Your company is building a new data pipeline on Google Cloud that ingests HL7 messages from its on-premises hospital network over Dedicated Interconnect into Pub/Sub, processes them with Dataflow, and writes curated data to BigQuery. The compliance team mandates that no pipeline component be reachable from, or initiate traffic to, the public internet, and it wants guardrails that prevent accidental data exfiltration to other projects. You must propose a solution that requires the least ongoing operational work. Which networking approach best meets these requirements?
Expose Pub/Sub and BigQuery via Private Service Connect endpoints but allow Dataflow workers to retain external IPs, adding an egress firewall rule that blocks all destinations except Google APIs.
Place Dataflow workers in a subnet behind Cloud NAT while keeping external IPs enabled, rely on ingress-blocking firewall rules, and trust that traffic over Cloud Interconnect satisfies the no-internet requirement.
Use a Shared VPC with only private subnets, create Dataflow workers without external IPs, enable Private Google Access, and define a VPC Service Controls perimeter that includes Pub/Sub, Dataflow, Cloud Storage, BigQuery, and Cloud Composer.
Deploy the pipeline in the default VPC with public IPs and restrict access through Identity-Aware Proxy; protect BigQuery data with customer-managed encryption keys for compliance.
Running Dataflow workers without external IP addresses keeps them off the public internet. Enabling Private Google Access on the private subnet lets those workers call Google APIs (Pub/Sub, BigQuery, Cloud Storage) entirely over Google's internal network. Placing Pub/Sub, Dataflow, BigQuery, Cloud Storage, and the Cloud Composer environment inside a VPC Service Controls perimeter adds a managed exfiltration guardrail that blocks data movement to projects outside the perimeter while allowing normal service usage inside it. Because these features are fully managed and policy-based, they add minimal day-to-day operational overhead. Relying solely on Cloud NAT or firewall rules still exposes traffic to the public internet, and leaving external IPs on workers defeats the exfiltration and isolation goals, even if additional controls like IAP or CMEK are used.
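As an added example (not part of the question or its explanation), the configuration the explanation describes can be expressed in Terraform: a private subnet with Private Google Access, a Dataflow job whose workers receive no external IP addresses, and a VPC Service Controls perimeter around the pipeline services. Project ids, the access policy id, bucket paths and the Shared VPC network name are placeholder assumptions.

```hcl
# Added example, not from the original page. Ids, names and paths are placeholders;
# the Shared VPC network "pipeline-shared-vpc" is assumed to exist in the host project.
locals {
  host_project           = "shared-vpc-host-PLACEHOLDER"
  service_project        = "pipeline-service-PLACEHOLDER"
  service_project_number = "000000000000" # placeholder project number
  access_policy          = "ACCESS_POLICY_ID_PLACEHOLDER"
  network                = "projects/${local.host_project}/global/networks/pipeline-shared-vpc"
}

# Private subnet in the Shared VPC host project. Private Google Access lets workers
# without external IPs reach Pub/Sub, BigQuery and Cloud Storage over Google's network.
resource "google_compute_subnetwork" "dataflow" {
  project                  = local.host_project
  name                     = "dataflow-private"
  region                   = "us-central1"
  network                  = local.network
  ip_cidr_range            = "10.10.0.0/20"
  private_ip_google_access = true
}

# Dataflow job launched from the service project into that subnet.
# WORKER_IP_PRIVATE creates the workers without external IP addresses.
resource "google_dataflow_job" "hl7_ingest" {
  project           = local.service_project
  name              = "hl7-pubsub-to-bigquery"
  region            = "us-central1"
  template_gcs_path = "gs://BUCKET_PLACEHOLDER/templates/hl7-to-bq"
  temp_gcs_location = "gs://BUCKET_PLACEHOLDER/tmp"
  subnetwork        = google_compute_subnetwork.dataflow.self_link
  ip_configuration  = "WORKER_IP_PRIVATE"
}

# VPC Service Controls perimeter: restricted services cannot move data to projects
# outside the perimeter, while calls between services inside it work normally.
resource "google_access_context_manager_service_perimeter" "pipeline" {
  parent = "accessPolicies/${local.access_policy}"
  name   = "accessPolicies/${local.access_policy}/servicePerimeters/hl7_pipeline"
  title  = "hl7_pipeline"
  status {
    resources = ["projects/${local.service_project_number}"]
    restricted_services = [
      "pubsub.googleapis.com",
      "dataflow.googleapis.com",
      "storage.googleapis.com",
      "bigquery.googleapis.com",
      "composer.googleapis.com",
    ]
  }
}
```

Applying the perimeter in dry-run mode first (via the `spec` block and `use_explicit_dry_run_spec`) lets you review the access denials it would generate before enforcing it.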
GCP Professional Data Engineer
Ingesting and processing the data