Your company has established a Cloud VPN tunnel between your on-premises data center and Google Cloud VPC. You must configure access to the Cloud Functions API for on-premises servers while adhering to these requirements:

• Data must remain within its originating project and not be exfiltrated to other projects.
• Traffic from on-premises servers with RFC 1918 addresses must access Google Cloud APIs without traversing the public internet.
• DNS resolution must be handled exclusively on-premises.
• The solution must only permit access to APIs supported by VPC Service Controls.

What is the correct configuration approach?