GCP Professional Cloud Security Engineer Practice Question
Your organization uses a Shared VPC whose host project contains a regional Cloud Router named cr-hub-us in us-central1. Two subnets exist in the same region: web-subnet (10.10.1.0/24) that must be able to reach the public internet, and db-subnet (10.10.2.0/24) that must never initiate internet egress. Network engineers also want to be sure that any new subnet added to the region will not automatically gain internet access. Which Cloud NAT configuration satisfies these requirements with the least operational overhead?
Create a Cloud NAT gateway on cr-hub-us in Specify subnet IP ranges mode and select only the primary range of web-subnet. Do not include db-subnet or any other subnet.
Create two Cloud NAT gateways: one on cr-hub-us for web-subnet and a second on a new Cloud Router dedicated to db-subnet, then add a custom black-hole route for 0.0.0.0/0 in db-subnet.
Create a Cloud NAT gateway on cr-hub-us in Auto mode (apply to all current and future subnets), then add a VPC egress firewall rule that denies 0.0.0.0/0 from db-subnet.
Enable Private Google Access on both subnets and omit Cloud NAT; workloads in web-subnet will automatically use Private Google Access for all outbound internet traffic.
When you create a Cloud NAT gateway you can choose how it is applied:
"All subnet IP ranges" automatically covers every existing and future subnet in the region.
"Specify subnet IP ranges" lets you pick individual subnets and, if needed, only their primary or secondary address ranges.
Attaching a single NAT gateway to the existing Cloud Router and explicitly selecting only the web-subnet's primary IP range meets the requirement: outbound internet access is granted to the frontend instances, db-subnet is excluded, and any future subnets remain untouched until they are explicitly added. Adding deny-all egress firewall rules or extra routers/NAT gateways is unnecessary complexity, and Private Google Access does not provide general internet egress. Therefore, the correct choice is the configuration that uses one Cloud NAT on the existing router in manual (specified subnet) mode, targeting only web-subnet.
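The selected configuration expressed as a Terraform resource, added here as an illustration and not part of the original question or answer key; the host project variable, the gateway name and the subnet data lookup are assumptions.

```hcl
# Added example: the chosen answer as Terraform (Google provider).
# Assumptions not in the original question: the host project id comes from
# var.host_project; cr-hub-us and web-subnet already exist in us-central1.

data "google_compute_subnetwork" "web" {
  project = var.host_project
  name    = "web-subnet"
  region  = "us-central1"
}

resource "google_compute_router_nat" "hub_nat" {
  project = var.host_project
  name    = "cr-hub-us-nat" # assumed gateway name
  router  = "cr-hub-us"
  region  = "us-central1"

  nat_ip_allocate_option = "AUTO_ONLY"

  # "Specify subnet IP ranges" mode. The rejected Auto-mode answer would be
  # "ALL_SUBNETWORKS_ALL_IP_RANGES", which also NATs db-subnet and every
  # subnet created later in the region.
  source_subnetwork_ip_ranges_to_nat = "LIST_OF_SUBNETWORKS"

  # Only web-subnet, and only its primary range (10.10.1.0/24).
  # db-subnet is never listed, so it cannot initiate internet egress, and a
  # new subnet stays without NAT until someone adds a block here.
  subnetwork {
    name                    = data.google_compute_subnetwork.web.self_link
    source_ip_ranges_to_nat = ["PRIMARY_IP_RANGE"]
  }

  # Log NAT errors (for example port exhaustion) for the covered range.
  log_config {
    enable = true
    filter = "ERRORS_ONLY"
  }
}
```

Reviewing the plan output is the quick check: the NAT resource should list exactly one subnetwork block, for web-subnet, and nothing for db-subnet.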
GCP Professional Cloud Security Engineer
Securing communications and establishing boundary protection