Your analytics team has deployed a Cloud Data Fusion Enterprise edition instance in the us-central1 region. The instance was provisioned with a private IP so that its management UI and the Dataproc ephemeral clusters it creates have no public IPv4 addresses. You now need to allow the pipelines that run inside the Data Fusion tenant project to read and write data in Cloud Bigtable tables that reside in a VPC network (prod-analytics-vpc) in your customer project. The security team requires that all traffic stay on Google's private backbone; the Bigtable instances must remain reachable only over internal IP addresses, and no inbound firewall openings in prod-analytics-vpc are allowed. Which networking approach meets the requirements while following Google-recommended architecture for Cloud Data Fusion private deployments?
Create a Cloud NAT gateway in the tenant project and route traffic from the Dataproc subnet to the internet; whitelist the gateway's public IP range on Bigtable.
Convert the tenant project into a service project of the customer's Shared VPC host so that Dataproc clusters obtain IP addresses directly inside prod-analytics-vpc.
Expose the Cloud Bigtable instances through Private Service Connect and have the Data Fusion instance consume the published PSC endpoints over the internet.
Peer the tenant project's default network with prod-analytics-vpc by using VPC Network Peering and rely on existing firewall egress rules for the Dataproc workers.
Cloud Data Fusion instances that use the Private IP option create their control plane in a Google-managed tenant project. Runtime resources such as Dataproc clusters run in that tenant project's default network. To let these private workers reach services that live in a customer VPC (for example, Cloud Bigtable with only internal IPs), Google recommends creating a VPC Network Peering connection between the tenant project's network and the customer project's VPC. Peering keeps the traffic on Google's private backbone, requires no public IPs, and honours existing firewall rules from both sides; no ingress holes have to be opened because Dataproc workers initiate the outbound connections. Other options fail to satisfy one or more constraints:
Using Cloud NAT would still expose Dataproc workers to the public internet.
Private Service Connect endpoints are not supported for Bigtable yet and would still require deploying PSC back-ends in the customer VPC.
Shared VPC is not possible because the tenant project is Google-managed and cannot be attached as a service project under your host project.
GCP Professional Data Engineer
Ingesting and processing the data