You are configuring Private Google Access for VM instances in your Google Cloud VPC. These VMs have only private IP addresses and must access Google APIs such as Cloud Storage. Your security requirement mandates that all general outbound traffic from these VMs should route through your on-premises data center via an existing Cloud Interconnect connection for inspection. However, traffic to Google APIs should stay within Google Cloud. How should you set up your network to meet these requirements?