Google Cloud Digital Leader — Question 39
Your manager wants to restrict communication of all virtual machines with internet access, with resources in another network, or with a resource outside Compute Engine. It is expected that different teams will create new folders and projects in the near future.
How would you restrict all virtual machines from having an external IP address?
Answer options
- A. Define an organization policy at the root organization node to restrict virtual machine instances from having an external IP address
- B. Define an organization policy on all existing folders to define a constraint to restrict virtual machine instances from having an external IP address
- C. Define an organization policy on all existing projects to restrict virtual machine instances from having an external IP address
- D. Communicate with the different teams and agree that each time a virtual machine is created, it must be configured without an external IP address
Correct answer: A
Explanation
The correct answer is A because an organization policy defined at the root organization node is inherited by every folder and project beneath it, so the restriction applies universally, including to folders and projects created in the future. Options B and C would only apply to existing folders or projects, failing to cover new resources. Option D relies on manual compliance, which is not a reliable method for enforcing such a policy.