
Explanation:
The correct approach is to use the organizational policy constraint constraints/compute.restrictSharedVpcSubnetworks. This constraint allows specifying which subnets each service project can access, ensuring developers can only deploy resources in their designated subnets. Option A addresses the requirement directly by restricting subnets per service project. Granting the compute.NetworkUser role (Option D) is necessary for deployment but does not restrict subnet access. Since the developer already has deployment capabilities, the root issue is unrestricted subnet access, which Option A resolves. Other options either grant insufficient permissions (B), restrict host projects (C, irrelevant), or do not enforce subnet restrictions (D).
To enforce subnet deployment restrictions for developers in a Shared VPC environment, ensuring they can only deploy resources in subnets allocated to their specific service projects, what configuration should you implement?
A. Specify which Shared VPC subnets each application's service projects can access by using the constraints/compute.restrictSharedVpcSubnetworks organizational constraint.
B. Grant the compute.NetworkViewer role to the developer in the Shared VPC host project.
C. Restrict another application's project from accessing specific subnets in the host project by using the constraints/compute.restrictSharedVpcHostProject organizational constraint.
D. Grant the compute.NetworkUser role to the developer in the specific Shared VPC service project.