Google Cloud Associate Cloud Engineer — Question 269
You are deploying an application to Cloud Run. Your application requires the use of an API that runs on Google Kubernetes Engine (GKE). You need to ensure that your Cloud Run service can privately reach the API on GKE, and you want to follow Google-recommended practices. What should you do?
Answer options
- A. Deploy an ingress resource on the GKE cluster to expose the API to the internet. Use Cloud Armor to filter for IP addresses that can connect to the API. On the Cloud Run service, configure the application to fetch its public IP address and update the Cloud Armor policy on startup to allow this IP address to call the API on ports 80 and 443.
- B. Create an ingress firewall rule on the VPC to allow connections from 0.0.0.0/0 on ports 80 and 443.
- C. Create an egress firewall rule on the VPC to allow connections to 0.0.0.0/0 on ports 80 and 443.
- D. Deploy an internal Application Load Balancer to expose the API on GKE to the VPC. Configure Cloud DNS with the IP address of the internal Application Load Balancer. Deploy a Serverless VPC Access connector to allow the Cloud Run service to call the API through the FQDN on Cloud DNS.
Correct answer: D
Explanation
The correct answer is D. An internal Application Load Balancer exposes the API on GKE only inside the VPC, and the Serverless VPC Access connector lets the Cloud Run service send traffic into that VPC and call the API through its FQDN in Cloud DNS, so the communication stays private and the API is never exposed to the internet. The other options either expose the API unnecessarily to the internet or do not establish the required private connectivity between the services.