Google Cloud Professional Cloud Database Engineer — Question 111
You are writing an application that will run on Cloud Run and require a database running in the Cloud SQL managed service. You want to secure this instance so that it only receives connections from applications running in your VPC environment in Google Cloud. What should you do?
Answer options
- A. 1. Create your instance with a specified external (public) IP address. 2. Choose the VPC and create firewall rules to allow only connections from Cloud Run into your instance. 3. Use Cloud SQL Auth proxy to connect to the instance.
- B. 1. Create your instance with a specified external (public) IP address. 2. Choose the VPC and create firewall rules to allow only connections from Cloud Run into your instance. 3. Connect to the instance using a connection pool to best manage connections to the instance.
- C. 1. Create your instance with a specified internal (private) IP address. 2. Choose the VPC with private service connection configured. 3. Configure the Serverless VPC Access connector in the same VPC network as your Cloud SQL instance. 4. Use Cloud SQL Auth proxy to connect to the instance.
- D. 1. Create your instance with a specified internal (private) IP address. 2. Choose the VPC with private service connection configured. 3. Configure the Serverless VPC Access connector in the same VPC network as your Cloud SQL instance. 4. Connect to the instance using a connection pool to best manage connections to the instance.
Correct answer: D
Explanation
The correct answer is D. Creating the Cloud SQL instance with an internal (private) IP address restricts access to the VPC only, and Cloud Run then reaches the instance securely through a Serverless VPC Access connector. Options A and B use an external IP address, which exposes the instance to the public internet and does not meet the security requirement. Option C uses the Cloud SQL Auth proxy rather than a connection pool; a connection pool is beneficial for managing multiple connections efficiently.