Google Cloud Professional Cloud Network Engineer — Question 225

You are implementing a Shared VPC network for your organization, which has distributed teams. One of the application developers works across several teams and notices that they can deploy applications in subnets that are reserved for another application's service projects. You want to ensure that developers can only deploy resources in the subnets that are reserved for their respective service project. What should you do?

Answer options

• A. Specify which Shared VPC subnets each application's service projects can access by using the constraints/compute.restrictSharedVpcSubnetworks organizational constraint.
• B. Grant the compute.NetworkViewer role to the developer in the Shared VPC host project.
• C. Restrict another application's project from accessing specific subnets in the host project by using the constraints/compute.restrictSharedVpcHostProject organizational constraint.
• D. Grant the compute.NetworkUser role to the developer in the specific Shared VPC service project.

Correct answer: A

Explanation

The correct answer, A, ensures that each application's service projects can only access their designated Shared VPC subnets, thereby preventing cross-team resource deployment. Option B is incorrect as granting the compute.NetworkViewer role does not restrict deployment capabilities. Option C is not suitable because it focuses on restricting access to host projects, not subnets. Option D allows resource deployment but does not address the issue of restricting access to only specific subnets.