Google Exam Professional Cloud Network Engineer Topic 3 Question 102 Discussion

Actual exam question for Google's Professional Cloud Network Engineer exam

Question #: 102
Topic #: 3

[All Professional Cloud Network Engineer Questions]

You have several VMs across multiple VPCs in your cloud environment that require access to internet endpoints. These VMs cannot have public IP addresses due to security policies, so you plan to use Cloud NAT to provide outbound internet access. Within your VPCs, you have several subnets in each region. You want to ensure that only specific subnets have access to the internet through Cloud NAT. You want to avoid any unintentional configuration issues caused by other administrators and align to Google-recommended practices. What should you do?

ADeploy Cloud NAT in each VPC and configure a custom source range that includes the allowed subnets. Configure Cloud NAT rules to only permit the allowed subnets to egress through Cloud NAT.

BCreate a firewall rule in each VPC at priority 500 that targets all instances in the network and denies egress to the internet (0.0.0.0/0). Create a firewall rule at priority 300 that targets all instances in the network, has a source filter that maps to the allowed subnets, and allows egress to the internet (0.0.0.0/0). Deploy Cloud NAT and configure all primary and secondary subnet source ranges.

CCreate a firewall rule in each VPC at priority 500 that targets all instances in the network and denies egress to the internet (0.0.0.0/0). Create a firewall rule at priority 300 that targets all instances in the network, has a source filter that maps to the allowed subnets, and allows egress to the internet (0.0.0.0/0). Deploy Cloud NAT and configure a custom source range that includes the allowed subnets.

DCreate a constraints/compute.restrictCloudNATUsage organizational policy constraint. Attach the constraint to a folder that contains the associated projects. Configure the allowedValues to only contain the subnets that should have internet access. Deploy Cloud NAT and select only the allowed subnets.

Show Suggested Answer

Suggested Answer: D

Using an organizational policy with the restrictCloudNATUsage constraint allows you to limit Cloud NAT usage to specific subnets, ensuring that only the necessary subnets can access the internet. This method aligns with Google-recommended practices for controlling Cloud NAT configurations across multiple VPCs and regions.

by Kirk at Feb 08, 2025, 02:29 PM

Limited Time Offer

25%

19 days ago

Option C looks good to me. Keeping the firewall rules simple and leveraging Cloud NAT's custom source range seems like the way to go.

upvoted 0 times

...