
Answer-first summary for fast verification
Answer: Grant the network security service agent service account the privateca.certificateRequester role. Create a TLS inspection policy linking to the CA pool. Configure your VPC endpoint associations to use the TLS inspection policy. Flip the TLS inspection flag in your firewall policy rules to true.
To enable TLS inspection with Cloud NGFW Enterprise, the correct steps involve granting the network security service agent service account the **privateca.certificateRequester** role to allow it to request certificates from the CA pool. Then, you need to create a TLS inspection policy that links to the CA pool, configure your VPC endpoint associations to use this TLS inspection policy, and finally, enable the TLS inspection flag in your firewall policy rules. Option A correctly outlines these steps. Option B is incorrect because the **privateca.poolReader** role does not provide the necessary permissions for certificate issuance. Options C and D are incorrect as they involve creating a trust config in Certificate Manager, which is not the correct approach for enabling TLS inspection with Cloud NGFW Enterprise.
Author: LeetQuiz Editorial Team
To enable TLS inspection with Cloud NGFW Enterprise after creating a CA pool and a CA in Certificate Authority Service, what steps should you follow?
A. Grant the network security service agent service account the privateca.certificateRequester role. Create a TLS inspection policy linking to the CA pool. Configure your VPC endpoint associations to use the TLS inspection policy. Flip the TLS inspection flag in your firewall policy rules to true.
B. Grant the network security service agent service account the privateca.poolReader role. Create a TLS inspection policy linking to the CA pool. Configure your VPC endpoint associations to use the TLS inspection policy. Flip the TLS inspection flag in your firewall policy rules to true.
C. Grant the network security service agent service account the privateca.certificateRequester role. Create a trust config in Certificate Manager. Flip the TLS inspection flag in your firewall policy rules to true.
D. Grant the network security service agent service account the privateca.certificateRequester role. Create a trust config in Certificate Manager. Flip the TLS inspection flag in your firewall policy rules to true.