GCP Professional Cloud Architect Practice Question
A Cloud Run (fully managed) service deployed in europe-west1 must connect to an internal-only PostgreSQL VM that listens on 10.20.4.5 inside the project's custom VPC subnet 10.20.4.0/24. Security policy forbids assigning external IP addresses to either workload or allowing any outbound traffic over the public internet. The service currently times out when it opens a TCP connection to 10.20.4.5. What single configuration change will enable the service to reach the database while satisfying the policy and without modifying the container image?
Create a Serverless VPC Access connector in europe-west1 using a non-overlapping /28 CIDR, attach it to the Cloud Run service, and add a firewall rule that permits traffic from the connector's IP range to 10.20.4.5.
Enable Private Google Access on the subnet that hosts the PostgreSQL VM so Cloud Run can resolve and reach the VM's private address.
Configure VPC Network Peering between the Cloud Run service and the custom VPC and rely on the default egress range.
Enable Cloud NAT on the subnet and set the Cloud Run service's egress setting to All traffic so the service can reach the VM via the NAT gateway.
Cloud Run instances run on Google-managed infrastructure that is not automatically part of your VPC. To reach private RFC 1918 addresses you must route traffic through a Serverless VPC Access connector located in the same region as the service. The connector allocates a dedicated /28 (or larger) address range that must not overlap existing subnets; packets from Cloud Run appear to originate from this range. After attaching the connector to the Cloud Run service and permitting traffic from the connector range to the database subnet, the connection stays on the private network and no external IPs or public internet paths are used.
Network peering is unsupported for Cloud Run's underlying service project, Private Google Access only affects access to Google APIs, and Cloud NAT handles outbound internet traffic rather than traffic to internal VM addresses, so those alternatives would not meet the requirement.
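The two checks the explanation relies on (a non-overlapping connector range, and a firewall rule admitting that range to the database) can be modelled as a pre-deployment check. This is an added example, not part of the original question; the function names, the candidate range 10.8.0.0/28, the port 5432 and the rule dictionary layout are assumptions made for illustration.

```python
import ipaddress

DB_PORT = 5432  # assumption: PostgreSQL default port; the question does not state it


def plan_connector_rule(connector_range, vpc_subnets, db_ip, port=DB_PORT):
    """Validate a candidate connector range; return the ingress rule it needs."""
    conn = ipaddress.ip_network(connector_range)  # rejects ranges with host bits set
    if conn.prefixlen != 28:
        raise ValueError(f"{conn}: this check accepts only the /28 the answer names")
    if not conn.is_private:
        raise ValueError(f"{conn}: connector range must be private address space")
    subnets = [ipaddress.ip_network(s) for s in vpc_subnets]
    clash = [str(s) for s in subnets if conn.overlaps(s)]
    if clash:
        raise ValueError(f"{conn} overlaps existing subnet(s): {clash}")
    db = ipaddress.ip_address(db_ip)
    if not any(db in s for s in subnets):
        raise ValueError(f"{db} is not inside any listed VPC subnet")
    # Least privilege: only the connector range, only the DB host, only one port.
    return {"direction": "INGRESS", "action": "ALLOW", "protocol": "tcp",
            "port": port, "source": str(conn), "destination": f"{db}/32"}


def connector_can_reach(rules, connector_range, db_ip, port=DB_PORT):
    """Simplified model: ingress is denied unless some ALLOW rule covers the flow."""
    conn = ipaddress.ip_network(connector_range)
    db = ipaddress.ip_address(db_ip)
    for r in rules:
        if (r["direction"] == "INGRESS" and r["action"] == "ALLOW"
                and r["protocol"] == "tcp" and r["port"] == port
                and conn.subnet_of(ipaddress.ip_network(r["source"]))
                and db in ipaddress.ip_network(r["destination"])):
            return True
    return False


if __name__ == "__main__":
    # Subnet and DB address come from the question; 10.8.0.0/28 is constructed.
    rule = plan_connector_rule("10.8.0.0/28", ["10.20.4.0/24"], "10.20.4.5")
    print(connector_can_reach([], "10.8.0.0/28", "10.20.4.5"))      # no rule yet
    print(connector_can_reach([rule], "10.8.0.0/28", "10.20.4.5"))  # rule added
```

The returned rule scopes the source to the connector range and the destination to the single database address, which is narrower than opening the whole 10.20.4.0/24 subnet.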
GCP Professional Cloud Architect
Managing and provisioning a solution infrastructure