Google Cloud Professional Cloud Network Engineer — Question 214
Your organization's application is running on a VPC-native GKE Standard cluster with public IP addresses. You need to configure access to the remote address range 35.100.0.0/16 through Cloud NAT, instead of using the GKE nodes' external IP addresses. SNAT is enabled on the cluster and needs to be configured. What should you do?
Answer options
- A. Configure nonMasqueradeCIDRs in the ip-masq-agent ConfigMap. Include the 35.100.0.0/16 range in the list.
- B. Configure nonMasqueradeCIDRs in the ip-masq-agent ConfigMap. Remove the 35.100.0.0/16 range from the list.
- C. Configure Cloud NAT and create an exclusion rule for any SNAT address translation.
- D. Configure Cloud NAT with nonMasqueradeCIDRs, and enable SNAT with the same configuration to allow traffic to 35.100.0.0/16.
Correct answer: B
Explanation
The correct answer is B: removing the 35.100.0.0/16 range from the nonMasqueradeCIDRs list allows traffic to that range to be routed through Cloud NAT instead of using the GKE nodes' external IP addresses. Option A is incorrect because including the range would result in that traffic not being routed through Cloud NAT. Options C and D are also incorrect because they do not properly address the need to exclude the specified range from node IP usage.