
Answer-first summary for fast verification
Answer: Set up an organization policy to only permit public IPs for the front-end Compute Engine instances.
Option C is correct because it uses the organization policy constraint 'compute.vmExternalIpAccess' to explicitly allow only front-end Compute Engine instances to have public IPs while denying all others. This provides centralized enforcement at the project level, preventing engineers with Editor roles from assigning public IPs to unauthorized instances. The community discussion confirms this approach, with high upvotes and references to the specific constraint. Option A (Private Access) doesn't control public IP assignment. Option B (IAM role changes) doesn't enforce the IP restriction policy. Option D (VPC subnets) relies on network design but doesn't prevent engineers from assigning public IPs to instances in the private subnet.
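An audit check for the policy described above, added here as an example and not part of the original page: it compares instance records against the allowlist of a `compute.vmExternalIpAccess` list policy and reports instances that are configured for an external IP without being on it. The project `prod-example`, the instance names and the IP addresses are constructed sample data, and the record shape assumes the JSON output of `gcloud compute instances list --format=json`.

```python
# Constructed sample data throughout: project, zones, instance names, IPs.
BASE = "https://www.googleapis.com/compute/v1/"
PROJECT = "projects/prod-example"

# List policy: only these instances may hold an external IP.
POLICY = {
    "constraint": "constraints/compute.vmExternalIpAccess",
    "listPolicy": {"allowedValues": [
        f"{PROJECT}/zones/us-central1-a/instances/frontend-1",
        f"{PROJECT}/zones/us-central1-b/instances/frontend-2",
    ]},
}

def _vm(name, zone, access_configs):
    """Build a constructed instance record in the gcloud JSON shape."""
    return {"selfLink": f"{BASE}{PROJECT}/zones/{zone}/instances/{name}",
            "networkInterfaces": [{"accessConfigs": access_configs}]}

INSTANCES = [
    _vm("frontend-1", "us-central1-a", [{"natIP": "203.0.113.10"}]),
    _vm("batch-worker", "us-central1-a", [{"natIP": "203.0.113.77"}]),
    _vm("db-1", "us-central1-b", []),
    # Stopped VM: the access config exists but no ephemeral address is assigned.
    _vm("debug-vm", "us-central1-b", [{"name": "External NAT"}]),
]

def resource_path(self_link):
    """Reduce a selfLink URL to projects/P/zones/Z/instances/NAME."""
    idx = self_link.find("projects/")
    if idx < 0:
        raise ValueError(f"not an instance selfLink: {self_link}")
    return self_link[idx:]

def external_access(instance):
    """Return one entry per IPv4 access config; 'unassigned' if no natIP yet."""
    return [ac.get("natIP", "unassigned")
            for nic in instance.get("networkInterfaces", [])
            for ac in nic.get("accessConfigs", [])]

def violations(instances, policy):
    """Instances configured for an external IP but absent from the allowlist."""
    allowed = set(policy["listPolicy"]["allowedValues"])
    found = []
    for inst in instances:
        path, ips = resource_path(inst["selfLink"]), external_access(inst)
        if ips and path not in allowed:
            found.append((path, ips))
    return found
```

Run against a real inventory export, a non-empty result points to instances that predate the policy or to an allowlist that no longer matches the front-end fleet.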
Author: LeetQuiz Editorial Team
Your team needs to ensure that Compute Engine instances in your production project cannot have public IP addresses, except for the frontend application instances which require them. The product engineers have the Editor role and can modify resources. How can your team enforce this requirement?
A. Enable Private Access on the VPC network in the production project.
B. Remove the Editor role and grant the Compute Admin IAM role to the engineers.
C. Set up an organization policy to only permit public IPs for the front-end Compute Engine instances.
D. Set up a VPC network with two subnets: one with public IPs and one without public IPs.