
Answer-first summary for fast verification
Answer: Specify which Shared VPC subnets each application's service projects can access by using the constraints/compute.restrictSharedVpcSubnetworks organizational constraint.
The correct approach is to use the organizational policy constraint `constraints/compute.restrictSharedVpcSubnetworks`. This constraint allows specifying which subnets each service project can access, ensuring developers can only deploy resources in their designated subnets. Option A addresses the requirement directly by restricting subnets per service project. Granting the `compute.NetworkUser` role (Option D) is necessary for deployment but does not restrict subnet access. Since the developer already has deployment capabilities, the root issue is unrestricted subnet access, which Option A resolves. Other options either grant insufficient permissions (B), restrict host projects (C, irrelevant), or do not enforce subnet restrictions (D).
Author: LeetQuiz Editorial Team
To enforce subnet deployment restrictions for developers in a Shared VPC environment, ensuring they can only deploy resources in subnets allocated to their specific service projects, what configuration should you implement?
A. Specify which Shared VPC subnets each application's service projects can access by using the constraints/compute.restrictSharedVpcSubnetworks organizational constraint.
B. Grant the compute.NetworkViewer role to the developer in the Shared VPC host project.
C. Restrict another application's project from accessing specific subnets in the host project by using the constraints/compute.restrictSharedVpcHostProject organizational constraint.
D. Grant the compute.NetworkUser role to the developer in the specific Shared VPC service project.