Your company has recently installed a Cloud VPN tunnel between your on-premises data center and your Google Cloud Virtual Private Cloud (VPC). You need to configure access to the Cloud Functions API for your on-premises servers. The configuration must meet the following requirements:
• Certain data must stay in the project where it is stored and not be exfiltrated to other projects.
• Traffic from servers in your data center with RFC 1918 addresses do not use the internet to access Google Cloud APIs.
• All DNS resolution must be done on-premises.
• The solution should only provide access to APIs that are compatible with VPC Service Controls.
What should you do?
A. 1. Create an A record for private.googleapis.com using the 199.36.153.8/30 address range.
2. Create a CNAME record for *.googleapis.com that points to the A record.
3. Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the addresses you used in the A record.
4. Remove the default internet gateway from the VPC where your Cloud VPN tunnel terminates.
B. 1. Create an A record for restricted.googleapis.com using the 199.36.153.4/30 address range.
2. Create a CNAME record for *.googleapis.com that points to the A record.
3. Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the addresses you used in the A record.
4. Configure your on-premises firewalls to allow traffic to the restricted.googleapis.com addresses.
C. 1. Create an A record for restricted.googleapis.com using the 199.36.153.4/30 address range.
2. Create a CNAME record for *.googleapis.com that points to the A record.
3. Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the addresses you used in the A record.
4. Remove the default internet gateway from the VPC where your Cloud VPN tunnel terminates.
D. 1. Create an A record for private.googleapis.com using the 199.36.153.8/30 address range.
2. Create a CNAME record for *.googleapis.com that points to the A record.
3. Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the addresses you used in the A record.
4. Configure your on-premises firewalls to allow traffic to the private.googleapis.com addresses.
Answer
B