PROFESSIONAL-CLOUD-ARCHITECT · Question #270
PROFESSIONAL-CLOUD-ARCHITECT Question #270: Real Exam Question with Answer & Explanation
The correct answer is B: Configure Cloud NAT and select sub-b in the NAT mapping section.
Question
You are configuring the cloud network architecture for a newly created project in Google Cloud that will host applications in Compute Engine. Compute Engine virtual machine instances will be created in two different subnets (sub-a and sub-b) within a single region:
- Instances in sub-a will have public IP addresses.
- Instances in sub-b will have only private IP addresses.
To download updated packages, instances must connect to a public repository outside the boundaries of Google Cloud. You need to allow sub-b to access the external repository. What should you do?
Options
- A. Enable Private Google Access on sub-b
- B. Configure Cloud NAT and select sub-b in the NAT mapping section
- C. Configure a bastion host instance in sub-a to connect to instances in sub-b
- D. Enable Identity-Aware Proxy for TCP forwarding for instances in sub-b
Explanation
Cloud NAT is the right solution because instances in sub-b have no external IP addresses and need a way to initiate outbound connections to the internet. The NAT gateway translates their private source addresses to an external address for egress traffic, so they can reach the package repository, while the gateway never accepts unsolicited inbound connections, so the instances stay unreachable from the internet. Cloud NAT is regional and is attached to a Cloud Router in the same region; in the NAT mapping you choose which subnets (and which of their IP ranges) are translated, which is why the answer says to select sub-b. Instances in sub-a do not need it: a VM with its own external IP sends traffic out directly and bypasses Cloud NAT.
A is wrong because Private Google Access only lets instances without external IPs reach Google APIs and services (for example Cloud Storage or BigQuery) over Google's network; it does nothing for destinations outside Google Cloud. C is wrong because a bastion host is an SSH jump server for administrative access into private instances, not a mechanism for those instances to pull packages from the internet. D is wrong because IAP TCP forwarding is likewise an inbound access tool for tunneling SSH/RDP to private instances, not an outbound internet egress path.
Memory tip: "NAT = going OUT to the internet with a private IP." If the question involves private instances downloading from or calling anything outside Google Cloud, Cloud NAT is your answer. Private Google Access is only for Google's own services - if you see "external repository" or a non-Google URL, PGA won't cut it.
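The following Terraform configuration is an added illustration of the answer, not part of the original question or of any Google sample; the VPC name, subnet ranges and region are assumptions. It builds both subnets, a Cloud Router, and a Cloud NAT gateway whose mapping lists only sub-b:

```hcl
# Added example: Cloud NAT for the private subnet only (names and ranges assumed).
resource "google_compute_network" "vpc" {
  name                    = "app-vpc"
  auto_create_subnetworks = false
}

# sub-a: instances here get external IPs and egress directly, so it is NOT mapped to NAT.
resource "google_compute_subnetwork" "sub_a" {
  name          = "sub-a"
  region        = "us-central1"
  network       = google_compute_network.vpc.id
  ip_cidr_range = "10.10.1.0/24"
}

# sub-b: private-only instances; this is the subnet the NAT mapping must include.
resource "google_compute_subnetwork" "sub_b" {
  name          = "sub-b"
  region        = "us-central1"
  network       = google_compute_network.vpc.id
  ip_cidr_range = "10.10.2.0/24"
}

# Cloud NAT is regional and hangs off a Cloud Router in the same region and VPC.
resource "google_compute_router" "nat_router" {
  name    = "nat-router"
  region  = "us-central1"
  network = google_compute_network.vpc.id
}

resource "google_compute_router_nat" "sub_b_nat" {
  name   = "sub-b-nat"
  router = google_compute_router.nat_router.name
  region = google_compute_router.nat_router.region

  # Let Google allocate the external address(es) used for translation.
  nat_ip_allocate_option = "AUTO_ONLY"

  # Translate only the subnets listed below, not every subnet in the region.
  source_subnetwork_ip_ranges_to_nat = "LIST_OF_SUBNETWORKS"

  subnetwork {
    name                    = google_compute_subnetwork.sub_b.id
    source_ip_ranges_to_nat = ["ALL_IP_RANGES"]
  }

  # Log failed translations (for example port exhaustion) without logging every flow.
  log_config {
    enable = true
    filter = "ERRORS_ONLY"
  }
}
```

After `terraform apply`, an outbound HTTPS request from a sub-b instance to any external host will appear at the destination with the NAT gateway's external address as its source, while the instance still has no external IP and the gateway accepts no inbound connections. If package downloads start failing under load, the ERRORS_ONLY logs will show port-allocation errors, which is the signal to raise the gateway's ports-per-VM setting or add static NAT addresses.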