Your company's security team wants to guarantee that, by default, no new Compute Engine VM instances in any project can obtain an external IPv4 address. However, they also want the flexibility to grant an exception later for a specific project used by the penetration-testing team. Which Google Cloud feature best satisfies these requirements and what action should you take first?
Grant only the Compute Engine internal access IAM role to project owners and rely on VPC Service Controls to block public endpoints.
Create an Organization Policy at the Organization node that sets the constraint constraints/compute.vmExternalIpAccess to Deny.
Apply a VPC firewall rule at the Organization level that blocks all egress traffic from external IP addresses.
Attach a Cloud Armor security policy to every project's default network that denies traffic from 0.0.0.0/0.
An Organization Policy provides centralized, hierarchy-aware control over how resources may be configured. constraints/compute.vmExternalIpAccess is a list constraint whose values are VM instance URIs; a rule that denies all values, set at the Organization node, prevents any VM in every folder and project that inherits the policy from being created with (or later given) an external IPv4 address. Because policies are inherited downward but can be overridden lower in the tree, the security team can later set a less restrictive policy on the penetration-testing project, either allowing all values or allowing only the specific instance URIs that need public addresses. Two caveats matter in practice: the constraint is evaluated when an external access config is added, so VMs that already hold an external IP are not changed by it, and the project-level policy must replace rather than merge with the parent's rules (inheritFromParent set to false, which is the default), since a merged policy would still carry the deny. So the first action is the org-level deny; the exception is a later, narrower policy on one project. VPC firewall rules, IAM roles, Cloud Armor and VPC Service Controls operate at different layers or scopes (packet filtering, permissions, traffic to external load balancers, and the API perimeter respectively); none of them can universally prevent an external IP from being assigned at VM creation across all projects.
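The two policies described above, written in the YAML that gcloud org-policies set-policy accepts. This is an added example, not part of the original question: the organization ID 123456789012, the project ID pentest-sandbox and the instance name scanner-01 are placeholders, and the two documents below would be saved as two separate files.

```yaml
# File 1: deny-external-ip.yaml, applied at the Organization node.
# Constructed example; 123456789012 is a placeholder organization ID.
# Policy names omit the "constraints/" prefix of the constraint.
name: organizations/123456789012/policies/compute.vmExternalIpAccess
spec:
  rules:
  # List constraint: denying all values means no instance URI may be
  # given an external access config anywhere below the organization.
  - denyAll: true
---
# File 2: pentest-exception.yaml, applied later to the one exempt project.
# Constructed example; pentest-sandbox is a placeholder project ID.
name: projects/pentest-sandbox/policies/compute.vmExternalIpAccess
spec:
  # false (the default) makes this policy replace the inherited deny
  # instead of merging with it; a merged policy would still deny.
  inheritFromParent: false
  rules:
  # Narrowest exception: only the named instance may get an external IP.
  # Replace this rule with "- allowAll: true" to exempt the whole project.
  - values:
      allowedValues:
      - projects/pentest-sandbox/zones/us-central1-a/instances/scanner-01
```

Apply each file with `gcloud org-policies set-policy <file>` using an account holding the Organization Policy Administrator role (roles/orgpolicy.policyAdmin), the org-wide deny first and the project exception only when the pentest team needs it. Check the result a project actually sees with `gcloud org-policies describe compute.vmExternalIpAccess --project=pentest-sandbox --effective`; every other project should show the inherited denyAll rule. Remember that instances that already had an external IP before the deny was set keep it; remove those access configs separately if the goal is zero external IPs, not just no new ones.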
GCP Associate Cloud Engineer
Setting up a cloud solution environment