GCP Professional Cloud Architect Practice Question
Your security team wants to centralize network administration while allowing dozens of application teams to continue deploying Compute Engine VMs and GKE clusters in their own projects. They have provided these requirements:
All workloads must use a common set of RFC 1918 subnets that are defined only once.
Security engineers, and no one else, must manage firewall rules and routing.
Application teams must not be able to create new subnetworks or modify firewall rules.
Network egress charges should be consolidated on a single, centrally managed project to simplify cost governance.
Which design best satisfies these requirements with the least operational overhead?
Build a central VPC with Cloud Routers that export custom routes to each application project over Dedicated Interconnect VLANs, allowing teams to retain full network-admin rights.
Maintain separate VPCs for each application project, deploy individual Cloud NAT gateways, and use VPC Service Controls to restrict traffic.
Peer every application project VPC with a central security VPC and rely on organization-level hierarchical firewall policies for rule enforcement.
Create a Shared VPC host project that owns the common VPC. Attach each application project as a service project and grant developers only the compute.networkUser role on the subnets their project needs; security engineers manage all firewall rules and routes in the host project.
Shared VPC lets you designate a single host project that owns the VPC and its subnetworks, so the RFC 1918 ranges are defined exactly once. Firewall rules and routes are resources of that host project's network: security engineers holding roles/compute.securityAdmin (firewall rules) and roles/compute.networkAdmin (routes and subnets) on the host project administer them, and they apply automatically to every VM and GKE node in attached service projects. Application teams are granted roles/compute.networkUser in the host project, either on the whole project or, with least privilege, only on the subnets their project uses; that role lets them attach VM instances and GKE node pools to existing subnetworks but carries no permission to create networks or subnetworks or to change firewall rules or routes. Enabling the host project and attaching service projects requires roles/compute.xpnAdmin, normally granted at the organization or folder level. For GKE, the service project's Kubernetes Engine service agent additionally needs compute.networkUser on the subnet and roles/container.hostServiceAgentUser on the host project. On cost, shared egress infrastructure such as Cloud NAT gateways, Cloud VPN tunnels and Interconnect attachments lives in the host project and is billed there, which is what centralizes egress governance; per-instance network egress charges remain with the project that owns the instance, so the host project's bill alone will not show every egress byte. The other options fall short: VPC peering leaves each project owning its own subnets and firewall rules, and hierarchical firewall policies do not change that; separate VPCs with per-project Cloud NAT multiply the networking each team must run, and VPC Service Controls governs access to Google APIs rather than VM-to-VM traffic; Dedicated Interconnect connects on-premises networks to a VPC, not one project to another, and that option leaves teams with full network-admin rights, violating the second and third requirements.
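As an added example (not part of the original question or its explanation), the correct design above rendered in Terraform with the Google provider. The project IDs, region, CIDR ranges, group addresses and the GKE service agent's project number are assumed placeholders, not values from the page.

```hcl
# Added example, not from the original page. Project IDs, region, CIDR ranges,
# group addresses and the GKE service-agent project number are assumptions.
locals {
  host_project    = "net-host-prod"    # assumed host project ID
  service_project = "app-team-a-prod"  # assumed service project ID
  region          = "us-central1"
  gke_agent       = "serviceAccount:service-123456789012@container-engine-robot.iam.gserviceaccount.com"
}

# The host project owns the one VPC; RFC 1918 subnets are defined here only.
resource "google_compute_shared_vpc_host_project" "host" {
  project = local.host_project
}

resource "google_compute_network" "shared" {
  project                 = local.host_project
  name                    = "shared-vpc"
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "team_a" {
  project       = local.host_project
  name          = "team-a-${local.region}"
  region        = local.region
  network       = google_compute_network.shared.id
  ip_cidr_range = "10.10.0.0/20"   # primary range for VMs and GKE nodes
  secondary_ip_range {             # alias ranges a VPC-native GKE cluster needs
    range_name    = "gke-pods"
    ip_cidr_range = "10.64.0.0/16"
  }
  secondary_ip_range {
    range_name    = "gke-services"
    ip_cidr_range = "10.65.0.0/20"
  }
}

# Attach the application team's project as a service project of the host.
resource "google_compute_shared_vpc_service_project" "team_a" {
  host_project    = google_compute_shared_vpc_host_project.host.project
  service_project = local.service_project
}

# Least privilege: compute.networkUser on this subnet only, for the developers and
# the service project's GKE agent. It cannot create subnets or touch firewall rules.
resource "google_compute_subnetwork_iam_binding" "team_a_network_users" {
  project    = local.host_project
  region     = google_compute_subnetwork.team_a.region
  subnetwork = google_compute_subnetwork.team_a.name
  role       = "roles/compute.networkUser"
  members = [
    "group:team-a-devs@example.com",  # assumed developer group
    local.gke_agent,
  ]
}

# GKE in a service project also needs this host-project role for its agent.
resource "google_project_iam_member" "gke_agent_host" {
  project = local.host_project
  role    = "roles/container.hostServiceAgentUser"
  member  = local.gke_agent
}

# Only security engineers hold firewall (securityAdmin) and route (networkAdmin) admin, in the host project only.
resource "google_project_iam_member" "security_eng" {
  for_each = toset(["roles/compute.securityAdmin", "roles/compute.networkAdmin"])
  project  = local.host_project
  role     = each.value
  member   = "group:security-eng@example.com"  # assumed group
}

# A rule created in the host project applies to every service-project workload
# on this VPC; this one admits only traffic from the VPC's own ranges.
resource "google_compute_firewall" "allow_internal" {
  project       = local.host_project
  name          = "shared-vpc-allow-internal"
  network       = google_compute_network.shared.name
  source_ranges = ["10.10.0.0/20", "10.64.0.0/16"]
  allow {
    protocol = "tcp"
  }
}

# One Cloud NAT in the host project: a central egress path billed to the host project.
resource "google_compute_router" "nat" {
  project = local.host_project
  name    = "shared-vpc-nat-router"
  region  = local.region
  network = google_compute_network.shared.id
}

resource "google_compute_router_nat" "nat" {
  project                            = local.host_project
  name                               = "shared-vpc-nat"
  router                             = google_compute_router.nat.name
  region                             = google_compute_router.nat.region
  nat_ip_allocate_option             = "AUTO_ONLY"
  source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES"
}
```

Apply this as an identity that holds roles/compute.xpnAdmin on the organization or folder containing both projects (the host enablement and service-project attachment fail without it) and with the Compute Engine API enabled in both projects. Granting networkUser per subnet rather than on the whole host project is what keeps one team from attaching workloads to another team's ranges.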