Google Cloud Professional Cloud Architect — Question 156

Your team needs to create a Google Kubernetes Engine (GKE) cluster to host a newly built application that requires access to third-party services on the internet.
Your company does not allow any Compute Engine instance to have a public IP address on Google Cloud. You need to create a deployment strategy that adheres to these guidelines. What should you do?

Answer options

• A. Configure the GKE cluster as a private cluster, and configure Cloud NAT Gateway for the cluster subnet.
• B. Configure the GKE cluster as a private cluster. Configure Private Google Access on the Virtual Private Cloud (VPC).
• C. Configure the GKE cluster as a route-based cluster. Configure Private Google Access on the Virtual Private Cloud (VPC).
• D. Create a Compute Engine instance, and install a NAT Proxy on the instance. Configure all workloads on GKE to pass through this proxy to access third-party services on the Internet.

Correct answer: A

Explanation

The correct answer, A, is appropriate because configuring the GKE cluster as a private cluster with Cloud NAT Gateway allows the cluster to access the internet without exposing any Compute Engine instances to public IPs. Option B does not provide internet access to third-party services, and options C and D do not effectively meet the requirement to avoid public IP addresses while allowing internet access.