Google Cloud Professional Cloud Security Engineer — Question 69

You need to set up a Cloud interconnect connection between your company's on-premises data center and VPC host network. You want to make sure that on- premises applications can only access Google APIs over the Cloud Interconnect and not through the public internet. You are required to only use APIs that are supported by VPC Service Controls to mitigate against exfiltration risk to non-supported APIs. How should you configure the network?

Answer options

• A. Enable Private Google Access on the regional subnets and global dynamic routing mode.
• B. Set up a Private Service Connect endpoint IP address with the API bundle of "all-apis", which is advertised as a route over the Cloud interconnect connection.
• C. Use private.googleapis.com to access Google APIs using a set of IP addresses only routable from within Google Cloud, which are advertised as routes over the connection.
• D. Use restricted googleapis.com to access Google APIs using a set of IP addresses only routable from within Google Cloud, which are advertised as routes over the Cloud Interconnect connection.

Correct answer: D

Explanation

Option D is the correct answer because using restricted googleapis.com ensures that the access to Google APIs is restricted to the private network and not exposed to the public internet. Options A and B do not provide the necessary level of restriction for accessing Google APIs, while option C uses private.googleapis.com but does not specify the use of restricted access, making it less secure compared to option D.