Securing Analytics Workloads on Google Cloud Platform - Best Practices | PCSE Exam

Securing Analytics Workloads on Google Cloud Platform

Question

A customer is running an analytics workload on Google Cloud Platform (GCP) where Compute Engine instances are accessing data stored on Cloud Storage.

Your team wants to make sure that this workload will not be able to access, or be accessed from, the internet.

Which two strategies should your team use to meet these requirements? (Choose two.)

Answers

Explanations


BE.

The customer has a requirement to restrict internet access to their analytics workload running on GCP, specifically the Compute Engine instances accessing data stored on Cloud Storage. The following are two strategies that can be used to meet these requirements:

A. Configure Private Google Access on the Compute Engine subnet: Private Google Access allows VM instances that have only internal IP addresses to reach Google APIs and services, including Cloud Storage. With this option, traffic for those services leaves the VPC only as far as Google's edge network and is routed to the intended Google service from there, so it never traverses the public internet. By enabling Private Google Access on the Compute Engine subnet, the instances can read the Cloud Storage data over internal addressing and need no route to the internet at all, which removes the main reason the workload would otherwise require external connectivity.

B. Avoid assigning public IP addresses to the Compute Engine cluster: By avoiding the assignment of public IP addresses to the Compute Engine instances, the workload will be isolated from the internet. Compute Engine instances without a public IP address can only be accessed from within the VPC network. With this option, all traffic to and from the Compute Engine instances must go through the internal network, thereby restricting internet access.

C. Make sure that the Compute Engine cluster is running on a separate subnet: By running the Compute Engine instances on a separate subnet, the instances can be isolated from the rest of the VPC network. A separate subnet can be used to apply different firewall rules, routing policies, and access controls than the rest of the VPC network. By restricting access to the subnet to authorized users or applications only, the workload can be protected from unauthorized access. Subnet separation alone, however, says nothing about whether the instances have external IP addresses or a default route to the internet, so it does not by itself satisfy the requirement.

D. Turn off IP forwarding on the Compute Engine instances in the cluster: By turning off IP forwarding on the Compute Engine instances, the instances will not be able to forward traffic to other destinations, including the internet. This will help prevent the workload from accessing or being accessed from the internet. Note, though, that IP forwarding only governs packets an instance relays on behalf of other hosts; it does not stop the instance's own traffic from reaching the internet when the instance has an external IP address, which is why this option is not one of the two selected.

E. Configure a Cloud NAT gateway: A Cloud NAT gateway allows Compute Engine instances without public IP addresses to access the internet. With this option, Compute Engine instances can send and receive traffic to and from the internet through the Cloud NAT gateway. However, this option does not fully meet the requirement to restrict internet access to the analytics workload since the Compute Engine instances will still have access to the internet.

In summary, the best two strategies to meet the customer's requirements are:

A. Configure Private Google Access on the Compute Engine subnet.
B. Avoid assigning public IP addresses to the Compute Engine cluster.
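As an added example (not part of the exam page or any Google tooling), the following audit script checks the two selected controls against instance and subnet descriptions in the shape the Compute Engine API returns (the `networkInterfaces[].accessConfigs` and `privateIpGoogleAccess` fields as printed by `gcloud ... describe --format=json`); the resource names and addresses are constructed sample data.

```python
"""Audit Compute Engine instances for the two controls chosen above:
no external IP on the instance (answer B) and Private Google Access
enabled on the subnet it sits in (answer A).

Field names follow the Compute Engine API JSON; the resources below are
constructed samples, not real project data."""

SUBNET_PREFIX = "projects/example-project/regions/us-central1/subnetworks/"

# Constructed subnet descriptions keyed by subnet name.
SUBNETS = {
    "analytics-subnet": {"privateIpGoogleAccess": True},
    "legacy-subnet": {"privateIpGoogleAccess": False},
}

# Constructed instance descriptions.
INSTANCES = [
    {   # compliant: internal IP only, subnet has Private Google Access
        "name": "worker-1",
        "networkInterfaces": [{"subnetwork": SUBNET_PREFIX + "analytics-subnet",
                               "networkIP": "10.0.1.5"}],
    },
    {   # non-compliant: an access config means an external (NAT) IP
        "name": "worker-2",
        "networkInterfaces": [{"subnetwork": SUBNET_PREFIX + "analytics-subnet",
                               "networkIP": "10.0.1.6",
                               "accessConfigs": [{"type": "ONE_TO_ONE_NAT",
                                                  "natIP": "203.0.113.7"}]}],
    },
    {   # non-compliant: no external IP, but the subnet lacks Private
        # Google Access, so Cloud Storage is unreachable without internet egress
        "name": "worker-3",
        "networkInterfaces": [{"subnetwork": SUBNET_PREFIX + "legacy-subnet",
                               "networkIP": "10.0.2.5"}],
    },
]


def audit_instance(instance, subnets):
    """Return a list of findings for one instance; an empty list means compliant."""
    findings = []
    for nic in instance.get("networkInterfaces", []):
        subnet_name = nic["subnetwork"].rsplit("/", 1)[-1]
        # Any access config on a NIC grants the instance an external IP address.
        if nic.get("accessConfigs"):
            findings.append("external IP assigned")
        if not subnets.get(subnet_name, {}).get("privateIpGoogleAccess", False):
            findings.append(f"subnet {subnet_name} lacks Private Google Access")
    return findings


def audit_all(instances, subnets):
    """Map each instance name to its findings."""
    return {inst["name"]: audit_instance(inst, subnets) for inst in instances}


if __name__ == "__main__":
    for name, findings in audit_all(INSTANCES, SUBNETS).items():
        print(name, "OK" if not findings else "; ".join(findings))
```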