Your company has a networking team and a development team. The development team runs applications on Compute Engine instances that contain sensitive data. The development team requires administrative permissions for Compute Engine. Your company requires all network resources to be managed by the networking team. The development team does not want the networking team to have access to the sensitive data on the instances. What should you do?
Choose an answer
Tap an option to check your answer.
Correct answer: Create a project with a Shared VPC and assign the Network Admin role to the networking team. 2. Create a second project without a VPC, configure it as a Shared VPC service project, and assign the Compute Admin role to the development team..
Why this is the answer
The correct solution uses Shared VPC to separate network administration from compute administration while allowing the development team to deploy instances onto a network managed by the networking team. The host project (with the Shared VPC) is managed by the networking team, who have the Network Admin role. The service project (without its own VPC) is managed by the development team, who have the Compute Admin role and can deploy instances into the host project's network. This design prevents the networking team from accessing sensitive data on the instances, as they lack Compute Admin permissions. Incorrect options: Using standalone VPCs with Cloud VPN or VPC Peering would require the development team to manage their own network resources, which contradicts the requirement that all network resources be managed by the networking team. Assigning both Network Admin and Compute Admin roles within a single project would grant the networking team access to the instances, violating the data access requirement.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed