Google Cloud Professional Cloud Network Engineer — Question 126
You are configuring an HA VPN connection between your Virtual Private Cloud (VPC) and on-premises network. The VPN gateway is named VPN_GATEWAY_1. You need to restrict VPN tunnels created in the project to only connect to your on-premises VPN public IP address: 203.0.113.1/32. What should you do?
Answer options
- A. Configure a firewall rule accepting 203.0.113.1/32, and set a target tag equal to VPN_GATEWAY_1.
- B. Configure the Resource Manager constraint constraints/compute.restrictVpnPeerIPs to use an allowList consisting of only the 203.0.113.1/32 address.
- C. Configure a Google Cloud Armor security policy, and create a policy rule to allow 203.0.113.1/32.
- D. Configure an access control list on the peer VPN gateway to deny all traffic except 203.0.113.1/32, and attach it to the primary external interface.
Correct answer: B
Explanation
The correct answer is B because the Resource Manager (organization policy) list constraint constraints/compute.restrictVpnPeerIPs controls which peer IP addresses or CIDR ranges may be configured on Cloud VPN tunnels in the project; an allowList containing only 203.0.113.1/32 prevents any tunnel in the project from being created with a different peer address. Option A is wrong because a VPC firewall rule filters traffic to and from VM instances and cannot constrain the peer address a VPN tunnel is configured with. Options C and D are wrong because Cloud Armor protects load-balanced HTTP(S) backends, and an ACL on the peer gateway is enforced outside Google Cloud; neither restricts which peer IPs VPN tunnels in the project may be created with.
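As an added illustration (not part of the question or of Google's documentation), this is what option B looks like as an organization policy applied at the project level with gcloud org-policies set-policy; PROJECT_ID is a placeholder, and the file name is assumed.

```yaml
# Added example: project-level org policy restricting Cloud VPN tunnel peer
# addresses to the single on-premises gateway 203.0.113.1/32.
# PROJECT_ID is a placeholder. Apply with:
#   gcloud org-policies set-policy restrict-vpn-peers.yaml
name: projects/PROJECT_ID/policies/compute.restrictVpnPeerIPs
spec:
  # Do not merge with an allow list inherited from the folder or organization;
  # only the values listed here are permitted in this project.
  inheritFromParent: false
  rules:
    - values:
        allowedValues:
          - 203.0.113.1/32
```

The constraint is evaluated when a tunnel is created, so it blocks new tunnels to any other peer address; tunnels that already exist before the policy is set are not torn down and must be audited separately.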