Your enterprise has a strict policy that no public IP addresses can be assigned to Compute Engine instances, and all resources must be deployed in the europe-west1 region. How can you enforce these rules organization-wide? (Select TWO)

Apply an Organization Policy constraint to disable external IP addresses for Compute Engine.

Create a VPC Firewall rule to block all outbound traffic to 0.0.0.0/0.

Apply an Organization Policy constraint to restrict resource locations to europe-west1.

Use IAM conditions to remove the compute.instances.create permission if the region is not europe-west1.

Configure Cloud NAT to translate all public IPs to private IPs.