Google Cloud Professional Cloud Architect — Question 189
Your organization uses separate Google Cloud projects for shared services, development, testing, and production.
• The shared services project hosts your private CI/CD runners and a central Artifact Registry.
• The development, testing, and production projects host the GKE clusters where applications are deployed.
You need to design an architecture that allows the CI/CD runners to connect to the GKE clusters and the clusters to pull images from Artifact Registry, all using private IP addresses. However, direct network traffic between the development, testing, and production environments must be strictly prohibited. What should you do?
Answer options
- A. Create a separate VPC in each of the four projects. Connect each environment's VPC to the shared services VPC through VPC Network Peering.
- B. Expose the resources in the shared services project using an external load balancer. Implement a firewall rule to limit access.
- C. Create a separate VPC in each project. Use VPC Network Peering to create a full mesh, connecting every VPC directly to every other VPC.
- D. Configure the shared services project as a Shared VPC host. Create a single VPC in this host project and attach the environment projects as service projects.
Correct answer: A
Explanation
Option A is the correct choice: peering each environment's VPC only with the shared services VPC forms a hub-and-spoke topology in which the CI/CD runners can reach the GKE clusters, and the clusters can pull from Artifact Registry, over private IP addresses. Because VPC Network Peering is not transitive, the development, testing, and production VPCs cannot reach one another through the shared services hub, so direct traffic between environments is prevented by the network design itself. Option B exposes the shared services on a public endpoint, which contradicts the private-IP and security requirements. Option C creates a full mesh in which every environment VPC is peered directly with every other, violating the strict separation required between environments. Option D places all three environments on a single Shared VPC network, so their isolation would rest on firewall rules alone rather than on network separation, and therefore does not meet the requirement to isolate the environments effectively.