
Answer-first summary for fast verification
Answer: Enable Private Google Access on the subnet within the custom VPC.
Option B is correct because Private Google Access is a per-subnet setting: once it is enabled on the subnet in the custom VPC, VM instances that have only internal IP addresses can reach Google APIs and services, including Cloud Storage (storage.googleapis.com), without an external IP address, a NAT gateway, or general internet access. The application on the Compute Engine VMs can therefore read the file in the project's Cloud Storage bucket while staying within the security mandate. Two practical caveats: Private Google Access only provides reachability, so the VM's service account still needs an IAM role on the bucket (for example roles/storage.objectViewer); and the subnet's routes and egress firewall rules must allow traffic to the Google API IP ranges (the default route to the default internet gateway suffices; if that route is removed, add a route for the private.googleapis.com or restricted.googleapis.com ranges). Option A is incorrect because a Cloud Storage bucket has no dedicated IP address to route to, and Cloud NAT exists precisely to give VMs without external IPs outbound internet access, which the security team has prohibited. Option C is incorrect because Private Service Access is VPC Network Peering to a service producer's network for managed services such as Cloud SQL and Memorystore; it is not a setting on a Cloud Storage bucket and does not make Cloud Storage reachable from the subnet. Option D is incorrect because a VPC Service Controls perimeter with storage.googleapis.com as a restricted service limits which identities and networks may call the Storage API and guards against data exfiltration, but it provides no network path; the VMs would still need Private Google Access (typically through restricted.googleapis.com) to reach the API at all.
Author: LeetQuiz Editorial Team
Your company is developing an internal portal on Google Cloud Platform using a custom VPC. The security team has imposed strict requirements: VMs must not have internet access and should only use private IP addresses. However, your application needs to access files stored in Google Cloud Storage within your project. How can you facilitate this access without violating the security mandates?
A. Route the traffic to the dedicated IP address of the Cloud Storage bucket by deploying a Cloud NAT instance.
B. Enable Private Google Access on the subnet within the custom VPC.
C. Enable Private Service Access on the Cloud Storage Bucket.
D. Create a VPC Service Control perimeter and add storage.googleapis.com to the list of restricted services and add your project to the list of protected projects.