A customer is running an analytics workload on Google Cloud where Compute Engine instances access data stored in Cloud Storage. Your team needs to ensure this workload cannot access, nor be accessed from, the internet. Which two strategies should your team implement? (Choose two.)