Your company has a Google Cloud organization with separate folders for "prod" and "dev" projects. Security mandates that no new Compute Engine VM in any project under the prod folder may receive an external IPv4 address, but development teams must remain free to create such VMs in their own folder. Which approach best meets these requirements with the least administrative overhead?
Delete the default VPC network in each prod project and require teams to create only custom subnets without any organization policy.
Apply the constraint constraints/compute.vmCanIpForward in Deny mode on the organization node to block external IPs for every VM.
Remove the roles/compute.networkUser IAM role from all service accounts in prod projects to prevent them from getting external IP addresses.
Apply the organization policy constraint constraints/compute.vmExternalIpAccess in Deny mode on the prod folder so it is inherited by all production projects.
Google Cloud Organization Policy lets you set constraints that are inherited by all descendants in the resource hierarchy unless an ancestor overrides them. The constraint constraints/compute.vmExternalIpAccess controls whether new VM instances can obtain external IPv4 addresses. By setting this constraint to Deny at the prod folder level, every current and future project inside that folder will automatically block external IP assignment, while projects in the dev folder remain unaffected because they inherit policies from their own (less-restricted) ancestors. Applying the policy at the organization level would also affect dev projects, and using other constraints or IAM changes would not reliably block external IP creation. Deleting default VPC networks does not prevent users from adding external addresses to new VMs in custom networks.
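As an added example (not part of the original question, and not Google's own documentation), the policy file below expresses the Deny setting for the constraint; FOLDER_ID and PROJECT_ID are placeholders for the prod folder and one project inside it. Apply it with `gcloud resource-manager org-policies set-policy --folder=FOLDER_ID policy.yaml`, then confirm inheritance with `gcloud resource-manager org-policies describe compute.vmExternalIpAccess --project=PROJECT_ID --effective`.

```yaml
# policy.yaml (constructed example): deny external IPv4 addresses for all
# new VM instances under the prod folder. Because the policy is set on the
# folder, every project below it inherits it unless a descendant overrides it.
constraint: constraints/compute.vmExternalIpAccess
listPolicy:
  allValues: DENY
```

The effective-policy output for a prod project should show `allValues: DENY`, while the same command against a dev project shows no such rule because the dev folder was never touched.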
GCP Associate Cloud Engineer
Setting up a cloud solution environment