GCP Professional Cloud Security Engineer Practice Question
Your retail platform is migrating a three-tier application to Google Cloud. Customer browsers must reach the web tier over HTTPS via a single globally routable IP address. Application and database VMs must remain inaccessible from the internet but need to initiate outbound connections to a third-party payment API that only accepts traffic from a fixed IP range you provide. Which design satisfies these requirements while following Google-recommended use of public and private IPs?
Give every VM in all three tiers both internal and external IP addresses; block unwanted traffic to the application and database tiers using firewall rules; no load balancer or NAT required.
Deploy a regional internal HTTP(S) load balancer with a private front-end address, publish a DNS A record for it on the public internet; give the application and database VMs external IPs so they can reach the payment API without NAT.
Attach a global external IP to an external HTTP(S) load balancer front-end; place all web, application, and database instances in subnets with only private addresses; configure a Cloud NAT gateway with a statically reserved public IP for the subnets needing egress.
Provision an internal HTTP(S) load balancer and assign public IPs directly to the web tier VMs; leave application and database tiers on private addresses; create Cloud NAT with auto-assigned IPs for outbound calls.
An external HTTP(S) load balancer terminates HTTPS on a globally routable public IP, so only that address is exposed. Back-end instances can live on private RFC 1918 addresses because the load balancer forwards traffic over Google's private network. For egress, Cloud NAT lets instances without external IPs initiate outbound connections; reserving a manual NAT address gives the fixed source IP the payment provider requires. The other options either expose unnecessary public IPs, lack a static egress address, or omit the load balancer entirely, violating the stated constraints.
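An added example, not part of the original question: a Python check that tests a resource inventory against the three properties the explanation relies on (one global external HTTPS front end, no external IPs on any VM, Cloud NAT with manually reserved addresses). The inventory is constructed sample data shaped like `gcloud compute ... --format=json` output, and all resource names and addresses in it are hypothetical.

```python
import json

# Constructed sample inventory (hypothetical names, documentation/RFC 1918 addresses).
# Field names follow the Compute Engine API: loadBalancingScheme, accessConfigs,
# natIpAllocateOption, natIps. Regional forwarding rules carry a "region" field.
INVENTORY = json.loads("""
{
  "forwarding_rules": [
    {"name": "web-https", "loadBalancingScheme": "EXTERNAL_MANAGED",
     "IPAddress": "203.0.113.10", "portRange": "443-443"}
  ],
  "instances": [
    {"name": "web-1", "networkInterfaces": [{"networkIP": "10.0.1.2"}]},
    {"name": "app-1", "networkInterfaces": [{"networkIP": "10.0.2.2"}]},
    {"name": "db-1", "networkInterfaces": [{"networkIP": "10.0.3.2",
        "accessConfigs": [{"natIP": "198.51.100.7"}]}]}
  ],
  "nats": [
    {"name": "egress-nat", "natIpAllocateOption": "AUTO_ONLY", "natIps": []}
  ]
}
""")

def audit(inv):
    """Return a list of findings; an empty list means the design holds."""
    findings = []
    # 1. The only internet-facing entry point is a global external HTTPS front end.
    external = [r for r in inv["forwarding_rules"]
                if r.get("loadBalancingScheme", "").startswith("EXTERNAL")]
    if not any("region" not in r and r.get("portRange", "").startswith("443")
               for r in external):
        findings.append("no global external HTTPS forwarding rule")
    # 2. No VM in any tier has an external IP (any accessConfigs entry on a NIC).
    for vm in inv["instances"]:
        if any(nic.get("accessConfigs") for nic in vm.get("networkInterfaces", [])):
            findings.append(f"{vm['name']}: has an external IP")
    # 3. Egress uses Cloud NAT with manually reserved addresses (fixed source IP).
    if not inv["nats"]:
        findings.append("no Cloud NAT gateway for egress")
    for nat in inv["nats"]:
        if nat.get("natIpAllocateOption") != "MANUAL_ONLY" or not nat.get("natIps"):
            findings.append(f"{nat['name']}: NAT IPs are not statically reserved")
    return findings

if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print("FAIL:", finding)
```

The sample inventory deliberately contains two defects (an external IP on the database VM and auto-allocated NAT addresses), so the check reports both.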
GCP Professional Cloud Security Engineer
Securing communications and establishing boundary protection