GCP Professional Cloud Security Engineer Practice Question
Your organization hosts an ERP stack on Compute Engine VMs inside the prod-vpc network. A new compliance mandate states that the Cloud SQL for PostgreSQL instance that backs the application must NEVER be reachable over the public internet, but it must stay accessible to:
- application VMs in prod-vpc, and
- database administrators who connect from the corporate data-center through an existing Cloud VPN tunnel.
What is the most operationally efficient configuration to meet this requirement?
Maintain the public IP and require all access to go through a hardened bastion VM that forwards traffic to the database.
Create the instance with Private IP enabled and delete or disable its public IP so that it is reachable only through the VPC network and connected VPN.
Expose the Cloud SQL endpoint behind an Internal TCP/UDP Load Balancer whose backend is the database instance.
Keep the public IP, but restrict it to the office's external CIDR by adding that range to the Cloud SQL authorized networks list.
Creating the Cloud SQL instance with only a Private IP address (and removing/disabling any Public IP) forces all traffic to stay within the VPC. Private-IP instances are reachable from resources in the same VPC and from on-prem environments that are connected by Cloud VPN or Cloud Interconnect, but they expose no routable address on the public internet. Relying on authorized networks or the Cloud SQL Auth proxy while keeping a public IP still permits internet-routable connectivity and therefore fails the mandate. Placing an internal load balancer in front of Cloud SQL is not supported, and a bastion host introduces additional maintenance without eliminating the public endpoint.
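As an added example (not part of the original question or of any Google tooling), the following Python check audits instance descriptions shaped like `gcloud sql instances describe --format=json` output for the conditions the explanation lists: no public IP, no authorized networks, and attachment to prod-vpc. The sample instances, project name and addresses are constructed, and `audit_instance` and `audit_all` are hypothetical helper names.

```python
import json

# Constructed sample shaped like `gcloud sql instances describe --format=json`
# output; instance names, project and addresses are made up for illustration.
SAMPLE_INSTANCES = json.loads("""
[
  {"name": "erp-db-private",
   "ipAddresses": [{"type": "PRIVATE", "ipAddress": "10.20.0.5"}],
   "settings": {"ipConfiguration": {
       "ipv4Enabled": false,
       "privateNetwork": "projects/example-project/global/networks/prod-vpc"}}},
  {"name": "erp-db-allowlisted",
   "ipAddresses": [{"type": "PRIMARY", "ipAddress": "203.0.113.10"},
                   {"type": "PRIVATE", "ipAddress": "10.20.0.6"}],
   "settings": {"ipConfiguration": {
       "ipv4Enabled": true,
       "privateNetwork": "projects/example-project/global/networks/prod-vpc",
       "authorizedNetworks": [{"name": "office", "value": "198.51.100.0/24"}]}}}
]
""")

def audit_instance(instance, required_network="prod-vpc"):
    """Return a list of findings; an empty list means private-IP only."""
    findings = []
    ip_cfg = instance.get("settings", {}).get("ipConfiguration", {})
    # ipv4Enabled=true means the instance is assigned a public IPv4 address.
    if ip_cfg.get("ipv4Enabled", False):
        findings.append("public IP enabled (ipv4Enabled=true)")
    # A PRIMARY entry in ipAddresses is the public address itself.
    for addr in instance.get("ipAddresses", []):
        if addr.get("type") == "PRIMARY":
            findings.append(f"public address assigned: {addr.get('ipAddress')}")
    # Authorized networks only filter a public endpoint; they do not remove it.
    for net in ip_cfg.get("authorizedNetworks", []):
        findings.append(f"authorized network present: {net.get('value')}")
    # Private IP requires the instance to be attached to the VPC.
    network = ip_cfg.get("privateNetwork", "")
    if network.rsplit("/", 1)[-1] != required_network:
        findings.append(f"not attached to {required_network} (privateNetwork={network!r})")
    return findings

def audit_all(instances, required_network="prod-vpc"):
    """Map instance name -> findings for every instance that fails the check."""
    results = {i["name"]: audit_instance(i, required_network) for i in instances}
    return {name: f for name, f in results.items() if f}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_INSTANCES).items():
        print(name, "->", "; ".join(findings))
```

The second sample instance mirrors the "keep the public IP and use authorized networks" option and is flagged even though its allowlist is narrow, because the public endpoint still exists.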
GCP Professional Cloud Security Engineer
Ensuring data protection