To enable Private Google Access for specific subnets in your Virtual Private Cloud (VPC) while complying with your security team's requirements—where all internet-bound traffic is routed to an on-premises data center for inspection before egressing to the internet, and VPC Service Controls are implemented for API-level security—what additional configuration changes are needed beyond enabling Private Google Access on the subnets?