If you require complex or custom routing and already have Infrastructure-as-Code for your deployments, this is where you will find the key information. Terraform junkies pick this option.
For a 5-minute deployment, assuming secure defaults, from within the marketplace console itself. This will totally lock down your VPC from the get-go unless appropriate FQDN-based egress firewall rules exist for outbound connections, and VMs needing to bypass discrimiNAT completely are network-tagged with
Pertaining to the Quick Start only. If you go down the DIY route, the architecture will be as per your design.
A discrimiNAT firewall becomes the NAT solution for your VPC, making the use or presence of other NAT gateways redundant.
The discrimiNAT firewall is listed on the Google Cloud Marketplace. The architecture discussed above is available as a Deployment Manager template, which you launch in the subsequent steps from the marketplace subscription.