Mac
To whom it may concern
menu
Mac's Wiki|Docs / tech-reference / googlecloud / 2 / answer-by-gemini
print lock_open

Answer By Gemini

The correct answer is D. Here's why:

  • *D. 1. Using Cloud VPN or Interconnect, create a tunnel to a VPC in Google Cloud. 2. Use Cloud Router to create a custom route advertisement for 199.36.153.4/30. Announce that network to your on-premises network through the VPN tunnel. 3. In your on-premises network, configure your DNS server to resolve .googleapis.com as a CNAME to restricted.googleapis.com.**

This option utilizes Private Google Access for on-premises hosts. It establishes a private connection (VPN or Interconnect) to a VPC network. Then, it leverages Cloud Router to advertise specific IP ranges (like 199.36.153.4/30, which is a reserved block for Private Google Access) to your on-premises network. Finally, the DNS configuration ensures that requests to Google Cloud APIs are routed through the private connection. This approach satisfies the requirement of no public IP addresses or internet access for the servers while still allowing them to reach Cloud Storage.

Let's look at why the other options are incorrect:

  • A. 1. Use nslookup to get the IP address for storage.googleapis.com. 2. Negotiate with the security team to be able to give a public IP address to the servers. 3. Only allow egress traffic from those servers to the IP addresses for storage.googleapis.com. This violates the core requirement of no public IP addresses or internet access. While restricting egress traffic is a good security practice, it doesn't solve the fundamental problem. Also, IP addresses for Google services can change, making this approach unreliable.

  • B. 1. Using Cloud VPN, create a VPN tunnel to a Virtual Private Cloud (VPC) in Google Cloud. 2. In this VPC, create a Compute Engine instance and install the Squid proxy server on this instance. 3. Configure your servers to use that instance as a proxy to access Cloud Storage. While this could work, it's overly complex. It requires managing a proxy server (Squid) which adds operational overhead. Option D achieves the same goal more directly and efficiently.

  • C. 1. Use Migrate for Compute Engine (formerly known as Velostrata) to migrate those servers to Compute Engine. 2. Create an internal load balancer (ILB) that uses storage.googleapis.com as backend. 3. Configure your new instances to use this ILB as proxy. Migrating the servers is a drastic and unnecessary step. The problem is about connectivity, not server location. This option introduces significant complexity and cost without addressing the core issue in the most efficient way.

This page was last edited on 2025-02-04 12:30

Powered by Wiki|Docs

This page was last edited on 2025-02-04 12:30

Mac
To whom it may concern

Powered by Wiki|Docs