A financial services company is building a batch Dataflow pipeline that reads encrypted files from a Cloud Storage bucket and writes the results to a BigQuery dataset in the same Google Cloud project. The security team has three mandatory controls: (1) all traffic must stay on Google's private backbone, (2) Dataflow workers must not have public IP addresses, and (3) any attempt to copy data to Google-managed services outside an approved boundary must be blocked automatically. Which architecture satisfies all requirements with the least operational overhead?
Use an organization policy to restrict external domains and rely on IAM conditions to block unauthorized copies, leaving the network configuration unchanged.
Create the Dataflow job in a subnet that has Private Google Access enabled and no public IP addresses, and place the project containing Dataflow, Cloud Storage, and BigQuery inside the same VPC Service Controls perimeter.
Apply an egress firewall rule that denies 0.0.0.0/0, keep public IP addresses on Dataflow workers, and use Cloud NAT so the workers can reach Cloud Storage and BigQuery over the internet.
Enable VPC Service Controls around Cloud Storage and BigQuery but allow Dataflow workers to keep their default public IP addresses to simplify networking.
Placing the project inside a VPC Service Controls perimeter stops Dataflow from writing to Google-managed services that are not included in the perimeter, preventing data exfiltration. Running the job in a subnet that has Private Google Access enabled and creating the workers without public IP addresses keeps all traffic on Google's private network while still allowing the workers to call the Cloud Storage and BigQuery APIs. No additional egress firewall rules or Cloud NAT gateway are required, because the workers do not need outbound internet access once Private Google Access is enabled. The other options either leave public IP addresses enabled, rely only on firewall rules (which do not protect against calls to other Google services), or depend solely on organization policies and IAM, none of which alone prevents service-to-service exfiltration.
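The architecture from the explanation, written out as an added Terraform example (not part of the original page or any vendor template); the project, access policy, VPC name, buckets and template path are placeholders, and Dataflow's private-IP setting is expressed through the provider's `ip_configuration` argument:

```terraform
# Added example, not from the original page. Values in CAPITALS are
# placeholders; the Dataflow template and its location are assumed.
locals {
  project    = "PROJECT_ID"
  project_no = "PROJECT_NUMBER"        # numeric project number, used by VPC SC
  policy     = "ACCESS_POLICY_NUMBER"  # existing organization-level access policy
  region     = "us-central1"
}

# Subnet with Private Google Access: workers without public IPs still reach
# storage.googleapis.com and bigquery.googleapis.com over Google's backbone,
# so no Cloud NAT gateway or internet egress rule is needed (control 1).
resource "google_compute_subnetwork" "workers" {
  name                     = "dataflow-workers"
  project                  = local.project
  region                   = local.region
  network                  = "EXISTING_CUSTOM_VPC"  # placeholder network name
  ip_cidr_range            = "10.10.0.0/24"
  private_ip_google_access = true
}

# Batch job pinned to that subnet with private-only worker addresses (control 2).
resource "google_dataflow_job" "batch" {
  name              = "gcs-to-bq-batch"
  project           = local.project
  region            = local.region
  template_gcs_path = "gs://TEMPLATE_BUCKET/templates/decrypt-to-bq"  # assumed
  temp_gcs_location = "gs://TEMP_BUCKET/tmp"
  subnetwork        = google_compute_subnetwork.workers.self_link
  ip_configuration  = "WORKER_IP_PRIVATE"  # workers get no external IP
}

# VPC Service Controls perimeter around the project (control 3): the listed
# services reject requests that cross the perimeter boundary, so a worker that
# tries to write to a bucket or dataset in a project outside it is blocked.
resource "google_access_context_manager_service_perimeter" "dataflow" {
  parent = "accessPolicies/${local.policy}"
  name   = "accessPolicies/${local.policy}/servicePerimeters/dataflow_perimeter"
  title  = "dataflow_perimeter"
  status {
    resources           = ["projects/${local.project_no}"]
    restricted_services = [
      "storage.googleapis.com",
      "bigquery.googleapis.com",
      "dataflow.googleapis.com",
    ]
  }
}
```

Because the perimeter also blocks calls to these services from outside it, including an administrator's own workstation, the usual practice is to start in dry-run mode and review the resulting denial logs before enforcing it.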
GCP Professional Data Engineer
Ingesting and processing the data