GCP Professional Cloud Security Engineer Practice Question
Your company connects its on-premises data center to a Shared VPC in Google Cloud by using Dedicated Interconnect. Security policy states that:
On-premises workloads must call BigQuery and Cloud Storage APIs without using public IP addresses.
Any Google service that is not supported by VPC Service Controls must be unreachable from on-prem.
The network team wants to allow-list a single internal IP address for all permitted Google API traffic. Which design meets these requirements while keeping management overhead low?
Create a Private Service Connect endpoint in the VPC by reserving an internal IP address and specifying the vpc-sc Google APIs bundle. Publish private DNS A records that map only the needed API hostnames to that IP and advertise the address to on-prem over Cloud Router.
Deploy Cloud NAT with manually allocated public NAT IPs, then allow on-prem workloads to reach BigQuery and Cloud Storage through the NAT gateway.
Configure a Serverless VPC Access connector and protect the APIs with Identity-Aware Proxy (IAP) so that only approved users can invoke them from on-prem.
Enable Private Google Access on every subnet, add a private DNS zone that maps restricted.googleapis.com to 199.36.153.4, and let on-prem traffic reach Google APIs through that public VIP.
Creating a Private Service Connect (PSC) endpoint whose target bundle is vpc-sc gives the VPC a global internal forwarding rule that represents only the Google APIs supported by VPC Service Controls (BigQuery and Cloud Storage among them). The endpoint uses a reserved global internal IP address that must lie outside every subnet range of the VPC network (and of any peered network), so it is not covered by the subnet routes Cloud Router advertises by default; you add it as a custom advertised route on the Cloud Router attached to the Dedicated Interconnect VLAN attachment. After you add private Cloud DNS records that map the required API hostnames (for example, storage.googleapis.com and bigquery.googleapis.com) to that IP address, on-premises workloads reach the services over the private Interconnect path, and the network team has exactly one internal address to allow-list. No other Google APIs are reachable through the endpoint because they are not part of the vpc-sc bundle.
The other options fail at least one requirement. Private Google Access is a per-subnet setting for VM instances without external IPs; on-premises hosts instead use Private Google Access for on-premises hosts, which routes to the restricted.googleapis.com range 199.36.153.4/30. Those addresses are public VIPs (reachable only over Google's network, but public nonetheless) and there are four of them, so that design violates both the no-public-IP rule and the single-internal-IP rule. Cloud NAT only serves VM instances inside the VPC and translates to external addresses; it does nothing for traffic arriving over Interconnect. Serverless VPC Access connects Cloud Run, Cloud Functions and App Engine to a VPC, and IAP fronts HTTPS applications and TCP forwarding; neither gives on-prem a private path to Google APIs. Using the all-apis PSC bundle instead of vpc-sc would also be wrong, because it exposes every Google API, including those not supported by VPC Service Controls.
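The gcloud steps that implement the chosen design, as an added example that is not part of the original question or explanation. Project, network, endpoint, router, region, DNS zone and IP values are assumptions chosen for illustration; the script prints the commands by default (DRY_RUN=1) and runs them only when DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the original page): gcloud steps for the PSC-endpoint design.
# Project, network, endpoint, router, region, zone and IP values are assumptions.
set -eu

PROJECT="${PROJECT:-shared-vpc-host-prj}"     # Shared VPC host project (assumed)
NETWORK="${NETWORK:-shared-vpc}"              # Shared VPC network name (assumed)
ENDPOINT="${ENDPOINT:-psc-vpcsc-apis}"        # endpoint name, keep it 20 chars or fewer
ENDPOINT_IP="${ENDPOINT_IP:-10.255.0.2}"      # global internal IP outside every subnet range (assumed)
ROUTER="${ROUTER:-interconnect-router}"       # Cloud Router on the VLAN attachment (assumed)
REGION="${REGION:-us-central1}"               # region of that Cloud Router (assumed)
DNS_ZONE="${DNS_ZONE:-googleapis-private}"    # Cloud DNS private zone name (assumed)
API_HOSTS="${API_HOSTS:-storage.googleapis.com bigquery.googleapis.com}"
DRY_RUN="${DRY_RUN:-1}"                       # 1 = print commands instead of running gcloud

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# 1. Reserve the single internal address the network team will allow-list.
#    It is a global address with purpose PRIVATE_SERVICE_CONNECT, not a subnet address.
reserve_address() {
  run gcloud compute addresses create "$ENDPOINT" --global \
    --purpose=PRIVATE_SERVICE_CONNECT --addresses="$ENDPOINT_IP" \
    --network="$NETWORK" --project="$PROJECT"
}

# 2. Create the PSC endpoint. The vpc-sc bundle exposes only VPC-SC-supported APIs;
#    all-apis would expose every Google API and break the policy.
create_endpoint() {
  run gcloud compute forwarding-rules create "$ENDPOINT" --global \
    --network="$NETWORK" --address="$ENDPOINT" \
    --target-google-apis-bundle=vpc-sc --project="$PROJECT"
}

# 3. Private zone for googleapis.com with A records only for the permitted hostnames.
#    Any hostname without a record here keeps resolving to the public VIPs, so
#    publish exactly the names that are allowed.
create_dns() {
  run gcloud dns managed-zones create "$DNS_ZONE" --dns-name=googleapis.com. \
    --visibility=private --networks="$NETWORK" \
    --description="Google APIs via PSC endpoint" --project="$PROJECT"
  for host in $API_HOSTS; do
    run gcloud dns record-sets create "$host." --zone="$DNS_ZONE" \
      --type=A --ttl=300 --rrdatas="$ENDPOINT_IP" --project="$PROJECT"
  done
}

# 4. The endpoint IP is in no subnet, so default (subnet) advertisement never
#    announces it; switch the router to custom mode and add the /32 explicitly.
advertise_endpoint() {
  run gcloud compute routers update "$ROUTER" --region="$REGION" \
    --advertisement-mode=custom --set-advertisement-groups=all_subnets \
    --set-advertisement-ranges="$ENDPOINT_IP/32" --project="$PROJECT"
}

apply_all() {
  reserve_address
  create_endpoint
  create_dns
  advertise_endpoint
}

apply_all
```

Two caveats when applying this for real. The Cloud DNS private zone is only consulted by resolvers inside the VPC; on-premises clients must either forward googleapis.com queries to Cloud DNS through an inbound server policy or carry equivalent records on the on-prem DNS servers, otherwise they keep resolving the public VIPs. The endpoint also restricts only which APIs are reachable; authorization and data-exfiltration controls still come from IAM and from a VPC Service Controls perimeter around the projects that hold the BigQuery datasets and Cloud Storage buckets.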
Exam domain: GCP Professional Cloud Security Engineer, Securing communications and establishing boundary protection