
Answer-first summary for fast verification
Answer: Create a constraints/compute.restrictCloudNATUsage organizational policy constraint. Attach the constraint to a folder that contains the associated projects. Configure the allowedValues to only contain the subnets that should have internet access. Deploy Cloud NAT and select only the allowed subnets.
The correct approach is an organization policy constraint that restricts Cloud NAT usage to specific subnets. Because the constraint is attached at the folder level, every project beneath it inherits the guardrail: if another administrator later configures Cloud NAT for a subnet outside the allowed list, the policy rejects the change instead of relying on each admin to get it right, which matches Google's recommended practice of enforcing guardrails centrally. Option B does this with the `constraints/compute.restrictCloudNATUsage` list constraint, whose allowed values name the subnets (or the projects and folders) permitted to use Cloud NAT. The other options rely on firewall rules or on per-NAT configuration, both of which are easier to misconfigure (for example, an admin adding a higher-priority allow rule, or adding extra subnets to a NAT gateway's source ranges); the Cloud NAT rules in option D are themselves part of that per-project configuration and do not stop anyone from editing them. An organization policy is enforced at a higher level and prevents such unintended changes across all projects in the folder.
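The example below, added here and not part of the original question page or of any Google tooling, builds the folder-level policy for `constraints/compute.restrictCloudNATUsage` in the shape `gcloud org-policies set-policy` reads from a file, and pre-checks a planned Cloud NAT source-subnet list against it so a misconfiguration is caught before deployment. The folder id, project ids, regions and subnet names are constructed placeholders. The value formats (`projects/PROJECT/regions/REGION/subnetworks/SUBNET` and the `under:` hierarchy prefix) are the ones the constraint documents; resolving `under:folders/...` and `under:organizations/...` would need a Resource Manager lookup, so this offline check treats only exact subnet values and `under:projects/...` as matches.

```python
"""Build the restrictCloudNATUsage org policy for a folder and pre-check a
planned Cloud NAT configuration against it (added example, constructed values)."""
import json
from typing import Dict, List

CONSTRAINT = "compute.restrictCloudNATUsage"


def subnet_value(project_id: str, region: str, subnet: str) -> str:
    """Full resource form the constraint expects for a single subnet."""
    return f"projects/{project_id}/regions/{region}/subnetworks/{subnet}"


def build_policy(folder_id: str, allowed: List[str]) -> Dict:
    """Return the policy resource (Organization Policy v2: name + spec.rules).
    Written to a file, it is what `gcloud org-policies set-policy FILE` applies.
    inheritFromParent=False makes this folder's allowed list authoritative."""
    return {
        "name": f"folders/{folder_id}/policies/{CONSTRAINT}",
        "spec": {
            "inheritFromParent": False,
            "rules": [{"values": {"allowedValues": list(allowed)}}],
        },
    }


def is_allowed(subnet: str, allowed: List[str]) -> bool:
    """True if the subnet matches an allowed value exactly or sits under an
    allowed project. Folder/org 'under:' values are not resolvable offline and
    are treated as non-matching (assumption of this example)."""
    for value in allowed:
        if value == subnet:
            return True
        if value.startswith("under:projects/"):
            project_prefix = value[len("under:"):] + "/"  # "projects/<id>/"
            if subnet.startswith(project_prefix):
                return True
    return False


def check_nat_plan(policy: Dict, planned_subnets: List[str]) -> Dict[str, List[str]]:
    """Split a NAT gateway's planned source subnets into those the policy
    permits and those it would reject."""
    allowed = policy["spec"]["rules"][0]["values"]["allowedValues"]
    return {
        "allowed": [s for s in planned_subnets if is_allowed(s, allowed)],
        "blocked": [s for s in planned_subnets if not is_allowed(s, allowed)],
    }


if __name__ == "__main__":
    # Constructed placeholders: folder id, project ids, regions, subnet names.
    folder = "FOLDER_ID_PLACEHOLDER"
    egress_subnets = [
        subnet_value("prod-net-a", "us-central1", "egress"),
        "under:projects/shared-egress-project",
    ]
    policy = build_policy(folder, egress_subnets)
    print(json.dumps(policy, indent=2))  # save as policy.json for gcloud

    # An administrator's planned NAT config that also includes a private subnet.
    planned = [
        subnet_value("prod-net-a", "us-central1", "egress"),
        subnet_value("prod-net-a", "us-central1", "private-db"),
        subnet_value("shared-egress-project", "europe-west1", "egress"),
    ]
    result = check_nat_plan(policy, planned)
    for s in result["blocked"]:
        print(f"policy would reject Cloud NAT on {s}")
```

Running the script prints the policy document and flags `private-db` as a subnet the constraint would reject, which is exactly the unintended change the folder-level policy exists to block.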
Author: LeetQuiz Editorial Team
You have multiple VMs distributed across several VPCs in your cloud environment that need outbound internet access. Due to security policies, these VMs cannot have public IP addresses, so you intend to use Cloud NAT for internet connectivity. Each VPC contains multiple subnets per region, and you want to restrict internet access through Cloud NAT to only designated subnets. How should you configure this while preventing unintended misconfigurations by other administrators and adhering to Google-recommended practices?
A
Create a firewall rule in each VPC at priority 500 that targets all instances in the network and denies egress to the internet, 0.0.0.0/0. Create a firewall rule at priority 300 that targets all instances in the network, has a source filter that maps to the allowed subnets, and allows egress to the internet, 0.0.0.0/0. Deploy Cloud NAT, and configure all primary and secondary subnet source ranges.
B
Create a constraints/compute.restrictCloudNATUsage organizational policy constraint. Attach the constraint to a folder that contains the associated projects. Configure the allowedValues to only contain the subnets that should have internet access. Deploy Cloud NAT and select only the allowed subnets.
C
Create a firewall rule in each VPC at priority 500 that targets all instances in the network and denies egress to the internet, 0.0.0.0/0. Create a firewall rule at priority 300 that targets all instances in the network, has a source filter that maps to the allowed subnets, and allows egress to the internet, 0.0.0.0/0. Deploy Cloud NAT, and configure a custom source range that includes the allowed subnets.
D
Deploy Cloud NAT in each VPC, and configure a custom source range that includes the allowed subnets. Configure Cloud NAT rules to only permit the allowed subnets to egress through Cloud NAT.