GCP Professional Cloud Architect Practice Question
Your organization has grown to three geographically distinct engineering divisions (EMEA, APAC, Americas). Dozens of projects currently hang directly under the Organization node. Each division must be able to create and manage only its own projects, while the central security team needs to apply a "no-external-ip" Organization Policy constraint exclusively to development workloads without affecting production. Which approach best satisfies both requirements with the least administrative overhead?
Move projects into separate Google Workspace organizational units for each region and apply group-based IAM and security settings at the OU level.
Create a folder for each region under the Organization and a Development and Production sub-folder inside each. Delegate Project Creator and IAM administration to division admins on their regional folder and apply the "no-external-ip" Organization Policy to the Development folders.
Create a dedicated shared VPC network per region and use subnet-level IAM bindings plus firewall rules to prevent external IPs in development subnets.
Rely on project labels that indicate region and environment, then use Cloud Asset Inventory and automation to detect and remediate policy violations.
Folders provide an intermediate node in the resource hierarchy that inherits both IAM and Organization Policy settings. By creating a folder for each engineering division and nested folders for environment types (for example, Development and Production), you can:
Grant each division's admin group the Project Creator role on its regional folder, limiting their scope to that folder's descendants.
Attach the "compute.vmExternalIpAccess" constraint only to the Development sub-folders so it propagates to dev projects but not to Production.
Labels alone do not enforce IAM or Organization Policy. VPC design and shared VPC host projects do not control project-level IAM or policy inheritance. Google Workspace OUs do not map to Google Cloud's resource hierarchy for access control. Therefore, introducing a hierarchical folder structure is the most effective and least complex solution.
GCP Professional Cloud Architect
Designing for security and compliance