You need to configure Private Google Access for VM instances in your VPC to access Google APIs while ensuring all other VM traffic routes back to your on-premises data center via Cloud Interconnect for scrubbing. The VMs have only private IPs and must access Cloud Storage. How should you set this up so that traffic to Google APIs stays within the VPC while other traffic is routed on-premises?