Apigee X with VPC-SC (VPC Service Controls) and IAP (Identity-Aware Proxy)

GCP projects for my organisation need to be inside a VPC-SC. Cloud Console access is through IAP. There is also Cloud Armor in use.

I am creating an Apigee X API product that is for internal use. The Apigee X instance is inside my GCP project, which is inside the VPC-SC. Some of the API client applications are inside the VPC-SC and some others are in a different VPC-SC. I need a bridge for communication between the two VPC-SCs.

My question is, from a design point of view, where should authentication sit?

Option 1. At the IAP level, like all other apps in the organisation. Or

Option 2. In my API proxy.

Is the second option possible with the Cloud Armor, IAP and VPC-SC constraints already in place?

Would it be better to have authentication taken care of by IAP and network security by VPC-SC? What is the best way to make these work together and yet have secure access for trusted internal API clients (within the organisation, but possibly from a different VPC-SC)?
