The correct answer is B because network tags allow for more granular access control based on individually tagged instances. This method enables you to specify which virtual machines in 'subnet-a' can access 'subnet-b' without opening access to the entire subnet. Network tags are text attributes that can be added to Compute Engine virtual machine (VM) instances, allowing firewall rules and routes to be applied to specific VM instances. This approach is flexible, as tags can be edited at any time without stopping an instance. Options A, C, and D are incorrect because they either provide access to an entire subnet (contrary to the requirement), suggest an unnecessary explicit deny, or incorrectly state that individual VM access cannot be granted.