
Answer-first summary for fast verification
Answer: Create a Cloud NAT gateway and Cloud Router in both us-west1 and us-east1.
To allow instances without public IP addresses to fetch updates from the internet while preventing external access, the correct approach is to set up a Cloud NAT gateway and Cloud Router in each region where the instances are located. Cloud NAT translates only connections the VMs initiate outbound; it never accepts unsolicited inbound connections, so the instances get their updates without ever being given a public IP address, which is exactly what the company's security policy requires. A single global Cloud NAT gateway (Option B) is not supported by Google Cloud, because Cloud NAT gateways and Cloud Routers are regional resources, which is why one of each is needed in us-west1 and another in us-east1. Changing the instances' network interface to have an ephemeral external IP address (Option C) would violate the security policy. Creating a firewall rule that allows egress to destination 0.0.0.0/0 (Option D) is unnecessary because every VPC already has an implied rule allowing egress, and it does not solve the problem: without NAT, instances with no public IP cannot initiate outbound connections to the internet.
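The following Terraform configuration is an added example, not part of the original question or of any LeetQuiz material, showing what Option A looks like in code. It assumes a project placeholder, a VPC named prod-vpc, one subnet per region with constructed CIDR ranges, the -b zones, an e2-small Debian image and the resource names used below; all of these are assumptions. The point to notice is the for_each over the two regions: because Cloud Router and Cloud NAT are regional resources, each region needs its own pair, and the VM network_interface deliberately omits access_config so no external IP is ever assigned.

```hcl
# Added example (not from the original page). Project id, network, subnet,
# CIDR ranges, zones, image and resource names are assumptions.
provider "google" {
  project = "my-project-id" # placeholder, replace with your project id
}

locals {
  # Regions where the instances live; one Cloud Router + NAT per region.
  nat_regions = toset(["us-west1", "us-east1"])
  subnet_cidrs = {
    "us-west1" = "10.10.0.0/24" # constructed sample range
    "us-east1" = "10.20.0.0/24" # constructed sample range
  }
}

resource "google_compute_network" "vpc" {
  name                    = "prod-vpc"
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "subnet" {
  for_each      = local.subnet_cidrs
  name          = "subnet-${each.key}"
  region        = each.key
  network       = google_compute_network.vpc.id
  ip_cidr_range = each.value
}

# Cloud Router is regional: one per region that hosts private instances.
resource "google_compute_router" "router" {
  for_each = local.nat_regions
  name     = "nat-router-${each.key}"
  region   = each.key
  network  = google_compute_network.vpc.id
}

# Cloud NAT is regional too and attaches to the router in the same region.
resource "google_compute_router_nat" "nat" {
  for_each                           = local.nat_regions
  name                               = "nat-gw-${each.key}"
  router                             = google_compute_router.router[each.key].name
  region                             = each.key
  nat_ip_allocate_option             = "AUTO_ONLY"
  source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES"

  # Log failed translations so exhausted NAT ports or blocked egress show up.
  log_config {
    enable = true
    filter = "ERRORS_ONLY"
  }
}

# Instance with no public IP: the access_config block is intentionally absent,
# so the only path to the internet is outbound through Cloud NAT.
resource "google_compute_instance" "vm" {
  for_each     = local.nat_regions
  name         = "updater-${each.key}"
  zone         = "${each.key}-b"
  machine_type = "e2-small"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12"
    }
  }

  network_interface {
    subnetwork = google_compute_subnetwork.subnet[each.key].id
    # No access_config {} here -> no external IP, per the security policy.
  }
}
```

After `terraform apply`, a VM in either region can run its package manager update through the NAT gateway, while `gcloud compute instances list` shows an empty EXTERNAL_IP column for both instances. Adding a third region means adding it to `nat_regions` and `subnet_cidrs`; the configuration will not work with a single router because the `region` argument on both resources is mandatory.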
Author: LeetQuiz Editorial Team
You have deployed Compute Engine instances in regions us-west1 and us-east1 within a VPC using default routing. Your security policy requires that VMs must not have public IP addresses, but the instances need to download updates from the internet without allowing inbound external access. What is the recommended solution?
A. Create a Cloud NAT gateway and Cloud Router in both us-west1 and us-east1.
B. Create a single global Cloud NAT gateway and global Cloud Router in the VPC.
C. Change the instances' network interface external IP address from None to Ephemeral.
D. Create a firewall rule that allows egress to destination 0.0.0.0/0.