You are configuring the cloud network architecture for a newly created project in Google Cloud that will host applications in Compute Engine. Compute Engine virtual machine instances will be created in two different subnets (sub-a and sub-b) within a single region:
• Instances in sub-a will have public IP addresses.
• Instances in sub-b will have only private IP addresses.
To download updated packages, instances must connect to a public repository outside the boundaries of Google Cloud. You need to allow sub-b to access the external repository. What should you do?
A. Enable Private Google Access on sub-b.
B. Configure Cloud NAT and select sub-b in the NAT mapping section.
C. Configure a bastion host instance in sub-a to connect to instances in sub-b.
D. Enable Identity-Aware Proxy for TCP forwarding for instances in sub-b.
Disclaimer
This is a practice question. There is no guarantee that this question will appear in the certification exam.
Answer
B
Explanation
A. Enable Private Google Access on sub-b.
(It doesn’t make sense: Private Google Access allows you to access Google APIs without an external IP, which doesn’t solve the problem.)
B. Configure Cloud NAT and select sub-b in the NAT mapping section.
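(Straightforward: Cloud NAT gives instances without external IP addresses outbound access to the internet, and the NAT mapping limits it to sub-b.)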
C. Configure a bastion host instance in sub-a to connect to instances in sub-b.
(A bastion host serves the opposite purpose: administrative access from the outside to a machine that has no external IP, not outbound access from a machine without an external IP.)
D. Enable Identity-Aware Proxy for TCP forwarding for instances in sub-b.
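(It doesn’t make sense: IAP TCP forwarding provides inbound administrative access to instances, not outbound access to the internet.)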