Exam Professional Data Engineer topic 1 question 253 discussion

- Private Google Access for services allows VM instances with only internal IP addresses in a VPC network or on-premises networks (via Cloud VPN or Cloud Interconnect) to reach Google APIs and services. - When you launch a Dataflow job, you can specify that it should use worker instances without external IP addresses if Private Google Access is enabled on the subnetwork where these instances are launched. - This way, your Dataflow workers will be able to access Cloud Storage and BigQuery without violating the organizational constraint of no external IPs.

No way it is C. Like the use case for Google VPC Service Controls perimeter is not to establish secure connectivity on its own but rather to control connectivity, like allowing vms within x premise to access, and blocking vms outside premise even if in same VPC from access. D on the other hand is completely sensical.

According to this documentation: https://cloud.google.com/vpc-service-controls/docs/overview I think the correct answer is C. Take into account the phrase "organizational constraint" and the VPC Service Control allow you to do that.

https://cloud.google.com/vpc/docs/private-google-access "VM instances that only have internal IP addresses (no external IP addresses) can use Private Google Access. They can reach the external IP addresses of Google APIs and services."

It should be C

Option D, as GCP001 said

https://cloud.google.com/dataflow/docs/guides/routes-firewall

C. Create a VPC Service Controls perimeter that contains the VPC network and add Dataflow, Cloud Storage, and BigQuery as allowed services in the perimeter. Use Dataflow with only internal IP addresses.