Topic 1 Question 94
You deployed a hub-and-spoke architecture in your Google Cloud environment that uses VPC Network Peering to connect the spokes to the hub. For security reasons, you deployed a private Google Kubernetes Engine (GKE) cluster in one of the spoke projects with a private endpoint for the control plane. You configured authorized networks to be the subnet range where the GKE nodes are deployed. When you attempt to reach the GKE control plane from a different spoke project, you cannot access it. You need to allow access to the GKE control plane from the other spoke projects. What should you do?
A. Add a firewall rule that allows port 443 from the other spoke projects.
B. Enable Private Google Access on the subnet where the GKE nodes are deployed.
C. Configure the authorized networks to be the subnet ranges of the other spoke projects.
D. Deploy a proxy in the spoke project where the GKE nodes are deployed and connect to the control plane through the proxy.
Comments (9)
👍 7 jitu028 2022/12/08
Selected answer: D
Agree, D is right. To enable access such as in hub-and-spoke designs, create a proxy hosted in authorized IP address space, because VPC Network Peering is non-transitive.
👍 5 nosense 2022/12/11
In this case:
Spoke 1 <--peering--> Hub <--peering--> Spoke 2
The peering does not allow transitivity: https://cloud.google.com/vpc/docs/vpc-peering#specifications
"Only directly peered networks can communicate. Transitive peering is not supported. In other words, if VPC network N1 is peered with N2 and N3, but N2 and N3 are not directly connected, VPC network N2 cannot communicate with VPC network N3 over VPC Network Peering."
Answer D: it is the only way to achieve the communication.
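The proxy hop that option D describes, as an added example (not code from the question page, from the commenters, or from Google's documentation): a tinyproxy HTTP CONNECT proxy is deployed into the node subnet of the cluster's VPC, so its source address falls inside the configured authorized network, and clients in the hub or another spoke point kubectl's HTTPS_PROXY at it. All project, network, subnet, zone, range and address values below are hypothetical placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the question page or Google's docs: reach a private
# GKE control plane from a peered network through a CONNECT proxy that sits in
# the authorized node subnet. Every project/network/subnet/range/IP value here
# is a hypothetical placeholder.
set -eu

GKE_PROJECT="spoke1-project"        # hypothetical: project holding the private cluster
GKE_NETWORK="spoke1-vpc"            # hypothetical: the cluster's VPC (peered with the hub)
NODE_SUBNET="gke-nodes"             # hypothetical: the subnet listed in authorized networks
ZONE="europe-west1-b"               # hypothetical
PROXY_NAME="gke-master-proxy"       # hypothetical VM name
PROXY_PORT="8888"                   # tinyproxy's default listening port
CLIENT_RANGES="10.20.0.0/16 10.30.0.0/16"  # hypothetical: hub and other-spoke ranges allowed to use the proxy

# tinyproxy config: serve only the listed client ranges and only tunnel
# CONNECT to 443, which is all kubectl needs for the control plane.
tinyproxy_conf() {
  printf 'User tinyproxy\nGroup tinyproxy\nTimeout 600\nLogLevel Info\n'
  printf 'ConnectPort 443\nDisableViaHeader Yes\n'
  printf 'Port %s\n' "$PROXY_PORT"
  for r in "$@"; do printf 'Allow %s\n' "$r"; done
}

# HTTPS_PROXY value understood by kubectl (client-go honours the proxy env vars).
proxy_url() { printf 'http://%s:%s' "$1" "$2"; }

# Startup script for a Debian-based proxy VM: install tinyproxy, write the
# generated config, restart the service. CLIENT_RANGES is word-split on purpose.
startup_script() {
  echo '#!/bin/bash'
  echo 'set -e'
  echo 'apt-get update -qq && apt-get install -y -qq tinyproxy'
  echo "cat > /etc/tinyproxy/tinyproxy.conf <<'CONF'"
  tinyproxy_conf $CLIENT_RANGES
  echo 'CONF'
  echo 'systemctl restart tinyproxy'
}

# Create the proxy VM in the node subnet (no external address) and open the
# proxy port to the peered client ranges. The control plane already accepts
# this subnet through the authorized-networks setting; only the proxy VM's
# own VPC firewall needs a rule for the peered clients.
deploy_proxy() {
  local script
  script=$(mktemp)
  startup_script > "$script"
  gcloud compute instances create "$PROXY_NAME" \
    --project="$GKE_PROJECT" --zone="$ZONE" \
    --network="$GKE_NETWORK" --subnet="$NODE_SUBNET" --no-address \
    --machine-type=e2-small --image-family=debian-12 --image-project=debian-cloud \
    --tags=gke-master-proxy \
    --metadata-from-file=startup-script="$script"
  gcloud compute firewall-rules create allow-proxy-from-peers \
    --project="$GKE_PROJECT" --network="$GKE_NETWORK" --direction=INGRESS \
    --source-ranges="$(echo $CLIENT_RANGES | tr ' ' ',')" \
    --target-tags=gke-master-proxy --allow="tcp:${PROXY_PORT}"
  rm -f "$script"
}

# Run from a VM in the hub or another spoke: first argument is the proxy VM's
# internal IP (hypothetical), the rest is passed to kubectl unchanged.
kubectl_via_proxy() {
  local proxy_ip=$1
  shift
  HTTPS_PROXY="$(proxy_url "$proxy_ip" "$PROXY_PORT")" kubectl "$@"
}

# Only touch the cloud project when explicitly asked, e.g. DEPLOY_PROXY=1 ./proxy.sh
if [ "${DEPLOY_PROXY:-0}" = 1 ]; then
  deploy_proxy
fi
# Example client use once the VM is up: kubectl_via_proxy 10.10.0.5 get nodes
```

The proxy VM gets no external address and only tunnels CONNECT to port 443, so it is not a general egress path; restrict the `Allow` ranges to the networks that genuinely need control-plane access and keep the firewall rule scoped to the proxy's target tag.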
👍 5 Falconite 2023/01/21