Your web application has several VM instances running within a VPC. You want to restrict communications between instances to only the paths and ports you authorize, but you don`t want to rely on static IP addresses or subnets because the app can autoscale. How should you restrict communications? 

Answer options:

A. Use separate VPCs to restrict traffic
B. Use firewall rules based on network tags attached to the compute instances
C. Use Cloud DNS and only allow connections from authorized hostnames
D. Use service accounts and configure the web application to authorize particular service accounts to have access

B