On AWS I used this architecture to have a single bastion host in its own VPC, which was peered with 4 different VPCs (ex: dev/stage/prod). Only the bastion "management" VPC could communicate with any other VPC; there was no communication allowed between environments. I liked this setup since there was a single point of entry, and a single server to audit, for management access to our cloud resources.
GCP uses a different paradigm where a Project is somewhat akin to a VPC, but it doesn't appear to lend itself to the same kind of architecture as linked above. It looks like I may be able to cobble together something like AWS using Cross Project Networking (XPN) but it doesn't quite sound like the optimal solution.
So ultimately, is the best practice on Google to create a separate bastion host for each of my 4 Projects, and have four points of entry and four servers to audit?
@Kamran's comment is the right way to go about it: VPC Network Peering.
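
A sketch of the hub-and-spoke layout from the question built with VPC Network Peering, added here as an example and not taken from the original thread: the script only prints the `gcloud` commands so they can be reviewed before running. All project IDs, network names, rule names and the bastion CIDR are hypothetical placeholders, and three spoke projects are assumed.

```shell
#!/bin/sh
# Added example: prints (does not execute) the gcloud commands for a
# single-bastion hub-and-spoke layout. Every name and range is hypothetical.

MGMT_PROJECT="example-mgmt"      # project that holds the bastion (assumed)
MGMT_NETWORK="mgmt-vpc"          # bastion VPC network (assumed)
BASTION_CIDR="10.0.0.0/28"       # bastion subnet range (constructed value)
ENV_PROJECTS="example-dev example-stage example-prod"  # spokes (assumed)
ENV_NETWORK="app-vpc"            # network name used in each spoke (assumed)

# Commands for one spoke. A peering has to be created from both networks
# before it becomes active. Spokes are never peered with each other, and
# VPC Network Peering is not transitive, so environments stay isolated
# while the management network reaches all of them.
plan_spoke() {
    env_project="$1"
    echo "gcloud compute networks peerings create mgmt-to-${env_project}" \
         "--project=${MGMT_PROJECT} --network=${MGMT_NETWORK}" \
         "--peer-project=${env_project} --peer-network=${ENV_NETWORK}"
    echo "gcloud compute networks peerings create ${env_project}-to-mgmt" \
         "--project=${env_project} --network=${ENV_NETWORK}" \
         "--peer-project=${MGMT_PROJECT} --peer-network=${MGMT_NETWORK}"
    # Peering only provides routes; SSH still needs an ingress rule, scoped
    # here to the bastion subnet rather than the whole management range.
    echo "gcloud compute firewall-rules create allow-ssh-from-bastion" \
         "--project=${env_project} --network=${ENV_NETWORK}" \
         "--direction=INGRESS --allow=tcp:22 --source-ranges=${BASTION_CIDR}"
}

# Full plan: three commands per spoke project.
plan_all() {
    for p in $ENV_PROJECTS; do
        plan_spoke "$p"
    done
}

plan_all
```

Subnet ranges in peered networks must not overlap, so the management and environment CIDRs have to be planned together.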