Your team needs to create a Google Kubernetes Engine (GKE) cluster to host a newly built application that requires access to third-party services on the internet. Your company does not allow any Compute Engine instance to have a public IP address on Google Cloud. You need to create a deployment strategy that adheres to these guidelines. What should you do?
A. Configure the GKE cluster as a private cluster, and configure Cloud NAT Gateway for the cluster subnet.
B. Configure the GKE cluster as a private cluster. Configure Private Google Access on the Virtual Private Cloud (VPC).
C. Configure the GKE cluster as a route-based cluster. Configure Private Google Access on the Virtual Private Cloud (VPC).
D. Create a Compute Engine instance, and install a NAT Proxy on the instance. Configure all workloads on GKE to pass through this proxy to access third-party services on the Internet.
Disclaimer
This is a practice question. There is no guarantee that this question will appear in the certification exam.
Answer
A
Explanation
A. Configure the GKE cluster as a private cluster, and configure Cloud NAT Gateway for the cluster subnet.
(Cloud NAT lets resources in a private subnet, which have no public IP addresses, reach the internet for updates, patching, configuration management, and third-party APIs in a controlled and efficient manner, so both requirements are met.)
B. Configure the GKE cluster as a private cluster. Configure Private Google Access on the Virtual Private Cloud (VPC).
(Private Google Access is useful for allowing Google Cloud resources, including GKE clusters, to access Google services without public IPs, but it doesn’t provide access to third-party services on the internet.)
C. Configure the GKE cluster as a route-based cluster. Configure Private Google Access on the Virtual Private Cloud (VPC).
(Ruled out. Whether the cluster is route-based or VPC-native is irrelevant to the requirement, and Private Google Access only provides access to Google APIs and services, not to third-party services on the internet.)
D. Create a Compute Engine instance, and install a NAT Proxy on the instance. Configure all workloads on GKE to pass through this proxy to access third-party services on the Internet.
(Ruled out. The proxy instance would itself need a public IP address to reach the internet, which violates the company policy, and it adds a self-managed single point of failure that Cloud NAT avoids.)
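As an added example that is not part of the original question page, the following Terraform configuration shows the deployment described in option A: a private GKE cluster whose nodes receive only internal IP addresses, with a Cloud Router and Cloud NAT providing outbound access to third-party internet services. Project ID, region, CIDR ranges and resource names are assumed placeholders.

```hcl
# Added example: private GKE cluster + Cloud NAT (option A).
# All project, region, CIDR and resource names here are assumed placeholders.

variable "project_id" { default = "my-project-id" } # placeholder
variable "region"     { default = "us-central1" }   # assumed region

provider "google" {
  project = var.project_id
  region  = var.region
}

resource "google_compute_network" "vpc" {
  name                    = "gke-private-vpc"
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "gke" {
  name                     = "gke-private-subnet"
  region                   = var.region
  network                  = google_compute_network.vpc.id
  ip_cidr_range            = "10.10.0.0/20"
  private_ip_google_access = true # Google APIs reachable without public IPs; not needed for third-party sites

  secondary_ip_range {
    range_name    = "pods"
    ip_cidr_range = "10.20.0.0/16"
  }
  secondary_ip_range {
    range_name    = "services"
    ip_cidr_range = "10.30.0.0/20"
  }
}

resource "google_container_cluster" "private" {
  name       = "private-gke"
  location   = var.region
  network    = google_compute_network.vpc.id
  subnetwork = google_compute_subnetwork.gke.id

  remove_default_node_pool = true
  initial_node_count       = 1
  networking_mode          = "VPC_NATIVE"

  ip_allocation_policy {
    cluster_secondary_range_name  = "pods"
    services_secondary_range_name = "services"
  }

  private_cluster_config {
    enable_private_nodes    = true  # nodes get internal IPs only: satisfies the no-public-IP policy
    enable_private_endpoint = false # control plane keeps its public endpoint for kubectl access
    master_ipv4_cidr_block  = "172.16.0.0/28"
  }
}

resource "google_container_node_pool" "primary" {
  name       = "primary"
  location   = var.region
  cluster    = google_container_cluster.private.name
  node_count = 1

  node_config {
    machine_type = "e2-standard-4"
    # No external IPs are assigned because enable_private_nodes is true on the cluster.
  }
}

# Cloud Router + Cloud NAT give the private nodes (and pods) outbound internet access.
resource "google_compute_router" "nat_router" {
  name    = "gke-nat-router"
  region  = var.region
  network = google_compute_network.vpc.id
}

resource "google_compute_router_nat" "nat" {
  name                               = "gke-nat"
  router                             = google_compute_router.nat_router.name
  region                             = var.region
  nat_ip_allocate_option             = "AUTO_ONLY"
  source_subnetwork_ip_ranges_to_nat = "LIST_OF_SUBNETWORKS"

  subnetwork {
    name                    = google_compute_subnetwork.gke.id
    source_ip_ranges_to_nat = ["ALL_IP_RANGES"] # primary range plus the pods secondary range
  }

  log_config {
    enable = true
    filter = "ERRORS_ONLY" # NAT translation failures (e.g. port exhaustion) are logged here
  }
}
```

After `terraform apply`, `gcloud compute instances list` for the project should show an empty EXTERNAL_IP column for every node, while a pod can still reach third-party endpoints through the NAT gateway's address. Inbound connections from the internet to the nodes remain impossible, since NAT only translates connections initiated from inside the VPC.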