Securing Compute Engine Instances in Google Cloud VPC

Preventing Public Internet Traffic to Compute Engine Instance in Google Cloud VPC

Question

Your company has workloads running on Compute Engine and on-premises.

The Google Cloud Virtual Private Cloud (VPC) is connected to your WAN over a Virtual Private Network (VPN).

You need to deploy a new Compute Engine instance and ensure that no public Internet traffic can be routed to it.

What should you do?

Answers

Explanations



B.

Get private access to Google services, such as storage, big data, analytics, or machine learning, without having to give your service a public IP address.

https://cloud.google.com/vpc

To deploy a new Compute Engine instance and ensure that no public Internet traffic can be routed to it, you should create the instance without a public IP address. This will ensure that the instance can only be accessed via the internal IP address within the VPC network and over the VPN tunnel to the on-premises network.

Option A: Create the instance without a public IP address.

This option is correct as it ensures that the instance has no external IP address and can only be accessed via the internal IP address within the VPC network and over the VPN tunnel to the on-premises network.

Option B: Create the instance with Private Google Access enabled.

This option is not the correct choice as enabling Private Google Access would allow the instance to reach Google APIs and services over the Internet, which is not desired in this scenario.

Option C: Create a deny-all egress firewall rule on the VPC network.

This option is not the correct choice as creating a deny-all egress firewall rule on the VPC network would block all outgoing traffic from the instance, including traffic over the VPN tunnel to the on-premises network.

Option D: Create a route on the VPC to route all traffic to the instance over the VPN tunnel.

This option is not the correct choice as it would not prevent public Internet traffic from being routed to the instance if it had a public IP address assigned to it.

In summary, creating the instance without a public IP address is the correct choice to ensure that no public Internet traffic can be routed to it.
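The explanation turns on one property of the instance: none of its network interfaces carries an external address. On the CLI this is `gcloud compute instances create NAME --no-address` (an instance without an access config on its NIC gets no external IP). The following check, added here as an example and not code from Google or from the original page, audits instance resources in the JSON shape returned by the Compute Engine API (or `gcloud compute instances list --format=json`) and reports every network interface that has an external IP attached through an access config. The two sample instances are constructed for illustration.

```python
"""Audit Compute Engine instance resources for external (public) IP addresses.

Added example (not from the original page). Operates on the Compute Engine API
instance resource shape: a network interface carries an `accessConfigs` entry of
type ONE_TO_ONE_NAT only when an external IP is attached to it. Sample data below
is constructed.
"""
import json

# Constructed sample: one internal-only instance (the correct deployment) and one
# that was created with an external IP attached via an access config.
SAMPLE_INSTANCES_JSON = r'''
[
  {
    "name": "app-internal-1",
    "zone": "https://www.googleapis.com/compute/v1/projects/example-proj/zones/us-central1-a",
    "networkInterfaces": [
      {"name": "nic0", "networkIP": "10.128.0.5"}
    ]
  },
  {
    "name": "app-exposed-2",
    "zone": "https://www.googleapis.com/compute/v1/projects/example-proj/zones/us-central1-a",
    "networkInterfaces": [
      {
        "name": "nic0",
        "networkIP": "10.128.0.6",
        "accessConfigs": [
          {"type": "ONE_TO_ONE_NAT", "name": "External NAT", "natIP": "203.0.113.10"}
        ]
      }
    ]
  }
]
'''


def external_ips(instance):
    """Return (interface name, external IP) pairs for every public address on one instance."""
    found = []
    for nic in instance.get("networkInterfaces", []):
        for cfg in nic.get("accessConfigs", []):
            # ONE_TO_ONE_NAT is the access-config type that maps an external IP onto
            # the interface; a NIC with no such entry is reachable only on its
            # internal address (VPC network and VPN-connected on-premises ranges).
            if cfg.get("type") == "ONE_TO_ONE_NAT":
                found.append((nic.get("name", "?"), cfg.get("natIP", "<ephemeral, not yet assigned>")))
    return found


def audit(instances_json):
    """Return {instance name: [(nic, ip), ...]} for every instance that has a public IP."""
    findings = {}
    for inst in json.loads(instances_json):
        ips = external_ips(inst)
        if ips:
            findings[inst["name"]] = ips
    return findings


if __name__ == "__main__":
    for name, ips in audit(SAMPLE_INSTANCES_JSON).items():
        for nic, ip in ips:
            print(f"{name}: {nic} has external IP {ip}; remove the access config or recreate with --no-address")
```

Run against real output by replacing `SAMPLE_INSTANCES_JSON` with the text of `gcloud compute instances list --format=json`; any instance the audit reports is reachable from the public Internet regardless of Private Google Access, firewall egress rules or routes, which is exactly why option A is the one that addresses the requirement.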