
Answer-first summary for fast verification
Answer:
1. Create an A record for restricted.googleapis.com using the 199.36.153.4/30 address range.
2. Create a CNAME record for *.googleapis.com that points to the A record.
3. Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the addresses you used in the A record.
4. Configure your on-premises firewalls to allow traffic to the restricted.googleapis.com addresses.
The question requires configuring access to Google Cloud APIs via a Cloud VPN tunnel while meeting specific requirements. The key points are:

1. **VPC Service Controls compatibility**: This necessitates using `restricted.googleapis.com` (199.36.153.4/30) instead of `private.googleapis.com`, as Restricted Google Access aligns with service perimeters.
2. **Traffic routing via VPN**: On-premises routers must route traffic for the restricted IP range through the VPN tunnel, avoiding the public internet.
3. **DNS resolution on-premises**: Creating an A record for `restricted.googleapis.com` and a CNAME for `*.googleapis.com` ensures DNS is resolved locally.
4. **Firewall configuration**: On-premises firewalls must allow traffic to the restricted IP range (step 4 in Option B).

Option C incorrectly removes the VPC's internet gateway, which is unnecessary because the restricted IP range's route via Private Google Access takes precedence over the default internet gateway. Option B correctly configures on-premises firewalls to permit traffic to the restricted endpoints, ensuring connectivity without altering the VPC's internet gateway.
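
An added example, not part of the original page: a Python check that an on-premises DNS zone and routing table satisfy steps 1 to 3 of the answer. The zone contents, the route tables and the labels `vpn-tunnel` and `internet-edge` are constructed for illustration.

```python
import ipaddress

RESTRICTED = ipaddress.ip_network("199.36.153.4/30")  # range from the answer

def resolve(zone, name, hops=0):
    """Return A-record addresses for name, following CNAMEs and a wildcard."""
    if hops > 8:
        raise ValueError("CNAME loop at " + name)
    rec = zone.get(name)
    if rec is None and "." in name:  # wildcard applies only without an exact record
        rec = zone.get("*." + name.split(".", 1)[1])
    if rec is None:
        return []
    rtype, values = rec
    return resolve(zone, values[0], hops + 1) if rtype == "CNAME" else values

def next_hop(routes, addr):
    """Longest-prefix match over (cidr, next_hop) pairs, as a router would do."""
    ip = ipaddress.ip_address(addr)
    nets = [(ipaddress.ip_network(c), h) for c, h in routes]
    hits = [(n, h) for n, h in nets if ip in n]
    return max(hits, key=lambda x: x[0].prefixlen)[1] if hits else None

def audit(zone, routes, hostnames, tunnel="vpn-tunnel"):
    """List every finding that would break the requirements in the question."""
    problems = []
    for host in hostnames:
        addrs = resolve(zone, host)
        if not addrs:
            problems.append(f"{host}: no on-premises answer")
        for a in addrs:
            if ipaddress.ip_address(a) not in RESTRICTED:
                problems.append(f"{host}: {a} is outside {RESTRICTED}")
            elif next_hop(routes, a) != tunnel:
                problems.append(f"{host}: {a} is not routed via {tunnel}")
    return problems

# Constructed sample data; "vpn-tunnel" and "internet-edge" are hypothetical labels.
GOOD_ZONE = {
    "restricted.googleapis.com": ("A", [str(h) for h in RESTRICTED]),
    "*.googleapis.com": ("CNAME", ["restricted.googleapis.com"]),
}
GOOD_ROUTES = [("0.0.0.0/0", "internet-edge"), ("199.36.153.4/30", "vpn-tunnel")]
# Constructed misconfiguration: the wildcard leads to an address outside the /30.
BAD_ZONE = {
    "*.googleapis.com": ("CNAME", ["other.example.internal"]),
    "other.example.internal": ("A", ["199.36.153.8"]),
}
```

Calling `audit(GOOD_ZONE, GOOD_ROUTES, ["cloudfunctions.googleapis.com"])` returns an empty list; the explicit A record for `restricted.googleapis.com` wins over the wildcard, so the CNAME does not loop back on itself.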
Author: LeetQuiz Editorial Team
Your company has established a Cloud VPN tunnel between your on-premises data center and Google Cloud VPC. You must configure access to the Cloud Functions API for on-premises servers while adhering to these requirements:
• Data must remain within its originating project and not be exfiltrated to other projects.
• Traffic from on-premises servers with RFC 1918 addresses must access Google Cloud APIs without traversing the public internet.
• DNS resolution must be handled exclusively on-premises.
• The solution must only permit access to APIs supported by VPC Service Controls.
What is the correct configuration approach?
A
B
C
D