Google Cloud Professional Cloud Security Engineer — Question 219
Your company has deployed an artificial intelligence model in a central project. This model has a lot of sensitive intellectual property and must be kept strictly isolated from the internet. You must expose the model endpoint only to a defined list of projects in your organization. What should you do?
Answer options
- A. Within the model project, create an internal Application Load Balancer that points to the model endpoint. Expose this load balancer with Private Service Connect to a configured list of projects.
- B. Activate Private Google Access in both the model project and in each project that needs to connect to the model. Create a firewall policy to allow connectivity to Private Google Access addresses.
- C. Create a central project to host Shared VPC networks that are provided to all other projects. Centrally administer all firewall rules in this project to grant access to the model.
- D. Within the model project, create an external Application Load Balancer that points to the model endpoint. Create a Cloud Armor policy to restrict IP addresses to Google Cloud.
Correct answer: A
Explanation
The correct answer is A because it places the model endpoint behind an internal Application Load Balancer and uses Private Service Connect to restrict access to only the specified projects. Option B does not provide the necessary isolation: it relies on Private Google Access, which could expose the model to more projects than desired. Option C introduces Shared VPC, which complicates access control instead of isolating it. Option D exposes the model through an external load balancer, which contradicts the requirement for strict isolation from the internet.