Google Professional Cloud Network Engineer Exam - Topic 3 Question 83 Discussion

Actual exam question for Google's Professional Cloud Network Engineer exam
Question #: 83
Topic #: 3
Your company's current network architecture has three VPC Service Controls perimeters:

One perimeter (PERIMETER_PROD) to protect production storage buckets

One perimeter (PERIMETER_NONPROD) to protect non-production storage buckets

One perimeter (PERIMETER_VPC) that contains a single VPC (VPC_ONE)

In this single VPC (VPC_ONE), the IP_RANGE_PROD is dedicated to the subnets of the production workloads, and the IP_RANGE_NONPROD is dedicated to subnets of non-production workloads. Workloads cannot be created outside those two ranges. You need to ensure that production workloads can access only production storage buckets and non-production workloads can access only non-production storage buckets with minimal setup effort. What should you do?

Suggested Answer: D

The correct answer is D because it meets the following requirements:

It matches the hub-and-spoke model of the on-premises network, where each spoke is a separate VPC network that is connected to a central hub VPC network.

It minimizes management overhead and cost, because VPC Network Peering is a simple and low-cost way to connect VPC networks without using any external IP addresses or VPN gateways [1].

It uses default networking quotas and limits, because VPC Network Peering does not consume any quota or limit for VPN tunnels, external IP addresses, or forwarding rules [2].

It prevents connectivity between the spokes, because VPC Network Peering is non-transitive by default, meaning that a spoke can only communicate with the hub, not with other spokes [1]. To enforce this restriction, a third-party network appliance can be used as a default gateway in each spoke VPC network, which can filter out any traffic destined for other spokes [3].

Option A is incorrect because it does not minimize cost, as Cloud VPN charges for egress traffic and requires external IP addresses for the VPN gateways [4]. Option B is incorrect because it does not prevent connectivity between the spokes, as VPC Network Peering allows direct communication between peered VPC networks by default [1]. Option C is incorrect because it does not minimize cost or use default quotas and limits, for the same reasons as option A.

[1] VPC Network Peering overview | VPC

[2] Quotas and limits | VPC

[3] Hub-and-spoke network architecture | Cloud Architecture Center

[4] Cloud VPN overview | Google Cloud
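As an added illustration (not from this page, and not Google's tooling), a small Python model of the access-level plus ingress-policy mechanism the commenters discuss: one access level per workload IP range, and each storage perimeter admitting only its own level, so a source in the wrong range is denied by default. The CIDRs, bucket names and level names are constructed, since the question gives none; in a real deployment this configuration lives in Access Context Manager and VPC Service Controls, and identity-based conditions are omitted here.

```python
"""Constructed model of IP-range access levels feeding perimeter ingress rules.
Simulation only (stdlib); it is not the VPC Service Controls API."""
import ipaddress
from dataclasses import dataclass, field
from itertools import combinations

# Constructed CIDRs: the question names the ranges but gives no addresses.
IP_RANGE_PROD = ipaddress.ip_network("10.10.0.0/16")
IP_RANGE_NONPROD = ipaddress.ip_network("10.20.0.0/16")

# Access levels, each referencing a single range (hypothetical names).
ACCESS_LEVELS = {
    "prod_workloads": [IP_RANGE_PROD],
    "nonprod_workloads": [IP_RANGE_NONPROD],
}

@dataclass
class Perimeter:
    name: str
    resources: set                 # protected storage buckets (constructed)
    ingress_levels: set = field(default_factory=set)  # levels allowed in

PERIMETERS = {
    "PERIMETER_PROD": Perimeter("PERIMETER_PROD", {"gs://prod-data"}, {"prod_workloads"}),
    "PERIMETER_NONPROD": Perimeter("PERIMETER_NONPROD", {"gs://nonprod-data"}, {"nonprod_workloads"}),
}

def matching_levels(source_ip: str) -> set:
    """All access levels whose ranges contain the source address."""
    ip = ipaddress.ip_address(source_ip)
    return {name for name, nets in ACCESS_LEVELS.items() if any(ip in n for n in nets)}

def is_allowed(source_ip: str, bucket: str) -> bool:
    """Default deny: the request succeeds only if the source satisfies an
    access level that the bucket's perimeter admits through an ingress rule."""
    for perimeter in PERIMETERS.values():
        if bucket in perimeter.resources:
            return bool(matching_levels(source_ip) & perimeter.ingress_levels)
    return False  # bucket not in any perimeter: treated as denied in this model

def overlapping_levels() -> list:
    """Sanity check: overlapping ranges would let one workload satisfy both
    levels and reach both perimeters, defeating the segregation."""
    return [
        (a, b) for a, b in combinations(ACCESS_LEVELS, 2)
        if any(x.overlaps(y) for x in ACCESS_LEVELS[a] for y in ACCESS_LEVELS[b])
    ]
```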

Contribute your Thoughts:

Gayla
3 months ago
C feels like overkill for this situation.
upvoted 0 times
Levi
3 months ago
A is definitely the best choice for minimal setup.
upvoted 0 times
Gladis
3 months ago
Wait, removing PERIMETER_VPC? That sounds risky!
upvoted 0 times
Pearline
4 months ago
I disagree, B could simplify the architecture.
upvoted 0 times
Jolene
4 months ago
Option A seems the most straightforward for access control.
upvoted 0 times
Mona
4 months ago
I feel like updating the existing perimeters is the way to go, but I can't recall if we discussed the implications of removing a perimeter entirely.
upvoted 0 times
Hannah
4 months ago
I’m a bit confused about whether we really need to create a new VPC for non-production. That seems like a lot of work.
upvoted 0 times
Angelica
4 months ago
I think option A sounds familiar from practice questions, where we had to set access levels based on IP ranges.
upvoted 0 times
Natalie
5 months ago
I remember studying how VPC Service Controls work, but I'm not sure if removing the PERIMETER_VPC is the best option.
upvoted 0 times
Brinda
5 months ago
This is a tricky one. I'm not entirely sure which option is the best, as they all have their pros and cons. I think I'll need to sketch out the different designs on paper to really evaluate them before making a decision.
upvoted 0 times
Chau
5 months ago
I'm leaning towards option A as well. It seems like the most direct way to achieve the desired segregation without having to make major changes to the existing architecture. As long as the IP ranges are set up correctly, that should do the trick.
upvoted 0 times
Jolene
5 months ago
Option C looks interesting, creating a separate VPC for non-production workloads. That could help simplify the overall architecture. I'll need to think through the implications of that approach, but it might be the most robust long-term solution.
upvoted 0 times
Martina
5 months ago
Hmm, I'm a bit confused by the different perimeters and VPCs mentioned in the question. I'll need to re-read it carefully to make sure I understand the current setup before deciding on the best approach.
upvoted 0 times
Antione
5 months ago
This seems like a pretty straightforward question. I think I'll go with option A - it seems the most straightforward approach to segregating the production and non-production workloads and storage buckets.
upvoted 0 times
Selma
5 months ago
I've got a good handle on SSPR, so I think I can tackle this. Let me carefully consider each option and select the ones that match the description in the question.
upvoted 0 times
Charlene
5 months ago
Hmm, I'm a little unsure about the steps here. I'll need to carefully read through the options and think through the process.
upvoted 0 times
Evette
5 months ago
I'm a little confused by the resource pool configurations. Do we really need multiple resource pools, or would a single pool be sufficient? I'll have to carefully consider the tradeoffs between the options.
upvoted 0 times
Rosina
10 months ago
I'm leaning towards Option A as well. It's the simplest solution and should do the job without any unnecessary complexity. Though, I do wonder if the VPC police will show up and fine us for not using the latest buzzwords.
upvoted 0 times
Brock
9 months ago
User 3: Yeah, Option A seems like the best option for ensuring access levels and minimal setup effort.
upvoted 0 times
Rebecka
9 months ago
User 2: I agree, Option A sounds like the simplest and most effective choice.
upvoted 0 times
Jerlene
9 months ago
User 1: I think Option A is the way to go. It seems like the most straightforward solution.
upvoted 0 times
Hyman
10 months ago
Hmm, creating a new VPC just for non-production workloads seems like overkill. Why not just keep everything in VPC_ONE and use the access levels instead?
upvoted 0 times
Elise
9 months ago
A) Exactly, it would streamline the setup and management process while still ensuring the necessary security measures are in place.
upvoted 0 times
Marti
9 months ago
B) Hmm, that does seem like a simpler solution. It would keep everything in one VPC and still provide the necessary access restrictions.
upvoted 0 times
Gabriele
10 months ago
A) Develop a design that uses the IP_RANGE_PROD and IP_RANGE_NONPROD perimeters to create two access levels, with each access level referencing a single range. Create two ingress access policies with each access policy referencing one of the two access levels. Update the PERIMETER_PROD and PERIMETER_NONPROD perimeters.
upvoted 0 times
Anna
10 months ago
I'm not sure removing the PERIMETER_VPC is a good idea. That perimeter seems to provide an additional layer of security that we shouldn't get rid of.
upvoted 0 times
Kimbery
9 months ago
I'm not sure removing the PERIMETER_VPC is a good idea. That perimeter seems to provide an additional layer of security that we shouldn't get rid of.
upvoted 0 times
Nikita
9 months ago
D) Develop a design that removes the PERIMETER_VPC perimeter. Update the PERIMETER_PROD perimeter to include the project containing VPC_ONE. Remove the PERIMETER_NONPROD perimeter.
upvoted 0 times
Micah
10 months ago
A) Develop a design that uses the IP_RANGE_PROD and IP_RANGE_NONPROD perimeters to create two access levels, with each access level referencing a single range. Create two ingress access policies with each access policy referencing one of the two access levels. Update the PERIMETER_PROD and PERIMETER_NONPROD perimeters.
upvoted 0 times
Vincent
10 months ago
That's a good point, Vanda. Option C does simplify the setup by separating production and non-production workloads into different VPCs.
upvoted 0 times
Lindsay
11 months ago
Option A seems the most logical choice. Separating the access levels based on the IP ranges makes sense and minimizes setup effort.
upvoted 0 times
Joye
9 months ago
Yes, it definitely simplifies the setup process by creating two access levels based on the IP ranges. It's a logical solution.
upvoted 0 times
Clement
10 months ago
I agree, option A seems like the best choice for ensuring production and non-production workloads have the right access levels.
upvoted 0 times
Vanda
11 months ago
I disagree, I believe option C is better. Creating a new VPC for non-production workloads and migrating them seems like a cleaner solution.
upvoted 0 times
Vincent
11 months ago
I think option A is the best choice. It seems like the most efficient way to ensure the right access levels for production and non-production workloads.
upvoted 0 times