Your company's Google Cloud Organization has two top-level folders: Prod and Dev. Security policy states that, by default, new Compute Engine VM instances must not receive external IPv4 addresses, but developers working in the Dev folder occasionally need to create test instances with public IPs. What is the most efficient way to satisfy these requirements while minimizing ongoing administration?
Individually set the constraints/compute.vmExternalIpAccess policy to DENY on each Prod project and leave it unset on Dev projects.
Apply the constraints/compute.vmExternalIpAccess organization policy with a DENY rule at the Organization node, and add an ALLOW policy override on the Dev folder.
Disable the Compute Engine API in all Prod projects and enable it only in Dev projects when external IPs are required.
Create a VPC firewall rule in every Prod project that blocks egress to 0.0.0.0/0 while leaving Dev projects unchanged.
The Organization Policy Service lets you define constraints that are inherited down the resource hierarchy and selectively overridden lower in the tree. By setting the constraints/compute.vmExternalIpAccess constraint to DENY at the Organization level, all descendant folders, projects, and resources will, by default, be prevented from assigning external IPv4 addresses to new VMs. You can then create an override policy on the Dev folder that allows external IP assignment, enabling teams in that folder to create public VMs without affecting the stricter default applied to Prod. Applying individual project-level policies or manipulating firewall rules, routes, or API enablement would require more effort to maintain and would not reliably prevent the assignment of external IP addresses.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is the Organization Policy Service in GCP?
Open an interactive chat with Bash
What is the `constraints/compute.vmExternalIpAccess` policy?
Open an interactive chat with Bash
How do policy overrides work in GCP?
Open an interactive chat with Bash
What is the Organization Policy Service in GCP?
Open an interactive chat with Bash
How does the `constraints/compute.vmExternalIpAccess` policy work?
Open an interactive chat with Bash
Why is setting the policy at the Organization level better than project-level configuration?
Open an interactive chat with Bash
GCP Associate Cloud Engineer
Setting up a cloud solution environment
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .