GCP Professional Cloud Architect Practice Question

Your retail startup is moving to Google Cloud. The payment processing microservice stores cardholder data and must be scoped as the PCI-DSS Cardholder Data Environment (CDE). Marketing dashboards and recommendation engines run in separate projects and need to call the payment API. Which design most effectively meets PCI isolation requirements while still permitting the other workloads to invoke the API?

  • Create a Shared VPC host project and attach both payment and marketing service projects to it, isolating the CDE in a separate subnet protected by firewall rules.

  • Place the payment service in a dedicated subnet inside the same VPC as marketing workloads, surround that subnet with VPC Service Controls, and expose the API through an internal HTTP(S) load balancer.

  • Host the payment microservice in a dedicated project with its own VPC and publish the service internally via Private Service Connect endpoints that are granted only to approved service accounts in the other projects.

  • Deploy the payment microservice and all other workloads in one project and VPC, using firewall rules and Cloud Armor policies to restrict access to cardholder data.

Designing for security and compliance