Google Cloud Professional Cloud Network Engineer — Question 82
You recently deployed Compute Engine instances in regions us-west1 and us-east1 in a Virtual Private Cloud (VPC) with default routing configurations. Your company security policy mandates that virtual machines (VMs) must not have public IP addresses attached to them. You need to allow your instances to fetch updates from the internet while preventing external access. What should you do?
Answer options
- A. Create a Cloud NAT gateway and Cloud Router in both us-west1 and us-east1.
- B. Create a single global Cloud NAT gateway and global Cloud Router in the VPC.
- C. Change the instances’ network interface external IP address from None to Ephemeral.
- D. Create a firewall rule that allows egress to destination 0.0.0.0/0.
Correct answer: A
Explanation
The correct answer is A because a Cloud NAT gateway lets VMs that have only internal IP addresses initiate outbound connections to the internet (for example, to fetch updates) while inbound connections from the internet are still impossible, which satisfies the security policy. Cloud NAT is a regional service that runs on a Cloud Router, so one gateway and one Cloud Router are needed in each region where the instances live. Option B is incorrect because Cloud NAT gateways and Cloud Routers are regional resources; a single "global" gateway cannot serve instances in both us-west1 and us-east1. Option C violates the policy by attaching public IP addresses to the instances. Option D is insufficient: a firewall rule only permits traffic that is otherwise routable (and the VPC's implied rule already allows all egress), but without an external IP address or a NAT gateway the instances still have no way to reach the internet.