Exam Professional Cloud Security Engineer topic 1 question 82 discussion

C-there is no traffic to outside internet

The ask is to store the output files in a Cloud storage bucket. "The networking and security teams have decided that no VMs may reach the public internet" - No VMs MAY reach public internet but not 'MUST'. Hence 'C' is the answer

What if the VM is on-premise? The question never said it was in GCP? Would the answer not be 'B'?

What should be accomplished is the access to GCS, knowing VMs cannot access the public network. So, Private Google Access accomplishes it.

The answer is A.... With GPA enabled, VMs can still reach the Internet. Accessing the backend storage is ther to throw you off of what is being asked - and that's NO VMs may reach the Internet... Answer is A

C private google access allows access to google services without internet connection

To ensure that VMs can access Cloud Storage without reaching the public internet, you should: C. Enable Private Google Access. Enabling Private Google Access allows VMs with only internal IP addresses in a VPC network to access Google Cloud services like Cloud Storage without needing external IP addresses or going through the public internet.

B. Provision a NAT Gateway to access the Cloud Storage API endpoint. Explanation: To ensure that VMs can't reach the public internet but can still access Google Cloud services like Cloud Storage, you can use a Network Address Translation (NAT) Gateway. NAT Gateway allows instances in a private subnet to initiate outbound connections to the internet while masking their actual internal IP addresses. This way, the VMs can access the Cloud Storage API endpoint without directly connecting to the public internet.

"C" The question is not worded well. If you replace "..has decided.." with "..has enforced.." then the meat of the question becomes how to achieve the first part of the requirement which is reaching cloud storage without public access, which is through private google access. Reference: https://cloud.google.com/vpc/docs/private-google-access

I think A is correct

B is the ans, as nat is needed to reach the cloud storage

The question says "The networking and security teams have decided that no VMs may reach the public internet"y A

C!!!! This example is just the exact and only meaning for have PGA!!!

Answer C: Here is why; the VM need to access google service i.e. "Cloud Storage Bucket". Google doc states: Private Google Access permits access to Google APIs and services in Google's production infrastructure https://cloud.google.com/vpc/docs/private-google-access Everyone is reading the question as limited access to public internet but is missing the 2nd part of the question, which is access a google services. ONLY enable Private Google Access will fulfil the requirement.

C is the answer

The ask is to access cloud storage while doing the batch processing not how to block the internet. Overall it’s a poor choice of words in the question attempting to confuse than check knowledge

C. Enable Private Google Access on the VPC.