Your organization created an organization policy at the Organization level that sets the constraint constraints/compute.vmExternalIpAccess to deny all external IP addresses. A project owner in a child folder edits the same constraint at the project level to allow external IPs for specific VM instances, then deploys new Compute Engine VMs. What will be the effective outcome for those new VMs?
The project-level allow overrides the Organization policy, enabling external IPs for the specified VMs.
Google Cloud merges the two policies; only the specific VM instances named by the project owner can receive external IPs.
The Organization-level deny remains in force, so the project cannot assign external IP addresses to its new VMs.
The conflicting settings stop the project from creating any new VMs until the Organization Administrator removes the deny rule.
Organization policies are inherited from parent resources (Organization ➝ Folder ➝ Project) and can only be made more restrictive as they descend the hierarchy. A policy that denies the use of external IP addresses at the Organization level cannot be relaxed by a folder or project administrator. Any attempt to add an allow rule at the project level is ignored because it conflicts with the inherited Deny rule. Therefore, new VMs created in the project will not be able to obtain external IPv4 addresses. The other options are incorrect: lower-level policies never override a stricter parent policy, policies are not merged to create partial allowances in this case, and conflicting policies do not block resource creation; they simply result in the most restrictive effective policy being applied.