VPC setup for (micro) services - shared vs. peering vs. one project - best practice

networking google-cloud-platform vpc-peering

Somewhat related to this and this. This is a very basic and probably noob question.

I want to set up a couple of services (mix of GCE, GAE, GCR and GCF) in the GCP (one org). Some of them need to communicate with one another, others don't. Of course, I don't want to expose any service to the internet without good reason, so they should communicate internally (via their internal IPs / DNS). Different services belong to different teams and thus I'd like to put them into different projects.

Of course, I did some research and the three options I see are:

A) put everything in one project
B) pick one project as the host project and use Shared VPC
C) use peering where required

There are pros and cons for each.

A - easy but also violates least privilege, no clear separation of services
B - also quite easy but everything can connect to everything else, not quite clear which project should be the host, the host decieds FW rules etc. alone - what if, e.g., I need to connect to a DB from my local machine?
C - seems good but is limited to 25 peers - what if a service needs to connect to more than that?

I feel like I'm missing something basic. Projects are isolated from one another by default, right? They start with the default VPC and if I were to create two VMs in two vanilla projects they'd receive the same internal IP. You may have noticed that I don't have a strong background in network design.

What's a good pick and what are some best practices for this scenario (and why)? Am I missing some options?


Solution 1:

For the stated circumstances, I would recommend shared VPC.

Usually the most centralized project is recommended to be used as a host project in shared VPC, but for a big organisation, it is also a good idea to create a separate project as a host project, which is then attached to one or more service projects.

Shared VPC enables excellent level of segregation, access control and data transfer when used in coalition with cloud IAM, firewall rules and Identity aware proxy.

Please refer to following links for detailed information on shared VPC -

https://www.youtube.com/watch?v=WotV3D01tJA

https://cloud.google.com/vpc/docs/shared-vpc

Shared VPC can also be used in tandem with VPC Peering to provide best of both world features, please refer to this link for detailed information on that -
https://cloud.google.com/vpc/docs/vpc-peering#shared_vpc

Related

Using Redis in an untrusted environment (multiple users)
Remote Desktop Connection: "This computer can't connect to the remote computer"
Restoring the partition table and a fsarchiver backup from a dead disk to a new one
Is it possible to close the gui of a virtualbox vm and return it to headlessly running without rebooting it with opensuse as host system
sudo prompts for password even though suders entry specifies NOPASSWD
LaTeX Equations in MS Word/OpenOffice?
Synergy Not Switching monitors correctly using dual monitors on host and client
Powershell - how to add number of files along size of the folder that contains the files, recursively
Windows 10 Enterprise will expire soon
I have no IP address after resetting my network
How to properly configure Virtual Box network settings?
How to limit download speed per port on the network?