Internet access is not allowed so it should be A. CMIIW

Should be A https://cloud.google.com/vpc/docs/configure-private-services-access Note: Even though the IP addresses for Google APIs and services are public, the traffic path from instances that are using Private Google Access to the Google APIs remains within Google's network.

A. Upload the required installation files to Cloud Storage. Configure the VM on a subnet with a Private Google Access subnet. Assign only an internal IP address to the VM. Download the installation files to the VM using gsutil.

Those who are opting for B, Can please explain without Internet access and without Private Google Access enabled how will they communicate with Cloud Storage ? :)

The correct answer is A: Upload the required installation files to Cloud Storage. Configure the VM on a subnet with a Private Google Access subnet. Assign only an internal IP address to the VM. Download the installation files to the VM using gsutil. To install specific software on a Compute Engine instance in a highly secured environment where public Internet access is not allowed, you can follow these steps: Upload the required installation files to Cloud Storage. Configure the VM on a subnet with a Private Google Access subnet. This will allow the VM to access Google APIs and services, such as Cloud Storage, without requiring a public IP address or internet access. Assign only an internal IP address to the VM. This will ensure that the VM is not accessible from the public internet. Download the installation files to the VM using gsutil, which is a command-line tool that allows you to access Cloud Storage from the VM.

Eliminate B&D as it connect via public networks despite it being a Google Cloud service.

ok for A

With private Google access subnet, the vm can reach external network. With this setting, it violates “public Internet access from the Compute Engine VMs is not allowed”. Can someone explain why it’s not B instead?

A is good

A. Upload the required installation files to Cloud Storage. Configure the VM on a subnet with a Private Google Access subnet. Assign only an internal IP address to the VM. Download the installation files to the VM using gsutil.

Configuring Private Google Access is the best way to access Google Services for VM that does not have access to the internet. In order to access Google Private APIs egress should be opened to the following IP Address restricted.googleapis.com (199.36.153.4/30). VM will leverage internal networking to access Cloud Storage https://cloud.google.com/vpc/docs/configure-private-google-access

C because Cloud repositories is a private Git within Google cloud. Hence it is ideal for simple pull, push, clone type "git" operations. As this is within Google cloud and is a private git, you do not need public internet access

C&D we are all eliminating becoz of source storage repo Between A& B B looks more tempting to select because it mentions fire wallrule But the problem with B is the statement is wrong the access will happen from VM to storage and the statement mentions traffic from storage to Vm. Hence A

You have to set Private Google Access for communicating between VM and Storage

Unfortunately the question it's poorly designed. B is correct: https://cloud.google.com/vpc/docs/configure-private-google-access

A is the correct answer

It cannot be B because I don’t think anything like “restricted IP range for GCS” exists, at best we can use the private access feature. So while I agree the answer is A, can someone explain why it’s not C please?