Google Cloud Professional Cloud Security Engineer — Question 138
You have stored company approved compute images in a single Google Cloud project that is used as an image repository. This project is protected with VPC Service Controls and exists in the perimeter along with other projects in your organization. This lets other projects deploy images from the image repository project. A team requires deploying a third-party disk image that is stored in an external Google Cloud organization. You need to grant read access to the disk image so that it can be deployed into the perimeter.
What should you do?
Answer options
- A. Allow the external project by using the organizational policy, constraints/compute.trustedImageProjects.
- B. 1. Update the perimeter. 2. Configure the egressTo field to include the external Google Cloud project number as an allowed resource and the serviceName to compute.googleapis.com. 3. Configure the egressFrom field to set identityType to ANY_IDENTITY.
- C. 1. Update the perimeter. 2. Configure the ingressFrom field to set identityType to ANY_IDENTITY. 3. Configure the ingressTo field to include the external Google Cloud project number as an allowed resource and the serviceName to compute.googleapis.com.
- D. 1. Update the perimeter. 2. Configure the egressTo field to set identityType to ANY_IDENTITY. 3. Configure the egressFrom field to include the external Google Cloud project number as an allowed resource and the serviceName to compute.googleapis.com.
Correct answer: B
Explanation
The correct answer is B because it adds an egress rule in the correct direction: egressFrom (identityType ANY_IDENTITY) covers the callers inside the perimeter, and egressTo names the external project number as an allowed resource for the compute.googleapis.com service, so reads of the disk image leave the perimeter only for that project and that service while VPC Service Controls stays in force. Option A uses an organization policy constraint, which does not open a VPC Service Controls perimeter. Option C configures an ingress rule, which is the wrong direction for a call that originates inside the perimeter. Option D swaps the contents of egressFrom and egressTo, so the fields do not match their schema.
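As an added illustration that is not part of the original question page, the following is the egress policy file that option B describes, in the YAML shape accepted by the gcloud access-context-manager perimeters update --set-egress-policies flag. The perimeter name, access policy ID and the external project number are placeholders, not values from the page.

```yaml
# egress.yaml: let identities inside the perimeter read disk images
# owned by an external project (placeholder number 123456789012).
# Apply with (placeholder names):
#   gcloud access-context-manager perimeters update my-perimeter \
#     --policy=POLICY_ID --set-egress-policies=egress.yaml
- egressFrom:
    # Any identity calling from inside the perimeter; narrow this to
    # specific identities (identities: [serviceAccount:...]) if the
    # deploying team uses a dedicated service account.
    identityType: ANY_IDENTITY
  egressTo:
    # Only the Compute Engine API is permitted to reach the external project.
    operations:
    - serviceName: compute.googleapis.com
      methodSelectors:
      - method: "*"
    # The external project that stores the third-party disk image.
    resources:
    - projects/123456789012
```

Because the rule is scoped to one service and one project, the perimeter keeps blocking every other outbound API call; reviewing the VPC Service Controls audit logs for egress violations before and after applying the rule is the practical way to confirm that only the image reads were unblocked.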