GCP Professional Cloud Security Engineer Practice Question
Your on-prem data center connects to a Google Cloud VPC by HA VPN with dynamic routing via Cloud Router. On-prem DNS already maps storage.googleapis.com to 199.36.153.10, but packet captures still show egress to Cloud Storage's public IPs. Which Google Cloud configuration change will route this traffic through the VPN to the 199.36.153.8/30 Private Google Access range?
Deploy a Cloud NAT gateway in the VPC and assign 199.36.153.8/30 as one of its external IP addresses to handle outbound traffic.
Create a custom static route for 199.36.153.8/30 in the VPC with next hop set to default-internet-gateway, and let Cloud Router export it to the on-prem BGP peer.
Configure Cloud Router to advertise 199.36.153.8/30 to the on-prem router without adding any corresponding route in the VPC.
Enable Private Service Connect for Google APIs on the subnet used by the VPN so on-prem hosts obtain the private endpoint automatically.
On-prem routers choose the best route they learn through BGP. Cloud Router advertises only prefixes that exist in the VPC routing table. Creating a custom static route whose destination is 199.36.153.8/30 and whose next hop is default-internet-gateway inserts that prefix into the VPC table, causing Cloud Router to export it. On-prem devices then direct packets for 199.36.153.10 through the VPN. Private Service Connect, Cloud NAT, or attempting to advertise a prefix without a matching local route will not achieve this.
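The on-prem side of this explanation, as an added example that is not part of the original question: a longest-prefix-match check showing why the DNS mapping alone does not steer 199.36.153.10 into the tunnel until the router has learned 199.36.153.8/30. The route tables, the next-hop names `internet-edge` and `ha-vpn-tunnel`, and the 10.128.0.0/20 subnet are constructed for illustration.

```python
import ipaddress

# Constructed on-prem routing table: (prefix, next hop). Names are illustrative.
BEFORE = [
    ("0.0.0.0/0", "internet-edge"),       # default route to the ISP
    ("10.128.0.0/20", "ha-vpn-tunnel"),   # VPC subnet learned over BGP
]
# Same table after the router learns 199.36.153.8/30 from Cloud Router.
AFTER = BEFORE + [("199.36.153.8/30", "ha-vpn-tunnel")]


def next_hop(table, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def pga_leaks(table, vpn_hop="ha-vpn-tunnel", pga_range="199.36.153.8/30"):
    """Return every address in the range that would NOT leave via the VPN."""
    return [str(a) for a in ipaddress.ip_network(pga_range)
            if next_hop(table, str(a)) != vpn_hop]


if __name__ == "__main__":
    for label, table in (("before", BEFORE), ("after", AFTER)):
        print(label, next_hop(table, "199.36.153.10"), pga_leaks(table))
```

Running `pga_leaks` against an exported on-prem route table gives a quick audit: an empty list means every address in the range is covered by a route through the tunnel.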
GCP Professional Cloud Security Engineer
Securing communications and establishing boundary protection