Google Professional Cloud Architect Exam - Topic 4 Question 52 Discussion

Actual exam question for Google's Professional Cloud Architect exam

Question #: 52
Topic #: 4

[All Professional Cloud Architect Questions]

Your company has a networking team and a development team. The development team runs applications on Compute Engine instances that contain sensitive dat

a. The development team requires administrative permissions for Compute Engine. Your company requires all network resources to be managed by the networking team. The development team does not want the networking team to have access to the sensitive data on the instances. What should you do?

A1. Create a project with a standalone VPC and assign the Network Admin role to the networking team.
2. Create a second project with a standalone VPC and assign the Compute Admin role to the development team.
3. Use Cloud VPN to join the two VPCs.

B1. Create a project with a standalone Virtual Private Cloud (VPC), assign the Network Admin role to the networking team, and assign the Compute Admin role to the development team.

C1. Create a project with a Shared VPC and assign the Network Admin role to the networking team.
2. Create a second project without a VPC, configure it as a Shared VPC service project, and assign the Compute Admin role to the development team.

D1. Create a project with a standalone VPC and assign the Network Admin role to the networking team.
2. Create a second project with a standalone VPC and assign the Compute Admin role to the development team.
3. Use VPC Peering to join the two VPCs.

Show Suggested Answer

Suggested Answer: C

In this scenario, a large organization has a central team that manages security and networking controls for the entire organization. Developers do not have permissions to make changes to any network or security settings defined by the security and networking team but they are granted permission to create resources such as virtual machines in shared subnets. To facilitate this the organization makes use of a shared VPC (Virtual Private Cloud). A shared VPC allows creation of a VPC network of RFC 1918 IP spaces that associated projects (service projects) can then use. Developers using the associated projects can create VM instances in the shared VPC network spaces. The organization's network and security admins can create subnets, VPNs, and firewall rules usable by all the projects in the VPC network. https://cloud.google.com/iam/docs/job-functions/networking#single_team_manages_security_network_for_organization

by Katina at Jun 13, 2022, 05:08 PM

Limited Time Offer

25%

Off

Get Premium Professional Cloud Architect Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Stefany

4 months ago

Wait, can we really trust VPC peering with sensitive info?

upvoted 0 times

...

Vilma

4 months ago

D sounds risky, peering could expose sensitive data.

upvoted 0 times

...

Gearldine

4 months ago

C is a bit complicated, not sure about that one.

upvoted 0 times

...

Talia

4 months ago

I think B is better, simpler setup!

upvoted 0 times

...

Stefanie

4 months ago

Option A seems solid, keeps things separate.

upvoted 0 times

...

Tien

5 months ago

I’m leaning towards option D because VPC Peering seems like a good way to connect the two teams while keeping their data separate. But I’m not 100% confident about the implications of that setup.

upvoted 0 times

...

Lonny

5 months ago

I practiced a similar question where we had to separate roles and permissions. I feel like option A is close, but using Cloud VPN might not be necessary if they can work independently.

upvoted 0 times

...

Denae

5 months ago

I'm not entirely sure, but I think Shared VPCs could complicate things. Option C sounds like it might expose the development team’s data to the networking team, which we want to avoid.

upvoted 0 times

...

Bettina

5 months ago

I remember we discussed the importance of keeping sensitive data secure while allowing teams to manage their resources. I think option B might be the right choice since it gives both teams their own VPCs.

upvoted 0 times

...

Ahmed

5 months ago

Hmm, I'm a bit unsure about this one. I know the Fishbone Diagram is used to identify root causes, but I'm not totally clear on how the different categories like "Equipment" are specifically used. I'll have to think this through carefully.

upvoted 0 times

...

Curt

5 months ago

Hmm, this is a tricky one. I'm thinking the ports are in a stealth state, since the XMAS scan isn't getting a response. But I'm not 100% sure on that. Guess I'll have to make an educated guess.

upvoted 0 times

...

Hyman

5 months ago

I'm torn between options B and D. Aren't both about protection?

upvoted 0 times

...