Google Associate Cloud Engineer



Your company has transitioned most of its data center VMs to Google Compute Engine, leaving a few legacy applications in the data center to be decommissioned soon. A sudden change in the business model requires one of these legacy applications to access files from Google Cloud Storage. However, the data center lacks internet access, and the company prefers not to invest in setting it up due to the imminent shutdown. With a partner interconnect to GCP already in place, how would you route traffic from your data center to Google Storage through this interconnect?




Explanation:

To ensure secure and private access to Google APIs within a service perimeter, requests should be directed to restricted.googleapis.com, which resolves to the VIP range 199.36.153.4/30. This range is not publicly announced, enhancing security. The correct approach involves:

  1. Mapping *.googleapis.com to restricted.googleapis.com in the on-premises DNS.
  2. Advertising the 199.36.153.4/30 range through the Cloud VPN tunnel using Cloud Router.
  3. Adding a static route in the VPC network to direct traffic to the default internet gateway for egress to restricted.googleapis.com.
  4. Creating a Cloud DNS managed private zone for *.googleapis.com to map to 199.36.153.4/30, authorized for the VPC network.

This method leverages VPC Service Controls for enhanced security and mitigates data exfiltration risks. For more details, refer to Google's documentation on setting up private connectivity and private access options.
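
An added example, not part of the original explanation: a Python check that a DNS mapping like the one in steps 1 and 4 sends every googleapis.com name into the restricted VIP range 199.36.153.4/30. The zone data, the function names and the out-of-range test address are constructed for illustration.

```python
import ipaddress

# VIP range for restricted.googleapis.com, as stated in the explanation above.
RESTRICTED_VIP = ipaddress.ip_network("199.36.153.4/30")

# Constructed zone data (assumption): wildcard CNAME plus the four A records in the /30.
ZONE = {
    "*.googleapis.com": ("CNAME", ["restricted.googleapis.com"]),
    "restricted.googleapis.com": ("A", ["199.36.153.4", "199.36.153.5",
                                        "199.36.153.6", "199.36.153.7"]),
}

def lookup(zone, name):
    """Return the record for name: exact match first, then the closest wildcard."""
    name = name.rstrip(".").lower()
    if name in zone:
        return zone[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in zone:
            return zone[wildcard]
    return None

def resolve(zone, name, max_hops=8):
    """Follow CNAMEs to A records; return [] if unresolved or the chain loops."""
    for _ in range(max_hops):
        record = lookup(zone, name)
        if record is None:
            return []
        rtype, values = record
        if rtype == "A":
            return values
        name = values[0]  # CNAME target, resolved on the next pass
    return []

def check_hosts(zone, hosts):
    """Classify each host as 'ok', 'unresolved' or 'outside-vip'."""
    result = {}
    for host in hosts:
        addrs = resolve(zone, host)
        if not addrs:
            result[host] = "unresolved"
        elif all(ipaddress.ip_address(a) in RESTRICTED_VIP for a in addrs):
            result[host] = "ok"
        else:
            result[host] = "outside-vip"  # would need a path the data center lacks
    return result

if __name__ == "__main__":
    print(check_hosts(ZONE, ["storage.googleapis.com", "example.com"]))
```

An exact record that overrides the wildcard with an address outside the /30 is reported as `outside-vip`, which is the misconfiguration that would leave the legacy application unable to reach Cloud Storage over the interconnect.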