Google Cloud Professional Cloud Architect — Question 242
You are configuring the cloud network architecture for a newly created project in Google Cloud that will host applications in Compute Engine. Compute Engine virtual machine instances will be created in two different subnets (sub-a and sub-b) within a single region:
• Instances in sub-a will have public IP addresses.
• Instances in sub-b will have only private IP addresses.
To download updated packages, instances must connect to a public repository outside the boundaries of Google Cloud. You need to allow sub-b to access the external repository. What should you do?
Answer options
- A. Enable Private Google Access on sub-b.
- B. Configure Cloud NAT and select sub-b in the NAT mapping section.
- C. Configure a bastion host instance in sub-a to connect to instances in sub-b.
- D. Enable Identity-Aware Proxy for TCP forwarding for instances in sub-b.
Correct answer: B
Explanation
The correct answer is B because configuring Cloud NAT allows instances in a private subnet to access the internet while keeping their private IP addresses.
- Option A is incorrect as Private Google Access does not provide access to external repositories.
- Option C is not suitable as a bastion host is typically used for SSH access rather than for outbound internet access.
- Option D is unrelated to the requirement since Identity-Aware Proxy is used for securing access to applications rather than enabling internet access.