Google Professional Cloud Network Engineer


Your company has established a Cloud VPN tunnel between your on-premises data center and Google Cloud VPC. You must configure access to the Cloud Functions API for on-premises servers while adhering to these requirements:

• Data must remain within its originating project and not be exfiltrated to other projects.
• Traffic from on-premises servers with RFC 1918 addresses must access Google Cloud APIs without traversing the public internet.
• DNS resolution must be handled exclusively on-premises.
• The solution must only permit access to APIs supported by VPC Service Controls.

What is the correct configuration approach?


Explanation:

The question requires configuring access to Google Cloud APIs via a Cloud VPN tunnel while meeting specific requirements. The key points are:

  1. VPC Service Controls compatibility: This necessitates using restricted.googleapis.com (199.36.153.4/30) instead of private.googleapis.com, as Restricted Google Access aligns with service perimeters.
  2. Traffic routing via VPN: On-premises routers must route traffic for the restricted IP range through the VPN tunnel, avoiding the public internet.
  3. DNS resolution on-premises: Creating an A record for restricted.googleapis.com and a CNAME for *.googleapis.com ensures DNS is resolved locally.
  4. Firewall configuration: On-premises firewalls must allow traffic to the restricted IP range (step 4 in Option B).

Option C incorrectly removes the VPC's internet gateway, which is unnecessary because the restricted IP range's route via Private Google Access takes precedence over the default internet gateway. Option B correctly configures on-premises firewalls to permit traffic to the restricted endpoints, ensuring connectivity without altering the VPC's internet gateway.
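
The DNS and routing points in the explanation can be checked together. The following is an added example, not part of the original question or of any Google tooling: it resolves a `*.googleapis.com` name against the on-premises records, confirms every answer falls inside 199.36.153.4/30, and confirms the longest-prefix route for that address is the VPN tunnel. The zone records, route table and next-hop labels are constructed sample data, and wildcard matching is simplified to a single label.

```python
import ipaddress

RESTRICTED_VIP = ipaddress.ip_network("199.36.153.4/30")  # range stated in the explanation

# Constructed on-premises DNS records (sample data, not from the page).
ZONE = {
    "restricted.googleapis.com": ("A", ["199.36.153.4", "199.36.153.5",
                                        "199.36.153.6", "199.36.153.7"]),
    "*.googleapis.com": ("CNAME", ["restricted.googleapis.com"]),
}
# Constructed on-premises route table: (prefix, hypothetical next-hop label).
ROUTES = [("0.0.0.0/0", "internet-edge"), ("199.36.153.4/30", "vpn-tunnel")]


def resolve(name, zone, depth=0):
    """Resolve against the local zone, following CNAMEs and one-label wildcards."""
    if depth > 8:
        raise ValueError("CNAME chain too long")
    rec = zone.get(name)
    if rec is None and "." in name:
        rec = zone.get("*." + name.split(".", 1)[1])
    if rec is None:
        return []
    rtype, values = rec
    if rtype == "A":
        return [ipaddress.ip_address(v) for v in values]
    return [ip for target in values for ip in resolve(target, zone, depth + 1)]


def next_hop(ip, routes):
    """Longest-prefix match over the route table; None if nothing matches."""
    nets = [(ipaddress.ip_network(p), hop) for p, hop in routes]
    matches = [(n, hop) for n, hop in nets if ip in n]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None


def check(name, zone, routes, tunnel="vpn-tunnel"):
    """Return a list of problems; an empty list means the name meets both requirements."""
    ips = resolve(name, zone)
    if not ips:
        return [f"{name}: no on-premises answer"]
    problems = []
    for ip in ips:
        if ip not in RESTRICTED_VIP:
            problems.append(f"{name}: {ip} is outside {RESTRICTED_VIP}")
        elif next_hop(ip, routes) != tunnel:
            problems.append(f"{name}: {ip} routed via {next_hop(ip, routes)}")
    return problems
```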
