments. If you want production and development in different projects with no possibility of network traffic crossing between them, separate VPCs with no peering gives you that. It also satisfies a lot of compliance requirements because the boundary is structural rather than policy-based.
VPC Service Controls operate at a different layer entirely. Instead of controlling whether packets can traverse the network, they control whether one project's resources can call into another project's Google Cloud services.
You define a security perimeter around a project. Inside that perimeter, your services can talk to each other normally. Outside the perimeter, requests get blocked even when the underlying network would technically allow them. The perimeter is a service-layer construct, not a routing construct.
The classic problem this solves is data exfiltration. A user with permissions to read data from a Cloud Storage bucket in Project A could in principle copy that data to a bucket in Project B. Network controls do not stop this because the user is just calling Google APIs from their workstation. VPC Service Controls do stop it because the destination bucket sits outside the perimeter.
You can also configure access levels on a perimeter. An access level lets requests through when they meet conditions you specify, things like a particular IP range, a specific identity, or device attributes from BeyondCorp. This is how you allow your office network or a managed device pool to reach services inside the perimeter while still blocking everything else.
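As an added example (not code from the original post or from Google), here is what the perimeter and access level just described look like in Terraform: the perimeter wraps a data project and restricts Cloud Storage and BigQuery, and an access level admits requests only from an office IP range or one specific identity. The organization ID, project number, CIDR and service account are placeholders.

```hcl
# Added example: VPC Service Controls perimeter plus access level.
# Every ID below is a placeholder; replace with your own values.
variable "org_id"           { default = "123456789012" }   # placeholder org ID
variable "data_project_num" { default = "111111111111" }   # placeholder project number
variable "corp_cidr"        { default = "203.0.113.0/24" } # constructed office range
variable "etl_sa"           { default = "serviceAccount:etl@example-project.iam.gserviceaccount.com" } # placeholder

# Organization-level access policy that owns the access levels and perimeters.
resource "google_access_context_manager_access_policy" "org_policy" {
  parent = "organizations/${var.org_id}"
  title  = "org-access-policy"
}

# Access level: a request matches if it comes from the office range OR from the
# ETL service account. This is evaluated at the API layer, independent of routing.
resource "google_access_context_manager_access_level" "corp_access" {
  parent = "accessPolicies/${google_access_context_manager_access_policy.org_policy.name}"
  name   = "accessPolicies/${google_access_context_manager_access_policy.org_policy.name}/accessLevels/corp_access"
  title  = "corp_access"

  basic {
    # Conditions in one "basic" block are ORed; fields inside a condition are ANDed.
    conditions {
      ip_subnetworks = [var.corp_cidr]
    }
    conditions {
      members = [var.etl_sa]
    }
  }
}

# Service perimeter around the data project. Calls to the restricted services
# from outside the perimeter are denied unless they satisfy an access level,
# even when the caller's VPC could route to Google's API endpoints.
resource "google_access_context_manager_service_perimeter" "data_perimeter" {
  parent = "accessPolicies/${google_access_context_manager_access_policy.org_policy.name}"
  name   = "accessPolicies/${google_access_context_manager_access_policy.org_policy.name}/servicePerimeters/data_perimeter"
  title  = "data_perimeter"

  status {
    resources           = ["projects/${var.data_project_num}"]
    restricted_services = ["storage.googleapis.com", "bigquery.googleapis.com"]
    access_levels       = [google_access_context_manager_access_level.corp_access.name]
  }
}
```

A copy from a bucket in this project to a bucket in a project outside the perimeter is refused at the Storage API regardless of who holds the IAM permission, which is the exfiltration case the paragraph above describes.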
The Professional Cloud Architect exam tests this distinction by describing a scenario and asking which technique fits. The trick is to listen for what the scenario is actually trying to prevent.
If the scenario talks about packets, routing, peering, or network reachability between workloads, you want separate VPCs. The concern is at the network layer.
If the scenario talks about preventing someone from copying data out of a project, restricting which users or devices can call Google Cloud APIs, or stopping cross-project access to managed services like BigQuery or Cloud Storage, you want VPC Service Controls. The concern is at the service layer.
The two techniques are not mutually exclusive. A serious isolation design uses both. Separate VPCs prevent network paths from existing in the first place, and VPC Service Controls prevent service calls from crossing project boundaries even when the network would allow them. Layering them gives you defense in depth, which is why questions about sensitive workloads often have an answer that involves both.
The Professional Cloud Architect exam wants to know that you understand isolation is not a single concept. It is a layered concept, and the layer matters. A wrong answer on these questions usually comes from picking the right idea at the wrong layer, like reaching for VPC Service Controls when the scenario was really about preventing network connectivity, or reaching for separate VPCs when the scenario was about API-level data movement.
Read the scenario carefully and identify which layer of the stack the threat is operating at. The technique follows from that.
My Professional Cloud Architect course covers project isolation alongside the rest of the networking material.