GCP Professional Cloud Security Engineer Practice Question
Your company operates two private subnets in the us-central1 region that host auto-scaling managed instance groups (MIGs). None of the VMs have external IP addresses, but they must periodically connect to a third-party SaaS platform that only accepts traffic from allow-listed public IP addresses. The security team insists that the set of egress IP addresses remain stable, while the network team wants Cloud NAT to handle sudden bursts of outbound connections without manual intervention for port management. Which Cloud NAT configuration best meets these requirements?
Assign individual static external IP addresses to every VM in the MIGs and enable Private Google Access instead of Cloud NAT.
Deploy separate zonal Cloud NAT gateways for each subnet with automatic address allocation and update the SaaS allow-list whenever Cloud NAT adds new addresses.
Create a single regional Cloud NAT gateway, reserve a small set of static external IP addresses, configure the gateway for manual address allocation with those reserved addresses, and retain the default automatic port allocation to scale during traffic spikes.
Create a regional Cloud NAT gateway that uses automatic address allocation so it can add additional external IPs when port demand increases.
Using a Cloud NAT gateway with manually specified, reserved static external IP addresses guarantees that every egress connection from the private subnets uses only the IPs you own-so the SaaS provider's allow-list never changes. When you leave port allocation in its default automatic mode, Cloud NAT dynamically scales the number of NAT ports per VM as traffic grows, avoiding manual reconfiguration during bursts. Relying on automatic address allocation or allowing Cloud NAT to add new addresses would break the requirement for a fixed egress IP set, while assigning external IPs to every VM or deploying separate per-subnet gateways with automatic addresses would either violate the no-external-IP constraint or still risk unpredictable egress IP changes.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is Cloud NAT in GCP?
Open an interactive chat with Bash
What is the difference between manual and automatic address allocation in Cloud NAT?
Open an interactive chat with Bash
How does automatic port allocation work in Cloud NAT?
Open an interactive chat with Bash
What is Cloud NAT and what makes it suitable for this scenario?
Open an interactive chat with Bash
Why is manual address allocation important in Cloud NAT for this scenario?
Open an interactive chat with Bash
What are the benefits of automatic port allocation in Cloud NAT?
Open an interactive chat with Bash
GCP Professional Cloud Security Engineer
Securing communications and establishing boundary protection
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .