
Answer-first summary for fast verification
Answer: B (Provision a Cloud NAT instance in the same VPC and region as the Compute Engine VM.) and C (Enable Private Google Access on the subnet that the Compute Engine VM is deployed within.)
The question asks how to restore connectivity for VMs without external IP addresses while still complying with the organizational policy constraint. The Packer build process requires two types of external access: (1) access to Google Cloud services (Cloud Storage for the binary copy) and (2) access to the internet (for package manager updates and external package installations). Option B (Cloud NAT) provides outbound internet access for VMs without public IPs by letting them use NAT for external connectivity. Option C (Private Google Access) lets VMs reach Google APIs and services (such as Cloud Storage) through private IP addresses without requiring internet access. Options A, D, and E are unsuitable: A exposes VMs to inbound internet traffic (contradicting the policy), D would allow direct internet routing (violating the constraint), and E (Cloud VPN) is for connecting networks, not for providing general internet or Google API access.
Author: LeetQuiz Editorial Team
Your DevOps team uses Packer to create Compute Engine images with the following process:
Your security team has enabled the organizational policy constraint constraints/compute.vmExternalIpAccess, which restricts the use of external IP addresses on VMs. Your DevOps team has updated their scripts to not assign external IP addresses to the Compute Engine VMs, but the build pipeline is now failing due to connectivity issues.
What should you do? (Choose two.)
A. Provision an HTTP load balancer with the VM in an unmanaged instance group to allow inbound connections from the internet to your VM.
B. Provision a Cloud NAT instance in the same VPC and region as the Compute Engine VM.
C. Enable Private Google Access on the subnet that the Compute Engine VM is deployed within.
D. Update the VPC routes to allow traffic to and from the internet.
E. Provision a Cloud VPN tunnel in the same VPC and region as the Compute Engine VM.
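A pre-flight check for the two settings named in options B and C, as an added example that is not part of the original question: it reads subnet and Cloud Router descriptions in the JSON shape that gcloud emits and reports which egress path a build VM without an external IP is still missing. The project, VPC, subnet, router and NAT names, the shortened resource URLs and the sample JSON are constructed for illustration.

```python
import json

# Constructed sample, trimmed from the shape of
# `gcloud compute networks subnets describe SUBNET --region=REGION --format=json`.
SUBNET = json.loads("""{
  "name": "packer-subnet",
  "region": "projects/example-project/regions/us-central1",
  "network": "projects/example-project/global/networks/build-vpc",
  "privateIpGoogleAccess": false
}""")

# Constructed sample, trimmed from the shape of `gcloud compute routers list --format=json`.
ROUTERS = json.loads("""[{
  "name": "build-router",
  "region": "projects/example-project/regions/us-central1",
  "network": "projects/example-project/global/networks/build-vpc",
  "nats": [{"name": "build-nat",
            "sourceSubnetworkIpRangesToNat": "LIST_OF_SUBNETWORKS",
            "subnetworks": [{"name": "projects/example-project/regions/us-central1/subnetworks/other-subnet"}]}]
}]""")

ALL_SUBNETS = {"ALL_SUBNETWORKS_ALL_IP_RANGES", "ALL_SUBNETWORKS_ALL_PRIMARY_IP_RANGES"}

def leaf(resource_url):
    """Last path segment of a resource URL, e.g. the region or network name."""
    return resource_url.rsplit("/", 1)[-1]

def nat_covers(subnet, routers):
    """True if a Cloud NAT gateway in the subnet's VPC and region serves this subnet."""
    for router in routers:
        if (leaf(router["network"]), leaf(router["region"])) != (leaf(subnet["network"]), leaf(subnet["region"])):
            continue  # Cloud NAT only serves subnets in its own VPC and region
        for nat in router.get("nats", []):
            mode = nat.get("sourceSubnetworkIpRangesToNat")
            listed = {leaf(s["name"]) for s in nat.get("subnetworks", [])}
            if mode in ALL_SUBNETS or (mode == "LIST_OF_SUBNETWORKS" and subnet["name"] in listed):
                return True
    return False

def egress_gaps(subnet, routers):
    """Return the missing egress paths for a build VM that has no external IP."""
    gaps = []
    if not subnet.get("privateIpGoogleAccess", False):
        gaps.append("private-google-access")  # needed for the Cloud Storage copy
    if not nat_covers(subnet, routers):
        gaps.append("cloud-nat")  # needed for package manager and external downloads
    return gaps

if __name__ == "__main__":
    print(egress_gaps(SUBNET, ROUTERS))
```

The name comparison assumes the subnet and the routers belong to the same project, since only the last URL segment is compared.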