Google Cloud Professional Cloud Security Engineer — Question 304
Your organization hosts a financial services application running on Compute Engine instances for a third-party company. The third-party company's servers that will consume the application also run on Compute Engine in a separate Google Cloud organization. You need to configure a secure network connection between the Compute Engine instances. You have the following requirements:
- The network connection must be encrypted.
- The communication between servers must be over private IP addresses.
What should you do?
Answer options
- A. Configure a Cloud VPN connection between your organization's VPC network and the third party's that is controlled by VPC firewall rules.
- B. Configure a VPC peering connection between your organization's VPC network and the third party's that is controlled by VPC firewall rules.
- C. Configure a VPC Service Controls perimeter around your Compute Engine instances, and provide access to the third party via an access level.
- D. Configure an Apigee proxy that exposes your Compute Engine-hosted application as an API, and is encrypted with TLS which allows access only to the third party.
Correct answer: B
Explanation
The correct answer is B because a VPC peering connection allows private IP communication between two different VPC networks while ensuring encryption. Option A, Cloud VPN, would not meet the requirement for private IP address communication as it typically routes traffic over the public internet. Option C focuses on access control rather than establishing a network connection, and option D introduces unnecessary complexity by exposing the application as an API instead of creating a direct connection.