Google Professional Data Engineer

Get started today

Ultimate access to all questions.

Deep dive into the quiz with AI chat providers.

We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.

NO.16

You are developing an Apache Beam pipeline to extract data from a Cloud SQL instance by using JdbcIO. You have two projects running in Google Cloud. The pipeline will be deployed and executed on Dataflow in Project A. The Cloud SQL instance is running in Project B and does not have a public IP address. After deploying the pipeline, you noticed that the pipeline failed to extract data from the Cloud SQL instance due to connection failure. You verified that VPC Service Controls and shared VPC are not in use in these projects. You want to resolve this error while ensuring that the data does not go through the public internet. What should you do?

Real Exam

Community

LLeetQuiz

Set up VPC Network Peering between Project A and Project B. Add a firewall rule to allow the peered subnet range to access all instances on the network.

Turn off the external IP addresses on the Dataflow worker. Enable Cloud NAT in Project A.

Set up VPC Network Peering between Project A and Project B. Create a Compute Engine instance without external IP address in Project B on the peered subnet to serve as a proxy server to the Cloud SQL database.

Add the external IP addresses of the Dataflow worker as authorized networks in the Cloud SQL instance.

Explanation:

Explanation

Option C is correct because it provides a secure, private connectivity solution without exposing data to the public internet:

VPC Network Peering establishes direct network connectivity between Project A and Project B
Compute Engine instance without external IP in Project B acts as a proxy server within the peered subnet
Private connectivity is maintained throughout the data flow
Cloud SQL Auth proxy can be installed on the proxy server to facilitate secure database connections

Why other options are incorrect:

Option A: VPC Network Peering alone doesn't enable connectivity to Cloud SQL instances with private IP addresses. You need additional configuration like private services access and proper subnet allocation.
Option B: Cloud NAT doesn't support connectivity to Cloud SQL instances with private IP addresses. Cloud NAT only provides outbound connectivity for resources without public IPs, but doesn't solve the private Cloud SQL connectivity issue.
Option D: Adding external IPs as authorized networks would expose the Cloud SQL instance to the public internet, violating the security requirement. This approach also doesn't work for Cloud SQL instances with private IP addresses.

This solution maintains data privacy while enabling the Dataflow pipeline in Project A to securely access the Cloud SQL instance in Project B through the proxy server over the peered network.

Powered ByGPT-5.2

Comments

Loading comments...