GCP Professional Cloud Architect Practice Question
A healthcare provider must migrate a latency-sensitive microservices workload to Google Kubernetes Engine in a new project. The services will store protected health information (PHI) in Cloud Storage. Compliance rules require that:
encryption at rest must use keys controlled and rotated by the provider,
all network traffic between the on-premises data center and GKE must be encrypted,
the link must sustain at least 5 Gbps while keeping operational overhead low.
Which architecture satisfies these requirements?
Configure Cloud Storage buckets with a customer-managed key in Cloud KMS and establish a Dedicated Interconnect circuit with HA VPN tunnels running over the Interconnect VLAN attachments.
Encrypt objects client-side with self-managed keys before uploading to Cloud Storage and use standalone Cloud VPN tunnels over the public internet for connectivity.
Use Cloud Storage buckets with Google-managed default encryption and connect the data center with a Dedicated Interconnect circuit that carries traffic in clear text.
Enable bucket-level default CMEK encryption and connect the data center via Partner Interconnect without any additional encryption because the circuit is private.
Customer-managed encryption keys (CMEK) for Cloud Storage satisfy the requirement that the customer controls and rotates the keys that protect data at rest. Creating a Dedicated Interconnect provides the needed 5 Gbps (and higher) bandwidth, while adding HA VPN tunnels over the Interconnect VLAN attachments encrypts every packet in transit without sacrificing throughput or requiring the application to handle encryption itself. The other options fail one or more constraints: relying on Google-managed keys does not give the customer key control; client-side encryption with standalone Cloud VPN over the public internet cannot guarantee 5 Gbps and increases operational burden; Partner or Dedicated Interconnect links without an accompanying VPN leave traffic unencrypted on the physical circuit, violating the in-transit encryption mandate.
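An audit check for the three requirements, added here as an example and not part of the original question: it inspects resource descriptions for a default CMEK with a rotation schedule, IPsec-encrypted VLAN attachments, and at least 5 Gbps of encrypted capacity. The sample resources, their names and the `audit`/`gbps` helpers are hypothetical; the field names (`defaultKmsKeyName`, `rotationPeriod`, `encryption`, `bandwidth`) are assumed to match the Cloud Storage, Cloud KMS and Compute Engine API resources.

```python
# Constructed sample data (not from the page). Field names are assumed to follow
# the public Cloud Storage, Cloud KMS and Compute Engine REST resources.
KEY = "projects/example-proj/locations/us/keyRings/phi/cryptoKeys/phi-key"
KMS_KEYS = {KEY: {"rotationPeriod": "7776000s"}}  # 90-day rotation schedule

COMPLIANT = {
    "bucket": {"name": "phi-data", "encryption": {"defaultKmsKeyName": KEY}},
    "attachments": [
        {"name": "vlan-a", "encryption": "IPSEC", "bandwidth": "BPS_5G"},
        {"name": "vlan-b", "encryption": "IPSEC", "bandwidth": "BPS_5G"},
    ],
}
# Default CMEK on the bucket, but the private circuit carries cleartext.
UNENCRYPTED_LINK = {
    "bucket": COMPLIANT["bucket"],
    "attachments": [{"name": "vlan-a", "encryption": "NONE", "bandwidth": "BPS_10G"}],
}
# Google-managed default encryption: no key the provider controls.
GOOGLE_MANAGED = {"bucket": {"name": "phi-data"}, "attachments": COMPLIANT["attachments"]}


def gbps(bandwidth):
    """Convert an attachment bandwidth enum such as BPS_500M or BPS_5G to Gbps."""
    value, unit = bandwidth[4:-1], bandwidth[-1]
    return int(value) / 1000 if unit == "M" else float(value)


def audit(arch, kms_keys, min_gbps=5.0):
    """Return a list of findings; an empty list means all three rules hold."""
    findings = []
    key_name = arch["bucket"].get("encryption", {}).get("defaultKmsKeyName")
    if not key_name:
        findings.append("at-rest: bucket has no default customer-managed key")
    elif not kms_keys.get(key_name, {}).get("rotationPeriod"):
        findings.append("at-rest: key has no rotation schedule")
    for att in arch["attachments"]:
        if att.get("encryption") != "IPSEC":
            findings.append(f"in-transit: {att['name']} is not IPsec-encrypted")
    # Capacity counts encrypted attachments only; per-tunnel limits and
    # redundancy between attachments are not modelled here.
    capacity = sum(gbps(a["bandwidth"]) for a in arch["attachments"]
                   if a.get("encryption") == "IPSEC")
    if capacity < min_gbps:
        findings.append(f"bandwidth: {capacity:g} Gbps encrypted capacity < {min_gbps:g}")
    return findings


if __name__ == "__main__":
    for label, arch in [("compliant", COMPLIANT), ("unencrypted link", UNENCRYPTED_LINK),
                        ("google-managed", GOOGLE_MANAGED)]:
        print(label, audit(arch, KMS_KEYS) or "OK")
```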
GCP Professional Cloud Architect
Designing and planning a cloud solution architecture