GCP Professional Cloud Architect Practice Question
Your company operates a private, VPC-native GKE cluster whose nodes have no external IP addresses. Application pods must call both an internal-IP Cloud SQL instance and the Vertex AI API. Security architects insist that traffic remain on Google's private network, your VPC's subnet CIDRs must not be exposed to Google-managed service networks, and each consumer project must get its own endpoint so usage and IAM controls stay isolated. Which connectivity approach best satisfies all requirements?
Create Private Service Connect endpoints for Cloud SQL and Google APIs in each consumer project's VPC subnet, and direct pod traffic to those internal IPs.
Enable Private Service Access by reserving an IP range and peering the VPC to the Google-managed service network that hosts Cloud SQL and Vertex AI.
Send traffic through Cloud NAT so pods reach Cloud SQL and Vertex AI over their public service endpoints, restricted by firewall rules.
Provision a Dedicated Cloud Interconnect VLAN attachment, advertise the cluster subnet, and route requests privately to Cloud SQL and Vertex AI through that path.
Private Service Connect creates a consumer-side endpoint (an internal IP in your subnet) that forwards traffic over Google's private backbone to producer services such as Cloud SQL and Google APIs, including Vertex AI. Because PSC uses Layer-4 proxies rather than VPC peering, the consumer VPC's routes and IP ranges are not shared with the Google-managed service network, satisfying the requirement to keep subnet CIDRs hidden. Endpoints are provisioned per consumer project, enabling separate billing and IAM scoping.
Private Service Access also keeps traffic on Google's network, but it relies on VPC Network Peering with the service producer, which exchanges subnet routes, violating the isolation requirement. Using public service endpoints over Cloud NAT exposes traffic to the public internet and fails the private-backbone constraint. A Dedicated Cloud Interconnect attachment connects your on-premises network to Google's edge, not directly to managed services, and would still reveal routes; it also does not provide the per-project, per-service endpoint abstraction that is demanded.
Therefore, deploying Private Service Connect endpoints for Cloud SQL and Google APIs is the only option that meets every stated constraint.
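As an added example, not part of the original question page and not a script published by Google, the following bash script uses gcloud to provision the two consumer-side Private Service Connect endpoints the explanation describes: one for Google APIs (which carries Vertex AI calls) and one for a PSC-enabled Cloud SQL instance, both in the consumer project's own VPC. Project ids, network, subnet, region, instance name and the two endpoint IP addresses are assumed placeholders; the script prints the gcloud commands unless DRY_RUN=0, so it can be previewed without a project.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: provision consumer-side Private Service
# Connect endpoints for Google APIs (Vertex AI) and for a PSC-enabled Cloud SQL instance.
# All project ids, network/subnet names, region, instance name and IPs are assumed.
# DRY_RUN=1 (default) prints the gcloud commands instead of executing them.
set -euo pipefail

PROJECT="${PROJECT:-consumer-project-a}"                  # assumed: the consumer (GKE) project
NETWORK="${NETWORK:-gke-vpc}"                             # assumed: VPC hosting the private cluster
SUBNET="${SUBNET:-gke-subnet}"                            # assumed: subnet that holds the Cloud SQL endpoint
REGION="${REGION:-us-central1}"
PRODUCER_PROJECT="${PRODUCER_PROJECT:-producer-project}"  # assumed: project owning the Cloud SQL instance
SQL_INSTANCE="${SQL_INSTANCE:-app-db}"
SQL_ENDPOINT_IP="${SQL_ENDPOINT_IP:-10.20.0.10}"          # constructed: a free address inside $SUBNET
APIS_ENDPOINT_IP="${APIS_ENDPOINT_IP:-10.255.0.5}"        # constructed: must NOT lie in any subnet of the VPC
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Endpoint for Google APIs (covers Vertex AI): a global internal address reserved with
# --purpose=PRIVATE_SERVICE_CONNECT plus a global forwarding rule targeting the all-apis
# bundle. Nothing is peered, so no consumer subnet route is exported to Google.
psc_google_apis() {
  run gcloud compute addresses create psc-googleapis-ip --project="$PROJECT" --global \
    --purpose=PRIVATE_SERVICE_CONNECT --network="$NETWORK" --addresses="$APIS_ENDPOINT_IP"
  run gcloud compute forwarding-rules create pscvertex --project="$PROJECT" --global \
    --network="$NETWORK" --address=psc-googleapis-ip --target-google-apis-bundle=all-apis
  # Private DNS so pods resolving aiplatform.googleapis.com land on the endpoint IP.
  run gcloud dns managed-zones create googleapis-psc --project="$PROJECT" \
    --dns-name="googleapis.com." --visibility=private --networks="$NETWORK" \
    --description="Route Google API hostnames to the PSC endpoint"
  run gcloud dns record-sets create "aiplatform.googleapis.com." --project="$PROJECT" \
    --zone=googleapis-psc --type=A --ttl=300 --rrdatas="$APIS_ENDPOINT_IP"
}

# Endpoint for a PSC-enabled Cloud SQL instance: a regional address inside the consumer
# subnet plus a regional forwarding rule targeting the instance's service attachment.
# $1 is the service attachment URI published by the producer project.
psc_cloud_sql() {
  local service_attachment="$1"
  run gcloud compute addresses create psc-cloudsql-ip --project="$PROJECT" --region="$REGION" \
    --subnet="$SUBNET" --addresses="$SQL_ENDPOINT_IP"
  run gcloud compute forwarding-rules create psc-cloudsql --project="$PROJECT" --region="$REGION" \
    --network="$NETWORK" --address=psc-cloudsql-ip \
    --target-service-attachment="$service_attachment" --allow-psc-global-access
}

# Look up the service attachment of a PSC-enabled Cloud SQL instance. In dry-run mode a
# placeholder URI is returned so the rest of the script can still be previewed offline.
sql_service_attachment() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'projects/%s/regions/%s/serviceAttachments/PLACEHOLDER\n' "$PRODUCER_PROJECT" "$REGION"
  else
    gcloud sql instances describe "$SQL_INSTANCE" --project="$PRODUCER_PROJECT" \
      --format="value(pscServiceAttachmentLink)"
  fi
}

main() {
  psc_google_apis
  psc_cloud_sql "$(sql_service_attachment)"
}

main
```

Each consumer project runs this against its own VPC, which is what gives the per-project endpoint, billing and IAM boundary the question asks for. The producer side is a prerequisite: the Cloud SQL instance must have been created with Private Service Connect enabled and the consumer project listed among its allowed PSC projects, otherwise the forwarding rule cannot connect to the service attachment. Pods then address the database at SQL_ENDPOINT_IP and Vertex AI through the private DNS name, and no public IP, Cloud NAT or peered route is involved.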
Managing and provisioning a solution infrastructure