
Google Professional Cloud Network Engineer
You are setting up an Application Load Balancer with backend services located in your on-premises data center, connected via Dedicated Interconnect. To allow the load balancer to reference these on-premises resources without any internet traffic traversal, what should you do?
Explanation:
To reference on-premises resources connected via Dedicated Interconnect without internet traversal, a hybrid network endpoint group (NEG) must be used. Hybrid NEGs are designed for backends outside GCP, such as on-premises systems connected via VPN or Interconnect. The Application Load Balancer (ALB) uses Envoy proxies in a proxy-only subnet to forward traffic to the on-premises backend. Therefore, the on-premises firewalls must allow traffic originating from the proxy-only subnet's IP range. Options A and B are incorrect because internet/zonal NEGs are for public or zonal GCP resources. Option D is for Private Service Connect, which is unrelated to on-premises backends.