Leave the network configuration of the VMs in scope unchanged.

Create a new project including a new VPC network “new-vpc”.

Deploy a network appliance in “new-vpc” to filter access requests and only allow egress connections from “dev-vpc” to 10.58.5.0/24.

Leave the network configuration of the VMs in scope unchanged.

Enable Cloud NAT for “dev-vpc” and restrict the target range in Cloud NAT to 10.58.5.0/24.

Attach external IP addresses to the VMs in scope.

Define and apply a hierarchical firewall policy on folder level to deny all egress connections and to allow egress to IP range 10.58.5.0/24 from network dev-vpc.

Attach external IP addresses to the VMs in scope.

Configure a VPC Firewall rule in “dev-vpc” that allows egress connectivity to IP range 10.58.5.0/24 for all source addresses in this network.