A company has workloads in an on-premises server room that must only be accessible from its private internal network. You need to connect to these workloads from Compute Engine instances in a Google Cloud project.

Which two approaches can you use to meet this requirement? (Choose two.)