
PROFESSIONAL-CLOUD-SECURITY-ENGINEER Question #227: Real Exam Question with Answer & Explanation

The correct answer is B: Provision a Cloud NAT instance in the same VPC and region as the Compute Engine VM.

Submitted by tarun92 · Apr 18, 2026 · Configuring access within a cloud solution environment

Question

Your DevOps team uses Packer to build Compute Engine images by using this process:

  1. Create an ephemeral Compute Engine VM.
  2. Copy a binary from a Cloud Storage bucket to the VM's file system.
  3. Update the VM's package manager.
  4. Install external packages from the internet onto the VM.

Your security team just enabled the organizational policy, constraints/compute.vmExternalIpAccess, to restrict the usage of public IP addresses on VMs. In response, your DevOps team updated their scripts to remove public IP addresses on the Compute Engine VMs; however, the build pipeline is failing due to connectivity issues. What should you do? (Choose two.)

Options

  • A. Provision an HTTP load balancer with the VM in an unmanaged instance group to allow inbound
  • B. Provision a Cloud NAT instance in the same VPC and region as the Compute Engine VM.
  • C. Enable Private Google Access on the subnet that the Compute Engine VM is deployed within.
  • D. Update the VPC routes to allow traffic to and from the internet.
  • E. Provision a Cloud VPN tunnel in the same VPC and region as the Compute Engine VM.

Explanation

Provision a Cloud NAT instance (Option B): Cloud NAT allows Compute Engine instances without public IP addresses to access the internet while preserving the security restrictions imposed by your organizational policy. By provisioning a Cloud NAT instance in the same VPC and region as your Compute Engine VMs, you enable outbound connectivity for these VMs, which the package manager update and the external package installation need.

Enable Private Google Access (Option C): Enabling Private Google Access on the subnet where your Compute Engine VMs are deployed allows these instances to reach Google Cloud services, such as the Cloud Storage bucket that holds the binary, from their private IP addresses. This helps with accessing the resources needed during the Packer image build process without exposing the VMs to the public internet.
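The two settings from the explanation, written as a Terraform configuration for the Google provider. This is an added example, not part of the original question; the network, subnet, router and NAT names, the region and the CIDR range are assumptions chosen for illustration.

```hcl
# Assumed names, region and CIDR range; replace with the build environment's own.
resource "google_compute_network" "build" {
  name                    = "packer-build-vpc"
  auto_create_subnetworks = false
  # The default 0.0.0.0/0 route to the default internet gateway is kept;
  # Cloud NAT relies on it for egress.
}

resource "google_compute_subnetwork" "build" {
  name          = "packer-build-subnet"
  region        = "us-central1"
  network       = google_compute_network.build.id
  ip_cidr_range = "10.10.0.0/24"

  # Option C: VMs with only internal IPs can reach Google APIs,
  # including the Cloud Storage bucket read in step 2 of the build.
  private_ip_google_access = true
}

# Cloud NAT is configured on a Cloud Router in the same VPC and region
# as the ephemeral build VM.
resource "google_compute_router" "build" {
  name    = "packer-build-router"
  region  = google_compute_subnetwork.build.region
  network = google_compute_network.build.id
}

# Option B: outbound-only internet access for steps 3 and 4
# (package manager update, external package install).
resource "google_compute_router_nat" "build" {
  name                   = "packer-build-nat"
  router                 = google_compute_router.build.name
  region                 = google_compute_router.build.region
  nat_ip_allocate_option = "AUTO_ONLY"

  # Limit NAT to the build subnet instead of every subnet in the region.
  source_subnetwork_ip_ranges_to_nat = "LIST_OF_SUBNETWORKS"
  subnetwork {
    name                    = google_compute_subnetwork.build.id
    source_ip_ranges_to_nat = ["ALL_IP_RANGES"]
  }

  # Log NAT errors so dropped build traffic is visible in Cloud Logging.
  log_config {
    enable = true
    filter = "ERRORS_ONLY"
  }
}
```

Cloud NAT accepts no unsolicited inbound connections, so the build VM stays unreachable from the internet and remains compliant with constraints/compute.vmExternalIpAccess.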

Topics

#Compute Engine #Networking #Cloud NAT #Private Google Access
