A global bank organizes its Google Cloud resources under two top-level folders: Finance and Sandbox. Security mandates that absolutely no Compute Engine VM in the Finance folder, existing or future, may obtain a public IPv4 or IPv6 address, while Sandbox projects must retain the ability to create publicly reachable test VMs. Network administrators want a single control that is inherited by all Finance projects and cannot be relaxed by individual project owners. What is the most appropriate solution?
Move all Finance projects into a Shared VPC that exposes only internal subnets and disallow individual projects from creating their own VPC networks.
Add a firewall rule in every Finance project that denies egress to the internet and rely on Cloud NAT for outbound private traffic.
Create a VPC Service Controls perimeter around all Finance projects and block the 0.0.0.0/0 and ::/0 address ranges.
Enforce the constraints/compute.vmExternalIpAccess organization policy at the Finance folder with a deny-all rule so no service account can attach an external IP, inheriting the policy to every Finance project.
The compute.vmExternalIpAccess organization policy constraint lets administrators control which service accounts are permitted to attach external IP addresses to Compute Engine VMs. Applying the policy high in the resource hierarchy makes it effective for every descendant project. Setting the policy at the Finance folder with an empty allowed list (or an explicit deny on "all") prevents any VM in those projects from receiving a public address. Because organization policies are hierarchical and additive, project owners cannot override a more restrictive parent policy, satisfying the compliance requirement with minimal ongoing effort.
VPC Service Controls protect data plane access to Google APIs but do not stop a VM from getting an external IP. Shared VPC design or firewall rules require per-project or per-network configuration and can be changed by project owners. Therefore, enforcing the compute.vmExternalIpAccess constraint at the folder level is the correct and most operationally efficient choice.
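As an added illustration (not part of the question or the explanation above), the following Python check classifies effective-policy documents for the constraint, the kind of output `gcloud resource-manager org-policies describe compute.vmExternalIpAccess --effective --format=json` returns for a project, so an administrator can confirm that every Finance project inherits the folder-level deny. The sample documents and the `fin-` project-name prefix are constructed assumptions.

```python
import json

CONSTRAINT = "constraints/compute.vmExternalIpAccess"


def external_ip_verdict(policy: dict) -> str:
    """Classify one effective policy document for compute.vmExternalIpAccess.

    Returns 'DENIED' when no VM can receive an external IP, 'RESTRICTED' when
    only explicitly listed instances can, and 'OPEN' otherwise.
    """
    if policy.get("constraint") != CONSTRAINT:
        raise ValueError(f"not a {CONSTRAINT} policy: {policy.get('constraint')}")
    rule = policy.get("listPolicy")
    if rule is None:
        return "OPEN"        # no policy in effect: the constraint's default (allow) applies
    if rule.get("allValues") == "DENY":
        return "DENIED"      # the folder-level deny-all setting the answer calls for
    if rule.get("allValues") == "ALLOW":
        return "OPEN"
    if rule.get("allowedValues"):
        return "RESTRICTED"  # an explicit allow list of instance resource paths
    return "OPEN"            # a denied-values-only (or empty) list still permits everything else


def audit(effective_policies: dict) -> dict:
    """Map each project id to its verdict; input is {project_id: effective policy dict}."""
    return {proj: external_ip_verdict(pol) for proj, pol in effective_policies.items()}


def noncompliant_finance_projects(verdicts: dict, finance_prefix: str = "fin-") -> list:
    """Finance projects (identified by a naming prefix, an assumption) not fully denied."""
    return sorted(p for p, v in verdicts.items()
                  if p.startswith(finance_prefix) and v != "DENIED")


# Constructed sample documents shaped like the v1 'describe --effective' output.
SAMPLE = {
    "fin-payments": {"constraint": CONSTRAINT, "listPolicy": {"allValues": "DENY"}},
    "fin-ledger": {"constraint": CONSTRAINT, "listPolicy": {
        "allowedValues": ["projects/fin-ledger/zones/us-central1-a/instances/bastion-1"]}},
    "sandbox-dev": {"constraint": CONSTRAINT},
}

if __name__ == "__main__":
    results = audit(SAMPLE)
    print(json.dumps(results, indent=2))
    print("non-compliant Finance projects:", noncompliant_finance_projects(results))
```

A project that shows anything other than DENIED under the Finance folder indicates either a child policy with inheritance disabled or a project that is not actually under the folder.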
GCP Professional Data Engineer
Designing data processing systems