GCP Professional Cloud Architect Practice Question
Your security team mandates that no Compute Engine VMs receive external IP addresses. A managed instance group running in subnet "prod-us-central1-a" must fetch operating-system updates from public package repositories several times a day. The solution must block all unsolicited inbound connections from the internet, scale automatically as the group grows, and require minimal ongoing maintenance. Which approach best meets these requirements?
Launch a small Linux VM with an external IP in the subnet, configure it with IP forwarding and iptables NAT rules, and set it as the default gateway for the instance group.
Create a regional Cloud NAT gateway, attach it to the existing Cloud Router for the VPC, and configure it to serve the prod-us-central1-a subnet.
Enable Private Google Access on the subnet so the instances can reach external package repositories without needing public IP addresses.
Assign ephemeral external IP addresses to the instances during the update window, then remove the addresses afterward using an automation script.
Cloud NAT is a regional, managed network address translation service that lets instances without external IP addresses initiate outbound TCP, UDP, and supported ICMP traffic to the internet while never accepting inbound connections. A Cloud NAT gateway attaches to a Cloud Router so that the NAT IP ranges can be advertised, and the gateway automatically scales its address and port capacity as the number of instances grows.
Enabling Private Google Access would allow traffic only to Google APIs and services, not to external package repositories. Operating a self-managed Linux NAT VM introduces a single point of failure and ongoing maintenance overhead. Temporarily assigning external IP addresses violates the security mandate and still allows unsolicited inbound traffic while the addresses are present.
Therefore, deploying a regional Cloud NAT gateway that serves the prod-us-central1-a subnet is the correct solution.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
How does Cloud NAT ensure security while allowing outbound internet access?
Open an interactive chat with Bash
What is the role of a Cloud Router in a Cloud NAT setup?
Open an interactive chat with Bash
Why doesn't enabling Private Google Access meet the requirements in this scenario?
Open an interactive chat with Bash
What is Cloud NAT and why is it used?
Open an interactive chat with Bash
How does Cloud NAT integrate with Cloud Router?
Open an interactive chat with Bash
Why is enabling Private Google Access not a sufficient solution here?
Open an interactive chat with Bash
GCP Professional Cloud Architect
Managing and provisioning a solution infrastructure
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .