GCP Professional Cloud Security Engineer Practice Question
Your security team runs Linux VMs in two private subnets of the prod-vpc network in the us-central1 region. None of the instances have external IP addresses, yet they must regularly download security updates from public package repositories on the internet. An external software vendor also requires a single, stable source IP address (or very small, predictable set) to allowlist outbound traffic from this environment. The design must remain highly available across all zones in the region and demand minimal ongoing management. How should you configure egress so that you meet all requirements?
Establish VPC Network Peering to a Google-managed project and assign external IP addresses to the Cloud Router to provide outbound connectivity.
Enable Private Google Access on the subnets and deploy an internal HTTP(S) load balancer with serverless NEGs to proxy outbound traffic to the internet.
Reserve a regional static external address, create a single regional Cloud NAT gateway attached to a Cloud Router in us-central1, select both private subnets, and configure the gateway to use the reserved address with manual NAT IP allocation.
Create separate Cloud NAT gateways for each subnet using automatic NAT IP allocation so each VM uses the first available ephemeral external IP address.
A regional Cloud NAT gateway provides highly available egress for all subnets in every zone of the region because the service is fully distributed. When you reserve one or more regional static external addresses and configure the NAT gateway to use "manual" NAT IP allocation, every VM without an external IP in the selected subnets leaves the VPC through only those reserved addresses. This gives the vendor a single, predictable IP (or a small, fixed list) to allowlist and avoids per-instance public IPs. Creating separate gateways with automatically allocated addresses produces multiple, potentially changing egress IPs; Private Google Access secures only Google APIs, not arbitrary internet hosts; peering with another project does not provide NAT functionality. Therefore, reserving a static address and attaching it to a regional Cloud NAT that serves both subnets is the correct solution.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a Cloud NAT gateway in GCP?
Open an interactive chat with Bash
Why is regional static IP allocation crucial for Cloud NAT?
Open an interactive chat with Bash
What are the advantages of Cloud NAT over enabling Private Google Access?
Open an interactive chat with Bash
What is Cloud NAT?
Open an interactive chat with Bash
How does a regional Cloud NAT gateway ensure high availability?
Open an interactive chat with Bash
What is the difference between manual NAT IP allocation and automatic NAT IP allocation?
Open an interactive chat with Bash
GCP Professional Cloud Security Engineer
Securing communications and establishing boundary protection
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .