Exam Professional Cloud Architect topic 1 question 151 discussion

D is right , refer to https://cloud.google.com/vpc/docs/serverless-vpc-access#use_cases

D. Configuring serverless VPC access App Engine can connect to the VPC and then through VPN tunnel to the on-prem DB

App Engine Standard so Configuring serverless VPC access App Engine can connect to the VPC and then through VPN tunnel to the on-prem DB

The answer is D. The option B is for the other way. The option B is for the on-premise services to be able to use Google API through VPN

Answer is D. Here the explanation since I didn't see any good answer: 1- We have a VPC. 2- We have an onpremisses DB. 3- We have App Engine (that runs on a isolated network that does not belong to the VPC). 4- We can connect the VPC to the onpremisses network using Cloud VPN, which is the main purpose of Cloud VPN (let's say to simplify this answer). 5 - Now how we connect the AppEngine that is isolated from the VPC and needs to use "something" to reach out the onpremisses DB directly (no public ip, only private ip)? Here we will have to have somehow access to the VPC and then the VPN and then the on premisses DB. That is the serverless vpc access. 6- So flow can be something like app engine --> serverless vpc access --> cloud VPN ---> on premessises db through private ip.

D: Use cases ... Your serverless environment needs to access data from your on-premises database through Cloud VPN. https://cloud.google.com/vpc/docs/serverless-vpc-access#use_cases

Read this article: https://cloud.google.com/vpc/docs/serverless-vpc-access That makes me conclude for D.

It's App Engine Standard and VPN cannot be used with Standard version

That's the whole purpose of serverless google access

Private google service and private google access seem to provide same level of access: https://googlecloudarchitect.us/private-service-access-vs-google-private-access/ Based on elimination both can be eliminated. Hence D.

D is Right . You can use a Serverless VPC Access connector to let Cloud Run, App Engine standard, and Cloud Functions environments send packets to the internal IPv4 addresses of resources in a VPC network. Serverless VPC Access also supports sending packets to other networks connected to the selected VPC network.

Private Google Access (option B) is used to enable VM instances in a VPC network to reach Google APIs and services using an internal IP address, but it does not allow communication to on-premises resources. Private Services Access (option C) allows you to access supported Google Cloud services through private IP addresses rather than public IP addresses, but it does not help in communicating with on-premises resources. Configuring Private Google Access for on-premises hosts only (option A) is not a valid option as this configuration is not available.

C. Configure private services access. To enable an App Engine application to communicate with a database running in the company's on-premises environment over a VPC network that is fully connected to the company's on-premises environment through a Cloud VPN tunnel, the recommended approach is to use Private Service Access (PSA). Therefore, the correct answer is C. Configure private services access. Private Service Access (PSA) allows you to create private connections between your VPC network and services like Cloud SQL, Cloud Storage, and other Google APIs and services. With PSA, you can access these services using their private IP addresses, which are only accessible from within your VPC network, and not over the public internet. This provides better security and reduces the risk of data exfiltration or unauthorized access.

D is right. Configuring serverless VPC access is the option for app engine to have Google private access

You can use a Serverless VPC Access connector to let Cloud Run, App Engine standard, and Cloud Functions environments send packets to the internal IPv4 addresses of resources in a VPC network. Serverless VPC Access also supports sending packets to other networks connected to the selected VPC network. https://cloud.google.com/vpc/docs/private-access-options

Upvote if there was no mention of "serverless VPC access" in the training videos and study guides you used to prepare for this exam.

I am surprised 95% selected option D without understanding the use case. Very basic ask AppEngine ->Private Google Access->On-Prem DB Google Private Access to so enable any Services no matter running in VPC to connect to on-prem DB via VPN tunnel. https://cloud.google.com/vpc/docs/private-google-access-hybrid https://cloud.google.com/vpc/docs/configure-private-google-access-hybrid AppEngine -> Serveless-VPV-Access -> Any GCP Resources/Services(with private IPs)