Google Cloud Professional Cloud Network Engineer — Question 206
Your organization is developing a landing zone architecture with the following requirements:
• There should be no communication possible between production and non-production environments.
• Communication between applications within an environment may be necessary.
• Network administrators should centrally manage all network resources, including subnets, routes, and firewall rules.
• Each application should be billed separately.
• Developers of an application within a project should have the autonomy to create their compute resources. They should not create or modify networking resources.
• Up to 1000 applications are expected per environment.
You need to create a design that accommodates these requirements. What should you do?
Answer options
- A. Create a design that has one Shared VPC host project for the production environment, and another Shared VPC host project for the nonproduction environment. Associate the various applications' service projects with the corresponding environment's host project.
- B. Create a design that has a Shared VPC for each project. Implement hierarchical firewall policies to apply micro-segmentation between VPCs.
- C. Create a design that implements a single Shared VPC. Use VPC firewall rules with secure tags to enforce micro-segmentation between environments.
- D. Create a design where each project in each environment has its own VPC with its own subnets, routes, and firewall rules. Ensure all VPCs are added as spokes to a Network Connectivity Center hub.
Correct answer: A
Explanation
Option A is correct because it allows for the necessary isolation between production and non-production environments while enabling centralized management of network resources. Options B and C do not fulfill the requirement of strict isolation, as they allow for communication between environments. Option D, while providing isolation, complicates management due to the need for multiple individual VPCs and associated resources.