Securing Batch Processing System on VMs and Storing Output Files in Cloud Storage Bucket

Question

A customer wants to run a batch processing system on VMs and store the output files in a Cloud Storage bucket.

The networking and security teams have decided that no VMs may reach the public internet.

How should this be accomplished?

Explanations

B.

The requirement is to run a batch processing system on VMs and store the output files in a Cloud Storage bucket without allowing any VM to reach the public internet. Each option is evaluated against that requirement below:

Option A: Creating a firewall rule to block internet traffic from the VM

This option can be considered, but it is not a complete solution on its own: Cloud Storage is reached via public IP addresses, so a rule that blocks all internet traffic would also block the VMs' access to Cloud Storage.

Option B: Provisioning a NAT Gateway to access the Cloud Storage API endpoint

This option can be considered because a NAT Gateway lets the VMs reach external endpoints without exposing their internal IP addresses. The NAT Gateway can be configured to allow outbound traffic from the VMs to the Cloud Storage API endpoint, with that traffic routed through the gateway. Assigning the NAT Gateway a static IP address also makes it possible to allowlist only that IP in the firewall. This option provides the required connectivity to Cloud Storage while still maintaining the security of the VMs.

Option C: Enabling Private Google Access on the VPC

Private Google Access allows the VMs to access Google APIs and services over private IP addresses without having to traverse the internet. However, this option does not solve the issue of accessing Cloud Storage from the VMs, as Cloud Storage does not currently support Private Google Access.

Option D: No option provided.

Option E: Mounting a Cloud Storage bucket as a local filesystem on every VM

This option can also be considered, but it may not be the optimal solution for a batch processing system. Performance may suffer if the system has to transfer large files between the VMs and Cloud Storage over the network. Moreover, it requires mounting the Cloud Storage bucket on every VM, which adds operational complexity.

Therefore, the recommended solution is option B: Provision a NAT Gateway to access the Cloud Storage API endpoint.