GCP Associate Cloud Engineer Practice Question

Your team has deployed several Compute Engine instances in a custom VPC subnet that has no public IP addresses assigned to the VMs. The servers need to download operating-system updates from external repositories on the internet, but must remain inaccessible from the internet. You want a managed, highly available solution that requires the least ongoing maintenance. What should you do?

Deploy a single Compute Engine VM with two NICs, enable IP forwarding, and configure it as a manual NAT gateway for the subnet.
Reserve and assign static external IP addresses to each VM and rely on egress-only firewall rules to block inbound traffic.
Configure a Cloud NAT gateway on an existing Cloud Router and enable it for the subnet.
Enable Private Google Access on the subnet so the VMs can reach external update servers without external IP addresses.

Report Issue

Answer Description

Cloud NAT is a Google-managed network address translation service designed specifically for outbound connectivity from private VM instances. When you create a Cloud NAT gateway and attach it to a Cloud Router, every instance in the selected subnet can reach the public internet for software updates or other egress traffic without having an external IP address. Because Cloud NAT never accepts unsolicited inbound connections, the VMs remain unreachable from the internet, meeting the security requirement. Adding individual external IPs would satisfy outbound connectivity but violates the requirement to stay private and increases operational overhead. Building your own NAT instance introduces single-point-of-failure and patching tasks, while Private Google Access only allows access to Google APIs, not general internet repositories. Therefore, configuring a Cloud NAT gateway is the best option.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.