VPC firewall rules control network traffic to and from instances, but they cannot directly restrict access to Cloud Storage APIs. They can, however, restrict which instances can reach the external IP of Cloud Storage. To achieve the goal, the engineer must allow egress traffic from the instances to the Cloud Storage IP ranges and deny all other egress.
More importantly, access to Cloud Storage is controlled by IAM, not firewall rules. The question, however, specifically asks about VPC firewall rules. The typical approach is to use Private Google Access and firewall rules to restrict egress to Google API IPs.
The correct answers are: allow egress to the Google API IP ranges (which include Cloud Storage) and deny all other egress. The question might also consider using service accounts and firewall rule targets. Firewall rules can target service accounts, but that does not restrict access to Cloud Storage itself.
The most direct answer is that, to limit which instances can access Cloud Storage, you can create an egress rule that allows traffic to the Cloud Storage IP ranges only from instances with a specific service account or tag, and then deny all other egress. The question asks for two configurations. The most reasonable answers are: (1) create an egress allow rule for the Cloud Storage IP ranges with a target tag or service account that matches the instances; (2) create a deny-all egress rule with lower priority.
Since Cloud Storage uses Google APIs, the IP ranges come from the published list. The correct choices are likely: A and D.
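The allow-plus-deny pair described above can be checked with a small model of VPC egress evaluation; this is an added example, not Google's code or part of the original explanation, and it shows why the deny-all rule must sit at the lower priority. The rule names, the `gcs-client` tag, the priority values and the choice of the private.googleapis.com range as the destination are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumption: the allow rule targets the private.googleapis.com range used with
# Private Google Access; substitute the published Google API ranges you rely on.
GOOGLE_APIS = "199.36.153.8/30"

@dataclass(frozen=True)
class EgressRule:
    name: str
    priority: int                     # 0-65535, lower number is evaluated first
    action: str                       # "allow" or "deny"
    dest: str                         # destination CIDR
    target_tag: Optional[str] = None  # None = applies to every instance

# Implied VPC rule: egress is allowed unless a better-priority rule denies it.
IMPLIED = EgressRule("implied-allow-egress", 65535, "allow", "0.0.0.0/0")

def decide(rules, instance_tags, dest_ip):
    """Return (action, rule name) for one egress connection."""
    ip = ipaddress.ip_address(dest_ip)
    matching = [r for r in [*rules, IMPLIED]
                if (r.target_tag is None or r.target_tag in instance_tags)
                and ip in ipaddress.ip_network(r.dest)]
    # Lowest priority number wins; at equal priority a deny beats an allow.
    best = min(matching, key=lambda r: (r.priority, r.action != "deny"))
    return best.action, best.name

# The two rules from the explanation (constructed names, tag and priorities).
ALLOW = EgressRule("allow-gcs-apis", 1000, "allow", GOOGLE_APIS, "gcs-client")
RULES = [ALLOW, EgressRule("deny-all-egress", 65000, "deny", "0.0.0.0/0")]

# Misconfiguration: the deny gets the better priority and shadows the allow.
INVERTED = [ALLOW, EgressRule("deny-all-egress", 900, "deny", "0.0.0.0/0")]

if __name__ == "__main__":
    cases = [({"gcs-client"}, "199.36.153.9"),   # tagged VM to Google APIs
             ({"gcs-client"}, "93.184.216.34"),  # tagged VM to another host
             (set(), "199.36.153.9")]            # untagged VM to Google APIs
    for tags, ip in cases:
        print(sorted(tags), ip, decide(RULES, tags, ip))
    print("inverted:", decide(INVERTED, {"gcs-client"}, "199.36.153.9"))
```

The model covers network reachability only; whether a request that reaches the API is authorized remains an IAM decision.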