Exam Professional Cloud Network Engineer topic 1 question 104 discussion

https://cloud.google.com/vpc-service-controls/docs/supported-products

For sure B.

ACL is the finest way to give permission..I think it is C

The correct answer is B. Configure a VPC Service Controls perimeter around project XYZ, and include storage.googleapis.com as a restricted service in the service perimeter. By configuring a VPC Service Controls perimeter around project XYZ, you can create a secure boundary around the project and restrict access to Cloud Storage to only those instances that are within the VPCs under project XYZ. You can include storage.googleapis.com as a restricted service in the service perimeter, which will ensure that only authorized VPCs can access the Cloud Storage bucket containing sensitive data.

Typical use case for mitigating the risk of data exfiltration

• B. Configure a VPC Service ***** Controls perimeter around project XYZ, and include storage.googleapis.com as a restricted service in the service perimeter. Overview of VPC Service Controls VPC Service Controls improves your ability to mitigate the risk of data exfiltration from Google Cloud services such as Cloud Storage and BigQuery. You can use VPC Service Controls to create perimeters that protect the resources and data of services that you explicitly specify. The following diagram shows a service perimeter that allows access from the internet to protected resources based on the configured access levels, such as IP address or device policy:

Agree on B. Typical use case of VPC Service Controls: https://cloud.google.com/vpc-service-controls/docs/overview

I also vote for B, the others dont make sense

For me, B is correct. https://cloud.google.com/vpc/docs/private-access-options https://cloud.google.com/vpc/docs/configure-private-service-connect-apis