Google Cloud Professional Cloud Network Engineer — Question 112
You deployed a hub-and-spoke architecture in your Google Cloud environment that uses VPC Network Peering to connect the spokes to the hub. For security reasons, you deployed a private Google Kubernetes Engine (GKE) cluster in one of the spoke projects with a private endpoint for the control plane. You configured authorized networks to be the subnet range where the GKE nodes are deployed. When you attempt to reach the GKE control plane from a different spoke project, you cannot access it. You need to allow access to the GKE control plane from the other spoke projects. What should you do?
Answer options
- A. Add a firewall rule that allows port 443 from the other spoke projects.
- B. Enable Private Google Access on the subnet where the GKE nodes are deployed.
- C. Configure the authorized networks to be the subnet ranges of the other spoke projects.
- D. Deploy a proxy in the spoke project where the GKE nodes are deployed and connect to the control plane through the proxy.
Correct answer: D
Explanation
The correct answer is D. The control plane of a private GKE cluster runs in a Google-managed VPC that is attached to the cluster's VPC with VPC Network Peering, and peering is not transitive: routes learned over one peering are not re-advertised over another, so only the cluster's own VPC has a route to the control plane's private endpoint. A client in another spoke is at least one peering hop further away (its spoke to the hub, and the hub in turn to the cluster's spoke), so its packets never have a route to the control plane, whatever the firewall rules or the authorized-networks list say. A proxy deployed in the cluster's spoke, on the node subnet, fixes this because it terminates the client's TCP session and opens a new one to the control plane from its own internal IP: that IP is in the directly peered VPC (so the route exists) and in the authorized node subnet (so the control plane accepts the connection). Clients in the other spokes then point kubectl at the proxy with HTTPS_PROXY. Two things still have to be in place for that to work: a firewall rule on the proxy VM that admits the other spokes' source ranges on its listening port, and a path from those spokes to the proxy VM (spoke-to-spoke traffic through a peering hub is not transitive either and needs its own connectivity).
Option A is incorrect because a firewall rule only filters traffic that already has a route; there is no route from the other spokes to the control plane range, so allowing port 443 changes nothing. Option B is incorrect because Private Google Access lets VMs without external IP addresses reach Google APIs and services; it has no bearing on reaching the control plane's private endpoint across peerings. Option C is incorrect because authorized networks is an allowlist enforced at the control plane; the other spokes' traffic never arrives there, so adding their ranges cannot restore connectivity (authorized networks would be the right lever for a source that can already route to the control plane, such as another VM in the cluster's own VPC).
Caveat: this limitation is specific to clusters whose control plane is attached by VPC Network Peering, as in this question. Newer GKE clusters attach the control plane through Private Service Connect instead, which does not rely on peering, so the proxy workaround is not needed there.
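Added example, not part of the original question and not Google's documented tooling: a minimal HTTP CONNECT proxy in Python that shows what the proxy VM in option D actually does. In production you would install a packaged proxy (Privoxy, HAProxy or Squid) on a VM in the cluster's node subnet; this stand-in exists so the mechanism is visible and can be exercised offline. It assumes a placeholder control plane private endpoint of 172.16.0.2:443, and demo() replaces the control plane with a constructed local echo server so that it runs without a cluster. The security-relevant detail is the destination allowlist: the proxy only tunnels to the control plane endpoint, so it cannot be turned into a general pivot into the VPC.

```python
# Added illustration of option D's proxy; a production VM would run Privoxy/HAProxy/Squid.
import socket
import threading
from contextlib import suppress

CONTROL_PLANE = ("172.16.0.2", 443)  # assumed placeholder for the cluster's private endpoint

def parse_connect_request(data: bytes):
    """Return (host, port) from a 'CONNECT host:port HTTP/1.x' request line, else None."""
    try:
        method, target, version = data.split(b"\r\n", 1)[0].decode("ascii").split(" ")
    except (UnicodeDecodeError, ValueError):
        return None
    host, sep, port = target.rpartition(":")
    if method != "CONNECT" or not version.startswith("HTTP/1.") or not sep or not port.isdigit():
        return None
    return host, int(port)

def _read_until(sock, marker, limit=8192):
    """Read until `marker` appears, the peer closes, or `limit` bytes are buffered."""
    buf = b""
    while marker not in buf and len(buf) < limit and (chunk := sock.recv(4096)):
        buf += chunk
    return buf

def _pipe(src, dst):
    """Copy bytes one way until EOF, then half-close the destination."""
    with suppress(OSError):
        while chunk := src.recv(65536):
            dst.sendall(chunk)
    with suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

def handle_client(client, allowed):
    """Validate CONNECT, enforce the allowlist, open the upstream session from *our* IP, tunnel."""
    with client, suppress(OSError):
        head = _read_until(client, b"\r\n\r\n")
        dest = parse_connect_request(head) if b"\r\n\r\n" in head else None
        if dest is None:
            client.sendall(b"HTTP/1.1 400 Bad Request\r\n\r\n")
            return
        if dest not in allowed:  # never an open proxy into the VPC
            client.sendall(b"HTTP/1.1 403 Forbidden\r\n\r\n")
            return
        try:
            upstream = socket.create_connection(dest, timeout=10)
        except OSError:
            client.sendall(b"HTTP/1.1 502 Bad Gateway\r\n\r\n")
            return
        with upstream:
            upstream.settimeout(None)  # long-lived tunnels (kubectl watch) must not idle out
            client.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
            t = threading.Thread(target=_pipe, args=(client, upstream), daemon=True)
            t.start()
            _pipe(upstream, client)
            t.join()

def serve(bind_addr, allowed=frozenset({CONTROL_PLANE})):
    """Accept clients on bind_addr in a background thread; return the listening socket."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(bind_addr)
    srv.listen(16)
    def loop():
        with suppress(OSError):  # accept() raises once the listener is closed
            while True:
                conn, _ = srv.accept()
                threading.Thread(target=handle_client, args=(conn, allowed), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv

def connect_through(proxy_addr, dest, payload):
    """Client side, as kubectl behaves with HTTPS_PROXY set; returns (status line, echoed bytes)."""
    with socket.create_connection(proxy_addr, timeout=5) as c:
        target = b"%s:%d" % (dest[0].encode(), dest[1])
        c.sendall(b"CONNECT " + target + b" HTTP/1.1\r\nHost: " + target + b"\r\n\r\n")
        status = _read_until(c, b"\r\n\r\n").split(b"\r\n", 1)[0]
        if not status.startswith(b"HTTP/1.1 200"):
            return status, b""
        c.sendall(payload)
        return status, _read_until(c, payload)

def demo():
    """Offline run: a constructed echo server stands in for the control plane endpoint."""
    echo = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    echo.bind(("127.0.0.1", 0))
    echo.listen(1)
    endpoint = echo.getsockname()
    def echo_one():
        conn, _ = echo.accept()
        with echo, conn:
            while chunk := conn.recv(4096):
                conn.sendall(chunk)
    threading.Thread(target=echo_one, daemon=True).start()
    proxy = serve(("127.0.0.1", 0), allowed={endpoint})
    ok = connect_through(proxy.getsockname(), endpoint, b"ping")  # allowlisted: tunnelled
    denied = connect_through(proxy.getsockname(), ("127.0.0.1", 1), b"ping")  # refused with 403
    proxy.close()
    return ok, denied
```

To use this on the proxy VM you would set CONTROL_PLANE to the cluster's real private endpoint, call serve(("0.0.0.0", 8118)) and keep the process alive; from a client in another spoke, with a kubeconfig that points at the private endpoint, run HTTPS_PROXY=http://<proxy-internal-ip>:8118 kubectl get nodes. The proxy's internal IP, not the client's, is what the control plane sees, which is why the existing authorized-networks entry for the node subnet is sufficient. The firewall rule admitting the other spokes' ranges on port 8118 and a route from those spokes to the proxy VM are assumed to exist.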