This list constraint defines the set of Compute Engine VM instances that are allowed to use external IP addresses.
By default, all VM instances are allowed to use external IP addresses.
Each VM instance in the allowed/denied list must be identified by its instance name, in the form:
projects/PROJECT_ID/zones/ZONE/instances/INSTANCE
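
One way to audit against this constraint, as an added example that is not part of the original page: it checks allowlist entries against the form above and reports instances that have an external IPv4 address without being on the list. The sample data is constructed, and the instance records are assumed to have the shape of `gcloud compute instances list --format=json` output (`selfLink`, `networkInterfaces[].accessConfigs`).

```python
import re

# Form the constraint requires for every allowed/denied entry.
INSTANCE_RE = re.compile(r"^projects/[^/]+/zones/[^/]+/instances/[^/]+$")

def canonical_name(instance):
    """Derive projects/PROJECT_ID/zones/ZONE/instances/INSTANCE from selfLink."""
    link = instance["selfLink"]
    idx = link.find("projects/")
    name = link[idx:] if idx >= 0 else ""
    if not INSTANCE_RE.match(name):
        raise ValueError(f"unexpected selfLink: {link!r}")
    return name

def has_external_ip(instance):
    """True if any interface carries an access config (external IPv4)."""
    return any(nic.get("accessConfigs")
               for nic in instance.get("networkInterfaces", []))

def audit(instances, allowed):
    """Return (violations, malformed_allowlist_entries)."""
    malformed = [a for a in allowed if not INSTANCE_RE.match(a)]
    allowed_set = set(allowed) - set(malformed)
    violations = sorted(
        name for name in (canonical_name(i) for i in instances
                          if has_external_ip(i))
        if name not in allowed_set
    )
    return violations, malformed

# Constructed sample data (project, zone, names and IPs are made up).
BASE = "https://www.googleapis.com/compute/v1/projects/demo-proj/zones/europe-west1-b/instances/"
NAT = {"type": "ONE_TO_ONE_NAT", "natIP": "203.0.113.10"}
SAMPLE_INSTANCES = [
    {"selfLink": BASE + "web-1", "networkInterfaces": [{"accessConfigs": [NAT]}]},
    {"selfLink": BASE + "bastion-1", "networkInterfaces": [{"accessConfigs": [NAT]}]},
    {"selfLink": BASE + "db-1", "networkInterfaces": [{"networkIP": "10.0.0.5"}]},
]
SAMPLE_ALLOWED = [
    "projects/demo-proj/zones/europe-west1-b/instances/bastion-1",
    "bastion-2",  # bare name: not in the required form, so it is reported
]

if __name__ == "__main__":
    violations, malformed = audit(SAMPLE_INSTANCES, SAMPLE_ALLOWED)
    print("external IP but not allowed:", violations)
    print("malformed allowlist entries:", malformed)
```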

Affected resources:

  • GCP GCE
  • GCP GKE
  • GCP GAE Flex

In Solvay...

VMs with external IP addresses are exposed to the risk of being attacked.
To mitigate this risk, all VMs will be created without the ability to have external IP addresses.


You will have to review the solution with the Technical Board (which comprises the Enterprise, Security and Cloud Architects).

If approved, the exception will be added by GCP CloudOps.

A tag will be added to the GCP project to exclude it from this policy.