GCP Professional Cloud Architect Practice Question
Your company processes protected health information on Google Cloud. Compliance requires that trained models and online prediction requests never traverse the public internet and that no other Google Cloud project can access them. A Cloud Run service in the same project will invoke the model for real-time inference. What architecture best meets these requirements while following the principle of least privilege?
Keep the default public Vertex AI endpoint, secure it with Cloud Armor rules that allow traffic only from Cloud Run egress IPs, and store the model in a multi-region Cloud Storage bucket with uniform bucket-level access.
Create a VPC Service Controls perimeter that includes the project. Deploy the model to a Vertex AI endpoint configured with a Private Service Connect network and disable public access. Grant the Cloud Run service account only the Vertex AI predict permission and call the endpoint over the PSC internal address.
Enable Cloud NAT for the VPC and configure firewall rules to block all egress except to the public Vertex AI predict service; authenticate from Cloud Run using a service account key stored in Secret Manager.
Expose the Vertex AI endpoint through Cloud Endpoints behind an internal HTTP(S) load balancer and protect it with an API key; store model artifacts in a private BigQuery dataset with row-level security.
Creating a Vertex AI endpoint that is reachable only through Private Service Connect keeps prediction traffic on your private VPC and prevents exposure to the public internet. Placing the entire project inside a VPC Service Controls perimeter stops other projects-even inside the same organization-from accessing model artifacts or the endpoint, addressing the data-exfiltration mandate. Granting the Cloud Run service account the minimal Vertex AI permission needed to invoke predict operations satisfies least-privilege IAM. NAT, public endpoints, API keys, Cloud Armor, and Cloud Endpoints do not prevent public exposure or cross-project access, nor do they secure the model artifacts as effectively as a service perimeter.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is Private Service Connect (PSC) in Google Cloud?
Open an interactive chat with Bash
What is a VPC Service Controls perimeter?
Open an interactive chat with Bash
What does the principle of least privilege mean in IAM?
Open an interactive chat with Bash
What is VPC Service Controls in Google Cloud?
Open an interactive chat with Bash
What is Private Service Connect and how does it work?
Open an interactive chat with Bash
What is the principle of least privilege in IAM?
Open an interactive chat with Bash
GCP Professional Cloud Architect
Designing for security and compliance
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .