Google Associate Cloud Engineer: Securely Access Cloud Storage from a Private VPC on Google Cloud

Learn how to enable secure access to a Cloud Storage bucket from an application running on Compute Engine VM instances within a private VPC, using Private Google Access.

Question

You have an application that runs on Compute Engine VM instances in a custom Virtual Private Cloud (VPC). Your company’s security policies only allow the use of internal IP addresses on VM instances and do not let VM instances connect to the internet. You need to ensure that the application can access a file hosted in a Cloud Storage bucket within your project. What should you do?

A. Enable Private Service Access on the Cloud Storage Bucket.
B. Add storage.googleapis.com to the list of restricted services in a VPC Service Controls perimeter and add your project to the list of protected projects.
C. Enable Private Google Access on the subnet within the custom VPC.
D. Deploy a Cloud NAT instance and route the traffic to the dedicated IP address of the Cloud Storage bucket.

Answer

C. Enable Private Google Access on the subnet within the custom VPC.

Explanation

The correct answer is C. Enable Private Google Access on the subnet within the custom VPC.

Private Google Access is a per-subnet setting that lets VM instances with only internal IP addresses reach Google APIs and services, including Cloud Storage. With it enabled, the instances need neither external IP addresses nor a route to the public internet.

To enable Private Google Access:

  1. Go to the VPC Network details page in the Google Cloud Console.
  2. Select the subnet where your Compute Engine instances are located.
  3. Click on “Edit” to modify the subnet settings.
  4. Under “Private Google Access,” select “On.”
  5. Save the changes.

Once Private Google Access is enabled on the subnet, the application running on the Compute Engine instances can reach the Cloud Storage bucket through its DNS name or the Cloud Storage REST API, still without an external IP address or internet access.
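An audit-style check for the two conditions the question turns on, added here as an example and not taken from the page or from Google's own tooling: is Private Google Access on for the subnet, and do the VMs on it really carry only internal IPs? The two JSON documents are constructed for this example but follow the shape of the Compute Engine subnetwork and instance resources as printed by `gcloud ... --format=json`; the `privateIpGoogleAccess` field, the `accessConfigs` NIC entry and the `--enable-private-ip-google-access` flag are real, while the project, subnet and VM names are assumptions.

```python
import json
from typing import Dict, List

# Constructed sample, shaped like the output of
#   gcloud compute networks subnets describe app-subnet --region us-central1 --format=json
# "privateIpGoogleAccess" is the real resource field; names and CIDR are made up.
SUBNET_JSON = """
{
  "name": "app-subnet",
  "region": "https://www.googleapis.com/compute/v1/projects/example-project/regions/us-central1",
  "ipCidrRange": "10.10.0.0/24",
  "privateIpGoogleAccess": false
}
"""

# Constructed sample, shaped like `gcloud compute instances list --format=json`.
# app-vm-2 carries an accessConfig, i.e. an external IP, which the policy forbids.
INSTANCES_JSON = """
[
  {"name": "app-vm-1",
   "networkInterfaces": [{"networkIP": "10.10.0.2",
                          "subnetwork": "regions/us-central1/subnetworks/app-subnet"}]},
  {"name": "app-vm-2",
   "networkInterfaces": [{"networkIP": "10.10.0.3",
                          "subnetwork": "regions/us-central1/subnetworks/app-subnet",
                          "accessConfigs": [{"type": "ONE_TO_ONE_NAT",
                                             "natIP": "203.0.113.10"}]}]}
]
"""


def pga_enabled(subnet: Dict) -> bool:
    """True when Private Google Access is switched on for the subnet."""
    return bool(subnet.get("privateIpGoogleAccess", False))


def region_name(subnet: Dict) -> str:
    """The region URL in the resource ends with the short region name."""
    return subnet["region"].rstrip("/").rsplit("/", 1)[-1]


def instances_with_external_ip(instances: List[Dict], subnet_name: str) -> List[str]:
    """Names of VMs on the given subnet whose NIC has an accessConfig (an external IP)."""
    offenders = []
    for inst in instances:
        for nic in inst.get("networkInterfaces", []):
            if not nic.get("subnetwork", "").endswith("/subnetworks/" + subnet_name):
                continue
            if nic.get("accessConfigs"):
                offenders.append(inst["name"])
                break
    return offenders


def enable_pga_command(subnet: Dict) -> str:
    """The gcloud command that turns Private Google Access on for the subnet."""
    return ("gcloud compute networks subnets update %s --region %s "
            "--enable-private-ip-google-access" % (subnet["name"], region_name(subnet)))


def audit(subnet_json: str, instances_json: str) -> Dict:
    """Combine both checks into one report with the remediation steps to take."""
    subnet = json.loads(subnet_json)
    instances = json.loads(instances_json)
    report = {
        "subnet": subnet["name"],
        "private_google_access": pga_enabled(subnet),
        "external_ip_instances": instances_with_external_ip(instances, subnet["name"]),
        "remediation": [],
    }
    if not report["private_google_access"]:
        report["remediation"].append(enable_pga_command(subnet))
    for name in report["external_ip_instances"]:
        report["remediation"].append(
            "review %s: external IP violates the internal-only policy" % name)
    return report


if __name__ == "__main__":
    print(json.dumps(audit(SUBNET_JSON, INSTANCES_JSON), indent=2))
```

Run against the sample data, the report flags the subnet as lacking Private Google Access, prints the `gcloud` command that enables it, and lists `app-vm-2` as carrying an external IP. Private Google Access only provides the network path; the instance's service account still needs an IAM role on the bucket before the file can actually be read.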

The other options are not suitable for this scenario:

A. Enabling Private Service Access on the Cloud Storage bucket is not sufficient, as it only controls access to the bucket from other VPC networks or on-premises networks connected via Cloud VPN or Cloud Interconnect.

B. Adding storage.googleapis.com to a VPC Service Controls perimeter is unnecessary, as Private Google Access allows access to Cloud Storage without needing a Service Perimeter.

D. Deploying a Cloud NAT instance is not required, as Private Google Access enables access to Google APIs and services without the need for a NAT gateway or public IP addresses.
