GCP Professional Cloud Architect Practice Question

Your company runs an SAP ERP system in its on-premises data center and is deploying container-based order-processing microservices on GKE in europe-west1. The solution must exchange data with SAP over at least 10 Gbps using private RFC 1918 addresses, automatically fail over if the primary private link becomes unavailable, and publish public REST APIs to logistics partners that enforce API keys and per-partner quotas without exposing the internal network.

Which architecture meets all requirements while minimizing operational overhead?

Set up two Classic Cloud VPN tunnels and Cloud NAT to route traffic to GKE. Serve partner APIs through an external HTTP(S) load balancer protected by Cloud Armor and secured by API Gateway.
Create an HA Cloud VPN between the data center and the VPC, enable VPC Network Peering to the GKE cluster, and rely on BGP fail-over within the tunnels. Expose partner APIs through Apigee Edge SaaS.
Provision two 10-Gbps Dedicated Interconnect circuits to the VPC with global dynamic routing and attach an HA Cloud VPN advertising the same prefixes for automatic fail-over. Keep private IP addressing end-to-end. Deploy fully managed Apigee X to proxy the microservice behind an internal HTTP(S) load balancer and expose public endpoints secured by API keys and quotas.
Establish two 10-Gbps Partner Interconnect VLAN attachments in europe-west1 and configure Private Service Connect between SAP and GKE. Use a second Partner Interconnect in the same region for fail-over. Publish partner APIs with Cloud Endpoints running on Cloud Run.

Report Issue

Answer Description

Dedicated Interconnect delivers the required 10-Gbps private connectivity, using RFC 1918 addresses end-to-end. When an HA Cloud VPN is attached to the same Cloud Router and advertises identical on-premises prefixes, BGP prefers the Interconnect path but automatically fails over to the VPN if the Interconnect becomes unavailable. Apigee X is a fully managed platform that enforces API keys, per-partner quotas, and provides analytics, while proxying traffic to an internal HTTP(S) load balancer so partners never access the VPC directly.

Architectures that use Partner Interconnect still require coordination with a service provider and, when coupled with Cloud Endpoints, lack the same level of per-consumer quota management. Designs that rely only on Cloud VPN cannot guarantee sustained 10-Gbps throughput, and solutions that use Cloud NAT prevent unsolicited inbound traffic. Therefore, the proposed architecture meets all functional and non-functional requirements with minimal operational overhead.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.