Google Cloud Professional Cloud Security Engineer — Question 103

You need to set up a Cloud Interconnect connection between your company’s on-premises data center and VPC host network. You want to make sure that on-premises applications can only access Google APIs over the Cloud Interconnect and not through the public internet. You are required to only use APIs that are supported by VPC Service Controls to mitigate against exfiltration risk to non-supported APIs. How should you configure the network?

Answer options

• A. Enable Private Google Access on the regional subnets and global dynamic routing mode.
• B. Create a CNAME to map *.googleapis.com to restricted.googleapis.com, and create A records for restricted.googleapis.com mapped to 199.36.153.8/30.
• C. Use private.googleapis.com to access Google APIs using a set of IP addresses only routable from within Google Cloud, which are advertised as routes over the connection.
• D. Use restricted googleapis.com to access Google APIs using a set of IP addresses only routable from within Google Cloud, which are advertised as routes over the Cloud Interconnect connection.

Correct answer: D

Explanation

The correct answer is D because using restricted.googleapis.com ensures that access to Google APIs is limited to IP addresses that are routable only within Google Cloud, enhancing security. Option A does not specifically restrict API access to the Cloud Interconnect, while option B does not utilize the correct endpoint for restricted access. Option C fails to provide the necessary restrictions provided by the restricted.googleapis.com endpoint.