Professional Cloud Network Engineer Exam: Designing Network Topology for Department Isolation

Question

Your organization is deploying a single project for 3 separate departments.

Two of these departments require network connectivity between each other, but the third department should remain in isolation.

Your design should create separate network administrative domains between these departments.

You want to minimize operational overhead.

How should you design the topology?

Answers

Explanations

A.

Use Shared VPC to connect resources from multiple projects to a common VPC network.

Resources in those service projects can communicate with each other securely and efficiently across project boundaries using internal IPs.

You can manage shared network resources, such as subnets, routes, and firewalls, from a central host project, enabling you to apply and enforce consistent network policies across the projects.

With Shared VPC and IAM controls, you can separate network administration from project administration.

This separation helps you implement the principle of least privilege.

For example, a centralized network team can administer the network without having any permissions into the participating projects.

Similarly, the project admins can manage their project resources without any permissions to manipulate the shared network.

https://cloud.google.com/docs/enterprise/best-practices-for-enterprise-organizations

To design a network topology that provides network connectivity between two departments while keeping the third department isolated, there are multiple ways to approach this problem. However, to minimize operational overhead, we should opt for a design that is easy to manage and scale in the future.

Option A: Create a Shared VPC Host Project and the respective Service Projects for each of the 3 separate departments. This approach involves creating a Shared VPC Host Project and separate Service Projects for each department. The Shared VPC Host Project acts as a centralized point of management for networking resources, while the Service Projects contain the VMs and other resources for each department. By creating separate Service Projects for each department, we can isolate the resources and administrative domains for each department. Additionally, we can establish network connectivity between the two appropriate VPCs by using VPC peering, which allows us to connect two VPCs using private IP addresses.

Option B: Create 3 separate VPCs, and use Cloud VPN to establish connectivity between the two appropriate VPCs. This approach involves creating three separate VPCs, with two VPCs connected using Cloud VPN to establish network connectivity. We can create a custom route to prevent the third department from accessing the connected VPCs. However, this approach can be more complex to manage, as we need to configure and manage VPN tunnels, route tables, and firewall rules.

Option C: Create 3 separate VPCs, and use VPC peering to establish connectivity between the two appropriate VPCs. This approach is similar to Option B, but instead of using Cloud VPN, we use VPC peering to establish network connectivity between the two appropriate VPCs. This approach is easier to manage, as VPC peering automatically routes traffic between the VPCs, and we do not need to configure and manage VPN tunnels.

Option D: Create a single project, and deploy specific firewall rules. Use network tags to isolate access between the departments. This approach involves creating a single project and using firewall rules to isolate network traffic between departments. We can use network tags to define which resources are allowed to communicate with each other. However, this approach can be challenging to scale, as we need to add new firewall rules and update network tags whenever a new department is added.

In conclusion, the best approach for minimizing operational overhead while creating separate network administrative domains between departments is Option A: Create a Shared VPC Host Project and the respective Service Projects for each of the 3 separate departments. By using VPC peering, we can establish network connectivity between the appropriate VPCs while keeping the third department isolated.
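Translating the Option A design into gcloud commands, as an added example that is not part of this page or of Google's documentation: the host project ID, service project IDs, region, group addresses and CIDR ranges are hypothetical placeholders, and the script defaults to printing each command rather than executing it.

```shell
#!/usr/bin/env bash
# Added example, not from the exam page: gcloud commands that build the
# Option A topology. All project IDs, groups and CIDR ranges are hypothetical.
set -eu

HOST="net-host-prj"                                          # Shared VPC host project
SVC_A="dept-a-prj"; SVC_B="dept-b-prj"; SVC_C="dept-c-prj"   # one service project per department
REGION="us-central1"

# DRY_RUN=1 (the default) prints each command instead of executing it,
# so the plan can be reviewed before it touches a real organization.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then echo "gcloud $*"; else gcloud "$@"; fi
}

build_topology() {
  # 1. Central host project; each department is attached as a service project.
  run compute shared-vpc enable "$HOST"
  for svc in "$SVC_A" "$SVC_B" "$SVC_C"; do
    run compute shared-vpc associated-projects add "$svc" --host-project="$HOST"
  done
  # 2. One VPC and subnet per department, all owned by the host project.
  #    Ranges must not overlap, or the A<->B peering will be rejected.
  i=0
  for dept in a b c; do
    run compute networks create "vpc-$dept" --project="$HOST" --subnet-mode=custom
    run compute networks subnets create "sn-$dept" --project="$HOST" \
      --network="vpc-$dept" --region="$REGION" --range="10.$i.0.0/24"
    i=$((i + 1))
  done
  # 3. Peering is configured from both sides; vpc-c gets none, so it stays isolated.
  run compute networks peerings create a-to-b --project="$HOST" \
    --network=vpc-a --peer-project="$HOST" --peer-network=vpc-b
  run compute networks peerings create b-to-a --project="$HOST" \
    --network=vpc-b --peer-project="$HOST" --peer-network=vpc-a
  # 4. Least privilege: a department can deploy only into its own subnet.
  for dept in a b c; do
    run compute networks subnets add-iam-policy-binding "sn-$dept" \
      --project="$HOST" --region="$REGION" \
      --member="group:dept-$dept-devs@example.com" --role=roles/compute.networkUser
  done
}

# Sanity check of the plan: count peering commands that mention the isolated VPC.
peerings_to_c() {
  DRY_RUN=1 build_topology | grep 'peerings create' | grep -c 'vpc-c' || true
}

build_topology
```

Run with `DRY_RUN=0` once the printed plan has been reviewed against the intended isolation.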