GCP Professional Cloud Architect Practice Question
You manage a Shared VPC host project that contains a custom-mode network named prod-vpc (10.20.0.0/16). An existing Google Kubernetes Engine Standard cluster in the service project analytics-proj is VPC-native and uses subnet 10.20.10.0/24 in prod-vpc. A new Cloud Run (fully managed) service will be deployed in another service project (svc-proj).
The Cloud Run service must:
call an internal HTTP endpoint exposed by one of the GKE micro-services without traversing the public internet,
keep all traffic between Cloud Run and the GKE workload on Google's private backbone (no public IP addresses on either workload),
continue to call external SaaS APIs on the public internet, and
Deploy a Compute Engine NAT gateway VM in svc-proj and configure Cloud Run to forward all egress traffic to that VM, which then routes requests to the GKE cluster over the Shared VPC.
Expose the GKE micro-service with a Service of type LoadBalancer to obtain an external IPv4 address, restrict its firewall to Cloud Run egress IP ranges, and invoke it directly from Cloud Run without using a connector.
Set up Cloud VPN tunnels between svc-proj and analytics-proj, assign a static external IP to Cloud Run using a custom egress feature, and expose the GKE workload through an external passthrough Network Load Balancer.
In svc-proj, create a regional Serverless VPC Access connector that uses a /28 secondary range in the shared prod-vpc subnet; configure the Cloud Run service to route only private-range traffic through the connector. Expose the GKE micro-service with an Internal HTTP(S) Load Balancer backed by a container-native NEG. No additional gateways or VMs are required.
Creating a regional Serverless VPC Access connector in the svc-proj service project and attaching it to a small (/28) secondary range in the Shared VPC subnet allows the Cloud Run instances to place private traffic onto prod-vpc. Exposing the target GKE micro-service through an Internal HTTP(S) Load Balancer backed by a container-native NEG assigns it a private virtual IP that is reachable from any project that uses the Shared VPC. Configure the Cloud Run service to send only private-range (RFC 1918) traffic through the connector; calls to the load balancer will therefore remain on Google's private backbone with no public IPs involved. Because public internet requests are not routed through the connector in this mode, Cloud Run can still reach external SaaS APIs without requiring additional NAT gateways, thereby avoiding the need to deploy or manage any custom VMs. The other options either expose public IP addresses, require unnecessary peering or VPN setup, or introduce extra operational overhead.
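The design described in the explanation, written out as manifests. This is an added example, not part of the original question; the service names, connector name, port numbers and image path are assumed placeholders.

```yaml
# Added example: names, ports and image path are assumed placeholders.
# --- GKE side (cluster in analytics-proj): private VIP, container-native NEG ---
apiVersion: v1
kind: Service
metadata:
  name: orders-api                    # hypothetical micro-service
  annotations:
    cloud.google.com/neg: '{"ingress": true}'    # pods become NEG endpoints
spec:
  type: ClusterIP                     # not LoadBalancer, so no external IPv4
  selector:
    app: orders-api
  ports:
    - port: 80
      targetPort: 8080
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: orders-api-internal
  annotations:
    kubernetes.io/ingress.class: "gce-internal"  # internal HTTP(S) load balancer
spec:
  defaultBackend:
    service:
      name: orders-api
      port:
        number: 80
---
# --- Cloud Run side (svc-proj): service manifest ---
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: report-frontend               # hypothetical Cloud Run service
spec:
  template:
    metadata:
      annotations:
        # Connector created in svc-proj and attached to prod-vpc
        run.googleapis.com/vpc-access-connector: run-to-prod-vpc
        # Only private-range destinations use the connector; SaaS calls
        # keep Cloud Run's default internet egress. "all-traffic" would
        # send them into the VPC as well, which then needs Cloud NAT.
        run.googleapis.com/vpc-access-egress: private-ranges-only
    spec:
      containers:
        - image: REGION-docker.pkg.dev/svc-proj/REPO/IMAGE:TAG  # placeholder
```

The first two documents are applied with `kubectl apply -f`, the third with `gcloud run services replace`. The internal load balancer also needs a proxy-only subnet in the same region of prod-vpc, which the question does not mention.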
GCP Professional Cloud Architect
Managing and provisioning a solution infrastructure