An organization needs to restrict access to Google Cloud APIs such that only traffic from a specific set of VMs inside a VPC can reach the APIs, and all other traffic (including from other VPCs) must be denied. The VMs do not have external IPs. Which combination of services should they use?
Private Google Access enables VMs without external IPs to reach Google APIs; VPC Service Controls restrict to the specified VPC.
Why this answer
Private Google Access allows VMs without external IPs to reach Google APIs. VPC Service Controls can create a service perimeter that restricts access to APIs from only authorized VPCs.