Google Associate Cloud Engineer

Get started today

Ultimate access to all questions.

Quick Answer

Answer-first summary for fast verification

Answer: 1. Map *.googleapis.com to restricted.googleapis.com in the on-premises DNS configuration, resolving to 199.36.153.4/30. 2. Use Cloud Router to advertise the 199.36.153.4/30 IP range via the Cloud VPN tunnel. 3. Direct traffic destined for 199.36.153.4/30 to the default internet gateway by adding a custom static route to the VPC network. 4. Establish a Cloud DNS managed private zone for *.googleapis.com pointing to 199.36.153.4/30 and authorize it for the VPC network.

To ensure secure and private access to Google APIs within a service perimeter, requests should be directed to restricted.googleapis.com, which resolves to the VIP range 199.36.153.4/30. This range is not publicly announced, enhancing security. The correct approach involves: 1. Mapping *.googleapis.com to restricted.googleapis.com in the on-premises DNS. 2. Advertising the 199.36.153.4/30 range through the Cloud VPN tunnel using Cloud Router. 3. Adding a static route in the VPC network to direct traffic to the default internet gateway for egress to restricted.googleapis.com. 4. Creating a Cloud DNS managed private zone for *.googleapis.com to map to 199.36.153.4/30, authorized for the VPC network. This method leverages VPC Service Controls for enhanced security and mitigates data exfiltration risks. For more details, refer to Google's documentation on setting up private connectivity and private access options.

Author: LeetQuiz Editorial Team

Quick Answer

Answer-first summary for fast verification

Author: LeetQuiz Editorial Team

Comments (0)

No comments yet.

Your company has transitioned most of its data center VMs to Google Compute Engine, leaving a few legacy applications in the data center to be decommissioned soon. A sudden change in the business model requires one of these legacy applications to access files from Google Cloud Storage. However, the data center lacks internet access, and the company prefers not to invest in setting it up due to the imminent shutdown. With a partner interconnect to GCP already in place, how would you route traffic from your data center to Google Storage through this interconnect?

Real Exam

Map storage.cloud.google.com to restricted.googleapis.com in the on-premises DNS configuration, resolving to 199.36.153.4/30.
Use Cloud Router to advertise the 199.36.153.4/30 IP range via the Cloud VPN tunnel.
Direct traffic destined for 199.36.153.4/30 to the default internet gateway by adding a custom static route to the VPC network.
Establish a Cloud DNS managed private zone for storage.cloud.google.com pointing to 199.36.153.4/30 and authorize it for the VPC network.

25.8%

Map storage.cloud.google.com to restricted.googleapis.com in the on-premises DNS configuration, resolving to 199.36.153.4/30.
Use Cloud Router to advertise the 199.36.153.4/30 IP range via the Cloud VPN tunnel.
Create a Cloud DNS managed public zone for storage.cloud.google.com pointing to 199.36.153.4/30 and authorize it for the VPC network.

19.4%

Map *.googleapis.com to restricted.googleapis.com in the on-premises DNS configuration, resolving to 199.36.153.4/30.
Use Cloud Router to advertise the 199.36.153.4/30 IP range via the Cloud VPN tunnel.
Direct traffic destined for 199.36.153.4/30 to the default internet gateway by adding a custom static route to the VPC network.
Establish a Cloud DNS managed private zone for *.googleapis.com pointing to 199.36.153.4/30 and authorize it for the VPC network.

41.9%