This approach is a good fit when Shared VPCs are used across multiple application/infrastructure teams. A central repository keeps environment/team specific folders with firewall definitions in `yaml` format. This is the high level diagram:
| *project_services* | Service APIs enabled by default in new projects. | <codetitle="list(string)">list(string)</code> | | <codetitle="[ "container.googleapis.com", "dns.googleapis.com", "stackdriver.googleapis.com", ]">...</code> |