
Answer-first summary for fast verification
Answer: Add the host project containing the Shared VPC to the service perimeter.
The correct answer is A. When Shared VPC is used with VPC Service Controls, the host project must be included in the service perimeter along with any service projects that need to access protected resources. This is explicitly stated in Google Cloud documentation and supported by the highest upvoted comments (13 upvotes) in the community discussion.
Option B is insufficient on its own because it adds only the service project, not the host project.
Option C is incorrect because it suggests creating a new perimeter rather than adding the existing host project to the existing perimeter.
Option D (perimeter bridge) is not the optimal solution here, since perimeter bridges are for connecting different perimeters, not for resolving Shared VPC access issues within the same perimeter context.
The consensus from the community and official documentation confirms that in Shared VPC scenarios the host project must be part of the service perimeter to allow proper communication between resources.
Author: LeetQuiz Editorial Team
You are troubleshooting access denied errors between Compute Engine instances in a Shared VPC and BigQuery datasets. The datasets are in a project protected by a VPC Service Controls perimeter. What steps should you take?
A. Add the host project containing the Shared VPC to the service perimeter.
B. Add the service project where the Compute Engine instances reside to the service perimeter.
C. Create a service perimeter between the service project where the Compute Engine instances reside and the host project that contains the Shared VPC.
D. Create a perimeter bridge between the service project where the Compute Engine instances reside and the perimeter that contains the protected BigQuery datasets.