Exam Associate Cloud Engineer topic 1 question 60 discussion

I believe it's A. It's never mentioned in the question that traffic cannot go through the Internet but it's mentioned that effort should be minimized. A requires a lot less effort than C to accomplish the same (no VPC peering, per example).

i think C is better solution, the solution A pass trafic trought public internet, also C by internal network and the "no overlap ips" in the statament suggest that.

A. 1. In GKE, create a Service of type LoadBalancer that uses the application's Pods as backend. 2. Set the service's externalTrafficPolicy to Cluster. 3. Configure the Compute Engine instance to use the address of the load balancer that has been created. Why Other Options Are Incorrect: B: Using a proxy instance with multiple network interfaces and iptables for forwarding traffic is unnecessarily complex and requires significant manual configuration and maintenance. C: Creating an internal load balancer and peering the VPCs requires additional setup for VPC peering and route configurations. This violates the requirement to minimize effort. D: Adding a Cloud Armor Security Policy is unnecessary for this use case. Furthermore, the Compute Engine instance is in a different VPC, so using internal IPs of the GKE nodes is not possible without peering.

C is the correct answer. Reference: https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing-across-vpc-net

Correct Answer: A

Here's why Option A might be preferred over Option C: Simplicity: Option A requires creating a LoadBalancer service in GKE and configuring the Compute Engine instance to use the load balancer's address. This is a straightforward setup and does not involve additional networking configurations. Reduced Complexity: Peering two VPCs involves setting up and managing VPC peering configurations, which can be complex, especially if there are overlapping IP ranges. It also requires additional permissions and coordination between different teams. Direct Connectivity: Option A provides direct connectivity between the Compute Engine instance and the application running in GKE through the load balancer. Peering VPCs might introduce additional network hops, potentially impacting latency and network performance. Scalability and Flexibility: Using a LoadBalancer service in GKE allows for scalability and flexibility, as the load balancer can automatically scale to handle increased traffic and can be easily configured to adapt to changing requirements.

Not A, exposing the service with an external LoadBalancer (externalTrafficPolicy set to Cluster) and not peering VPCs or using an internal load balancer unnecessarily exposes the service to the internet, which is not required for inter-VPC communication and could lead to security concerns. All the details in the question are pushing to answer C.

Option A suggests creating an external LoadBalancer. This is not the most efficient method because you're exposing your GKE application to the internet just to allow communication between two internal resources. Option C suggests creating an internal LoadBalancer, which is the right approach. By using an internal LoadBalancer, the service is only exposed within the Google Cloud environment and won't be accessible from the internet. Peering the two VPCs ensures the two resources can communicate across the VPCs.

C. 1. In GKE, create a Service of type LoadBalancer that uses the application's Pods as backend. 2. Add an annotation to this service: cloud.google.com/load-balancer-type: Internal 3. Peer the two VPCs together. 4. Configure the Compute Engine instance to use the address of the load balancer that has been created.

Correct Answer is C Option A suggests setting the service's externalTrafficPolicy to Cluster. While this is a valid configuration, it's not directly related to the scenario described. In the given scenario, the goal is to connect a Compute Engine instance from a different VPC to the application running in GKE. This involves networking configurations, peering the VPCs, and potentially setting up a LoadBalancer. Setting the externalTrafficPolicy to Cluster primarily affects how traffic is balanced across Pods within the cluster, but it doesn't directly address the requirement of connecting an external instance from a different VPC.

Minimal effort is the point.

Option C.

A is not correct Because the GKE cluster and the instance are not in the same vpc , so without vpc peering traffic can't be established . C is the correct answer. Traffic still internal not exposed to internet , as they mentioned creating internal tcp loadbalancer not public one and created vpc peering . so no additional steps are needed.

Correct is C please refer https://www.youtube.com/watch?v=qx8PEmxKYzg

The answer is C as two VPC needed to Peer first

same region, but in another Virtual Private Cloud (VPC), called gce-network, that has no overlapping IP ranges with the first VPC.... need to read question again and again

peering is lot easier effort but with dependent on not having overlapping IPs and that was clearly stated on the question. So C without any doubt is the correct answer here IMO.