
You have multiple VMs distributed across several VPCs in your cloud environment that need outbound internet access. Due to security policies, these VMs cannot have public IP addresses, so you intend to use Cloud NAT for internet connectivity. Each VPC contains multiple subnets per region, and you want to restrict internet access through Cloud NAT to only designated subnets. How should you configure this while preventing unintended misconfigurations by other administrators and adhering to Google-recommended practices?
A
Create a firewall rule in each VPC at priority 500 that targets all instances in the network and denies egress to the internet, 0.0.0.0/0. Create a firewall rule at priority 300 that targets all instances in the network, has a source filter that maps to the allowed subnets, and allows egress to the internet, 0.0.0.0/0. Deploy Cloud NAT, and configure all primary and secondary subnet source ranges.
B
Create a constraints/compute.restrictCloudNATUsage organizational policy constraint. Attach the constraint to a folder that contains the associated projects. Configure the allowedValues to only contain the subnets that should have internet access. Deploy Cloud NAT and select only the allowed subnets.
C
Create a firewall rule in each VPC at priority 500 that targets all instances in the network and denies egress to the internet, 0.0.0.0/0. Create a firewall rule at priority 300 that targets all instances in the network, has a source filter that maps to the allowed subnets, and allows egress to the internet, 0.0.0.0/0. Deploy Cloud NAT, and configure a custom source range that includes the allowed subnets.
D
Deploy Cloud NAT in each VPC, and configure a custom source range that includes the allowed subnets. Configure Cloud NAT rules to only permit the allowed subnets to egress through Cloud NAT.