
PROFESSIONAL-CLOUD-ARCHITECT · Question #308

PROFESSIONAL-CLOUD-ARCHITECT Question #308: Real Exam Question with Answer & Explanation

The correct answer is A: Gated Egress and VPC Service Controls. This question tests knowledge of the GCP services used to enforce data exfiltration controls and perimeter security for sensitive healthcare data in a regulated environment.

Submitted by jordan8 · Mar 30, 2026

Question

Case Study: 10 - EHR Healthcare

Company overview

EHR Healthcare is a leading provider of electronic health record software to the medical industry. EHR Healthcare provides their software as a service to multi-national medical offices, hospitals, and insurance providers.

Solution concept

Due to rapid changes in the healthcare and insurance industry, EHR Healthcare's business has been growing exponentially year over year. They need to be able to scale their environment, adapt their disaster recovery plan, and roll out new continuous deployment capabilities to update their software at a fast pace. Google Cloud has been chosen to replace their current colocation facilities.

Existing technical environment

EHR's software is currently hosted in multiple colocation facilities. The lease on one of the data centers is about to expire. Customer-facing applications are web-based, and many have recently been containerized to run on a group of Kubernetes clusters. Data is stored in a mixture of relational and NoSQL databases (MySQL, MS SQL Server, Redis, and MongoDB). EHR is hosting several legacy file- and API-based integrations with insurance providers on-premises. These systems are scheduled to be replaced over the next several years. There is no plan to upgrade or move these systems at the current time. Users are managed via Microsoft Active Directory. Monitoring is currently being done via various open source tools. Alerts are sent via email and are often ignored.

Business requirements

  • On-board new insurance providers as quickly as possible.
  • Provide a minimum 99.9% availability for all customer-facing systems.
  • Provide centralized visibility and proactive action on system performance and usage.
  • Increase ability to provide insights into healthcare trends.
  • Reduce latency to all customers.
  • Maintain regulatory compliance.
  • Decrease infrastructure administration costs.
  • Make predictions and generate reports on industry trends based on provider data.

Technical requirements

  • Maintain legacy interfaces to insurance providers with connectivity to both on-premises systems and cloud providers.
  • Provide a consistent way to manage customer-facing applications that are container-based.
  • Provide a secure and high-performance connection between on-premises systems and Google Cloud.
  • Provide consistent logging, log retention, monitoring, and alerting capabilities.
  • Maintain and manage multiple container-based environments.
  • Dynamically scale and provision new environments.
  • Create interfaces to ingest and process data from new providers.

Executive statement

Our on-premises strategy has worked for years but has required a major investment of time and money in training our team on distinctly different systems, managing similar but separate environments, and responding to outages. Many of these outages have been a result of misconfigured systems, inadequate capacity to manage spikes in traffic, and inconsistent monitoring practices. We want to use Google Cloud to leverage a scalable, resilient platform that can span multiple environments seamlessly and provide a consistent and stable user experience that positions us for future growth.

For this question, refer to the EHR Healthcare case study. The case study explains that: EHR hosts several legacy file-based and API integrations with on-site insurance providers, which are expected to be replaced in the coming years. Hence, there is no plan to upgrade or move these systems now. But EHR wants to use these APIs from its applications in Google Cloud so that they remain on-premise and private, securely exposing them. In other words, EHR wants to protect these APIs and the data they process, connect them only to its VPC environment in Google Cloud, with its systems in a protected DMZ that is not accessible from the Internet. Providers will be able to access integrations only through applications and with all possible precautions.

Which technique allows you to fulfill these requirements?

Options

  • A. Gated Egress and VPC Service Controls
  • B. Cloud Endpoint
  • C. Cloud VPN
  • D. Cloud Composer

Explanation

This question tests knowledge of the GCP services used to enforce data exfiltration controls and perimeter security for sensitive healthcare data in a regulated environment.

Common mistakes.

  • B. Cloud Endpoints manages API authentication and quotas for applications you deploy, but it does not enforce network-level perimeter controls or prevent unauthorized data exfiltration from GCP services.
  • C. Cloud VPN provides encrypted connectivity between on-premises networks and GCP VPCs for network transit, but it does not restrict what data can leave GCP services or enforce service-level access boundaries.
  • D. Cloud Composer is a managed Apache Airflow workflow orchestration service for data pipelines and is unrelated to network security perimeter controls or data exfiltration prevention.

Concept tested. VPC Service Controls and data exfiltration prevention for regulated data

Reference. https://cloud.google.com/vpc-service-controls/docs/overview
