Your organization is moving to Google Cloud and needs to ensure that sensitive resources are accessible only from devices connected to the internal corporate network. You will configure Access Context Manager to enforce this restriction, considering the following details: The internal network IP ranges are 10.100.0.0/16 and 192.168.0.0/16. Some employees work remotely and connect through a company-managed VPN that assigns IP addresses dynamically from 172.16.0.0/20. Access should be limited to a specific Google Cloud project that is already within an existing service perimeter. What is the best way to set this up?