A company has a VPC with multiple subnets and wants to prevent data exfiltration by restricting access to a Cloud Storage bucket from only resources within a defined perimeter. Which Google Cloud service should they use to create an API perimeter around the bucket?
VPC Service Controls creates perimeters that restrict data movement across projects and networks.
Why this answer
VPC Service Controls lets you define service perimeters around Google Cloud services such as Cloud Storage, blocking data exfiltration to networks and projects outside the perimeter. The other options do not address API-level access: VPC firewall rules control network traffic but not access to Google APIs, Cloud Armor is for DDoS protection, and Cloud NAT is for outbound internet access.