[Solved] Given this VPC Service Controls perimeter configuration:perimeterType: 'SERVICE_PERIMETER' resources: - projects/project-abc restrictedServices: - storage.googleapis.com - bigquery.googleapis.... | GCP

GCP - Cloud IAM Advanced

Given this VPC Service Controls perimeter configuration:

perimeterType: 'SERVICE_PERIMETER'
resources:
  - projects/project-abc
restrictedServices:
  - storage.googleapis.com
  - bigquery.googleapis.com
enforce: true

What happens if a VM in project-abc tries to access compute.googleapis.com?

AAccess is allowed only if the VM has special IAM roles

BAccess is denied because all services are blocked inside the perimeter

CAccess is allowed because compute.googleapis.com is not restricted

DAccess is denied because compute.googleapis.com is implicitly restricted

Step-by-Step Solution

Solution:

Step 1: Understand restricted services in the perimeter
The perimeter restricts only storage.googleapis.com and bigquery.googleapis.com.
Step 2: Check access to compute.googleapis.com
Since compute.googleapis.com is not listed, access is allowed by default.
Final Answer:
Access is allowed because compute.googleapis.com is not restricted -> Option C
Quick Check:
Only listed services are restricted = Access is allowed because compute.googleapis.com is not restricted [OK]

Quick Trick: Only services listed in restrictedServices are blocked [OK]

Common Mistakes:

Assuming all services are blocked inside perimeter
Thinking IAM roles override perimeter restrictions
Believing unlisted services are implicitly blocked

Master "Cloud IAM Advanced" in GCP

9 interactive learning modes - each teaches the same concept differently

Learn Why Deep Visual Try Challenge Project Recall Time

More GCP Quizzes

Given this VPC Service Controls perimeter configuration:

Step 1: Understand restricted services in the perimeter

Step 2: Check access to compute.googleapis.com

Final Answer:

Quick Check:

Want More Practice?