Your company operates a shared-VPC architecture with a host project named prod-vpc. You must design a batch Dataflow pipeline that reads Parquet files from Cloud Storage and loads the results into a BigQuery dataset. Finance regulations state that the worker VMs may not have public IP addresses and that all traffic between the workers and Google APIs must stay on Google's private network. Which approach meets the requirements while adding the least operational overhead?
Replace the batch job with Cloud Functions that read from Cloud Storage and write to BigQuery, because Cloud Functions execute in a serverless environment without public IPs.
Create a Cloud NAT gateway in prod-vpc, run Dataflow workers without external IPs, and let the NAT gateway provide internet egress to Cloud Storage and BigQuery.
Run the Dataflow job with the --no_use_public_ips flag and specify a subnet in prod-vpc that has Private Google Access enabled; do not configure Cloud NAT or external IPs.
Provision a separate VPC in the data project, peer it with prod-vpc, run Dataflow in its default (public) mode, and restrict egress traffic using firewall rules that allow 0.0.0.0/0 only over HTTPS.
Running the pipeline in Dataflow's private IP mode satisfies both constraints with minimal extra components. By launching the job with the --subnetwork (or --network) parameter that points to a subnet in the shared VPC where Private Google Access is enabled, and adding the --no_use_public_ips flag, the worker VMs are created without external (public) IP addresses. Private Google Access lets these internal-only VMs reach Google APIs such as Cloud Storage and BigQuery over Google's private backbone, so no Cloud NAT, VPN, or additional interconnect is needed. The other options either leave the workers with public addresses, introduce NAT (which allocates public egress IPs), rely on Cloud Functions (which does not replace Dataflow batch processing and may still egress publicly), or add unnecessary separate VPCs and public routing. None of them meets both the security requirement and the goal of low operational overhead.
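A pre-launch check for the configuration described above, as an added example that is not part of the original question or of any Google tooling. The function name `preflight`, the region `us-central1` and the subnet name `dataflow-workers` are assumptions; `selfLink` and `privateIpGoogleAccess` are the subnetwork fields printed by `gcloud compute networks subnets describe --format=json`.

```python
import argparse
import json
import re

# Full subnetwork URL; Dataflow needs this form when the subnet lives in a
# Shared VPC host project rather than in the job's own project.
SUBNET_URL = re.compile(
    r"^https://www\.googleapis\.com/compute/v1/projects/(?P<project>[^/]+)"
    r"/regions/(?P<region>[^/]+)/subnetworks/(?P<name>[^/]+)$")


def preflight(pipeline_args, subnet_json, host_project):
    """Return a list of problems; an empty list means both constraints are met."""
    parser = argparse.ArgumentParser(add_help=False, allow_abbrev=False)
    parser.add_argument("--no_use_public_ips", action="store_true")
    parser.add_argument("--subnetwork", default="")
    parser.add_argument("--region", default="")
    opts, _ = parser.parse_known_args(pipeline_args)  # other pipeline flags are ignored
    subnet = json.loads(subnet_json)
    problems = []

    if not opts.no_use_public_ips:
        problems.append("workers get external IPs: add --no_use_public_ips")
    match = SUBNET_URL.match(opts.subnetwork)
    if not match:
        problems.append("--subnetwork must be the full URL of the shared subnet")
    else:
        if match["project"] != host_project:
            problems.append(f"subnet is not in host project {host_project}")
        if opts.region and opts.region != match["region"]:
            problems.append("job region differs from subnet region")
        if subnet.get("selfLink") != opts.subnetwork:
            problems.append("described subnet is not the one passed to the job")
    if not subnet.get("privateIpGoogleAccess", False):
        problems.append("Private Google Access is off: workers cannot reach Google APIs")
    return problems


# Constructed sample data: region and subnet name are assumptions; prod-vpc is
# the host project named in the question.
URL = ("https://www.googleapis.com/compute/v1/projects/prod-vpc"
       "/regions/us-central1/subnetworks/dataflow-workers")
SUBNET = json.dumps({"selfLink": URL, "privateIpGoogleAccess": True})
GOOD_ARGS = ["--runner=DataflowRunner", "--region=us-central1",
             f"--subnetwork={URL}", "--no_use_public_ips"]

if __name__ == "__main__":
    print(preflight(GOOD_ARGS, SUBNET, "prod-vpc"))
```

Running this in CI before the job is submitted catches the two silent failure modes: a launch that quietly falls back to public worker IPs, and a private launch whose workers stall because the subnet lacks Private Google Access.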
GCP Professional Data Engineer
Ingesting and processing the data