Google Cloud Professional Cloud Developer — Question 199
Your team is building an application for a financial institution. The application's frontend runs on Compute Engine, and the data resides in Cloud SQL and one Cloud Storage bucket. The application will collect data containing PII, which will be stored in the Cloud SQL database and the Cloud Storage bucket. You need to secure the PII data. What should you do?
Answer options
- A. 1. Create the relevant firewall rules to allow only the frontend to communicate with the Cloud SQL database 2. Using IAM, allow only the frontend service account to access the Cloud Storage bucket
- B. 1. Create the relevant firewall rules to allow only the frontend to communicate with the Cloud SQL database 2. Enable private access to allow the frontend to access the Cloud Storage bucket privately
- C. 1. Configure a private IP address for Cloud SQL 2. Use VPC-SC to create a service perimeter 3. Add the Cloud SQL database and the Cloud Storage bucket to the same service perimeter
- D. 1. Configure a private IP address for Cloud SQL 2. Use VPC-SC to create a service perimeter 3. Add the Cloud SQL database and the Cloud Storage bucket to different service perimeters
Correct answer: C
Explanation
The correct answer is C because configuring a private IP address for Cloud SQL and using VPC Service Controls (VPC-SC) to place both resources in a single service perimeter restricts access to the PII to trusted services within that boundary. Options A and B rely on firewall rules and IAM settings, which are important but do not provide the isolation that a service perimeter offers. Option D incorrectly places the resources in different perimeters, so the database and the bucket would not be subject to the same security controls and the PII would not be effectively protected.