Google Cloud Professional Cloud Network Engineer — Question 39

You are designing a shared VPC architecture. Your network and security team has strict controls over which routes are exposed between departments. Your
Production and Staging departments can communicate with each other, but only via specific networks. You want to follow Google-recommended practices.
How should you design this topology?

Answer options

• A. Create 2 shared VPCs within the shared VPC Host Project, and enable VPC peering between them. Use firewall rules to filter access between the specific networks.
• B. Create 2 shared VPCs within the shared VPC Host Project, and create a Cloud VPN/Cloud Router between them. Use Flexible Route Advertisement (FRA) to filter access between the specific networks.
• C. Create 2 shared VPCs within the shared VPC Service Project, and create a Cloud VPN/Cloud Router between them. Use Flexible Route Advertisement (FRA) to filter access between the specific networks.
• D. Create 1 VPC within the shared VPC Host Project, and share individual subnets with the Service Projects to filter access between the specific networks.

Correct answer: D

Explanation

The correct answer is D because creating a single VPC within the shared VPC Host Project and sharing specific subnets allows for more granular control over network access while adhering to Google's best practices. Options A and B suggest creating multiple shared VPCs which complicates the architecture unnecessarily, and option C incorrectly places the shared VPCs in the Service Project instead of the Host Project.