
You are managing a web application that runs on several VM instances within a VPC on Google Cloud. To ensure security and efficient networking, you need to restrict communications between these instances to only the authorized paths and ports. Given that the application can autoscale, you want to avoid relying on static IP addresses or subnets. How should you effectively manage and restrict inter-instance communications?
A. Use separate VPCs to restrict traffic
B. Use firewall rules based on network tags attached to the compute instances
C. Use Cloud DNS and only allow connections from authorized hostnames
D. Use service accounts and configure the web application to authorize particular service accounts to have access