You are the organization administrator for ExampleCorp's Google Cloud environment. Security mandates that no new Compute Engine VM in any project should obtain an external IPv4 address, except for the network-engineering team that works only in the vpc-test project. Which configuration best meets this requirement while preserving least-privilege and minimizing repetitive work?
Create an IAM Deny policy at the Organization level that blocks the compute.instances.create permission for all users, then add an allow rule in the vpc-test project.
Grant the network-engineering team the Compute Instance Admin role in the vpc-test project and remove that role from all other projects.
Delete the default VPC network from every project and create custom VPCs without Internet gateways; leave the default network intact in the vpc-test project.
Apply the compute.vmExternalIpAccess constraint at the Organization level with "enforce" set to true (deny all), then add a project-level policy on vpc-test that allows only the network-engineering service account to use external IP addresses.
The compute.vmExternalIpAccess organization-policy constraint controls whether VMs can be created with external IPv4 addresses. By setting a policy at the Organization node that denies all principals, every folder and project automatically inherits the restriction. Because policies are inherited but can be overridden lower in the hierarchy, you can add a second policy only on the vpc-test project that specifies the network-engineering service account in the allowed list (or simply clears the enforcement flag). This keeps the default-deny posture everywhere, avoids per-project repetition, and follows the principle of least privilege. The other options rely either on IAM roles (which do not block external IP assignment), on network topologies that do not stop users from requesting external IPs, or on IAM Deny rules that do not offer the fine-grained exception handling provided by the organization-policy constraint.
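As an added illustration of the inherit-then-override pattern described above (not part of the original question), the two policy files below express the Organization-level deny and the vpc-test project-level override; ORG_ID, ZONE and INSTANCE are placeholders, and the project id vpc-test comes from the question.

```yaml
# Organization-level policy: deny external IPv4 addresses for every VM in every project.
# Apply with:
#   gcloud resource-manager org-policies set-policy org-deny.yaml --organization=ORG_ID
constraint: constraints/compute.vmExternalIpAccess
listPolicy:
  allValues: DENY
---
# Project-level override on vpc-test only: restore the constraint's default (external IPs
# permitted) so the network-engineering team can work, while every other project still
# inherits the Organization-level deny.
# Apply with:
#   gcloud resource-manager org-policies set-policy vpc-test-allow.yaml --project=vpc-test
constraint: constraints/compute.vmExternalIpAccess
restoreDefault: {}
# A narrower override lists explicit VM resources instead of restoring the default;
# this constraint's list values are VM instance resource names (ZONE/INSTANCE are placeholders):
#   listPolicy:
#     allowedValues:
#     - projects/vpc-test/zones/ZONE/instances/INSTANCE
# Verify the effective policy on any project with:
#   gcloud resource-manager org-policies describe compute.vmExternalIpAccess --project=PROJECT_ID --effective
```

A detection check after rollout is to run the describe command with --effective against a project outside vpc-test and confirm it still reports allValues: DENY.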
GCP Associate Cloud Engineer
Setting up a cloud solution environment