
Answer-first summary for fast verification
Answer: 1. Update the perimeter. 2. Configure the egressTo field to include the external Google Cloud project number as an allowed resource and the serviceName to compute.googleapis.com. 3. Configure the egressFrom field to set identityType to ANY_IDENTITY.
The correct answer is B because it adds an egress rule, which is what VPC Service Controls requires when a client inside the perimeter must reach a resource outside it. As the VPC Service Controls documentation defines it, egress is access where the client is inside the perimeter and the resource is outside; here the projects in the perimeter are the clients and the third-party image in the external organization is the resource, so the rule belongs in the perimeter's egress policy. Option B sets egressTo to the external project (by project number, as projects/PROJECT_NUMBER) and the compute.googleapis.com service, and sets egressFrom to identityType ANY_IDENTITY so that every principal inside the perimeter may use the rule. In practice you can tighten both sides: list the deploying service accounts under egressFrom.identities instead of ANY_IDENTITY, and use methodSelectors under egressTo.operations rather than allowing every Compute Engine method. Note also that if the external project sits in a perimeter of its own, that organization must add a matching ingress rule or the read is still denied on their side. Option A is incorrect because constraints/compute.trustedImageProjects only restricts which projects instances may take images from; it is an organization policy constraint, not a perimeter exception, so VPC Service Controls would still block the read. Option C is incorrect because ingress rules cover the opposite direction, a client outside the perimeter reaching a resource inside it. Option D is incorrect because identityType is an egressFrom field; it is not valid under egressTo, so the rule would be rejected or would not match.
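As an added example (not part of the original page), the following Python builds the egress rule from option B in the structure that `gcloud access-context-manager perimeters update --set-egress-policies=FILE` consumes, and runs a structural check that catches the mistakes behind options C and D before the file is applied. The project number, the optional service account, and the helper names are constructed for illustration.

```python
"""Build and sanity-check a VPC Service Controls egress policy file.

Added example, not from the original page or from Google. The dict layout
matches the YAML that `gcloud access-context-manager perimeters update
--set-egress-policies=FILE` reads; project numbers and identities are
constructed placeholders.
"""
import json

COMPUTE_SERVICE = "compute.googleapis.com"
IDENTITY_TYPES = {"ANY_IDENTITY", "ANY_USER_ACCOUNT", "ANY_SERVICE_ACCOUNT"}


def build_egress_policy(external_project_number, identities=None, methods=("*",)):
    """Return one egress rule: clients in the perimeter (egressFrom) may call
    Compute Engine (egressTo.operations) on the external project (egressTo.resources).

    identities=None reproduces the exam answer (identityType: ANY_IDENTITY); pass a
    list such as ["serviceAccount:deployer@proj.iam.gserviceaccount.com"] to scope
    the rule to specific principals, which is what least privilege calls for.
    """
    if not str(external_project_number).isdigit():
        raise ValueError("egressTo.resources needs a project *number*, not a project ID")
    egress_from = ({"identities": list(identities)} if identities
                   else {"identityType": "ANY_IDENTITY"})
    return {
        "egressFrom": egress_from,
        "egressTo": {
            "operations": [{
                "serviceName": COMPUTE_SERVICE,
                "methodSelectors": [{"method": m} for m in methods],
            }],
            "resources": [f"projects/{external_project_number}"],
        },
    }


def validate_egress_policies(policies):
    """Return a list of problems found in a policy list; an empty list means it looks sane.

    Flags the mistakes the exam's wrong options make: an ingress rule where an
    egress rule is needed (C), identity settings under egressTo (D), plus
    non-numeric resources and a missing Compute Engine operation.
    """
    problems = []
    for i, rule in enumerate(policies):
        if "ingressFrom" in rule or "ingressTo" in rule:
            problems.append(f"rule {i}: ingress rule, but reading an external resource needs egress")
            continue
        to = rule.get("egressTo", {})
        frm = rule.get("egressFrom", {})
        if "identityType" in to or "identities" in to:
            problems.append(f"rule {i}: identity settings belong in egressFrom, not egressTo")
        if "identityType" in frm and frm["identityType"] not in IDENTITY_TYPES:
            problems.append(f"rule {i}: unknown identityType {frm['identityType']!r}")
        if "identityType" not in frm and not frm.get("identities"):
            problems.append(f"rule {i}: egressFrom needs identityType or identities")
        for res in to.get("resources", []):
            if not (res.startswith("projects/") and res[len("projects/"):].isdigit()):
                problems.append(f"rule {i}: resource {res!r} must be projects/<number>")
        if not any(op.get("serviceName") == COMPUTE_SERVICE for op in to.get("operations", [])):
            problems.append(f"rule {i}: no operation for {COMPUTE_SERVICE}")
    return problems


if __name__ == "__main__":
    # Constructed value: 123456789012 stands in for the external organization's project number.
    good = [build_egress_policy("123456789012")]
    print(json.dumps(good, indent=2))      # JSON is valid YAML; save this as egress.yaml
    print(validate_egress_policies(good))  # no problems

    # Option D's mistake, reconstructed: identityType placed under egressTo.
    bad = [{"egressFrom": {},
            "egressTo": {"identityType": "ANY_IDENTITY",
                         "operations": [{"serviceName": COMPUTE_SERVICE}],
                         "resources": ["projects/123456789012"]}}]
    print(validate_egress_policies(bad))
```

Write the JSON output to a file and apply it with `gcloud access-context-manager perimeters update PERIMETER --set-egress-policies=egress.yaml --policy=POLICY_ID`; the validator is a pre-flight check only, the API remains the authority on what it accepts.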
Author: LeetQuiz Editorial Team
You have a single Google Cloud project that serves as a repository for company-approved compute images. This project is protected by VPC Service Controls and resides in a perimeter along with other projects in your organization, allowing those projects to deploy images from the repository. A team needs to deploy a third-party disk image that is stored in an external Google Cloud organization. You must grant read access to this external disk image so it can be deployed into your perimeter.
What should you do?
A
Allow the external project by using the organizational policy, constraints/compute.trustedImageProjects.
B
Update the perimeter. Configure the egressTo field to include the external Google Cloud project number as an allowed resource and the serviceName to compute.googleapis.com. Configure the egressFrom field to set identityType to ANY_IDENTITY.
C
D