Google Cloud Exam: Professional Cloud Architect

Maintaining Data Security and Network Management for Compute Engine Instances

Question

Your company has a networking team and a development team.

The development team runs applications on Compute Engine instances that contain sensitive data.

The development team requires administrative permissions for Compute Engine.

Your company requires all network resources to be managed by the networking team.

The development team does not want the networking team to have access to the sensitive data on the instances.

What should you do?

Answers

Explanations


C.

https://cloud.google.com/vpc/docs/shared-vpc

The scenario in the question requires separation of duties between the networking team and the development team, while ensuring that the development team has administrative permissions for Compute Engine instances that contain sensitive data. Additionally, the networking team should manage all network resources while not having access to the sensitive data on the instances.

Option A suggests creating two separate projects, each with a standalone VPC, and assigning roles to the networking and development teams accordingly. Cloud VPN is used to connect the two VPCs. However, this solution is not optimal as it requires additional configuration for networking, and may also result in increased latency due to traffic passing through a VPN tunnel.

Option B suggests creating a single project with a standalone VPC, and assigning both the Network Admin and Compute Admin roles to the respective teams. However, this solution does not enforce the required separation of duties between the networking and development teams.

Option C suggests using a Shared VPC. A Shared VPC allows for separation of duties between teams while sharing network resources. The networking team can manage the Shared VPC, and the development team can create Compute Engine instances in the Shared VPC without the networking team having access to the sensitive data on the instances. The development team can be assigned the Compute Admin role for the Shared VPC service project, and the networking team can be assigned the Network Admin role for the Shared VPC host project.

Option D suggests creating two separate projects, each with a standalone VPC, and assigning roles to the networking and development teams accordingly. VPC peering is used to connect the two VPCs. However, this solution is not optimal as it also requires additional configuration for networking, and may result in increased latency due to traffic passing through the peering connection.

Therefore, the best solution for this scenario is Option C, using a Shared VPC.
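As an added illustration of the Option C model (not part of the original explanation), the following Python script audits exported IAM policies for the separation of duties described above: the networking team holds Network Admin on the host project, the development team holds Compute Admin on the service project, and neither team holds a role in the other's project that would cross that boundary. The group names, the sample policies and the list of instance-data-reaching roles are assumptions constructed for the example; the policy shape matches `gcloud projects get-iam-policy --format=json`.

```python
import json

# Roles that let a principal reach instance contents (VM admin, OS login, or the
# broad primitive roles). Assumed list for this example; adjust to your org's roles.
DATA_REACHING_ROLES = {
    "roles/owner", "roles/editor", "roles/compute.admin",
    "roles/compute.instanceAdmin", "roles/compute.instanceAdmin.v1",
    "roles/compute.osAdminLogin", "roles/compute.osLogin",
}
# Roles that let a principal manage network resources in the host project.
NETWORK_ROLES = {"roles/compute.networkAdmin", "roles/compute.securityAdmin",
                 "roles/compute.xpnAdmin"}


def roles_for(policy, member):
    """Return the set of roles bound directly to `member` in a get-iam-policy document."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def check_separation(host_policy, service_policy, net_team, dev_team):
    """Return a list of violations of the Shared VPC separation-of-duties model.

    Only direct project-level bindings are examined; bindings inherited from a
    folder or the organization must be checked separately.
    """
    violations = []
    net_in_service = roles_for(service_policy, net_team) & DATA_REACHING_ROLES
    if net_in_service:
        violations.append(f"networking team can reach instance data in service project via {sorted(net_in_service)}")
    dev_in_host = roles_for(host_policy, dev_team) & NETWORK_ROLES
    if dev_in_host:
        violations.append(f"development team can manage network resources in host project via {sorted(dev_in_host)}")
    if "roles/compute.networkAdmin" not in roles_for(host_policy, net_team):
        violations.append("networking team lacks roles/compute.networkAdmin on host project")
    if "roles/compute.admin" not in roles_for(service_policy, dev_team):
        violations.append("development team lacks roles/compute.admin on service project")
    return violations


# Constructed sample policies (not exported from any real project).
# The dev team gets Network User on the host project so it can place instances on shared subnets.
HOST_POLICY = json.loads("""{"bindings": [
  {"role": "roles/compute.networkAdmin", "members": ["group:net-team@example.com"]},
  {"role": "roles/compute.networkUser", "members": ["group:dev-team@example.com"]}]}""")
SERVICE_POLICY_OK = json.loads("""{"bindings": [
  {"role": "roles/compute.admin", "members": ["group:dev-team@example.com"]}]}""")
SERVICE_POLICY_BAD = json.loads("""{"bindings": [
  {"role": "roles/compute.admin", "members": ["group:dev-team@example.com"]},
  {"role": "roles/compute.osAdminLogin", "members": ["group:net-team@example.com"]}]}""")

if __name__ == "__main__":
    for name, pol in (("ok", SERVICE_POLICY_OK), ("bad", SERVICE_POLICY_BAD)):
        print(name, check_separation(HOST_POLICY, pol, "group:net-team@example.com", "group:dev-team@example.com"))
```

The "bad" policy reports one violation because the networking team has been granted OS admin login on the service project, which defeats the data-isolation goal even though the network roles are still correct.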