
Exam Professional Cloud Architect topic 4 question 7 discussion

Actual exam question from Google's Professional Cloud Architect
Question #: 7
Topic #: 4

For this question, refer to the EHR Healthcare case study. You are responsible for designing the Google Cloud network architecture for Google Kubernetes Engine. You want to follow Google best practices. Considering the EHR Healthcare business and technical requirements, what should you do to reduce the attack surface?

  • A. Use a private cluster with a private endpoint with master authorized networks configured.
  • B. Use a public cluster with firewall rules and Virtual Private Cloud (VPC) routes.
  • C. Use a private cluster with a public endpoint with master authorized networks configured.
  • D. Use a public cluster with master authorized networks enabled and firewall rules.
Suggested Answer: A

Comments

jask
Highly Voted 3 years, 2 months ago
It should be A. Public endpoint access disabled is the most secure option as it prevents all internet access to the control plane. This is a good choice if you have configured your on-premises network to connect to Google Cloud using Cloud Interconnect (EHR has enabled this) or Cloud VPN. If you disable public endpoint access, then you must configure authorized networks for the private endpoint. If you don't do this, you can only connect to the private endpoint from cluster nodes or VMs in the same subnet as the cluster. Public endpoint access enabled, authorized networks enabled: This is a good choice if you need to administer the cluster from source networks that are not connected to your cluster's VPC network using Cloud Interconnect or Cloud VPN (but EHR is already using Interconnect). So answer C is wrong. Reference: https://cloud.google.com/kubernetes-engine/docs/concepts/private-cluster-concept
upvoted 69 times
turbo8p
2 years ago
Agreed with this answer, but just one thing to point out. I can't find any info mentioning that "EHR is already using interconnect". So this should not be used as the main factor to make a decision.
upvoted 2 times
...
bogdant
2 years, 10 months ago
I agree with @Jask's answer above. According to the documentation, answer A is the most secure and in my opinion correct: "Public endpoint access disabled: This is the most secure option as it prevents all internet access to the control plane. This is a good choice if you have configured your on-premises network to connect to Google Cloud using Cloud Interconnect or Cloud VPN." I just don't understand why so many people voted C. Ref: https://cloud.google.com/kubernetes-engine/docs/concepts/private-cluster-concept#overview
upvoted 2 times
Begum
2 years, 1 month ago
Configure NAT as master authorized networks
upvoted 1 times
...
...
BalaGCPArch
1 year, 12 months ago
"Customer-facing applications are web-based, and many have recently been containerized to run on a group of Kubernetes clusters." This statement in the case study tells us it needs to be public, so I assume the answer should be A.
upvoted 3 times
...
...
victory108
Highly Voted 3 years, 3 months ago
A. Use a private cluster with a private endpoint with master authorized networks configured. --> Private clusters run nodes without external IP addresses, and optionally run their cluster control plane without a publicly-reachable endpoint. Additionally, private clusters do not allow Google Cloud IP addresses to access the control plane endpoint by default. Using private clusters with authorized networks makes your control plane reachable only by the allowed CIDRs, by nodes within your cluster's VPC, and by Google's internal production jobs that manage your control plane.
upvoted 8 times
...
192dcc7
Most Recent 2 months, 1 week ago
Selected Answer: A
They do not have Interconnect today. But considering the high-performance network requirements it will be Interconnect. If Interconnect is there, there is no reason to have a public endpoint enabled for cluster management. A public endpoint is never enabled on a cloud system (for almost any service) for any medium/large scale enterprise.
upvoted 1 times
...
someone2011
1 year, 2 months ago
A: https://cloud.google.com/kubernetes-engine/docs/concepts/private-cluster-concept Public endpoint access disabled: This is the most secure option as it prevents all internet access to the control plane. This is a good choice if you have configured your on-premises network to connect to Google Cloud using Cloud Interconnect or Cloud VPN. If you disable public endpoint access, then you must configure authorized networks for the private endpoint. If you don't do this, you can only connect to the private endpoint from cluster nodes or VMs in the same subnet as the cluster.
upvoted 1 times
...
BiddlyBdoyng
1 year, 5 months ago
A seems the most secure as it's the only option that makes access to the control plane private, using authorized networks to limit access even further. Although the nodes are private, the pods can still be accessed via an externally exposed service: "An external client with a source IP address on the internet can connect to an external Service of type LoadBalancer".
upvoted 1 times
...
JC0926
1 year, 7 months ago
Selected Answer: A
A. Use a private cluster with a private endpoint with master authorized networks configured. Using a private cluster with a private endpoint and master authorized networks configured is the best way to reduce the attack surface in Google Kubernetes Engine (GKE). A private cluster ensures that the nodes have private IP addresses, which are not accessible from the internet. The private endpoint allows access to the GKE API server only within the same VPC or through a secure connection (e.g., VPN or VPC peering). Configuring master authorized networks restricts access to the GKE control plane to specific CIDR blocks, further securing the environment and adhering to EHR Healthcare's business and technical requirements.
upvoted 4 times
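As an added example (not from the question or any commenter), a small Python checker that encodes the rules the commenters quote from the GKE private-cluster documentation and renders the matching gcloud command for options A and C; the cluster name, region, control-plane CIDR and sample address ranges are assumed values.

```python
import ipaddress
from dataclasses import dataclass, field

# RFC 1918 ranges: with public endpoint access disabled, the authorized
# networks must be internal addresses (GKE private-cluster documentation).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class ClusterNetworkConfig:
    name: str
    private_nodes: bool      # True: nodes have no external IP addresses
    private_endpoint: bool   # True: control plane has no public endpoint
    authorized_networks: list = field(default_factory=list)  # CIDR strings

def review(cfg: ClusterNetworkConfig) -> list:
    """Return findings that widen the attack surface; empty means option A."""
    findings = []
    if not cfg.private_nodes:
        findings.append("public cluster: nodes carry external IP addresses")
    if not cfg.private_endpoint:
        findings.append("control plane endpoint is reachable from the internet")
    if cfg.private_endpoint and not cfg.authorized_networks:
        findings.append("private endpoint without authorized networks: only cluster nodes "
                        "or VMs in the cluster subnet can reach the control plane")
    for cidr in cfg.authorized_networks:
        net = ipaddress.ip_network(cidr, strict=False)
        if cfg.private_endpoint and not any(net.subnet_of(r) for r in RFC1918):
            findings.append(f"{cidr} is not an internal range, which a private endpoint requires")
    return findings

def create_command(cfg: ClusterNetworkConfig, region: str, master_cidr: str) -> str:
    """Render the gcloud invocation for cfg (real gcloud flags; region and the
    control-plane CIDR are caller-supplied assumptions)."""
    parts = ["gcloud", "container", "clusters", "create", cfg.name,
             f"--region={region}", "--enable-ip-alias"]
    if cfg.private_nodes:
        parts += ["--enable-private-nodes", f"--master-ipv4-cidr={master_cidr}"]
    if cfg.private_endpoint:
        parts.append("--enable-private-endpoint")
    if cfg.authorized_networks:
        parts += ["--enable-master-authorized-networks",
                  "--master-authorized-networks=" + ",".join(cfg.authorized_networks)]
    return " ".join(parts)

# Constructed samples for options A and C: 10.0.0.0/8 stands in for the on-premises
# range reached over Interconnect/VPN, 203.0.113.0/24 (TEST-NET-3) for an office on the internet.
OPTION_A = ClusterNetworkConfig("ehr-gke", True, True, ["10.0.0.0/8"])
OPTION_C = ClusterNetworkConfig("ehr-gke", True, False, ["203.0.113.0/24"])
```

`review(OPTION_A)` returns no findings, while `review(OPTION_C)` flags the internet-reachable endpoint; `create_command(OPTION_A, "us-central1", "172.16.0.32/28")` shows the flags that implement option A.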
...
rr4444
1 year, 8 months ago
Selected Answer: C
C is correct. A is wrong because, despite what everyone is thinking, you cannot have a private endpoint for the control plane WITH authorised networks. It's a contradiction of ideas. The authorised networks are specifically to manage access to a public endpoint to only a set of RFC1918 addresses, for example. Which, ironically, is covered by the link that everyone is pasting referring to answer A: https://cloud.google.com/kubernetes-engine/docs/concepts/private-cluster-concept
upvoted 5 times
pigracer
1 year, 7 months ago
from the link: "If you disable public endpoint access, then you must configure authorized networks for the private endpoint. If you don't do this, you can only connect to the private endpoint from cluster nodes or VMs in the same subnet as the cluster. With this setting, authorized networks must be internal IP addresses." I combed through the documentation to see what you were saying but couldn't find it and only found this. So I think it's A
upvoted 7 times
...
...
Jeena345
1 year, 9 months ago
Selected Answer: A
Public endpoint access disabled is the most secure option as it prevents all internet access to the control plane. This is a good choice if you have configured your on-premises network to connect to Google Cloud using Cloud Interconnect (EHR has enabled this) or Cloud VPN. If you disable public endpoint access, then you must configure authorized networks for the private endpoint. If you don't do this, you can only connect to the private endpoint from cluster nodes or VMs in the same subnet as the cluster. Public endpoint access enabled, authorized networks enabled: This would be a good choice if you need to administer the cluster from source networks that are not connected to your cluster's VPC network (using Cloud Interconnect or Cloud VPN) but EHR is already using interconnect! Reference: https://cloud.google.com/kubernetes-engine/docs/concepts/private-cluster-concept
upvoted 2 times
...
RVivek
1 year, 9 months ago
Selected Answer: C
A private cluster will have only one endpoint, the private endpoint, and it is not possible to authorize any specific master network.
upvoted 1 times
...
tdotcat
1 year, 10 months ago
Selected Answer: A
A is good
upvoted 1 times
...
omermahgoub
1 year, 11 months ago
To reduce the attack surface and follow Google's best practices for network architecture in Google Kubernetes Engine, you should use a private cluster with a private endpoint and configure master authorized networks. Private clusters allow you to create clusters with nodes that are not reachable from the public internet. This reduces the attack surface by making it more difficult for an attacker to target the nodes. Additionally, by using a private endpoint and configuring master authorized networks, you can further restrict access to the cluster to only authorized users and networks. This helps to ensure that only authorized users and systems can access the cluster and helps to prevent unauthorized access.
upvoted 2 times
omermahgoub
1 year, 11 months ago
Using a public cluster with firewall rules and Virtual Private Cloud (VPC) routes may provide some level of security, but it does not provide the same level of protection as a private cluster. Similarly, using a private cluster with a public endpoint and master authorized networks can also provide some level of security, but it is not as secure as using a private cluster with a private endpoint and master authorized networks. In summary, to reduce the attack surface and follow best practices, it is recommended to use a private cluster with a private endpoint and configure master authorized networks.
upvoted 1 times
...
...
megumin
2 years ago
Selected Answer: A
A is ok
upvoted 1 times
...
Mahmoud_E
2 years, 1 month ago
Selected Answer: A
A is the best answer https://cloud.google.com/kubernetes-engine/docs/concepts/private-cluster-concept#overview
upvoted 1 times
...
abdelilahfa
2 years, 1 month ago
Selected Answer: C
Public endpoint access enabled, authorized networks enabled (recommended): This option provides restricted access to the control plane from source IP addresses that you define. This is a good choice if you don't have existing VPN infrastructure or have remote users or branch offices that connect over the public internet instead of the corporate VPN and Cloud Interconnect or Cloud VPN. https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#restrict_network_access_to_the_control_plane_and_nodes
upvoted 3 times
...
jabrrJ68w02ond1
2 years, 2 months ago
Selected Answer: A
I'll go with A as it is the most secure option. C would be more cost-effective for when EHR has no plans for Cloud Interconnect / VPN (which they do!).
upvoted 1 times
...
RitwickKumar
2 years, 3 months ago
Selected Answer: A
Why would we need access to the control plane from outside? It is better to keep everything private and expose the web/UI through an external ingress.
upvoted 3 times
...
cdcollector
2 years, 5 months ago
Putting an authorized network on a private endpoint is moot. Note: Authorized networks block untrusted IP addresses from outside Google Cloud. Addresses from inside Google Cloud (such as traffic from Compute Engine virtual machines (VMs), Cloud Functions and Cloud Run) can reach your control plane using HTTPS, provided that they have the necessary Kubernetes credentials.
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other