• Create a scoped access policy, add the new folder under “Select resources to include in the policy,” and assign an administrator under “Manage principals.”

• For the service perimeter, specify the two new projects as “Resources to protect” in the service perimeter configuration.

• Set “Restricted services” to “all services,” set “VPC accessible services” to “Selected services,” and specify only BigQuery and Cloud Storage under “Selected services.”

• Enable Identity Aware Proxy in the new projects.

• Create an Access Context Manager access level with an “IP Subnetworks” attribute condition set to the US-based corporate IP range.

• Enable the “Restrict Resource Service Usage” organization policy at the new folder level with an “Allow” policy type and set both “storage.googleapis.com” and “bigquery.googleapis.com” under “Custom values.”

• Edit the organization-level access policy and add the new folder under “Select resources to include in the policy.”

• Specify the two new projects as “Resources to protect” in the service perimeter configuration.

• Set “Restricted services” to “all services,” set “VPC accessible services” to “Selected services,” and specify only BigQuery and Cloud Storage.

• Edit the existing access level to add a “Geographic locations” condition set to “US.”

• Configure a Cloud Interconnect connection or a Virtual Private Network (VPN) between the on-premises environment and the Google Cloud organization.

• Configure the VPC firewall policies within the new projects to only allow connections from the on-premises IP address range.

• Enable the Restrict Resource Service Usage organization policy on the new folder with an “Allow” policy type, and set both “storage.googleapis.com” and “bigquery.googleapis.com” under “Custom values.”