Google Professional Cloud Network Engineer



You are setting up an HA VPN connection between your Google Cloud Virtual Private Cloud (VPC) and an on-premises network. The VPN gateway is named VPN_GATEWAY_1. How can you ensure that VPN tunnels in the project only establish connections to your on-premises VPN public IP address 203.0.113.1/32?




Explanation:

The correct approach is the Organization Policy list constraint constraints/compute.restrictVpnPeerIPs. Set it on the project with an allowed-values list that contains only the on-premises peer address (203.0.113.1; the /32 in the question denotes that single host). A list constraint with allowed values denies every other value, so a tunnel whose peer gateway address is not in the list is rejected when it is created (for HA VPN the peer address is carried by the external VPN gateway resource that the tunnel references). Two points a practitioner should check: the policy is attached to the project, a folder or the organization and inherited downward, not to VPN_GATEWAY_1 itself, which has no such setting; and the constraint is enforced when a peer address is configured, so tunnels that already existed before the policy was set are not torn down and must be audited separately. VPC firewall rules (A) filter traffic to and from VM interfaces and never decide which peer a tunnel may be built to. Google Cloud Armor (C) protects applications behind Google Cloud load balancers and is unrelated to Cloud VPN. An ACL on the peer gateway (D) is an on-premises control outside Google Cloud's enforcement: it can drop IKE traffic from unexpected addresses, but it cannot stop someone with permissions in the project from creating a tunnel to a different peer, which is exactly what the question asks to prevent.
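As an added example (not part of the original question page), the script below builds the project-level policy for constraints/compute.restrictVpnPeerIPs in the resource shape that `gcloud org-policies set-policy POLICY_FILE` consumes, converts the question's 203.0.113.1/32 into the constraint's `is:<address>` value form, and emulates the allow-list decision Google Cloud makes when a peer address is configured. The project ID `example-project` and the output file name are placeholders I chose; the policy is only written to disk, and the `gcloud` command is printed rather than run.

```python
"""
Added example, not code from the original page or from Google.
Builds the Organization Policy that restricts Cloud VPN peer IPs to one
on-premises address and emulates the resulting allow/deny decision.

Assumptions (not stated on the page): the project ID "example-project"
and the output file name are placeholders; values use the "is:<address>"
prefix form of the list constraint.
"""
import ipaddress
import json

CONSTRAINT = "compute.restrictVpnPeerIPs"
PROJECT_ID = "example-project"  # placeholder, assumed


def peer_value(cidr_or_ip):
    """Turn '203.0.113.1/32' (the question's notation) into the 'is:' value.

    Only single host addresses are accepted: one entry per peer, never a
    range, so a typo such as /24 cannot silently widen the allow-list.
    """
    net = ipaddress.ip_network(cidr_or_ip, strict=True)
    if net.num_addresses != 1:
        raise ValueError(
            f"{cidr_or_ip} is a range; list each peer address individually")
    return f"is:{net.network_address}"


def build_policy(project_id, peers):
    """Policy resource for `gcloud org-policies set-policy FILE` (JSON or YAML).

    A list constraint with allowedValues denies every value not listed,
    which is what makes the on-premises peer the only permitted one.
    """
    return {
        "name": f"projects/{project_id}/policies/{CONSTRAINT}",
        "spec": {
            "rules": [
                {"values": {"allowedValues": [peer_value(p) for p in peers]}}
            ]
        },
    }


def allowed_peers(policy):
    """Set of bare addresses permitted by the policy's allowedValues."""
    out = set()
    for rule in policy["spec"]["rules"]:
        for value in rule.get("values", {}).get("allowedValues", []):
            out.add(value[3:] if value.startswith("is:") else value)
    return out


def peer_ip_permitted(policy, candidate_ip):
    """Emulate enforcement: the address configured as a tunnel's peer must be
    in the allow-list, otherwise the create call is rejected."""
    return str(ipaddress.ip_address(candidate_ip)) in allowed_peers(policy)


if __name__ == "__main__":
    policy = build_policy(PROJECT_ID, ["203.0.113.1/32"])
    out_file = "restrict-vpn-peer-ips.json"  # placeholder name
    with open(out_file, "w") as fh:
        json.dump(policy, fh, indent=2)
    print(f"apply with: gcloud org-policies set-policy {out_file}")
    # Constructed candidates: the real peer and an unrelated documentation address.
    for ip in ("203.0.113.1", "198.51.100.7"):
        print(ip, "permitted" if peer_ip_permitted(policy, ip) else "rejected")
```

After applying the file, `gcloud org-policies describe compute.restrictVpnPeerIPs --project=PROJECT_ID` shows the effective policy; the emulation here only mirrors the allow-list logic, the real check is performed by Google Cloud at resource creation.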