Google Cloud Associate Cloud Engineer — Question 187
You have an application that runs on Compute Engine VM instances in a custom Virtual Private Cloud (VPC). Your company’s security policies only allow the use of internal IP addresses on VM instances and do not let VM instances connect to the internet. You need to ensure that the application can access a file hosted in a Cloud Storage bucket within your project. What should you do?
Answer options
- A. Enable Private Service Access on the Cloud Storage Bucket.
- B. Add storage.googleapis.com to the list of restricted services in a VPC Service Controls perimeter and add your project to the list of protected projects.
- C. Enable Private Google Access on the subnet within the custom VPC.
- D. Deploy a Cloud NAT instance and route the traffic to the dedicated IP address of the Cloud Storage bucket.
Correct answer: C
Explanation
The correct answer is C: enabling Private Google Access on the subnet allows VM instances that have only internal IP addresses to reach Google services such as Cloud Storage without needing internet access. Option A is incorrect because Private Service Access is not applicable to Cloud Storage access. Option B is not suitable because it restricts access rather than facilitating it. Option D is incorrect because Cloud NAT is not needed when Private Google Access is available.