Your organization has established a Cloud VPN tunnel between your on-premises data center and a Google Cloud VPC . You now need to configure secure access from your on-prem servers (using RFC 1918 IP addresses ) to the Cloud Functions API , while meeting the following conditions: Data residency : Specific data must remain within its original project and must not be exfiltrated to other projects. No internet egress : On-prem servers should not use the internet to access Google APIs. On-prem DNS resolution : All DNS queries must be resolved by the on-premises DNS . Access limitation : Only allow access to APIs supported by VPC Service Controls . Which solution best satisfies these requirements?