Google Cloud Professional Cloud Network Engineer — Question 8

You are using a third-party next-generation firewall to inspect traffic. You created a custom route of 0.0.0.0/0 to route egress traffic to the firewall. You want to allow your VPC instances without public IP addresses to access the BigQuery and Cloud Pub/Sub APIs, without sending the traffic through the firewall.
Which two actions should you take? (Choose two.)

Answer options

• A. Turn on Private Google Access at the subnet level.
• B. Turn on Private Google Access at the VPC level.
• C. Turn on Private Services Access at the VPC level.
• D. Create a set of custom static routes to send traffic to the external IP addresses of Google APIs and services via the default internet gateway.
• E. Create a set of custom static routes to send traffic to the internal IP addresses of Google APIs and services via the default internet gateway.

Correct answer: A, D

Explanation

Enabling Private Google Access at the subnet level (Option A) allows instances without public IPs to access Google services directly, which is essential for your requirement. Option D is also correct because it involves creating routes to direct traffic appropriately. The other options either do not directly address the need for access without routing through the firewall or are not applicable in this context.