Your company processes regulated healthcare data in a Dataflow batch pipeline that reads from Cloud Storage and writes to BigQuery. The security team mandates that no Dataflow worker VM may have an external IP address, yet the job must still reach Google APIs without manual proxy management. Which networking configuration best satisfies these requirements?
Start the Dataflow job with the no-public-IPs option and enable Cloud NAT or Private Google Access on the worker subnet so workers use only private addresses while accessing Google APIs.
Keep the default Dataflow network and place the project in a VPC Service Controls perimeter, accepting that each worker retains a public IP.
Migrate the pipeline to a private Dataproc cluster and expose the master node through TCP forwarding for API access.
Run the job in a shared VPC subnet that assigns external IPs by default, but block all 0.0.0.0/0 ingress with firewall rules.
Dataflow offers a built-in flag ("no public IPs" or "noUsePublicIps") that prevents the service from assigning external IP addresses to worker VMs. When you place those workers in a subnet that has either Cloud NAT or Private Google Access enabled, the instances keep private RFC-1918 addresses while still being able to call Google APIs such as Cloud Storage and BigQuery. Merely denying ingress with firewall rules does not remove public IPs, VPC Service Controls alone do not change interface addressing, and switching to Dataproc changes the product rather than meeting the stated Dataflow requirement. Therefore, disabling public IPs on the Dataflow job and enabling NAT or Private Google Access on the subnet is the correct approach.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is Cloud NAT and how does it work?
Open an interactive chat with Bash
What is Private Google Access and how is it different from Public IPs?
Open an interactive chat with Bash
How does the 'no-public-IPs' flag in Dataflow improve security?
Open an interactive chat with Bash
What is Cloud NAT and how does it work in GCP?
Open an interactive chat with Bash
What is Private Google Access and why is it important?
Open an interactive chat with Bash
How does the 'no public IPs' flag work in Dataflow?
Open an interactive chat with Bash
GCP Professional Data Engineer
Ingesting and processing the data
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .