
Answer-first summary for fast verification
Answer: Configure the Resource Manager constraint constraints/compute.restrictVpnPeerIPs to use an allowList consisting of only the 203.0.113.1/32 address.
The correct choice is B. `constraints/compute.restrictVpnPeerIPs` is an Organization Policy list constraint whose allowed values are IP addresses or CIDR ranges that Cloud VPN tunnels in the scope of the policy may use as their peer. Setting it on the project with an allow list containing only 203.0.113.1/32 makes the creation of a tunnel with any other peer address fail, whoever creates it and whichever gateway (VPN_GATEWAY_1 or any other) it is attached to. Because the constraint is evaluated when a tunnel is created, confirm the effective policy after setting it (`gcloud org-policies describe compute.restrictVpnPeerIPs --project=PROJECT_ID --effective`) and review tunnels that already exist. Firewall rules (A) filter traffic to and from VM instances; target tags select instances, not VPN gateways, so a firewall rule cannot restrict a tunnel's peer. Google Cloud Armor (C) applies to traffic reaching Google Cloud load balancers and has nothing to do with VPN tunnels. An access control list on the peer gateway (D) lives on the on-premises device, outside Google Cloud's control, so it cannot enforce which peers the tunnels in the project are allowed to target.
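The following is an added example, not code from the original page or from Google: it renders the Organization Policy file that `gcloud org-policies set-policy` accepts for this constraint, and models the allow-list check locally so you can see which tunnel-creation requests the policy would reject. The project ID `my-vpn-project` and every peer address other than 203.0.113.1 are constructed for the example, and `peer_ip_allowed()` is a plain-Python reproduction of the documented list-constraint semantics (allowed values are IPs or CIDRs), not Google's enforcement code.

```python
"""Added example (not from the original page): build the Organization Policy
that pins Cloud VPN peer IPs, and simulate its allow-list check locally.

Assumptions (not from the page): the project ID "my-vpn-project" and the
candidate peer IPs other than 203.0.113.1 are made up for this example.
peer_ip_allowed() mirrors the documented list-constraint semantics in plain
Python; it is not Google's enforcement code.
"""
import ipaddress

CONSTRAINT = "compute.restrictVpnPeerIPs"
ON_PREM_PEER = "203.0.113.1/32"   # the only peer the question permits
PROJECT_ID = "my-vpn-project"     # assumed placeholder project


def policy_yaml(project_id: str, allowed_values: list[str]) -> str:
    """Render the v2 organization-policy YAML for this constraint.
    Apply it with:  gcloud org-policies set-policy policy.yaml
    An allowedValues list with a single /32 rejects every other peer."""
    lines = [
        f"name: projects/{project_id}/policies/{CONSTRAINT}",
        "spec:",
        "  rules:",
        "  - values:",
        "      allowedValues:",
    ]
    lines += [f"      - {value}" for value in allowed_values]
    return "\n".join(lines) + "\n"


def peer_ip_allowed(peer_ip: str, allowed_values: list[str]) -> bool:
    """Local model of the allow-list check: a tunnel's peer IP passes only
    if it falls inside one of the allowed addresses or CIDR ranges."""
    addr = ipaddress.ip_address(peer_ip)
    return any(
        addr in ipaddress.ip_network(value, strict=False)
        for value in allowed_values
    )


def tunnel_requests_rejected(peer_ips: list[str],
                             allowed_values: list[str]) -> list[str]:
    """Given the peer IPs of a batch of tunnel-creation requests, return
    the ones the policy would block with a constraint violation."""
    return [ip for ip in peer_ips if not peer_ip_allowed(ip, allowed_values)]


if __name__ == "__main__":
    print(policy_yaml(PROJECT_ID, [ON_PREM_PEER]))
    # Constructed requests: the real on-prem peer, a neighbour in the same
    # /24 (which a too-wide CIDR would wrongly admit), and an unrelated host.
    candidates = ["203.0.113.1", "203.0.113.2", "198.51.100.7"]
    print("blocked:", tunnel_requests_rejected(candidates, [ON_PREM_PEER]))
    # Verify what is actually in force on the project (not run here):
    #   gcloud org-policies describe compute.restrictVpnPeerIPs \
    #       --project=my-vpn-project --effective
```

The neighbour address 203.0.113.2 is included on purpose: an allow list of `203.0.113.0/24` would let it through, which is why the answer insists on the single /32 rather than the on-premises provider's whole block.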
Author: LeetQuiz Editorial Team
You are setting up an HA VPN connection between your Google Cloud Virtual Private Cloud (VPC) and an on-premises network. The VPN gateway is named VPN_GATEWAY_1. How can you ensure that VPN tunnels in the project only establish connections to your on-premises VPN public IP address 203.0.113.1/32?
A
Configure a firewall rule accepting 203.0.113.1/32, and set a target tag equal to VPN_GATEWAY_1.
B
Configure the Resource Manager constraint constraints/compute.restrictVpnPeerIPs to use an allowList consisting of only the 203.0.113.1/32 address.
C
Configure a Google Cloud Armor security policy, and create a policy rule to allow 203.0.113.1/32.
D
Configure an access control list on the peer VPN gateway to deny all traffic except 203.0.113.1/32, and attach it to the primary external interface.