GCP Professional Cloud Architect Practice Question
An online retailer is migrating to Google Cloud and must process credit-card payments under PCI DSS. The payment microservice will run on Cloud Run, store cardholder data in Cloud SQL, and be consumed by separate marketing and analytics applications that must remain outside the Cardholder Data Environment (CDE). Which architecture most effectively limits PCI scope while still allowing the non-payment workloads to call the payment API?
Create a dedicated project and VPC for the Cloud Run payment service and its private Cloud SQL instance. Enable Private Service Connect for database access, wrap the project in a VPC Service Controls perimeter, expose the API through an external HTTPS load balancer, and deploy marketing and analytics workloads in separate projects that invoke the public URL.
Run all workloads in the default network; label payment instances with a firewall tag that only allows port 443 traffic to Cloud SQL via the Cloud SQL Auth proxy over the internet.
Use a Shared VPC whose host project contains all networks; place payment services in a service project attached to the same network and rely on IAM Conditions to prevent analytics service accounts from accessing payment resources.
Deploy payment, marketing, and analytics services in a single project but place them in separate subnets; use firewall rules to block non-payment subnets from reaching Cloud SQL and require SSL on the database's public IP.
Placing all components that handle cardholder data (Cloud Run service and Cloud SQL) in their own project and VPC creates a clear network and administrative boundary that defines the CDE. A VPC Service Controls perimeter prevents data exfiltration from that project, and Private Service Connect keeps database traffic off the public internet. Exposing the payment service through an external HTTPS load balancer allows marketing and analytics workloads in other projects to consume the API without joining the CDE, so those projects stay out of scope. The alternative designs either share the same project or VPC, rely only on firewall rules or IAM, or use public endpoints; each of those choices keeps the marketing and analytics resources inside, or at least connected to, the CDE, expanding PCI assessment scope and violating segmentation guidance.
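The boundary described above, sketched as an added Terraform example (not part of the original question or any real deployment): a VPC Service Controls perimeter around the dedicated payment project plus a Cloud SQL instance with no public IP that is reachable only over Private Service Connect. ORG_ID, CDE_PROJECT_NUMBER, CDE_PROJECT_ID and the region/tier values are placeholders.

```hcl
# Added example: Terraform sketch of the dedicated CDE project boundary.
# ORG_ID, CDE_PROJECT_NUMBER and CDE_PROJECT_ID are placeholders, not real values.

# Organization-level access policy that owns the perimeter.
resource "google_access_context_manager_access_policy" "pci" {
  parent = "organizations/ORG_ID" # placeholder organization id
  title  = "pci-access-policy"
}

# VPC Service Controls perimeter around the dedicated payment project.
# Restricting sqladmin, run and storage means those APIs can only be called
# from inside the perimeter, so data cannot be copied out to non-CDE projects.
resource "google_access_context_manager_service_perimeter" "cde" {
  parent = "accessPolicies/${google_access_context_manager_access_policy.pci.name}"
  name   = "accessPolicies/${google_access_context_manager_access_policy.pci.name}/servicePerimeters/cde"
  title  = "cde-perimeter"

  status {
    resources = ["projects/CDE_PROJECT_NUMBER"] # placeholder project number
    restricted_services = [
      "sqladmin.googleapis.com",
      "run.googleapis.com",
      "storage.googleapis.com",
    ]
    # Workloads inside the CDE VPC may only reach the restricted services.
    vpc_accessible_services {
      enable_restriction = true
      allowed_services   = ["RESTRICTED-SERVICES"]
    }
  }
}

# Cloud SQL with no public IPv4 address. It is reachable only through a
# Private Service Connect endpoint in the CDE project, so cardholder data
# never traverses the public internet and no other project can attach.
resource "google_sql_database_instance" "cards" {
  name                = "payments-db"
  project             = "CDE_PROJECT_ID" # placeholder project id
  region              = "us-central1"
  database_version    = "POSTGRES_15"
  deletion_protection = true

  settings {
    tier              = "db-custom-2-7680"
    availability_type = "REGIONAL"
    ip_configuration {
      ipv4_enabled = false            # no public IP at all
      ssl_mode     = "ENCRYPTED_ONLY" # refuse plaintext connections
      psc_config {
        psc_enabled               = true
        allowed_consumer_projects = ["CDE_PROJECT_ID"]
      }
    }
  }
}
```

Marketing and analytics projects are deliberately absent from `resources` and `allowed_consumer_projects`; they reach the payment service only through the external HTTPS load balancer in front of Cloud Run, which is what keeps them outside the assessed scope.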
GCP Professional Cloud Architect
Designing for security and compliance