
Answer-first summary for fast verification
Answer: Compute Network User Role at the subnet level.
The correct answer is B because it follows the principle of least privilege by granting the Compute Network User role specifically at the subnet level for the 10.1.1.0/24 subnet. This allows Engineering Group A to attach Compute Engine instances only to that specific subnet without accessing other subnets in the Shared VPC. Option A (Compute Network User Role at the host project level) would grant access to all subnets, which exceeds the requirement. Options C and D (Compute Shared VPC Admin Role) provide administrative privileges that are unnecessary and violate least privilege. The community discussion shows strong consensus for B (71% of votes), with multiple comments citing Google documentation that supports subnet-level grants for targeted access, while the minority supporting A misunderstands the granularity available in Shared VPC implementations.
Author: LeetQuiz Editorial Team
Your team has set up a Shared VPC with co-vpc-prod as the host project, where firewall rules, subnets, and a VPN gateway are configured. To allow Engineering Group A to attach a Compute Engine instance exclusively to the 10.1.1.0/24 subnet, what specific permission should your team grant to the group?
A. Compute Network User Role at the host project level.
B. Compute Network User Role at the subnet level.
C. Compute Shared VPC Admin Role at the host project level.
D. Compute Shared VPC Admin Role at the service project level.
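The difference between options A and B can be checked mechanically. The following is an added example, not part of the original question or of any Google tooling: it audits IAM policy documents in the JSON shape returned by get-iam-policy and reports where a principal's Compute Network User grant reaches beyond the intended subnet. The group address and subnet names are constructed, and the check assumes unconditional bindings and ignores grants inherited from folders or the organization.

```python
# Added example (not from the original page): audit IAM policy documents for
# Compute Network User grants that reach beyond the intended Shared VPC subnet.
ROLE = "roles/compute.networkUser"

def members_with_role(policy, role=ROLE):
    """Return the set of members bound to `role` in an IAM policy document."""
    found = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == role:
            found.update(binding.get("members", []))
    return found

def usable_subnets(member, project_policy, subnet_policies):
    """Return (subnets the member can use, True if granted project-wide)."""
    if member in members_with_role(project_policy):
        # A host-project binding applies to every subnet in the project.
        return set(subnet_policies), True
    granted = {name for name, policy in subnet_policies.items()
               if member in members_with_role(policy)}
    return granted, False

def audit(member, project_policy, subnet_policies, allowed):
    """List findings where the member's access exceeds the `allowed` subnets."""
    subnets, project_wide = usable_subnets(member, project_policy, subnet_policies)
    findings = []
    if project_wide:
        findings.append(f"{member}: {ROLE} bound at host project level (all subnets)")
    for extra in sorted(subnets - set(allowed)):
        findings.append(f"{member}: unexpected access to {extra}")
    return findings

# Constructed sample data; the group and subnet names are hypothetical.
GROUP = "group:eng-group-a@example.com"
INTENDED = {"subnet-10-1-1-0"}
OPTION_A_PROJECT = {"bindings": [{"role": ROLE, "members": [GROUP]}]}
OPTION_B_PROJECT = {"bindings": []}
NO_SUBNET_GRANTS = {"subnet-10-1-1-0": {}, "subnet-10-1-2-0": {}}
OPTION_B_SUBNETS = {
    "subnet-10-1-1-0": {"bindings": [{"role": ROLE, "members": [GROUP]}]},
    "subnet-10-1-2-0": {"bindings": []},
}

if __name__ == "__main__":
    cases = [("A", OPTION_A_PROJECT, NO_SUBNET_GRANTS),
             ("B", OPTION_B_PROJECT, OPTION_B_SUBNETS)]
    for label, project, subnets in cases:
        print(label, audit(GROUP, project, subnets, INTENDED) or "least privilege OK")
```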