How should you configure the perimeter?

hard · 📝 Best Practice · Q15 of 15
GCP - Cloud IAM Advanced
Your company wants to protect sensitive data in BigQuery and Cloud Storage using VPC Service Controls. You have two projects: project-secure and project-public. You want to allow project-public to access BigQuery but not Cloud Storage inside the perimeter. How should you configure the perimeter?
A. Include both projects in resources, restrict only storage.googleapis.com
B. Include only project-secure in resources, restrict both storage.googleapis.com and bigquery.googleapis.com
C. Include both projects in resources, restrict both storage.googleapis.com and bigquery.googleapis.com
D. Include only project-public in resources, restrict storage.googleapis.com
Step-by-Step Solution
Solution:
  1. Step 1: Determine which projects to include in the perimeter

    To protect data in both projects but allow project-public access to BigQuery, include both projects in the perimeter.
  2. Step 2: Set restricted services to block only Cloud Storage

    Restrict storage.googleapis.com to block Cloud Storage access, and leave bigquery.googleapis.com unrestricted so that project-public can still access BigQuery.
  3. Final Answer:

    Include both projects and restrict only storage.googleapis.com -> Option A
  4. Quick Check:

    Both projects + restrict storage only = Include both projects in resources, restrict only storage.googleapis.com [OK]
Quick Trick: Restrict only storage to block Cloud Storage, include both projects [OK]
Common Mistakes:
  • Restricting both services blocks BigQuery access
  • Including only one project limits protection
  • Restricting BigQuery when access is needed
