How should you design the topology?

Your organization is deploying a single project for 3 separate departments. Two of these departments require network connectivity between each other, but the third department should remain in isolation. Your design should create separate network administrative domains between these departments. You want to minimize operational overhead.

How should you design the topology?
A. Create a Shared VPC Host Project and the respective Service Projects for each of the 3 separate departments.
B. Create 3 separate VPCs, and use Cloud VPN to establish connectivity between the two appropriate VPCs.
C. Create 3 separate VPCs, and use VPC peering to establish connectivity between the two appropriate VPCs.
D. Create a single project, and deploy specific firewall rules. Use network tags to isolate access between the departments.

Answer: A

Explanation:

Use Shared VPC to connect resources from multiple projects to a common VPC network. Resources in those projects can communicate with each other securely and efficiently across project boundaries using internal IPs. You can manage shared network resources, such as subnets, routes, and firewalls, from a central host project, enabling you to apply and enforce consistent network policies across the projects.

With Shared VPC and IAM controls, you can separate network administration from project administration. This separation helps you implement the principle of least privilege. For example, a centralized network team can administer the network without having any permissions into the participating projects. Similarly, the project admins can manage their project resources without any permissions to manipulate the shared network.

Reference: https://cloud.google.com/docs/enterprise/best-practices-for-enterprise-organizations
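One way the accepted answer can be realized, as an added Terraform example that is not part of the original page or of Google's documentation: a single host project owns two VPCs (departments A and B share one, department C gets its own, with no peering or VPN between them), the three department projects attach as service projects, and each department is granted networkUser on its own subnet only. Project IDs, group names, region and CIDR ranges are placeholders.

```hcl
# Host project: the central network administrative domain (project ID is a placeholder).
resource "google_compute_shared_vpc_host_project" "host" {
  project = "net-host-project"
}
# The three department projects attach as service projects; they consume the network, not administer it.
resource "google_compute_shared_vpc_service_project" "dept" {
  for_each        = toset(["dept-a-project", "dept-b-project", "dept-c-project"])
  host_project    = google_compute_shared_vpc_host_project.host.project
  service_project = each.key
}
# One VPC for departments A and B: same network, so they reach each other over internal IPs.
resource "google_compute_network" "shared_ab" {
  project                 = google_compute_shared_vpc_host_project.host.project
  name                    = "shared-ab"
  auto_create_subnetworks = false
}
# A second VPC for department C: no peering or VPN to shared-ab, so it stays isolated.
resource "google_compute_network" "isolated_c" {
  project                 = google_compute_shared_vpc_host_project.host.project
  name                    = "isolated-c"
  auto_create_subnetworks = false
}

# One subnet per department, all owned by the host project (region and CIDRs are constructed).
resource "google_compute_subnetwork" "dept" {
  for_each = {
    a = { network = google_compute_network.shared_ab.id,  cidr = "10.10.0.0/24" }
    b = { network = google_compute_network.shared_ab.id,  cidr = "10.10.1.0/24" }
    c = { network = google_compute_network.isolated_c.id, cidr = "10.20.0.0/24" }
  }
  project       = google_compute_shared_vpc_host_project.host.project
  name          = "dept-${each.key}-subnet"
  region        = "us-central1"
  network       = each.value.network
  ip_cidr_range = each.value.cidr
}

# Least privilege: each department gets compute.networkUser on its own subnet only (never
# networkAdmin), so project teams can deploy into the network but cannot change it.
resource "google_compute_subnetwork_iam_member" "dept" {
  for_each = {
    a = "group:dept-a-devs@example.com"
    b = "group:dept-b-devs@example.com"
    c = "group:dept-c-devs@example.com"
  }
  project    = google_compute_shared_vpc_host_project.host.project
  region     = google_compute_subnetwork.dept[each.key].region
  subnetwork = google_compute_subnetwork.dept[each.key].name
  role       = "roles/compute.networkUser"
  member     = each.value
}
```

Firewall rules and routes for both VPCs are likewise defined in the host project, which is what keeps the network administrative domain separate from the department projects.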
