VPC setup for (micro) services - shared vs. peering vs. one project - best practice

Somewhat related to this and this. This is a very basic and probably noob question.

I want to set up a couple of services (mix of GCE, GAE, GCR and GCF) in the GCP (one org). Some of them need to communicate with one another, others don't. Of course, I don't want to expose any service to the internet without good reason, so they should communicate internally (via their internal IPs / DNS). Different services belong to different teams and thus I'd like to put them into different projects.

Of course, I did some research and the three options I see are:

A) put everything in one project
B) pick one project as the host project and use Shared VPC
C) use peering where required

There are pros and cons for each.

A - easy but also violates least privilege, no clear separation of services
B - also quite easy but everything can connect to everything else, not quite clear which project should be the host, the host decides FW rules etc. alone - what if, e.g., I need to connect to a DB from my local machine?
C - seems good but is limited to 25 peers - what if a service needs to connect to more than that?

I feel like I'm missing something basic. Projects are isolated from one another by default, right? They start with the default VPC and if I were to create two VMs in two vanilla projects they'd receive the same internal IP. You may have noticed that I don't have a strong background in network design.

What's a good pick and what are some best practices for this scenario (and why)? Am I missing some options?


Solution 1:

For the stated circumstances, I would recommend shared VPC.

Usually the most centralized project is the recommended host project in Shared VPC, but for a big organisation it is also a good idea to create a dedicated project as the host project and attach one or more service projects to it.

Shared VPC enables an excellent level of segregation, access control and data transfer when used in combination with Cloud IAM, firewall rules and Identity-Aware Proxy.

Please refer to the following links for detailed information on Shared VPC:

https://www.youtube.com/watch?v=WotV3D01tJA

https://cloud.google.com/vpc/docs/shared-vpc

Shared VPC can also be used in tandem with VPC Peering to get the best-of-both-worlds features. Please refer to this link for detailed information on that:
https://cloud.google.com/vpc/docs/vpc-peering#shared_vpc
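To make option B from the question concrete, and to show how the answer's combination of Shared VPC, IAM, firewall rules and IAP addresses the "everything can connect to everything" and "DB from my local machine" concerns, here is an added Terraform example. It is not code from the question, the answer or Google; every project ID, subnet CIDR, service-account name and group address is a placeholder assumption. It uses a dedicated host project, one subnet per team, subnet-scoped `roles/compute.networkUser` grants so a team can only place workloads in its own subnet, firewall rules keyed on VM service accounts instead of open internal ranges, and an IAP TCP-forwarding rule instead of an external IP for the database.

```hcl
# Added example, not from the original post or answer. All IDs, CIDRs,
# service accounts and groups below are assumed placeholders.

locals {
  host_project = "net-host-prj"     # assumed: dedicated Shared VPC host project
  team_a_prj   = "team-a-svc-prj"   # assumed: service project of team A
  team_b_prj   = "team-b-svc-prj"   # assumed: service project of team B
  region       = "europe-west1"
  api_sa       = "api@${local.team_a_prj}.iam.gserviceaccount.com" # assumed VM SA
  db_sa        = "db@${local.team_b_prj}.iam.gserviceaccount.com"  # assumed VM SA
}

# 1. The host project owns the network; service projects only use it.
resource "google_compute_shared_vpc_host_project" "host" {
  project = local.host_project
}

resource "google_compute_shared_vpc_service_project" "team_a" {
  host_project    = google_compute_shared_vpc_host_project.host.project
  service_project = local.team_a_prj
}

resource "google_compute_shared_vpc_service_project" "team_b" {
  host_project    = google_compute_shared_vpc_host_project.host.project
  service_project = local.team_b_prj
}

# 2. Custom-mode network: no auto subnets and none of the default VPC's
#    broad "allow internal" rules. Ingress is implicitly denied.
resource "google_compute_network" "shared" {
  project                 = local.host_project
  name                    = "shared-vpc"
  auto_create_subnetworks = false
}

# One subnet per team. Private Google Access lets VMs without external IPs
# reach Google APIs (e.g. pulling from GCR) without touching the internet.
resource "google_compute_subnetwork" "team_a" {
  project                  = local.host_project
  name                     = "team-a-subnet"
  region                   = local.region
  network                  = google_compute_network.shared.id
  ip_cidr_range            = "10.10.0.0/24"
  private_ip_google_access = true
}

resource "google_compute_subnetwork" "team_b" {
  project                  = local.host_project
  name                     = "team-b-subnet"
  region                   = local.region
  network                  = google_compute_network.shared.id
  ip_cidr_range            = "10.20.0.0/24"
  private_ip_google_access = true
}

# 3. Least privilege at subnet level, not host-project level: team A's
#    deployers may attach resources to team A's subnet only.
resource "google_compute_subnetwork_iam_member" "team_a_users" {
  project    = local.host_project
  region     = local.region
  subnetwork = google_compute_subnetwork.team_a.name
  role       = "roles/compute.networkUser"
  member     = "group:team-a-deployers@example.com" # assumed group
}

resource "google_compute_subnetwork_iam_member" "team_b_users" {
  project    = local.host_project
  region     = local.region
  subnetwork = google_compute_subnetwork.team_b.name
  role       = "roles/compute.networkUser"
  member     = "group:team-b-deployers@example.com" # assumed group
}

# 4. Firewall rules on identity, not on "anything in the VPC": only VMs
#    running as team A's API service account may reach team B's DB VMs.
resource "google_compute_firewall" "a_api_to_b_db" {
  project                 = local.host_project
  name                    = "allow-team-a-api-to-team-b-db"
  network                 = google_compute_network.shared.name
  direction               = "INGRESS"
  source_service_accounts = [local.api_sa]
  target_service_accounts = [local.db_sa]
  allow {
    protocol = "tcp"
    ports    = ["5432"]
  }
}

# 5. "Connect to the DB from my laptop" without an external IP: admit only
#    IAP's TCP-forwarding source range (35.235.240.0/20) to the DB VMs, then
#    gate who may open a tunnel with IAM in the project that owns the VMs.
resource "google_compute_firewall" "iap_to_b_db" {
  project                 = local.host_project
  name                    = "allow-iap-tunnel-to-team-b-db"
  network                 = google_compute_network.shared.name
  direction               = "INGRESS"
  source_ranges           = ["35.235.240.0/20"]
  target_service_accounts = [local.db_sa]
  allow {
    protocol = "tcp"
    ports    = ["22", "5432"]
  }
}

resource "google_project_iam_member" "team_b_iap_tunnel" {
  project = local.team_b_prj
  role    = "roles/iap.tunnelResourceAccessor"
  member  = "group:team-b-dbas@example.com" # assumed group
}
```

With this in place, a team B DBA reaches the database from a workstation with `gcloud compute start-iap-tunnel <db-vm> 5432 --local-host-port=localhost:5432 --project team-b-svc-prj --zone <zone>`, authenticated by their Google identity rather than by an exposed port. Nothing in team A's project can reach team B's VMs unless a rule in the host project names its service account, which keeps firewall policy centralized but not "everything to everything". App Engine and Cloud Functions workloads in a service project reach these subnets through a Serverless VPC Access connector in that project, which this example does not create.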