Your security team just defined a new control plane mandate: no Google Cloud service that processes customer data may expose public IP addresses or allow direct egress to the public internet.
You are designing a streaming Dataflow pipeline that reads from Pub/Sub, enriches the messages, and writes the results to BigQuery and Cloud Storage in the same Google Cloud project. The pipeline is expected to autoscale to hundreds of workers during traffic spikes.
Which network architecture will satisfy the security mandate while preserving Dataflow scalability?
Place the workers in a private subnet and use Cloud NAT for outbound access to Google APIs while disabling Private Google Access.
Enable public IPs on Dataflow workers and add firewall rules that deny inbound traffic except SSH; rely on IAM roles for resource access.
Keep the default Dataflow configuration with public IP addresses but enclose the project in a VPC Service Controls perimeter to block external traffic.
Run the pipeline on Dataflow workers that have no external IPs, attach them to a private subnet with Private Google Access enabled, and grant the Dataflow service account IAM access to Pub/Sub, BigQuery, and Cloud Storage.
Dataflow workers support a "no-public-IP" mode in which each VM is started in a private subnet without an external NIC. When Private Google Access is enabled on that subnet, the workers can still reach Google APIs and managed services such as Pub/Sub, BigQuery, and Cloud Storage over Google's private backbone instead of the public internet. Granting the Dataflow service account the required IAM roles allows access control without exposing the workers to any inbound or outbound public IP traffic.
Using Cloud NAT (as the first option does) violates the mandate because it allocates public egress IP addresses, even though it blocks unsolicited ingress. Simply placing workers in the default network or relying on firewall rules does not remove their public interfaces. VPC Service Controls can further restrict data exfiltration, but they do not by themselves remove public IPs or provide private API access, so they are insufficient on their own. Therefore the architecture that provisions Dataflow workers without public IPs in a subnet with Private Google Access enabled is the only option that meets all requirements while preserving autoscaling and service connectivity.
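The following Terraform is an added example of the chosen design, not code from the original page or from Google; the project id, region, CIDR, resource names and bucket paths are assumed placeholders, and the tag-based firewall rule covers the worker-to-worker ports Dataflow uses inside the VPC.

```hcl
resource "google_compute_network" "vpc" {
  name                    = "dataflow-vpc"
  auto_create_subnetworks = false
}

# Private subnet; Private Google Access lets workers with no external IP reach
# Google APIs (Pub/Sub, BigQuery, Cloud Storage) with no Cloud NAT and no public egress.
resource "google_compute_subnetwork" "workers" {
  name                     = "dataflow-workers"
  region                   = "us-central1"          # assumed region
  network                  = google_compute_network.vpc.id
  ip_cidr_range            = "10.10.0.0/20"         # sized for hundreds of workers
  private_ip_google_access = true
}

# Dataflow workers exchange data on TCP 12345-12346; allow it only between workers.
resource "google_compute_firewall" "dataflow_internal" {
  name        = "dataflow-worker-internal"
  network     = google_compute_network.vpc.name
  source_tags = ["dataflow"]
  target_tags = ["dataflow"]
  allow {
    protocol = "tcp"
    ports    = ["12345-12346"]
  }
}

# Dedicated worker identity holding only the roles the pipeline needs.
resource "google_service_account" "worker" {
  account_id = "dataflow-worker"
}

resource "google_project_iam_member" "worker_roles" {
  for_each = toset(["roles/dataflow.worker", "roles/pubsub.subscriber",
                    "roles/bigquery.dataEditor", "roles/storage.objectAdmin"])
  project  = "my-project-id"                        # assumed project id
  role     = each.value
  member   = "serviceAccount:${google_service_account.worker.email}"
}

# WORKER_IP_PRIVATE starts every worker VM without an external IP address.
resource "google_dataflow_job" "pipeline" {
  name                  = "pubsub-enrich"
  region                = "us-central1"
  template_gcs_path     = "gs://TEMPLATE_BUCKET/pipeline-template"  # placeholder
  temp_gcs_location     = "gs://TEMP_BUCKET/tmp"                    # placeholder
  subnetwork            = google_compute_subnetwork.workers.self_link
  ip_configuration      = "WORKER_IP_PRIVATE"
  service_account_email = google_service_account.worker.email
  max_workers           = 300
}
```

When launching without Terraform, the same setting is --disable-public-ips on gcloud dataflow jobs run, --no_use_public_ips on the Python SDK, and --usePublicIps=false on the Java SDK. To enforce the mandate project-wide rather than per job, deny the compute.vmExternalIpAccess organization policy constraint so no VM in the project can be given an external IP.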
GCP Professional Data Engineer
Ingesting and processing the data