Google Cloud Professional Cloud Security Engineer — Question 124
Your DevOps team uses Packer to build Compute Engine images by using this process:
1. Create an ephemeral Compute Engine VM.
2. Copy a binary from a Cloud Storage bucket to the VM's file system.
3. Update the VM's package manager.
4. Install external packages from the internet onto the VM.
Your security team just enabled the organizational policy, constraints/compute.vmExternalIpAccess, to restrict the usage of public IP addresses on VMs. In response, your DevOps team updated their scripts to remove public IP addresses on the Compute Engine VMs; however, the build pipeline is failing due to connectivity issues.
What should you do? (Choose two.)
Answer options
- A. Provision an HTTP load balancer with the VM in an unmanaged instance group to allow inbound connections from the internet to your VM.
- B. Provision a Cloud NAT instance in the same VPC and region as the Compute Engine VM.
- C. Enable Private Google Access on the subnet that the Compute Engine VM is deployed within.
- D. Update the VPC routes to allow traffic to and from the internet.
- E. Provision a Cloud VPN tunnel in the same VPC and region as the Compute Engine VM.
Correct answer: B, C
Explanation
The correct answers are B and C. Provisioning a Cloud NAT instance gives the VM outbound access to the internet, so it can update its package manager and download external packages without a public IP address. Enabling Private Google Access on the subnet lets the VM reach Google services, such as the Cloud Storage bucket that holds the binary, also without a public IP address. The other options either do not address the connectivity issue under the new policy or involve unnecessary configurations.