Somewhat related to this and this. This is a very basic and probably noob question.
I want to set up a couple of services (mix of GCE, GAE, GCR and GCF) in the GCP (one org). Some of them need to communicate with one another, others don't. Of course, I don't want to expose any service to the internet without good reason, so they should communicate internally (via their internal IPs / DNS). Different services belong to different teams and thus I'd like to put them into different projects.
Of course, I did some research and the three options I see are:
A) put everything in one project
B) pick one project as the host project and use Shared VPC
C) use peering where required
There are pros and cons for each.
A - easy but also violates least privilege, no clear separation of services
B - also quite easy but everything can connect to everything else, not quite clear which project should be the host, the host decides FW rules etc. alone - what if, e.g., I need to connect to a DB from my local machine?
C - seems good but is limited to 25 peers - what if a service needs to connect to more than that?
I feel like I'm missing something basic. Projects are isolated from one another by default, right? They start with the default VPC and if I were to create two VMs in two vanilla projects they'd receive the same internal IP. You may have noticed that I don't have a strong background in network design.
What's a good pick and what are some best practices for this scenario (and why)? Am I missing some options?
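To make option B less "everything can connect to everything else", here is an added example (not part of the original question, and not Google's own sample code) of a Shared VPC layout driven by `gcloud`: the host project owns the network, each team's service project is granted `roles/compute.networkUser` only on its own subnet, and firewall rules are keyed on service accounts rather than IP ranges, on top of an explicit logged deny-all. All project ids, subnet ranges and service-account names are placeholders I made up; by default the script only prints the commands (`GCLOUD=gcloud ./script.sh` would execute them).

```shell
#!/bin/sh
# Added example, not from the original post. Shared VPC with per-team subnets and
# service-account-scoped firewall rules. Every project id, CIDR and service
# account below is an assumed placeholder.
# Default is a dry run that prints the commands; set GCLOUD=gcloud to execute.
GCLOUD="${GCLOUD:-echo gcloud}"

HOST_PROJECT="${HOST_PROJECT:-net-host-project}"   # placeholder host project
REGION="${REGION:-europe-west1}"
NETWORK="shared-net"

# Host network in custom mode (no auto subnets), plus an explicit, logged
# deny-all ingress rule just above the implied one so the default posture
# shows up in firewall logs instead of being invisible.
create_host_network() {
  $GCLOUD compute shared-vpc enable "$HOST_PROJECT"
  $GCLOUD compute networks create "$NETWORK" \
    --project="$HOST_PROJECT" --subnet-mode=custom
  $GCLOUD compute firewall-rules create "$NETWORK-deny-all-ingress" \
    --project="$HOST_PROJECT" --network="$NETWORK" --direction=INGRESS \
    --action=DENY --rules=all --priority=65534 --enable-logging
}

# attach_team SERVICE_PROJECT SUBNET CIDR DEPLOY_SERVICE_ACCOUNT
# Attaches a team's project and gives its deploy identity networkUser on
# one subnet only, so the team cannot place workloads in other teams' ranges.
attach_team() {
  svc_project="$1"; subnet="$2"; cidr="$3"; sa="$4"
  $GCLOUD compute shared-vpc associated-projects add "$svc_project" \
    --host-project="$HOST_PROJECT"
  $GCLOUD compute networks subnets create "$subnet" \
    --project="$HOST_PROJECT" --network="$NETWORK" --region="$REGION" \
    --range="$cidr" --enable-private-ip-google-access
  $GCLOUD compute networks subnets add-iam-policy-binding "$subnet" \
    --project="$HOST_PROJECT" --region="$REGION" \
    --member="serviceAccount:$sa" --role="roles/compute.networkUser"
}

# allow_service_to_service RULE_NAME FROM_SA TO_SA PORTS
# Keyed on service accounts, not CIDRs: the rule survives re-IPing and is not
# widened by someone launching an unrelated VM inside the "right" subnet.
allow_service_to_service() {
  $GCLOUD compute firewall-rules create "$1" \
    --project="$HOST_PROJECT" --network="$NETWORK" \
    --direction=INGRESS --action=ALLOW --rules="$4" \
    --source-service-accounts="$2" --target-service-accounts="$3" \
    --enable-logging
}

plan() {
  create_host_network
  attach_team team-a-project team-a-subnet 10.10.1.0/24 \
    deploy@team-a-project.iam.gserviceaccount.com
  attach_team team-b-project team-b-subnet 10.10.2.0/24 \
    deploy@team-b-project.iam.gserviceaccount.com
  # Only team A's API tier may reach team B's database, and only on 5432;
  # everything else between the teams stays blocked by the deny-all rule.
  allow_service_to_service allow-a-api-to-b-db \
    api@team-a-project.iam.gserviceaccount.com \
    db@team-b-project.iam.gserviceaccount.com tcp:5432
}

plan
```

The point of the layout is that the host project's network admin decides the topology once, while each allow rule names an exact source and target identity and a port, so a new pair of services needs an explicit, reviewable rule rather than inheriting reachability from sharing a VPC.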