Google Professional Cloud Network Engineer

Get started today

Ultimate access to all questions.

Explanation:

The question requires configuring access to Google Cloud APIs via a Cloud VPN tunnel while meeting specific requirements. The key points are:

VPC Service Controls compatibility: This necessitates using restricted.googleapis.com (199.36.153.4/30) instead of private.googleapis.com, as Restricted Google Access aligns with service perimeters.
Traffic routing via VPN: On-premises routers must route traffic for the restricted IP range through the VPN tunnel, avoiding the public internet.
DNS resolution on-premises: Creating an A record for restricted.googleapis.com and a CNAME for *.googleapis.com ensures DNS is resolved locally.
Firewall configuration: On-premises firewalls must allow traffic to the restricted IP range (step 4 in Option B).

Option C incorrectly removes the VPC's internet gateway, which is unnecessary because the restricted IP range's route via Private Google Access takes precedence over the default internet gateway. Option B correctly configures on-premises firewalls to permit traffic to the restricted endpoints, ensuring connectivity without altering the VPC's internet gateway.

Explanation:

The question requires configuring access to Google Cloud APIs via a Cloud VPN tunnel while meeting specific requirements. The key points are:

VPC Service Controls compatibility: This necessitates using restricted.googleapis.com (199.36.153.4/30) instead of private.googleapis.com, as Restricted Google Access aligns with service perimeters.
Traffic routing via VPN: On-premises routers must route traffic for the restricted IP range through the VPN tunnel, avoiding the public internet.
DNS resolution on-premises: Creating an A record for restricted.googleapis.com and a CNAME for *.googleapis.com ensures DNS is resolved locally.
Firewall configuration: On-premises firewalls must allow traffic to the restricted IP range (step 4 in Option B).

Comments (0)

No comments yet.

Your company has established a Cloud VPN tunnel between your on-premises data center and Google Cloud VPC. You must configure access to the Cloud Functions API for on-premises servers while adhering to these requirements:

• Data must remain within its originating project and not be exfiltrated to other projects.
• Traffic from on-premises servers with RFC 1918 addresses must access Google Cloud APIs without traversing the public internet.
• DNS resolution must be handled exclusively on-premises.
• The solution must only permit access to APIs supported by VPC Service Controls.

What is the correct configuration approach?

Exam-Like

Last updated: March 28, 2026 at 14:03

Create an A record for private.googleapis.com using the 199.36.153.8/30 address range. 2. Create a CNAME record for *.googleapis.com that points to the A record. 3. Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the addresses you used in the A record. 4. Remove the default internet gateway from the VPC where your Cloud VPN tunnel terminates.

15.0%

Create an A record for restricted.googleapis.com using the 199.36.153.4/30 address range. 2. Create a CNAME record for *.googleapis.com that points to the A record. 3. Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the addresses you used in the A record. 4. Configure your on-premises firewalls to allow traffic to the restricted.googleapis.com addresses.

Create an A record for restricted.googleapis.com using the 199.36.153.4/30 address range. 2. Create a CNAME record for *.googleapis.com that points to the A record. 3. Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the addresses you used in the A record. 4. Remove the default internet gateway from the VPC where your Cloud VPN tunnel terminates.

20.0%

Create an A record for private.googleapis.com using the 199.36.153.8/30 address range. 2. Create a CNAME record for *.googleapis.com that points to the A record. 3. Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the addresses you used in the A record. 4. Configure your on-premises firewalls to allow traffic to the private.googleapis.com addresses.

15.0%