GCP Professional Cloud Architect Practice Question
Your retail company is moving its payment API containers and a Cloud SQL for PostgreSQL instance that stores cardholder data into Google Cloud. PCI DSS requires the Cardholder Data Environment (CDE) to be isolated from other workloads and to expose the smallest possible attack surface. Several other Google Cloud projects need to receive hourly, aggregated sales data, but must never initiate network connections back into the CDE. Which network design best meets PCI segmentation requirements while still allowing the data to flow to the consumer projects?
Host all payment services in a dedicated project and VPC protected by a VPC Service Controls perimeter. Use Cloud NAT and an organization-level hierarchical firewall rule that blocks all inbound traffic except Identity-Aware Proxy, and have an internal service account publish sanitized sales data to a Pub/Sub topic in an analytics project.
Deploy payment services in one project and peer its VPC with the analytics project's VPC; allow traffic from the analytics subnet to the payment subnet on TCP 443 via custom firewall rules and Cloud Router-advertised routes.
Place payment and analytics workloads in separate subnets of the same Shared VPC; restrict access with firewall rules allowing the analytics subnet to reach the database over TCP 5432 and use Cloud NAT for outbound traffic.
Run all workloads in a single project; enable Private Google Access for the payment services to export data directly to BigQuery, relying on IAM Conditions instead of network isolation to meet PCI DSS requirements.
Placing all CDE resources in their own project and VPC cleanly separates them from non-CDE workloads. Wrapping that project in a VPC Service Controls perimeter prevents unintended access to Google-managed services from outside the CDE. An organization-level hierarchical firewall rule that denies all ingress to the CDE VPC (except IAP's managed proxy ranges) ensures no direct inbound paths exist, satisfying PCI's requirement to restrict inbound traffic to the CDE. Instances inside the CDE use Cloud NAT to reach external Google APIs, so no external system can initiate a session back in. Exporting pre-aggregated sales figures through Pub/Sub, where the CDE's service account publishes to a topic in another project, keeps the data flow one-way: consumer projects subscribe but cannot open connections into the CDE, preserving segmentation. The alternative designs leave the CDE in the same project or VPC, use peering that permits bidirectional private RFC 1918 traffic, or rely only on IAM without strong network isolation, all of which violate PCI DSS segmentation guidance.
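The design in the explanation, written out as an added Terraform example (this is not code from the original page or from Google). All project IDs, project numbers, the organization ID, the region and the Access Context Manager policy ID are placeholders; 35.235.240.0/20 is Google's documented source range for IAP TCP forwarding. The hierarchical policy is created at the organization but scoped with target_resources to the CDE VPC only, so it does not touch the analytics project, and the VPC Service Controls perimeter carries an explicit egress rule: restricting pubsub.googleapis.com inside the perimeter would otherwise block the exporter service account from publishing to a topic that lives outside it.

```terraform
# Added example: CDE segmentation sketch. Placeholder values throughout.
locals {
  org_id                   = "ORG_ID_PLACEHOLDER"
  region                   = "us-central1"
  cde_project              = "cde-project-placeholder"
  cde_project_number       = "000000000001"
  analytics_project        = "analytics-project-placeholder"
  analytics_project_number = "000000000002"
  access_policy_id         = "ACCESS_POLICY_ID_PLACEHOLDER"
}

# 1. Dedicated CDE VPC with no auto-created subnets or default rules.
resource "google_compute_network" "cde" {
  project                 = local.cde_project
  name                    = "cde-vpc"
  auto_create_subnetworks = false
}

# 2. Org-level hierarchical policy: allow only IAP ingress, deny everything else.
resource "google_compute_firewall_policy" "cde" {
  parent     = "organizations/${local.org_id}"
  short_name = "cde-ingress-policy"
}

resource "google_compute_firewall_policy_rule" "allow_iap" {
  firewall_policy  = google_compute_firewall_policy.cde.name
  priority         = 1000
  direction        = "INGRESS"
  action           = "allow"
  enable_logging   = true
  target_resources = [google_compute_network.cde.self_link]
  match {
    src_ip_ranges = ["35.235.240.0/20"] # IAP TCP-forwarding source range
    layer4_configs {
      ip_protocol = "tcp"
      ports       = ["22"]
    }
  }
}

resource "google_compute_firewall_policy_rule" "deny_all_ingress" {
  firewall_policy  = google_compute_firewall_policy.cde.name
  priority         = 2000
  direction        = "INGRESS"
  action           = "deny"
  enable_logging   = true # log denied inbound attempts for detection
  target_resources = [google_compute_network.cde.self_link]
  match {
    src_ip_ranges = ["0.0.0.0/0"]
    layer4_configs { ip_protocol = "all" }
  }
}

resource "google_compute_firewall_policy_association" "cde" {
  name              = "cde-policy-association"
  firewall_policy   = google_compute_firewall_policy.cde.id
  attachment_target = "organizations/${local.org_id}"
}

# 3. Cloud NAT: outbound-only path; nothing outside can initiate sessions in.
resource "google_compute_router" "cde" {
  project = local.cde_project
  name    = "cde-router"
  region  = local.region
  network = google_compute_network.cde.id
}

resource "google_compute_router_nat" "cde" {
  project                            = local.cde_project
  name                               = "cde-nat"
  router                             = google_compute_router.cde.name
  region                             = local.region
  nat_ip_allocate_option             = "AUTO_ONLY"
  source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES"
}

# 4. One-way data flow: CDE service account may only publish to an analytics topic.
resource "google_service_account" "exporter" {
  project    = local.cde_project
  account_id = "sales-exporter"
}

resource "google_pubsub_topic" "sales" {
  project = local.analytics_project
  name    = "hourly-sales-aggregates"
}

resource "google_pubsub_topic_iam_member" "cde_publisher" {
  project = local.analytics_project
  topic   = google_pubsub_topic.sales.name
  role    = "roles/pubsub.publisher"
  member  = "serviceAccount:${google_service_account.exporter.email}"
}

# 5. VPC Service Controls perimeter around the CDE project, with a narrow
#    egress rule so the exporter can still publish to the external topic.
resource "google_access_context_manager_service_perimeter" "cde" {
  parent = "accessPolicies/${local.access_policy_id}"
  name   = "accessPolicies/${local.access_policy_id}/servicePerimeters/cde"
  title  = "cde"
  status {
    resources           = ["projects/${local.cde_project_number}"]
    restricted_services = ["sqladmin.googleapis.com", "pubsub.googleapis.com"]
    egress_policies {
      egress_from {
        identities = ["serviceAccount:${google_service_account.exporter.email}"]
      }
      egress_to {
        resources = ["projects/${local.analytics_project_number}"]
        operations {
          service_name = "pubsub.googleapis.com"
          method_selectors { method = "google.pubsub.v1.Publisher.Publish" }
        }
      }
    }
  }
}
```

Two points worth checking after applying something like this: the deny rule must sit at a lower priority number than nothing else that allows ingress (here only the IAP rule at 1000 precedes it), and the perimeter's egress rule should name only the publisher identity and the Publish method, so no other CDE principal gains a path out.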
GCP Professional Cloud Architect
Designing for security and compliance