Google Cloud Professional Cloud Network Engineer — Question 194

You have several VMs across multiple VPCs in your cloud environment, which require access to internet endpoints. These VMs cannot have public IP addresses due to security policies, so you plan to use Cloud NAT to provide outbound internet access. Within your VPCs, you have several subnets in each region. You want to ensure that only specific subnets have access to the internet through Cloud NAT. You want to avoid any unintentional configuration issues caused by other administrators, and align to Google-recommended practices. What should you do?

Answer options

• A. Create a firewall rule in each VPC at priority 500 that targets all instances in the network and denies egress to the internet, 0.0.0.0/0. Create a firewall rule at priority 300 that targets all instances in the network, has a source filter that maps to the allowed subnets, and allows egress to the internet, 0.0.0.0/0. Deploy Cloud NAT, and configure all primary and secondary subnet source ranges.
• B. Create a constraints/compute.restrictCloudNATUsage organizational policy constraint. Attach the constraint to a folder that contains the associated projects. Configure the allowedValues to only contain the subnets that should have internet access. Deploy Cloud NAT and select only the allowed subnets.
• C. Create a firewall rule in each VPC at priority 500 that targets all instances in the network and denies egress to the internet, 0.0.0.0/0. Create a firewall rule at priority 300 that targets all instances in the network, has a source filter that maps to the allowed subnets, and allows egress to the internet, 0.0.0.0/0. Deploy Cloud NAT, and configure a custom source range that includes the allowed subnets.
• D. Deploy Cloud NAT in each VPC, and configure a custom source range that includes the allowed subnets. Configure Cloud NAT rules to only permit the allowed subnets to egress through Cloud NAT.

Correct answer: B

Explanation

The correct answer is B because it implements an organizational policy constraint that restricts Cloud NAT usage to only the specified subnets, ensuring adherence to best practices and minimizing configuration errors. Option A and C focus on firewall rules but do not address the organizational policy aspect, which is crucial for preventing unintended changes by other administrators. Option D lacks the necessary policy constraint and solely relies on NAT rules, which may not adequately prevent access from unintended subnets.