
Exam Professional Cloud Network Engineer topic 1 question 92 discussion

Actual exam question from Google's Professional Cloud Network Engineer
Question #: 92
Topic #: 1

You need to enable Private Google Access for use by some subnets within your Virtual Private Cloud (VPC). Your security team set up the VPC to send all internet-bound traffic back to the on-premises data center for inspection before egressing to the internet, and is also implementing VPC Service Controls in the environment for API-level security control. You have already enabled the subnets for Private Google Access. What configuration changes should you make to enable Private Google Access while adhering to your security team's requirements?

  • A. 1. Create a private DNS zone with a CNAME record for *.googleapis.com to restricted.googleapis.com, with an A record pointing to Google's restricted API address range.
    2. Create a custom route that points Google's restricted API address range to the default internet gateway as the next hop.
  • B. 1. Create a private DNS zone with a CNAME record for *.googleapis.com to restricted.googleapis.com, with an A record pointing to Google's restricted API address range.
    2. Change the custom route that points the default route (0/0) to the default internet gateway as the next hop.
  • C. 1. Create a private DNS zone with a CNAME record for *.googleapis.com to private.googleapis.com, with an A record pointing to Google's private API address range.
    2. Change the custom route that points the default route (0/0) to the default internet gateway as the next hop.
  • D. 1. Create a private DNS zone with a CNAME record for *.googleapis.com to private.googleapis.com, with an A record pointing to Google's private API address range.
    2. Create a custom route that points Google's private API address range to the default internet gateway as the next hop.
Suggested Answer: A
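The two halves of option A are easy to get right in isolation and easy to get wrong together: the private zone must steer every `*.googleapis.com` name onto the restricted VIP (199.36.153.4/30), and the route table must send only that /30 to the default internet gateway while the 0/0 route keeps pointing at the on-premises inspection path. The script below is an added example, not part of the exam question or any Google tooling. It models VPC route selection (longest prefix first, then lowest priority value) and private-zone resolution over constructed sample data shaped loosely like `gcloud compute routes list --format=json` and `gcloud dns record-sets list` output, and reports whether a given route table plus zone satisfies both requirements. The VPN tunnel name `tunnel-to-dc` and the route names are hypothetical.

```python
"""Check a VPC route table + private googleapis.com zone against the two
requirements in the question: API traffic to the restricted VIP via the
default internet gateway, everything else internet-bound via on-prem.

All route and DNS data here is constructed sample data, not captured output."""
import ipaddress

# Google's published range behind restricted.googleapis.com.
RESTRICTED_VIP = ipaddress.ip_network("199.36.153.4/30")
DEFAULT_INTERNET_GATEWAY = "default-internet-gateway"

# Option A: /30 to the internet gateway, 0/0 stays pointed at the on-prem
# VPN tunnel (hypothetical tunnel name) for inspection.
ROUTES_OPTION_A = [
    {"name": "restricted-googleapis", "destRange": "199.36.153.4/30",
     "priority": 100, "nextHopGateway": DEFAULT_INTERNET_GATEWAY},
    {"name": "default-to-onprem", "destRange": "0.0.0.0/0",
     "priority": 100, "nextHopVpnTunnel": "tunnel-to-dc"},
]

# Option B: the default route itself re-pointed at the internet gateway.
ROUTES_OPTION_B = [
    {"name": "default-internet", "destRange": "0.0.0.0/0",
     "priority": 100, "nextHopGateway": DEFAULT_INTERNET_GATEWAY},
]

# Private zone for googleapis.com. as option A describes it.
DNS_RECORDS = {
    ("*.googleapis.com.", "CNAME"): ["restricted.googleapis.com."],
    ("restricted.googleapis.com.", "A"): [
        "199.36.153.4", "199.36.153.5", "199.36.153.6", "199.36.153.7"],
}


def next_hop(routes, dst):
    """Pick the route VPC would use: longest prefix, then lowest priority."""
    dst = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        net = ipaddress.ip_network(r["destRange"])
        if dst not in net:
            continue
        key = (net.prefixlen, -r["priority"])
        if best is None or key > best[0]:
            best = (key, r)
    if best is None:
        return None
    for k, v in best[1].items():
        if k.startswith("nextHop"):
            return (k, v)
    return None


def resolve(records, name):
    """Resolve a name in the private zone, following CNAMEs; an exact
    name takes precedence over the wildcard, as in DNS."""
    name = name if name.endswith(".") else name + "."
    for _ in range(8):  # bound the CNAME chain
        if (name, "A") in records:
            return records[(name, "A")]
        cname = records.get((name, "CNAME"))
        if cname is None:
            wild = "*." + name.split(".", 1)[1]
            cname = records.get((wild, "CNAME"))
        if cname is None:
            return []
        name = cname[0]
    return []


def check_design(routes, records, api_host="storage.googleapis.com",
                 internet_ip="203.0.113.10"):
    """Return per-requirement booleans plus an overall verdict."""
    api_ips = resolve(records, api_host)
    api_in_vip = bool(api_ips) and all(
        ipaddress.ip_address(ip) in RESTRICTED_VIP for ip in api_ips)
    api_hop = next_hop(routes, api_ips[0]) if api_ips else None
    gateway = ("nextHopGateway", DEFAULT_INTERNET_GATEWAY)
    inet_hop = next_hop(routes, internet_ip)
    return {
        "api_resolves_to_restricted_vip": api_in_vip,
        "api_route_to_default_gateway": api_hop == gateway,
        "internet_traffic_goes_on_prem": inet_hop is not None and inet_hop != gateway,
        "ok": api_in_vip and api_hop == gateway
              and inet_hop is not None and inet_hop != gateway,
    }


if __name__ == "__main__":
    for label, routes in (("A", ROUTES_OPTION_A), ("B", ROUTES_OPTION_B)):
        print(label, check_design(routes, DNS_RECORDS))
```

Because the /30 is more specific than 0/0, the restricted-VIP route wins regardless of priority, so option A never has to touch the default route; option B satisfies the API half but sends ordinary internet traffic straight out the gateway, which is exactly what the security team forbids. Note that the routes and DNS only get traffic onto the restricted VIP; the API-level enforcement still comes from the VPC Service Controls perimeter itself.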

Comments

al_zo
Highly Voted 1 year, 5 months ago
It can't be C or D: "Choose restricted.googleapis.com when you only need access to Google APIs and services that are supported by VPC Service Controls." I would go for A.
upvoted 9 times
AzureDP900
1 year, 4 months ago
A is right in my opinion. A. 1. Create a private DNS zone with a CNAME record for *.googleapis.com to restricted.googleapis.com, with an A record pointing to Google's restricted API address range. 2. Create a custom route that points Google's restricted API address range to the default internet gateway as the next hop.
upvoted 3 times
pbrvgl
Most Recent 5 months, 2 weeks ago
Alternative A is correct. Alternatives C or D are not valid, since the domain to use when setting up private connectivity for Google APIs and services is "restricted.googleapis.com", as detailed here: https://cloud.google.com/vpc-service-controls/docs/set-up-private-connectivity#procedure-overview. In addition, you need to create a custom route pointing the "restricted.googleapis.com" IP address range (199.36.153.4/30) to the default internet gateway as the next hop. This procedure is described here: https://cloud.google.com/vpc-service-controls/docs/set-up-private-connectivity#configure-custom-routes
upvoted 1 times
didek1986
8 months, 3 weeks ago
Selected Answer: A
A: Google doesn't publish routes on the internet for the IP address ranges used by the private.googleapis.com or restricted.googleapis.com domains. Consequently, even though the routes in the VPC network send traffic to the default internet gateway next hop, packets sent to those IP address ranges remain within Google's network. If the VPC network to which your on-premises network connects contains a default route whose next hop is the default internet gateway, that route meets the routing requirements for Private Google Access for on-premises hosts.
upvoted 2 times
didek1986
8 months, 3 weeks ago
Sorry, B.
upvoted 2 times
didek1986
8 months, 2 weeks ago
After rethinking, A.
upvoted 1 times
Ben756
1 year, 1 month ago
Selected Answer: B
Option B is the correct solution because it creates a private DNS zone with a CNAME record for *.googleapis.com to restricted.googleapis.com, with an A record pointing to Google's restricted API address range. This ensures that traffic to the Google APIs and services is sent through the VPC Service Controls, which provides API-level security control. The second step is to change the custom route that points the default route (0/0) to the default internet gateway as the next hop. This ensures that any traffic not destined for Google APIs and services is sent back to the on-premises data center for inspection before egressing to the internet.
upvoted 3 times
gcpengineer
8 months, 2 weeks ago
No, it means internet traffic goes w/o inspection.
upvoted 1 times
pfilourenco
1 year, 4 months ago
Selected Answer: A
It's A. To have VPC-SC we need to use restricted.googleapis.com.
upvoted 4 times
ccieman2016
1 year, 5 months ago
Selected Answer: D
In my opinion it is letter D. https://cloud.google.com/vpc/docs/configure-private-google-access-hybrid I'm not 100% sure.
upvoted 1 times
playpacman
1 year, 5 months ago
Either A or D, as we don't want to change the default routing.
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other