Google Professional Cloud Architect Exam - Topic 6 Question 18 Discussion

Actual exam question for Google's Professional Cloud Architect exam

Question #: 18
Topic #: 6

[All Professional Cloud Architect Questions]

Your organization has decided to restrict the use of external IP addresses on instances to only approved instances. You want to enforce this requirement across all of your Virtual Private Clouds (VPCs). What should you do?

ARemove the default route on all VPCs. Move all approved instances into a new subnet that has a default route to an internet gateway.

BCreate a new VPC in custom mode. Create a new subnet for the approved instances, and set a default route to the internet gateway on this new subnet.

CImplement a Cloud NAT solution to remove the need for external IP addresses entirely.

DSet an Organization Policy with a constraint on constraints/compute.vmExternalIpAccess. List the approved instances in the allowedValues list.

Show Suggested Answer

Suggested Answer: D

https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address#disableexternalip

you might want to restrict external IP address so that only specific VM instances can use them. This option can help to prevent data exfiltration or maintain network isolation. Using an Organization Policy, you can restrict external IP addresses to specific VM instances with constraints to control use of external IP addresses for your VM instances within an organization or a project.

by Justine at May 06, 2022, 11:07 AM

Limited Time Offer

25%

Off

Get Premium Professional Cloud Architect Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Xuan

4 months ago

Removing the default route could break things, not sure about A.

upvoted 0 times

...

Francine

4 months ago

Option C is interesting, but does it really eliminate the need for external IPs?

upvoted 0 times

...

Adolph

4 months ago

Wait, can you really restrict external IPs like that? Sounds risky.

upvoted 0 times

...

Viola

4 months ago

Totally agree, D makes the most sense!

upvoted 0 times

...

Cherry

5 months ago

I think option D is the best way to enforce this.

upvoted 0 times

...

Regenia

5 months ago

I remember discussing the importance of approved instances, and option D seems to align with that. It feels like the right approach to enforce restrictions effectively.

upvoted 0 times

...

Jacquelyne

5 months ago

I recall something about Cloud NAT, but I'm not sure if it completely removes the need for external IPs. Could it be a viable option here?

upvoted 0 times

...

Sherita

5 months ago

I think option D sounds familiar; I remember studying about Organization Policies and how they can help manage resources across VPCs.

upvoted 0 times

...

Izetta

5 months ago

I'm not entirely sure, but I feel like removing the default route might cause issues with connectivity. Wasn't there a practice question about routing that mentioned this?

upvoted 0 times

...

Cathrine

5 months ago

Okay, the question is asking about adding network elements in Huawei's u2000 management system. I think I know the answer, but I'll double-check the options.

upvoted 0 times

...

Isaac

5 months ago

Hmm, I'm a bit confused about the difference between the virtual interface IP address and the mobility group name. I'll need to review those concepts.

upvoted 0 times

...

Elke

5 months ago

I remember something about Windows managing credentials, but I'm not sure if it's proprietary or not.

upvoted 0 times

...

Aliza

5 months ago

I think the answer is C, Filter, but I'm kind of second-guessing myself. I remember it being important to select specific elements.

upvoted 0 times

...