GCP Professional Cloud Architect Practice Question
Your fintech platform runs multiple microservices on Google Cloud. A new audit requires the Cardholder Data Environment (CDE), made up of a payment-processing service and its Cloud SQL for PostgreSQL instance, to comply with PCI DSS v4. The CDE must be strictly segmented from other workloads, permit only the minimum traffic required from the public front-end service, and retain immutable audit logs for at least one year. Which architecture best meets these requirements while keeping operational overhead low?
Create a new Kubernetes namespace for the payment service in the existing GKE cluster, apply NetworkPolicy rules, keep the same project and VPC, enable Cloud SQL IAM authentication, and rely on Cloud Logging's default 400-day retention.
Move the payment service and Cloud SQL instance to a dedicated project that uses its own standalone VPC; peer no networks, allow only HTTPS traffic from the front-end project through tight ingress/egress firewall rules, and export all Admin Activity and Data Access logs to a Cloud Storage bucket protected with Bucket Lock in a central audit project.
Keep all workloads in the current project, wrap the Cloud SQL instance with a VPC Service Controls perimeter, restrict external access using Cloud Armor IP allowlists, and export logs to a BigQuery dataset with a 400-day table expiration.
Deploy the payment service to Cloud Run in the current project but tag it with a PCI label; enforce access using IAM Conditions, and publish all logs to Pub/Sub for downstream processing by a SIEM.
Creating a completely separate Google Cloud project and VPC for the CDE provides the strongest PCI-recommended segmentation boundary: IAM policies, service-level quotas, and VPC-level firewall rules do not bleed into other workloads. Peering and Shared VPC are avoided, so only explicitly allowlisted ingress and egress rules permit payment traffic from the front-end project. Exporting all Cloud Audit Logs from the CDE project to a centrally managed Cloud Storage bucket that uses Bucket Lock makes the logs immutable for the mandated retention period. This design directly addresses PCI's network segmentation and tamper-evident logging controls while requiring minimal day-to-day management. The other options fail key controls: keeping everything in one project (or even one VPC) does not create a true CDE boundary, VPC Service Controls do not isolate network paths inside a VPC, per-namespace or label-based isolation is insufficient for PCI, and BigQuery or Pub/Sub sinks without Bucket Lock cannot guarantee immutability.
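As an added illustration (not code from the original question or its source), the immutable-log sink and the minimum-ingress firewall rule of the chosen design, written in Terraform. Project IDs, bucket and network names, and the front-end source address are placeholders, and it assumes Data Access audit logs are already enabled in the CDE project's audit configuration.

```hcl
# Added example; every ID, name and address below is a placeholder.

# Central audit project: retention_period is in seconds (31536000 s = 365 days).
# Once is_locked is true the policy can no longer be shortened or removed.
resource "google_storage_bucket" "cde_audit_logs" {
  project                     = "audit-project-PLACEHOLDER"
  name                        = "cde-audit-logs-PLACEHOLDER"
  location                    = "US"
  uniform_bucket_level_access = true
  retention_policy {
    retention_period = 31536000
    is_locked        = true
  }
}

# CDE project: route Admin Activity and Data Access audit logs out of the
# project so they cannot be altered or deleted from inside the CDE.
resource "google_logging_project_sink" "cde_audit" {
  project                = "cde-project-PLACEHOLDER"
  name                   = "cde-audit-to-gcs"
  destination            = "storage.googleapis.com/${google_storage_bucket.cde_audit_logs.name}"
  unique_writer_identity = true
  filter                 = "logName:\"cloudaudit.googleapis.com%2Factivity\" OR logName:\"cloudaudit.googleapis.com%2Fdata_access\""
}

# The sink's service account may create objects but never delete them.
resource "google_storage_bucket_iam_member" "sink_writer" {
  bucket = google_storage_bucket.cde_audit_logs.name
  role   = "roles/storage.objectCreator"
  member = google_logging_project_sink.cde_audit.writer_identity
}

# Standalone CDE VPC (no peering, no Shared VPC): a custom VPC starts with only
# the implied deny-all ingress rule, so this is the sole path in. With no
# peering, the front end reaches the CDE through its public egress address,
# which is what the source range pins down (assumed Cloud NAT address).
resource "google_compute_firewall" "allow_frontend_https" {
  project       = "cde-project-PLACEHOLDER"
  name          = "allow-frontend-https"
  network       = "cde-vpc"
  direction     = "INGRESS"
  source_ranges = ["203.0.113.10/32"]
  target_tags   = ["payment-service"]
  allow {
    protocol = "tcp"
    ports    = ["443"]
  }
}
```

Apply the bucket with `is_locked = false` first if you want to verify the sink delivers objects before locking, since locking is irreversible.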
GCP Professional Cloud Architect
Designing for security and compliance