GCP Professional Cloud Security Engineer Practice Question
Your company's on-premises data-center network connects to a Google Cloud VPC through two HA VPN tunnels that exchange custom dynamic routes with a Cloud Router. For compliance reasons, the on-premises application servers must invoke Google Cloud Storage over private IP addresses-traffic must never traverse the public internet or use public source IPs. You must implement this requirement without changing application code or proxy configuration and without adding new connectivity products. Which actions will achieve the goal while keeping traffic on the existing VPN connection?
Deploy Cloud NAT for the VPN-terminating subnet, advertise a default route (0.0.0.0/0) to on-prem via BGP, and leave DNS unchanged so Google API hostnames resolve to public IPs.
Export a custom route for 199.36.153.8/30 through the Cloud Router and configure the on-premises DNS servers to resolve Google API hostnames (for example, storage.googleapis.com) to 199.36.153.8. Ensure VPC firewall rules allow egress from the VPN-terminating subnet to 199.36.153.8/30.
Enable Private Service Connect for Google APIs, allocate a regional internal address, and modify all application calls to use https://googleapis.internal/ endpoints.
Introduce a third-party proxy appliance in the VPC, expose its external IP to the data-center network, and configure applications to proxy HTTPS requests to Google Cloud Storage through it.
Private Google Access for on-premises hosts allows resources that reach a Google Cloud VPC over Cloud VPN or Cloud Interconnect to call Google APIs using the private VIP 199.36.153.8/30. A correct design therefore includes three key steps:
Configure the Cloud Router to advertise a custom route for the 199.36.153.8/30 prefix to the on-premises network so that packets destined for Google APIs are steered into the VPN.
Ensure that on-premises DNS resolvers return 199.36.153.8 for Google API hostnames such as storage.googleapis.com; this can be done with an override on the on-prem DNS servers or by forwarding to Cloud DNS private zones that supply the private.googleapis.com records.
Verify that VPC firewall rules allow egress from the VPN gateway's subnet to 199.36.153.8/30. Enabling Cloud NAT or modifying application URLs is unnecessary because traffic stays on private IP addresses.
The option that exports the 199.36.153.8/30 route through Cloud Router and updates on-prem DNS-without adding Cloud NAT, changing endpoints, or introducing a proxy-meets all requirements.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is Private Google Access for on-premises hosts?
Open an interactive chat with Bash
How does the Cloud Router export custom routes?
Open an interactive chat with Bash
Why is DNS configuration important for private API access?
Open an interactive chat with Bash
What is a Cloud Router in Google Cloud?
Open an interactive chat with Bash
What does the private VIP 199.36.153.8/30 represent for Google APIs?
Open an interactive chat with Bash
How does DNS resolution impact compliance with Private Google Access?
Open an interactive chat with Bash
GCP Professional Cloud Security Engineer
Securing communications and establishing boundary protection
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .