Google Cloud Professional Cloud Network Engineer — Question 245

You are responsible for enabling Private Google Access for the virtual machine (VM) instances in your Virtual Private Cloud (VPC) to access Google APIs. All VM instances have only a private IP address and need to access Cloud Storage. You need to ensure that all VM traffic is routed back to your on-premises data center for traffic scrubbing via your existing Cloud Interconnect connection. However, VM traffic to Google APIs should remain in the VPC. What should you do?

Answer options

• A. 1. Delete the default route in your VPC. 2. Create a private Cloud DNS zone for googleapis.com, create a CNAME for *.googleapis.com to restricted googleapis.com, and create an A record for restricted googleapis com that resolves to the addresses in 199.36.153.4/30. 3. Create a static route in your VPC for the range 199.36.153.4/30 with the default internet gateway as the next hop.
• B. 1. Delete the default route in your VPC and configure your on-premises router to advertise 0.0.0.0/0 via Border Gateway Protocol (BGP). 2. Create a public Cloud DNS zone with a CNAME for *.google.com to private googleapis com, create a CNAME for * googleapis.com to private googleapis com, and create an A record for Private googleapis.com that resolves to the addresses in 199.36.153 8/30. 3. Create a static route in your VPC for the range 199 .36.153.8/30 with the default internet gateway as the next hop.
• C. 1. Configure your on-premises router to advertise 0.0.0.0/0 via Border Gateway Protocol (BGP) with a lower priority (MED) than the default VPC route. 2. Create a private Cloud DNS zone for googleapis.com, create a CNAME for * googieapis.com to private googleapis com, and create an A record for private.googleapis.com that resolves to the addresses in 199 .36.153.8/30. 3. Create a static route in your VPC for the range 199.36. 153.8/30 with the default internet gateway as the next hop.
• D. 1. Delete the default route in your VPC and configure your on-premises router to advertise 0.0.0.0/0 via Border Gateway Protocol (BGP). 2. Create a private Cloud DNS zone for googleapis.com, create a CNAME for * googieapis.com to Private googleapis.com, and create an A record for private.googleapis.com that resolves to the addresses in 199.36.153.8/30. 3. Create a static route in your VPC for the range 199.36.153.8/30 with the default internet gateway as the next hop.

Correct answer: D

Explanation

Option D is correct because it effectively removes the default route, directs traffic through the on-premises data center, and sets up Private Google Access correctly via DNS and static routing. The other options either misconfigure DNS settings or do not ensure that API traffic stays within the VPC, which is critical for this scenario.