GCP

A comprehensive guide to Google Cloud Platform project setup patterns, from single-project/single-VPC designs through multi-region active-active architectures and enterprise landing zones.

Architecture Patterns at a Glance

| Pattern | Scope | Complexity | Typical Use Case |
|---|---|---|---|
| Single Project + Single VPC | One project, one VPC | Low | Small teams, prototypes, single-application workloads |
| Multi-VPC (Shared VPC) | Host project + service projects | Medium | Enterprise with centralized networking, multi-team isolation |
| Multi-VPC (VPC Peering) | Peer-to-peer VPC connections | Medium | SaaS offerings, inter-organization connectivity |
| Private Service Connect | Service-oriented private access | Medium | Consuming/producing managed services privately across VPC boundaries |
| Multi-Project + Folders | Organization hierarchy | High | Large enterprises with regulated environments |
| Multi-Zone / Multi-Region | Cross-zone and cross-region deployments | High | Production workloads requiring HA and DR |
| DR: Pilot Light | Minimal standby in secondary region | Medium | Cost-optimized DR, tolerates hours of downtime |
| DR: Warm Standby | Scaled-down full replica | Medium-High | Most enterprises; minutes-level RTO/RPO |
| DR: Active-Active | Full duplicate in multiple regions | Very High | Mission-critical apps requiring zero downtime |
| DMZ-Less (Google Recommended) | Private subnets + managed edge | Medium | Modern GCP deployments; no traditional DMZ needed |
| GCP Landing Zone | Org-wide foundation | Very High | Greenfield enterprise adoption of GCP |

Key GCP Services

Networking

  • VPC -- global virtual network with regional subnets
  • Shared VPC -- centralized networking across projects via host/service model
  • VPC Network Peering -- peer-to-peer internal connectivity between VPCs
  • Private Service Connect -- service-oriented private access to managed services and Google APIs
  • Cloud NAT -- managed outbound NAT for private resources
  • Cloud Interconnect / Cloud VPN -- hybrid connectivity to on-premises
  • Cloud Load Balancing -- global and regional L4/L7 load balancers (external load balancers sit outside the VPC)
  • Cloud DNS -- managed DNS with health-check-based routing
  • VPC Service Controls -- perimeter-based security for Google-managed APIs
  • Cloud Armor -- DDoS protection and WAF for external load balancers

Compute and Orchestration

  • Compute Engine -- VMs (zonal); Regional MIGs for cross-zone HA
  • GKE / GKE Enterprise -- managed Kubernetes; fleet-level multi-cluster management
  • Cloud Run -- serverless containers, multi-region deployment support

Data

  • Cloud SQL -- managed relational DB with HA and cross-region read replicas
  • Cloud Spanner -- globally distributed relational DB (multi-region, 99.999% SLA)
  • AlloyDB -- PostgreSQL-compatible with cross-region replicas
  • Cloud Bigtable -- wide-column NoSQL with built-in replication
  • Cloud Storage -- dual-region and multi-region buckets for DR
  • Firestore -- multi-region document DB (native mode)

Management and Governance

  • Resource Manager -- organization, folder, project hierarchy with policy inheritance
  • Organization Policies -- org-level constraints (location, OS Login, external IPs, etc.)
  • IAM -- fine-grained identity-based access with roles, conditions, deny policies
  • Security Command Center -- threat detection and security posture management
  • Cloud Build / Cloud Deploy -- CI/CD for infrastructure and applications
  • Terraform / Cloud Foundation Toolkit -- IaC for landing zone automation

Real-World Examples

| Scenario | Pattern(s) Used |
|---|---|
| Startup running a monolithic web app | Single Project + Single VPC |
| Mid-size SaaS company with 10+ microservices teams | Shared VPC with service projects per team |
| Large bank migrating to GCP with regulatory requirements | Full Landing Zone: Folders, Shared VPC, VPC Service Controls, SCC Premium |
| E-commerce platform needing 99.99% uptime | Multi-zone deployment with Global HTTP(S) LB, Cloud SQL HA, Warm Standby DR |
| Global payments processor | Active-Active multi-region with Cloud Spanner, Global LB, GKE Enterprise fleet |
| Manufacturing company with on-premises data center | Hub-and-Spoke Shared VPC + Cloud Interconnect + Pilot Light DR |

Questions

  • When should you choose Shared VPC over VPC Peering for inter-project connectivity?
  • What are the exact organization policies that should be set as baseline for any new GCP organization?
  • How does Private Service Connect compare to VPC Peering for SaaS consumption patterns?
  • What is the cost differential between Pilot Light, Warm Standby, and Active-Active DR for a typical 3-tier web application?