Google Cloud Associate Cloud Engineer — Question 124
Your company has workloads running on Compute Engine and on-premises. The Google Cloud Virtual Private Cloud (VPC) is connected to your WAN over a Virtual Private Network (VPN). You need to deploy a new Compute Engine instance and ensure that no public Internet traffic can be routed to it. What should you do?
Answer options
- A. Create the instance without a public IP address.
- B. Create the instance with Private Google Access enabled.
- C. Create a deny-all egress firewall rule on the VPC network.
- D. Create a route on the VPC to route all traffic to the instance over the VPN tunnel.
Correct answer: A
Explanation
The correct choice, A, creates the Compute Engine instance without a public IP address, so public Internet traffic cannot be routed to it. Option B does not prevent public access: Private Google Access is for accessing Google services privately. Option C limits only outbound traffic and does not stop inbound public traffic. Option D assumes that routing traffic through the VPN tunnel will prevent public access, which it does not guarantee.