In Google Cloud, the best practice for micro-segmentation and tier isolation is to use a single VPC with multiple subnets and apply firewall rules using Service Accounts or Network Tags. Using Service Accounts is generally preferred over tags because they are identity-based and more secure.

According to the Google Cloud Security Foundations Guide:

"Segment your VPC networks into subnets to provide logical isolation. Use firewall rules to control traffic between tiers. Instead of relying on IP addresses, use service accounts to define source and destination for firewall rules. This ensures that even if an IP changes, the security policy remains enforced based on the identity of the workload."

Implementation Details:

Web Tier: Use a firewall rule allowing 0.0.0.0/0 (Internet) to the Service Account associated with the web VMs on port 80/443.

App Tier: Use a firewall rule allowing traffic ONLY from the Web Tier Service Account to the App Tier Service Account.

DB Tier: Use a firewall rule allowing traffic ONLY from the App Tier Service Account to the DB Tier Service Account.