GCP Professional Cloud Security Engineer Practice Question
Your company has two Google Cloud projects: prod-app hosts several GKE clusters, and prod-data hosts internal REST services on Compute Engine VMs. The clusters must call the services over private IPs with high throughput and low latency. Security wants each team to keep project-level IAM separation, but networking must centrally manage subnets, routes, and firewall policies and avoid the non-transitive routing limitation if new projects are added later. Which connectivity design best meets these requirements?
A. Create a VPC Network Peering connection between the prod-app and prod-data VPCs and add custom routes for the service CIDRs.
B. Expose the prod-data services through a Private Service Connect service attachment and have prod-app create PSC endpoints to consume them, keeping the VPCs separate.
C. Create an HA VPN connection between the two projects with dynamic routing to exchange private routes.
D. Migrate both projects to a Shared VPC by designating a new host project and attaching prod-app and prod-data as service projects that deploy resources into centrally managed subnets.
Moving both projects into a Shared VPC meets all stated requirements. By creating a new host project and attaching prod-app and prod-data as service projects, networking administrators own and manage the single VPC's subnets, routes, and firewall rules, giving them centralized control while each team keeps project-level IAM over its own compute resources. Resources in both projects communicate over Google's private backbone using internal IP addresses, providing high-throughput, low-latency connectivity. Because resources from every service project are deployed into the same VPC, connectivity is inherently transitive, so adding future projects means attaching another service project rather than creating additional peering links.
VPC Network Peering would allow private connectivity but keeps routing and firewall control decentralized in each project and remains non-transitive, violating both the central-administration and future-scalability requirements. HA VPN tunnels introduce unnecessary encryption overhead, rely on public internet paths, and still leave routing split between projects. Publishing the services with Private Service Connect keeps project isolation but does not give the networking team control of prod-app's subnets or firewall rules, and each new service or project would need additional setup, complicating scalability.
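The following Terraform configuration is an added example of the Shared VPC design chosen above; it is not part of the original practice question or of any Google-provided code. The host project ID (net-host-example), region, subnet CIDRs, port, network tags and the group principals are assumptions chosen for illustration.

```hcl
# Added example (not from the original question): Shared VPC with a new host
# project and prod-app / prod-data attached as service projects. All network
# objects live in the host project so the networking team manages them centrally.

provider "google" {
  region = "us-central1" # assumed region
}

locals {
  host_project     = "net-host-example" # assumed: new host project owned by networking
  service_projects = ["prod-app", "prod-data"]
}

# Designate the host project that owns the single, shared VPC.
resource "google_compute_shared_vpc_host_project" "host" {
  project = local.host_project
}

# Attach both existing projects as service projects. New projects later are
# attached the same way; no peering links are needed because the VPC is shared.
resource "google_compute_shared_vpc_service_project" "svc" {
  for_each        = toset(local.service_projects)
  host_project    = google_compute_shared_vpc_host_project.host.project
  service_project = each.value
}

# The VPC and its subnets are created in the host project.
resource "google_compute_network" "shared" {
  project                 = local.host_project
  name                    = "shared-vpc"
  auto_create_subnetworks = false
}

# Subnet for the GKE clusters in prod-app (assumed CIDRs), with secondary
# ranges for pods and services so the clusters can be VPC-native.
resource "google_compute_subnetwork" "gke" {
  project                  = local.host_project
  name                     = "prod-app-gke"
  region                   = "us-central1"
  network                  = google_compute_network.shared.id
  ip_cidr_range            = "10.10.0.0/20"
  private_ip_google_access = true
  secondary_ip_range {
    range_name    = "pods"
    ip_cidr_range = "10.20.0.0/16"
  }
  secondary_ip_range {
    range_name    = "services"
    ip_cidr_range = "10.30.0.0/20"
  }
}

# Subnet for the REST service VMs in prod-data (assumed CIDR).
resource "google_compute_subnetwork" "data" {
  project                  = local.host_project
  name                     = "prod-data-services"
  region                   = "us-central1"
  network                  = google_compute_network.shared.id
  ip_cidr_range            = "10.10.16.0/20"
  private_ip_google_access = true
}

# Least privilege: grant each team networkUser on its own subnet only, not on
# the whole host project. Group names are placeholders.
resource "google_compute_subnetwork_iam_member" "gke_users" {
  project    = local.host_project
  region     = google_compute_subnetwork.gke.region
  subnetwork = google_compute_subnetwork.gke.name
  role       = "roles/compute.networkUser"
  member     = "group:prod-app-team@example.com"
}

resource "google_compute_subnetwork_iam_member" "data_users" {
  project    = local.host_project
  region     = google_compute_subnetwork.data.region
  subnetwork = google_compute_subnetwork.data.name
  role       = "roles/compute.networkUser"
  member     = "group:prod-data-team@example.com"
}

# Firewall policy is defined once, in the host project: only the GKE node and
# pod ranges may reach VMs tagged as data services, and only on the service port.
resource "google_compute_firewall" "allow_gke_to_data" {
  project       = local.host_project
  name          = "allow-gke-to-data-services"
  network       = google_compute_network.shared.name
  direction     = "INGRESS"
  source_ranges = ["10.10.0.0/20", "10.20.0.0/16"]
  target_tags   = ["data-service"]
  allow {
    protocol = "tcp"
    ports    = ["8443"] # assumed service port
  }
}
```

When the GKE clusters are actually created in prod-app, the cluster references the host project's subnet and secondary ranges, and the prod-app GKE service agent additionally needs roles/container.hostServiceAgentUser on the host project and roles/compute.networkUser on the GKE subnet; those bindings are omitted here because they depend on the project number. Note that the subnet-scoped IAM bindings and the single firewall rule are what keep the two teams' project-level IAM separation intact while networking retains control of the VPC.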
GCP Professional Cloud Security Engineer
Securing communications and establishing boundary protection