GCP Professional Cloud Security Engineer Practice Question
Your organization uses a Dedicated Cloud Interconnect to link its on-premises data center with a hub VPC in Google Cloud. Security policy requires that on-prem workloads reach Cloud Storage only over private IP addresses, and that no other Google-managed services be reachable from on-prem. The network team also wants to avoid deploying additional proxy or NAT appliances on-prem and to minimize ongoing operational overhead. Which design meets these requirements?
Configure Cloud NAT in the hub VPC and allow on-prem traffic to egress through the NAT gateway after whitelisting Cloud Storage public IP ranges.
Enable Private Google Access for on-premises hosts and advertise the Google-owned 199.36.153.8/30 prefix over BGP so on-prem systems can reach all Google APIs privately.
Provision a Private Service Connect endpoint in the hub VPC that targets storage.googleapis.com, assign it an internal IP address, create a private DNS record for storage.googleapis.com pointing to that IP, and add a static /32 route on the on-prem router to send the traffic over the Interconnect.
Place the hub project inside a VPC Service Controls perimeter, enable restricted.googleapis.com, and use Private Google Access for on-prem to limit reachable services.
Provisioning a Private Service Connect (PSC) endpoint in the hub VPC that specifically targets the Cloud Storage API satisfies every requirement. The PSC endpoint receives an internal RFC 1918 address from a chosen subnet and is bound only to storage.googleapis.com. You create a private DNS record so that storage.googleapis.com resolves to this internal IP for on-prem clients, and you configure a static /32 route on the on-prem router to forward traffic destined for that IP through the Dedicated Interconnect. Because only this single IP is routed and the PSC endpoint exposes just the Cloud Storage API, other Google services remain unreachable.
Private Google Access for on-prem would allow connectivity to all Google APIs, violating the restriction. Cloud NAT uses public egress IPs, so traffic would not remain private. A VPC Service Controls perimeter with restricted.googleapis.com still leaves numerous Google APIs accessible and doesn't provide a private in-VPC IP. Therefore, the PSC solution is the only option that meets all constraints without extra on-prem proxies or NAT devices.
GCP Professional Cloud Security Engineer
Securing communications and establishing boundary protection