Google Cloud Professional Cloud Security Engineer — Question 253
A customer is running an analytics workload on Google Cloud Platform (GCP) where Compute Engine instances are accessing data stored on Cloud Storage.
Your team wants to make sure that this workload will not be able to access, or be accessed from, the internet.
Which two strategies should your team use to meet these requirements? (Choose two.)
Answer options
- A. Configure Private Google Access on the Compute Engine subnet.
- B. Avoid assigning public IP addresses to the Compute Engine cluster.
- C. Make sure that the Compute Engine cluster is running on a separate subnet.
- D. Turn off IP forwarding on the Compute Engine instances in the cluster.
- E. Configure a Cloud NAT gateway.
Correct answer: A, B
Explanation
Configuring Private Google Access allows Compute Engine instances to reach Google services without needing public IP addresses, ensuring they remain isolated from the internet. Avoiding public IP addresses also prevents direct internet access, further securing the workload. The other options do not directly contribute to isolating the workload from the internet.