
My vision is to create an intranet at, say, https://intra.sample.com without a firewall where users authenticate via IAP to an https load balancer and users anywhere on the internet (i.e., at home) can access multiple apps based on path mapping, e.g. intra.sample.com/hr and intra.sample.com/timesheet. These apps are in separate service projects, but are part of a shared VPC. Scalability is not important as these are just internal services for employees.

Benefits to this approach are that (1) client VPN software is not required and (2) a single external IP is accessible only through authentication, which users already use for access to GSuite.

My problem is that the Shared VPC docs say that all paths must map to a single project. ("All load balancing components must exist in the same project, either all in a host project or all in a service project. Creating some load balancer components in a host project and others in an attached service project is not supported.")

So what is the solution? Should my host project run a self-managed reverse proxy instance? And that reverse proxy would map paths to addresses for internal load balancers in each project (or directly to singleton hosts providing service)?

If so, will the project apps be able to retrieve the openid and profile for the authenticated user using the OAuth 2.0 API or is that information lost in the double hop?

dk.
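As an added illustration of the host-project reverse proxy sketched in the question (not an answer from the page, and not the asker's configuration), here is a hypothetical nginx configuration that does the path mapping and passes the IAP identity headers through to the per-project backends. The backend addresses are constructed placeholders; the header names are the ones IAP sets on requests it has authenticated.

```nginx
# Hypothetical nginx config for the reverse proxy in the host project.
# Constructed addresses for the internal load balancers in each service project:
upstream hr_backend        { server 10.10.1.10:8080; }
upstream timesheet_backend { server 10.10.2.10:8080; }

server {
    listen 8080;
    server_name intra.sample.com;

    # The external HTTPS load balancer fronted by IAP is the only intended client.
    # IAP adds these headers after authenticating the user; forward them unchanged
    # so each app can still identify the user after the second hop.
    # Only X-Goog-IAP-JWT-Assertion is signed by Google. The X-Goog-Authenticated-User-*
    # values are plain strings, so each app should verify the JWT (signature, issuer,
    # and the audience of its backend service) rather than trust the plain headers,
    # because anything able to reach the internal load balancers could set them.
    proxy_set_header Host                            $host;
    proxy_set_header X-Goog-IAP-JWT-Assertion        $http_x_goog_iap_jwt_assertion;
    proxy_set_header X-Goog-Authenticated-User-Email $http_x_goog_authenticated_user_email;
    proxy_set_header X-Goog-Authenticated-User-ID    $http_x_goog_authenticated_user_id;
    proxy_set_header X-Forwarded-For                 $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto               https;

    # Path mapping: strip the prefix and hand each app to its own project's backend.
    location /hr/ {
        proxy_pass http://hr_backend/;
    }
    location /timesheet/ {
        proxy_pass http://timesheet_backend/;
    }

    # Anything that is not a published app is refused rather than proxied blindly.
    location / {
        return 404;
    }
}
```

The proxy itself should only be reachable from the external load balancer (for example via firewall rules on the host project), so that the forwarded headers always originate from IAP.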
