You are hosting an application on bare-metal servers in your own data center.
The application needs access to Cloud Storage.
However, security policies prevent the servers hosting the application from having public IP addresses or access to the internet.
You want to follow Google-recommended practices to provide the application with access to Cloud Storage.
What should you do?
Click on the arrows to vote for the correct answer
A. B. C. D.C.
The correct answer is D.
Explanation:
Option A suggests using nslookup to get the IP address for storage.googleapis.com and then negotiating with the security team to give public IP addresses to the servers. This option violates the security policies preventing the servers from having public IP addresses or internet access, and therefore is not a viable solution.
Option B suggests creating a VPN tunnel to a VPC in Google Cloud and configuring a Squid proxy server on a Compute Engine instance to access Cloud Storage. This option requires additional infrastructure and is not the most optimal solution.
Option C suggests using Migrate for Compute Engine to move the servers to Compute Engine, creating an internal load balancer that uses storage.googleapis.com as a backend, and configuring the new instances to use this ILB as a proxy. This option also requires additional infrastructure and is not the most optimal solution.
Option D suggests using Cloud VPN or Interconnect to create a tunnel to a VPC in Google Cloud, creating a custom route advertisement for 199.36.153.4/30, and configuring the DNS server to resolve *.googleapis.com as a CNAME to restricted.googleapis.com. This option is the most viable and secure solution.
Here's how this solution works:
Using Cloud VPN or Interconnect, create a tunnel to a VPC in Google Cloud. Cloud VPN or Interconnect can be used to establish a secure and reliable connection between the on-premises data center and Google Cloud.
Use Cloud Router to create a custom route advertisement for 199.36.153.4/30. Announce that network to your on-premises network through the VPN tunnel. Cloud Router is a Google Cloud service that enables dynamic route advertisement and path selection for VPC networks. By creating a custom route advertisement for 199.36.153.4/30 and announcing it to the on-premises network through the VPN tunnel, the on-premises servers can reach the Cloud Storage service using the internal IP address.
In your on-premises network, configure your DNS server to resolve *.googleapis.com as a CNAME to restricted.googleapis.com. By configuring the DNS server to resolve *.googleapis.com as a CNAME to restricted.googleapis.com, the on-premises servers can reach the Cloud Storage service using the internal IP address without needing internet access.
In summary, by using Cloud VPN or Interconnect, Cloud Router, and DNS configuration, the on-premises servers can securely access Cloud Storage without requiring public IP addresses or internet access. This solution is in line with Google-recommended practices for accessing Cloud Storage from on-premises data centers.