Google Exam Professional Cloud Network Engineer Topic 3 Question 83 Discussion

Actual exam question for Google's Professional Cloud Network Engineer exam

Question #: 83
Topic #: 3

[All Professional Cloud Network Engineer Questions]

Your company's current network architecture has three VPC Service Controls perimeters:

One perimeter (PERIMETER_PROD) to protect production storage buckets

One perimeter (PERIMETER_NONPROD) to protect non-production storage buckets

One perimeter (PERIMETER_VPC) that contains a single VPC (VPC_ONE)

In this single VPC (VPC_ONE), the IP_RANGE_PROD is dedicated to the subnets of the production workloads, and the IP_RANGE_NONPROD is dedicated to subnets of non-production workloads. Workloads cannot be created outside those two ranges. You need to ensure that production workloads can access only production storage buckets and non-production workloads can access only non-production storage buckets with minimal setup effort. What should you do?

ADevelop a design that uses the IP_RANGE_PROD and IP_RANGE_NONPROD perimeters to create two access levels, with each access level referencing a single range. Create two ingress access policies with each access policy referencing one of the two access levels. Update the PERIMETER_PROD and PERIMETER_NONPROD perimeters.

BDevelop a design that removes the PERIMETER_VPC perimeter. Update the PERIMETER_NONPROD perimeter to include the project containing VPC_ONE. Remove the PERIMETER_PROD perimeter.

CDevelop a design that creates a new VPC (VPC_NONPROD) in the same project as VPC_ONE. Migrate all the non-production workloads from VPC_ONE to the PERIMETER_NONPROD perimeter. Remove the PERIMETER_VPC perimeter. Update the PERIMETER_PROD perimeter to include VPC_ONE and the PERIMETER_NONPROD perimeter to include VPC_NONPROD.

DDevelop a design that removes the PERIMETER_VPC perimeter. Update the PERIMETER_PROD perimeter to include the project containing VPC_ONE. Remove the PERIMETER_NONPROD perimeter.

Show Suggested Answer

Suggested Answer: D

The correct answer is D because it meets the following requirements:

It matches the hub-and-spoke model of the on-premises network, where each spoke is a separate VPC network that is connected to a central hub VPC network.

It minimizes management overhead and cost, because VPC Network Peering is a simple and low-cost way to connect VPC networks without using any external IP addresses or VPN gateways1.

It uses default networking quotas and limits, because VPC Network Peering does not consume any quota or limit for VPN tunnels, external IP addresses, or forwarding rules2.

It prevents connectivity between the spokes, because VPC Network Peering is non-transitive by default, meaning that a spoke can only communicate with the hub, not with other spokes1.To enforce this restriction, a third-party network appliance can be used as a default gateway in each spoke VPC network, which can filter out any traffic destined for other spokes3.

Option A is incorrect because it does not minimize cost, as Cloud VPN charges for egress traffic and requires external IP addresses for the VPN gateways4.Option B is incorrect because it does not prevent connectivity between the spokes, as VPC Network Peering allows direct communication between peered VPC networks by default1. Option C is incorrect because it does not minimize cost or use default quotas and limits, for the same reasons as option A.

VPC Network Peering overview | VPC

Quotas and limits | VPC

Hub-and-spoke network architecture | Cloud Architecture Center

Cloud VPN overview | Google Cloud

by Deeanna at May 22, 2024, 07:45 AM

Limited Time Offer

25%

Off

Get Premium Professional Cloud Network Engineer Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Rosina

2 months ago

I'm leaning towards Option A as well. It's the simplest solution and should do the job without any unnecessary complexity. Though, I do wonder if the VPC police will show up and fine us for not using the latest buzzwords.

upvoted 0 times

Brock

14 days ago

User 3: Yeah, Option A seems like the best option for ensuring access levels and minimal setup effort.

upvoted 0 times

...

Rebecka

24 days ago

User 2: I agree, Option A sounds like the simplest and most effective choice.

upvoted 0 times

...

Jerlene

1 months ago

User 1: I think Option A is the way to go. It seems like the most straightforward solution.

upvoted 0 times

...

Hyman

2 months ago

Hmm, creating a new VPC just for non-production workloads seems like overkill. Why not just keep everything in VPC_ONE and use the access levels instead?

upvoted 0 times

Elise

18 days ago

A) Exactly, it would streamline the setup and management process while still ensuring the necessary security measures are in place.

upvoted 0 times

...

Marti

1 months ago

B) Hmm, that does seem like a simpler solution. It would keep everything in one VPC and still provide the necessary access restrictions.

upvoted 0 times

...

Gabriele

1 months ago

A) Develop a design that uses the IP_RANGE_PROD and IP_RANGE_NONPROD perimeters to create two access levels, with each access level referencing a single range. Create two ingress access policies with each access policy referencing one of the two access levels. Update the PERIMETER_PROD and PERIMETER_NONPROD perimeters.

upvoted 0 times

...

Anna

2 months ago

I'm not sure removing the PERIMETER_VPC is a good idea. That perimeter seems to provide an additional layer of security that we shouldn't get rid of.

upvoted 0 times

Kimbery

14 days ago

I'm not sure removing the PERIMETER_VPC is a good idea. That perimeter seems to provide an additional layer of security that we shouldn't get rid of.

upvoted 0 times

...

Nikita

24 days ago

D) Develop a design that removes the PERIMETER_VPC perimeter. Update the PERIMETER_PROD perimeter to include the project containing VPC_ONE. Remove the PERIMETER_NONPROD perimeter.

upvoted 0 times

...

Micah

1 months ago

upvoted 0 times

...

Vincent

2 months ago

That's a good point, Vanda. Option C does simplify the setup by separating production and non-production workloads into different VPCs.

upvoted 0 times

...

Lindsay

2 months ago

Option A seems the most logical choice. Separating the access levels based on the IP ranges makes sense and minimizes setup effort.

upvoted 0 times

Joye

29 days ago

Yes, it definitely simplifies the setup process by creating two access levels based on the IP ranges. It's a logical solution.

upvoted 0 times

...

Clement

2 months ago

I agree, option A seems like the best choice for ensuring production and non-production workloads have the right access levels.

upvoted 0 times

...

Vanda

2 months ago

I disagree, I believe option C is better. Creating a new VPC for non-production workloads and migrating them seems like a cleaner solution.

upvoted 0 times

...

Vincent

3 months ago

I think option A is the best choice. It seems like the most efficient way to ensure the right access levels for production and non-production workloads.

upvoted 0 times

...