Google Cloud Associate Cloud Engineer — Question 290
You are deploying an application to Google Kubernetes Engine (GKE) that needs to call an external third-party API. You need to provide the external API vendor with a list of IP addresses for their firewall to allow traffic from your application. You want to follow Google-recommended practices and avoid any risk of interrupting traffic to the API due to IP address changes. What should you do?
Answer options
- A. Configure your GKE cluster with one node, and set the node to have a static external IP address. Ensure that the GKE cluster autoscaler is off. Send the external IP address of the node to the vendor to be added to the allowlist.
- B. Configure your GKE cluster with private nodes. Configure a Cloud NAT instance with static IP addresses. Provide these IP addresses to the vendor to be added to the allowlist.
- C. Configure your GKE cluster with private nodes. Configure a Cloud NAT instance with dynamic IP addresses. Provide these IP addresses to the vendor to be added to the allowlist.
- D. Configure your GKE cluster with public nodes. Write a Cloud Function that pulls the public IP addresses of each node in the cluster. Trigger the function to run every day with Cloud Scheduler. Send the list to the vendor by email every day.
Correct answer: B
Explanation
The correct answer is B. With private nodes, the cluster's VMs have only internal IP addresses, so all traffic they send to the internet leaves through Cloud NAT (a regional, managed gateway, not a VM you operate). If the Cloud NAT gateway is configured with static external IP addresses that you reserved in advance (manual allocation) rather than addresses Google allocates automatically, the source IPs the vendor sees stay fixed regardless of autoscaling, node upgrades, or auto-repair, because none of those events touch the reserved addresses. This is the Google-recommended pattern for egress to IP-allowlisted third parties. One operational caveat: with manual allocation, Cloud NAT cannot add addresses on its own, so you must size the pool (and the ports-per-VM setting) for the cluster's peak outbound connection count and add a reserved address before the existing ones run out of ports.
Option A pins the application to a single node with autoscaling disabled, which removes both resilience and capacity, and any event that replaces that node (upgrade, auto-repair, zone maintenance) produces a new VM whose external address must be re-pinned and re-communicated. Option C uses automatically allocated NAT addresses, which Google can add or release as demand changes, so the list given to the vendor can become wrong without warning. Option D exposes every node with a public IP, and those IPs change on every scale or upgrade event; a daily email is both an unnecessary manual process for the vendor and a window of up to a day during which new nodes are blocked.
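The following Terraform configuration is an added illustration of option B and is not part of the original question or of any Google-published sample; resource names, the region, the CIDR ranges and the number of reserved addresses are assumptions chosen for the example. It shows the weak setting (automatic NAT address allocation, option C) commented out beside the corrected one (manually assigned reserved addresses), and the outputs are the addresses you would send to the vendor.

```hcl
# Added example: private GKE nodes egressing through Cloud NAT with
# reserved static external IPs. Names, region and CIDRs are assumptions.
terraform {
  required_providers {
    google = { source = "hashicorp/google" }
  }
}

variable "project" { type = string }
variable "region" {
  type    = string
  default = "us-central1" # assumed region
}

provider "google" {
  project = var.project
  region  = var.region
}

resource "google_compute_network" "vpc" {
  name                    = "egress-demo-vpc"
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "nodes" {
  name                     = "egress-demo-nodes"
  region                   = var.region
  network                  = google_compute_network.vpc.id
  ip_cidr_range            = "10.10.0.0/20" # assumed node range
  private_ip_google_access = true           # Google APIs reachable without NAT
}

# Private nodes: VMs get no external IP, so the only path to the
# third-party API is through the Cloud NAT gateway below.
resource "google_container_cluster" "app" {
  name       = "egress-demo"
  location   = var.region
  network    = google_compute_network.vpc.id
  subnetwork = google_compute_subnetwork.nodes.id

  remove_default_node_pool = true
  initial_node_count       = 1
  deletion_protection      = false

  private_cluster_config {
    enable_private_nodes    = true
    enable_private_endpoint = false
    master_ipv4_cidr_block  = "172.16.0.0/28" # assumed control-plane range
  }

  ip_allocation_policy {} # VPC-native cluster; pod/service ranges auto-assigned
}

# Reserved static external IPs. These survive autoscaling, upgrades and
# node replacement because they belong to the NAT gateway, not to a VM.
resource "google_compute_address" "nat" {
  count  = 2 # assumed pool size; add more before ports are exhausted
  name   = "egress-demo-nat-${count.index}"
  region = var.region
}

resource "google_compute_router" "egress" {
  name    = "egress-demo-router"
  region  = var.region
  network = google_compute_network.vpc.id
}

resource "google_compute_router_nat" "egress" {
  name   = "egress-demo-nat"
  router = google_compute_router.egress.name
  region = var.region

  # Weak setting (option C): Google picks and may change the addresses.
  # nat_ip_allocate_option = "AUTO_ONLY"

  # Corrected setting (option B): only the reserved addresses are used.
  nat_ip_allocate_option = "MANUAL_ONLY"
  nat_ips                = google_compute_address.nat[*].self_link

  source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES"

  log_config {
    enable = true
    filter = "ERRORS_ONLY" # surfaces port-exhaustion drops
  }
}

# The fixed list to hand to the vendor's firewall team.
output "vendor_allowlist" {
  value = google_compute_address.nat[*].address
}
```

After `terraform apply`, `terraform output vendor_allowlist` prints the reserved addresses. Because `nat_ip_allocate_option` is `MANUAL_ONLY`, Cloud NAT will never substitute a different address; if the `ERRORS_ONLY` logs show dropped connections from port exhaustion, raise `count` on the reserved addresses and send the vendor the new address before traffic needs it.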