A healthcare analytics team must run a Dataflow batch pipeline that processes protected health information (PHI). The compliance officer mandates that the worker VMs must never have public IP addresses and must be blocked from initiating any outbound traffic to the public internet, while still allowing the pipeline to read from Pub/Sub and write to Cloud Storage in the same project. Which networking configuration will satisfy all requirements with the least operational overhead?
Launch the workers without public IPs in a custom subnet and configure Cloud NAT so they can reach Google APIs through the internet.
Place the workers in a subnet that has Private Google Access enabled and start the pipeline with the flag that disables public IPs; add a high-priority egress deny rule for 0.0.0.0/0 and a lower-priority allow rule for the 199.36.153.8/30 Google API range, with no Cloud NAT configured.
Create a custom network, enable VPC flow logs, and use IAM policies to block internet egress for the Dataflow service account.
Disable Private Google Access, launch the workers with public IPs, and rely on VPC Service Controls to prevent outbound internet connections.
Running Dataflow workers without public IPs prevents unsolicited inbound traffic but leaves them unable to reach Google APIs unless connectivity is provided. Enabling Private Google Access on the subnet lets those private-only VMs reach Google APIs (including Pub/Sub and Cloud Storage) over Google's internal network, avoiding the public internet. Because Private Google Access uses the 199.36.153.8/30 destination range, you allow that range and then deny all other egress, eliminating the need for Cloud NAT. The other options either keep public IPs, rely on Cloud NAT (which still traverses the public internet), or attempt to use IAM policies and flow logs, which cannot block network egress, so they fail the compliance requirement.
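To make the rule ordering concrete, the following is an added Python example (not from the page, the exam, or Google's own tooling) that models how VPC firewall egress rules are evaluated: the lowest priority number is checked first, the first matching rule wins, and the implied allow-egress rule at priority 65535 is the fallback when nothing matches. The rule names, the priorities 1000 and 65534, and the sample destination addresses (taken from the TEST-NET documentation ranges) are constructed assumptions. It also checks the failure mode a reviewer would want to catch, where the deny-all rule carries the lower number and silently blocks the Google API range as well.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class EgressRule:
    name: str
    priority: int      # VPC firewall priority 0..65535; the lower number is evaluated first
    action: str        # "allow" or "deny"
    destination: str   # destination CIDR the rule applies to


# Rule set described in the answer. Priorities and names are assumptions;
# in gcloud terms these correspond roughly to:
#   gcloud compute firewall-rules create allow-google-apis --direction=EGRESS \
#       --action=ALLOW --rules=tcp:443 --destination-ranges=199.36.153.8/30 --priority=1000
#   gcloud compute firewall-rules create deny-all-egress --direction=EGRESS \
#       --action=DENY --rules=all --destination-ranges=0.0.0.0/0 --priority=65534
PHI_WORKER_RULES = [
    EgressRule("allow-google-apis", 1000, "allow", "199.36.153.8/30"),
    EgressRule("deny-all-egress", 65534, "deny", "0.0.0.0/0"),
]

# Same two rules with the numbers swapped: the deny now wins for every destination.
MISORDERED_RULES = [
    EgressRule("deny-all-egress", 1000, "deny", "0.0.0.0/0"),
    EgressRule("allow-google-apis", 65534, "allow", "199.36.153.8/30"),
]

# Constructed "public internet" destinations from the TEST-NET documentation ranges.
SAMPLE_INTERNET_IPS = ("203.0.113.10", "198.51.100.7")


def egress_decision(rules, dst_ip):
    """Return (action, rule_name) for the first rule matching dst_ip in priority order.

    VPC evaluates the lowest priority number first; if no user rule matches,
    the implied allow-egress rule (priority 65535) applies.
    """
    ip = ipaddress.ip_address(dst_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        if ip in ipaddress.ip_network(rule.destination):
            return rule.action, rule.name
    return "allow", "implied-allow-egress"


def audit_private_only_egress(rules):
    """Check both compliance properties at once:
    the Google API range is reachable and every sample public address is denied."""
    api_reachable = egress_decision(rules, "199.36.153.8")[0] == "allow"
    internet_blocked = all(
        egress_decision(rules, ip)[0] == "deny" for ip in SAMPLE_INTERNET_IPS
    )
    return api_reachable and internet_blocked


if __name__ == "__main__":
    for label, rules in (("expected", PHI_WORKER_RULES), ("misordered", MISORDERED_RULES)):
        print(label, "rule set compliant:", audit_private_only_egress(rules))
        for ip in ("199.36.153.9",) + SAMPLE_INTERNET_IPS:
            print("  ", ip, "->", egress_decision(rules, ip))
```

The audit function is the piece worth keeping: run it against the rules exported from a project before the pipeline is launched, and it turns "the deny rule must have the higher number" from a sentence in an explanation into a check that fails loudly when someone creates the rules in the wrong order.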
GCP Professional Data Engineer
Ingesting and processing the data