Welcome to Pass4Success

Google Exam Associate Cloud Engineer Topic 2 Question 110 Discussion

Actual exam question for Google's Associate Cloud Engineer exam
Question #: 110
Topic #: 2
[All Associate Cloud Engineer Questions]

You are planning to migrate your on-premises VMs to Google Cloud. You need to set up a landing zone in Google Cloud before migrating the VMs. You must ensure that all VMs in your production environment can communicate with each other through private IP addresses. You need to allow all VMs in your Google Cloud organization to accept connections on specific TCP ports. You want to follow Google-recommended practices, and you need to minimize your operational costs. What should you do?

Suggested Answer: D

Comprehensive and Detailed Explanation From Exact Extract:

The goal is to create a landing zone facilitating private IP communication across production projects and apply organization-wide firewall rules, following best practices and minimizing operational costs.

Network Structure: Individual VPCs with Peering (A, B): While VPC Peering allows private connectivity, managing a full mesh or complex peering topology across many projects becomes operationally complex and can hit peering limits. It is not the recommended pattern for centralized connectivity in a landing zone.

Shared VPC (C, D): This is the Google-recommended practice for scenarios where resources from multiple projects need to communicate privately within a common VPC network. A central host project owns the network, and service projects use it. This simplifies network administration and connectivity.

Firewall Rules: Organization Policies (A, C): These enforce organizational constraints (e.g., disable external IPs, restrict locations) but do not define specific network firewall rules (like allowing TCP ports).

Hierarchical Firewall Policies (B, D): These allow defining firewall rules at the Organization or Folder level, which are inherited by resources in descendant projects/folders. This is the mechanism to apply consistent firewall rules (like allowing specific TCP ports) across all VMs in the organization (or a specific folder) efficiently, without managing rules in each individual VPC or project.

Combining Shared VPC for the network structure (best practice for cross-project private communication and central management) with Hierarchical Firewall Policies (for applying organization-wide firewall rules) meets all requirements efficiently and follows Google recommendations.


Shared VPC Overview: 'Shared VPC allows an organization to connect resources from multiple projects to a common Virtual Private Cloud (VPC) network...' - https://cloud.google.com/vpc/docs/shared-vpc

Hierarchical firewall policies: 'Hierarchical firewall policies let you create and enforce a consistent firewall policy across your organization... They can be configured to explicitly deny traffic, or allow traffic...' - https://cloud.google.com/firewall/docs/hierarchical-firewall-policies
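
As an added example, not taken from this page or from Google's documentation, the Terraform configuration below (Google provider, assumed) sketches the landing zone the explanation describes: a Shared VPC host project with service projects attached, plus an organization-level hierarchical firewall policy that allows specific TCP ports and is inherited by every project. The organization ID, project IDs, ports and source range are placeholders.

```hcl
# Placeholder values: replace with your own organization ID, project IDs and ports.
locals {
  org_id            = "ORG_ID_PLACEHOLDER"
  host_project      = "prod-host-project"           # constructed project ID
  service_projects  = ["prod-app-a", "prod-app-b"]  # constructed project IDs
  allowed_tcp_ports = ["22", "443", "8443"]         # the "specific TCP ports" to accept
}

# Shared VPC: the host project owns the production VPC network (created in that
# project, not shown); service projects attach to it and share its private IP
# space, so no peering mesh is needed between per-project VPCs.
resource "google_compute_shared_vpc_host_project" "host" {
  project = local.host_project
}

resource "google_compute_shared_vpc_service_project" "service" {
  for_each        = toset(local.service_projects)
  host_project    = google_compute_shared_vpc_host_project.host.project
  service_project = each.value
}

# Hierarchical firewall policy: defined once at the organization node and inherited
# by every descendant folder and project, instead of per-VPC firewall rules.
resource "google_compute_firewall_policy" "org_baseline" {
  parent     = "organizations/${local.org_id}"
  short_name = "org-baseline"
}

resource "google_compute_firewall_policy_rule" "allow_tcp" {
  firewall_policy = google_compute_firewall_policy.org_baseline.name
  priority        = 1000
  direction       = "INGRESS"
  action          = "allow"
  enable_logging  = true   # audit trail of connections matched by this rule
  match {
    src_ip_ranges = ["10.0.0.0/8"]   # placeholder: the landing zone's internal range
    layer4_configs {
      ip_protocol = "tcp"
      ports       = local.allowed_tcp_ports
    }
  }
}

resource "google_compute_firewall_policy_association" "org" {   # attach to the org node
  name              = "org-baseline-association"
  attachment_target = "organizations/${local.org_id}"
  firewall_policy   = google_compute_firewall_policy.org_baseline.id
}
```

Restricting `src_ip_ranges` to the internal range keeps the organization-wide allow from exposing the ports to the internet; per-VPC rules below the policy cannot override it, which is the point of defining it at the organization level.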

Contribute your Thoughts:

Elena
14 hours ago
I think option C is the way to go. It follows Google's recommendations and minimizes operational costs by using a host VPC project.
upvoted 0 times
Alverta
4 days ago
I think we should create individual VPCs per Google Cloud project and peer them together.
upvoted 0 times