Google Cloud Professional Cloud Network Engineer — Question 97

You need to enable Private Google Access for use by some subnets within your Virtual Private Cloud (VPC). Your security team set up the VPC to send all internet-bound traffic back to the on- premises data center for inspection before egressing to the internet, and is also implementing VPC Service Controls in the environment for API-level security control. You have already enabled the subnets for Private Google Access. What configuration changes should you make to enable Private Google Access while adhering to your security team’s requirements?

Answer options

• A. 1. Create a private DNS zone with a CNAME record for *.googleapis.com to restricted.googleapis.com, with an A record pointing to Google's restricted API address range. 2. Create a custom route that points Google's restricted API address range to the default internet gateway as the next hop.
• B. 1. Create a private DNS zone with a CNAME record for *.googleapis.com to restricted.googleapis.com, with an A record pointing to Google's restricted API address range. 2. Change the custom route that points the default route (0/0) to the default internet gateway as the next hop.
• C. 1. Create a private DNS zone with a CNAME record for *.googleapis.com to private.googleapis.com, with an A record painting to Google's private AP address range. 2. Change the custom route that points the default route (0/0) to the default internet gateway as the next hop.
• D. 1. Create a private DNS zone with a CNAME record for *.googleapis.com to private.googleapis.com, with an A record pointing to Google's private API address range. 2. Create a custom route that points Google's private API address range to the default internet gateway as the next hop.

Correct answer: A

Explanation

The correct answer is A because it ensures that the API access is routed through the appropriate restricted IP ranges which meet the security requirements. Options B and C incorrectly suggest changing the default route to the internet gateway, which would bypass the inspection process, while D also fails to address the need for routing the restricted API address range correctly.