Exam Cloud Digital Leader topic 1 question 29 discussion

Actual exam question from Google's Cloud Digital Leader
Question #: 29
Topic #: 1

Your organization runs all its workloads on Compute Engine virtual machine instances. Your organization has a security requirement: the virtual machines are not allowed to access the public internet. The workloads running on those virtual machines need to access BigQuery and Cloud Storage, using their publicly accessible interfaces, without violating the security requirement.
Which Google Cloud product or feature should your organization use?

  • A. Identity-Aware Proxy
  • B. Cloud NAT (network address translation)
  • C. VPC internal load balancers
  • D. Private Google Access
Suggested Answer: D

Comments

A_A_AB
Highly Voted 2 years, 10 months ago
Selected Answer: D
Agree with fpreli, the answer is D. According to the Google Documents >>> By default, when a Compute Engine VM lacks an external IP address assigned to its network interface, it can only send packets to other internal IP address destinations. You can allow these VMs to connect to the set of external IP addresses used by Google APIs and services by enabling Private Google Access on the subnet used by the VM's network interface. Besides, the security rules say no Internet access while NAT provides internet access. Google Private Access is like AWS VPC endpoint where you access GCP Public services without using Public Internet.
upvoted 31 times
...
harsh5kalsait
Most Recent 7 months, 2 weeks ago
Selected Answer: D
Agree, the answer is D. Virtual Private Google Access. Ref - https://cloud.google.com/vpc/docs/private-google-access
upvoted 2 times
...
Pearl81
10 months, 1 week ago
If it is a group of VMs with a specific IP range, then NAT works better. If there are VMs which don't fall within IP ranges, then PGA is the best choice. Remember PGA can be enabled via subnet change through a button click. So it is easy, simple, and free of cost too.
upvoted 2 times
...
Surek
10 months, 3 weeks ago
D is the answer
upvoted 1 times
...
madcloud32
10 months, 3 weeks ago
Selected Answer: D
D is correct. NAT is an option for securing an Internet connection, which is not asked. VM and other components are in cloud.
upvoted 2 times
...
sivakarthick16
11 months ago
Selected Answer: D
Private Google Access allows virtual machine instances in a VPC network to access Google Cloud services like BigQuery and Cloud Storage using internal IP addresses, without requiring public IP addresses or access to the public internet. By enabling Private Google Access, your organization can ensure that the workloads can securely access these services while adhering to the security requirement of not allowing access to the public internet.
upvoted 4 times
...
chai_gpt
1 year ago
Selected Answer: D
D is correct
upvoted 1 times
...
shares1998
1 year, 1 month ago
Selected Answer: D
D is right
upvoted 1 times
...
__rajan__
1 year, 1 month ago
Selected Answer: D
Private Google Access (PGA) allows you to access Google APIs and services from your on-premises network without exposing your workloads to the public internet. This is achieved by creating a private connection between your on-premises network and Google Cloud Platform (GCP).
upvoted 2 times
...
krischait
1 year, 1 month ago
Cloud NAT is a good option for organizations that need to allow their instances to access the internet, but want to protect them from unauthorized access. PGA is a good option for organizations that need to access Google APIs and services from their on-premises network without exposing their workloads to the public internet. Answer should be "D"
upvoted 3 times
...
mdsarfraz69
1 year, 1 month ago
Selected Answer: B
B is correct
upvoted 1 times
...
Lufly
1 year, 2 months ago
Selected Answer: D
Why it's not Cloud NAT? -> Cloud NAT: Cloud NAT is a service that allows you to access the public internet from your VMs. However, it does not allow you to control which services your VMs can access.
upvoted 4 times
...
prachisri
1 year, 3 months ago
Selected Answer: D
The document shared previously in this discussion is very useful to understand the difference between PGA and NAT. This document clearly mentions "if we know the VMs in the subnet would never connect to internet except Google’s services, GPA is a better choice due to quick setup and better security." Hence, my answer is also D.
upvoted 3 times
...
dnagasree
1 year, 3 months ago
Selected Answer: D
https://medium.com/@larry_nguyen/comparing-google-private-access-and-cloud-nat-cc43ddc9ce61 As per this article, PGA is sufficient to access the Google services and NAT internally uses PGA.
upvoted 1 times
...
kmeena
1 year, 3 months ago
Answer D. Google documentation - https://cloud.google.com/vpc/docs/private-google-access "VM instances that only have internal IP addresses (no external IP addresses) can use Private Google Access. They can reach the external IP addresses of Google APIs and services" -> since they need to access BigQuery and Cloud Storage services
upvoted 3 times
...
MinaGohari
1 year, 3 months ago
Selected Answer: D
D is correct
upvoted 1 times
...
yadusaxena
1 year, 3 months ago
Correct answer is B. Don't ask me why but
upvoted 2 times
...