Google Cloud Professional Cloud Network Engineer — Question 101

Your company has a single Virtual Private Cloud (VPC) network deployed in Google Cloud with on-premises connectivity already in place. You are deploying a new application using Google Kubernetes Engine (GKE), which must be accessible only from the same VPC network and on-premises locations. You must ensure that the GKE control plane is exposed to a predefined list of on-premises subnets through private connectivity only. What should you do?

Answer options

• A. Create a GKE private cluster with a private endpoint for the control plane. Configure VPC Networking Peering export/import routes and custom route advertisements on the Cloud Routers. Configure authorized networks to specify the desired on-premises subnets.
• B. Create a GKE private cluster with a public endpoint for the control plane. Configure VPC Networking Peering export/import routes and custom route advertisements on the Cloud Routers.
• C. Create a GKE private cluster with a private endpoint for the control plane. Configure authorized networks to specify the desired on-premises subnets.
• D. Create a GKE public cluster. Configure authorized networks to specify the desired on-premises subnets.

Correct answer: A

Explanation

The correct answer is A because it creates a GKE private cluster with a private endpoint, ensuring secure access only through specific on-premises subnets. Options B and D are incorrect as they expose the control plane publicly, which does not meet the requirement for private connectivity. Option C lacks the necessary VPC Networking Peering configuration needed for proper routing.