Google Cloud Professional Cloud Security Engineer — Question 17
Your team sets up a Shared VPC Network where project co-vpc-prod is the host project. Your team has configured the firewall rules, subnets, and VPN gateway on the host project. They need to enable Engineering Group A to attach a Compute Engine instance to only the 10.1.1.0/24 subnet.
What should your team grant to Engineering Group A to meet this requirement?
Answer options
- A. Compute Network User Role at the host project level.
- B. Compute Network User Role at the subnet level.
- C. Compute Shared VPC Admin Role at the host project level.
- D. Compute Shared VPC Admin Role at the service project level.
Correct answer: B
Explanation
The correct answer is B because granting the Compute Network User Role at the subnet level lets Engineering Group A attach instances to the 10.1.1.0/24 subnet and no other. Option A grants the same role at the host project level, which is too broad because it applies to every subnet in the host project. Options C and D provide administrative privileges that are unnecessary for this specific task.