A customer is running an analytics workload on Google Cloud where Compute Engine instances access data stored in Cloud Storage. Your team needs to ensure this workload cannot access, nor be accessed from, the internet. Which two strategies should your team implement? (Choose two.)

Exam-Like

Configure Private Google Access on the Compute Engine subnet

Avoid assigning public IP addresses to the Compute Engine cluster.

Make sure that the Compute Engine cluster is running on a separate subnet.

Turn off IP forwarding on the Compute Engine instances in the cluster.

Configure a Cloud NAT gateway.

Google Professional Cloud Security Engineer