Agree with D - "When to choose the flexible environment" "Accesses the resources or services of your Google Cloud project that reside in the Compute Engine network." https://cloud.google.com/appengine/docs/the-appengine-environments

Right is D: https://stackoverflow.com/questions/37137914/is-it-possible-to-use-google-app-engine-with-google-cloud-vpn

now you can use option B

you can use a Serverless VPC Connector to connect App Engine Standard Environment to an on-premise resource via Cloud VPN

https://cloud.google.com/appengine/docs/flexible/flexible-for-standard-users Standard environment tend to be stateless web applications . Flexi is better for intergrating with on premise database

It is B

B. As per documentation https://cloud.google.com/appengine/docs/flexible/storage-options. Clearly App Engine standard can connect to on prem database.

D is correct

I vote B, flexible is just needed if you need no standard softwere etc... https://cloud.google.com/appengine/docs/flexible/storage-options#on_premises

I had originally chosen option B because both App Engine Standard and App Engine Flex can connect via Cloud VPN starting a few years ago. For App Engine Standard to connect with a VPC (which would be required to use Cloud VPN), we need to create a Serverless VPC Connector (as well as for other Cloud Run and Cloud Functions). This is something relatively new and probably came out after this question was designed for the exam: https://cloud.google.com/vpc/docs/serverless-vpc-access#supported_services. Based on the fact that the Serverless VPC Connector would add extra complexity to the network topology and incur in additional costs, I'm going with D.

I'm going with B based on this: https://cloud.google.com/appengine/docs/standard/storage-options#on_premises. App Engine Standard can connect through an external database via Cloud VPN. The question only states that the on-prem database must not be accessible through the public internet, not that the traffic must NOT traverse the public internet. Quoting the documentation from App Engine Standard: "If you have existing on-premises databases that you want to make accessible to your App Engine app, you can either configure your internal network and firewall to give the database a public IP address or connect using a VPN." Obviously we don't want to give the database a public IP because that would mean it would be accessible via public internet (which is what we want to prevent), and Cloud VPN would help with that.

Remember On-prem DB is not accessible over internet, hence VPN is out of question. C. Deploy your application on App Engine flexible environment and use App Engine firewall rules to limit access to the on-premises database.

Another question https://www.examtopics.com/discussions/google/view/60436-exam-professional-cloud-architect-topic-1-question-151/ States "Your company has a support ticketing solution that uses App Engine Standard. ...You want to enable the App Engine application to communicate with a database that is running in the company's on-premises environment. What should you do?" So this makes B the winner :)

D makes more sense

The correct answer is D. Those who say B are unclear about one piece of information: standard App Engine does not provide direct access to local resources.

The below link confirms the standard environment to use cloud VPN. The question is primarily around "an application", which could be .Net or any application. A flexible environment with Cloud VPN would be right answer. https://cloud.google.com/appengine/docs/standard/storage-options#on_premises

answer - B