Your security team requires that worker nodes in a new Google Kubernetes Engine (GKE) cluster never receive public IP addresses. The cluster's control-plane must be reachable only from the company's on-premises network (10.1.0.0/16) over an existing Cloud VPN tunnel. Workloads must still be able to pull container images from Artifact Registry and send logs to Cloud Logging. Which configuration will meet all of these requirements?
Create a private GKE cluster but leave the public control-plane endpoint enabled with a master-authorized-network entry for 10.1.0.0/16, and disable Private Google Access on the subnet.
Create a standard (public) GKE cluster, remove external IPs from the node pool template, and restrict SSH access with firewall rules. Use Cloud NAT so nodes can reach Artifact Registry and Cloud Logging.
Create a private GKE cluster, disable the private endpoint, and enable Cloud NAT for the subnet so nodes can reach Google APIs while the control-plane is accessed through its public endpoint.
Create a private GKE cluster, enable the private control-plane endpoint and disable the public endpoint, and enable Private Google Access on the cluster's subnet. Use the existing Cloud VPN to reach the private endpoint from 10.1.0.0/16.
A private GKE cluster assigns only internal IP addresses to nodes, satisfying the "no public IP" requirement. Enabling the cluster's private endpoint and disabling the public endpoint ensures the control-plane is reachable only inside the VPC; traffic from the on-premises network can reach that endpoint through the Cloud VPN. Because the nodes have no external IPs, Private Google Access must be enabled on the subnet so they can reach Google APIs such as Artifact Registry and Cloud Logging without traversing the public internet. The other options fail at least one requirement: a standard (public) cluster gives nodes external IPs; leaving the control-plane's public endpoint enabled exposes it beyond on-prem; omitting Private Google Access prevents image pulls and telemetry; and disabling the private endpoint removes the only path the VPN can use.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a private GKE cluster and how does it differ from a public one?
Open an interactive chat with Bash
What is Private Google Access and why is it needed for a private GKE cluster?
Open an interactive chat with Bash
How does a Cloud VPN enable connectivity between an on-premises network and a private GKE cluster?
Open an interactive chat with Bash
What is Private Google Access and why is it necessary in this configuration?
Open an interactive chat with Bash
Why does the control-plane need a private endpoint and how does Cloud VPN make it accessible?
Open an interactive chat with Bash
How does a private GKE cluster differ from a standard GKE cluster in terms of node IP addresses?
Open an interactive chat with Bash
GCP Associate Cloud Engineer
Planning and implementing a cloud solution
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .