
Professional Cloud Architect Exam - Question 53


You are deploying an application on App Engine that needs to integrate with an on-premises database. For security purposes, your on-premises database must not be accessible through the public internet. What should you do?

Correct Answer: D

To securely integrate an application deployed on App Engine with an on-premises database while ensuring the database is not accessible through the public internet, you should deploy your application on the App Engine flexible environment and use Cloud VPN to limit access to the on-premises database. The App Engine flexible environment provides better support for accessing resources in the Compute Engine network, which includes the option to establish a secure VPN connection to on-premises databases. This setup ensures that all traffic between the App Engine application and the on-premises database is routed through a secure, private network connection, thus preventing exposure to the public internet.

Discussion

MyPractice Option: D
Dec 27, 2019

Agree with D - "When to choose the flexible environment" "Accesses the resources or services of your Google Cloud project that reside in the Compute Engine network." https://cloud.google.com/appengine/docs/the-appengine-environments

AWS56
Jan 12, 2020

Why not B? https://cloud.google.com/appengine/docs/flexible/python/using-third-party-databases

areza
Jun 12, 2021

because app engine standard can't connect to on-prem db

VSMu
Feb 1, 2023

Where does it say appengine cannot connect to on-prem db? With CloudVPN, it should connect as per this https://cloud.google.com/appengine/docs/flexible/storage-options#on_premises Also going with D will require app to be containerized. That is not listed in the requirement.

Cloudcrawler
Aug 14, 2023

This is the link for Standard Env https://cloud.google.com/appengine/docs/standard/storage-options Both standard and Flexible can connect to a VPC with Serverless VPC connector. Once it connects to a VPC, connecting to onprem is same for any service.

jrisl1991
Oct 9, 2023

I just had the same confusion. Serverless VPC Connector is something relatively newer than this question on the exam, so probably it's safer to assume that a VPC connection is not supported (at least directly) by App Engine Standard. Besides, this would add extra overhead, and would also increase the costs for the solution. Most of these questions haven't been updated or repurposed according to newer products and services. For this particular question, using a Serverless VPC Connector would add unnecessary complexity and the solution would become more expensive. I swore to god it was B lol, but after a few hours of reading the documentation, I changed my mind and switched to option D. You might want to do the same.

haroldbenites
Dec 5, 2021

A forum post mentions that GCE and CAP flex are designed to connect to a VPC. With GAP standard, a proxy is needed. https://stackoverflow.com/questions/47537204/how-to-connect-app-engine-and-on-premise-server-through-vpn

elaineshi
Jun 1, 2022

Doesn't the question say "not public internet access"?

mnsait
May 18, 2024

Yes, that phrase in the question bothers me too. However, when I check this: https://cloud.google.com/appengine/docs/flexible/storage-options#:~:text=On%20premises,-If%20you%20have&text=Because%20App%20Engine%20and%20Compute,database%20server's%20internal%20IP%20address. it says "If you have existing on-premises databases that you want to make accessible to your App Engine app, you can either configure your internal network and firewall to give the database a public IP address or connect using a VPN." So I think the question should have skipped the words "not public internet access" if they want us to choose VPN.

jcmoranp Option: D
Oct 26, 2019

Right is D: https://stackoverflow.com/questions/37137914/is-it-possible-to-use-google-app-engine-with-google-cloud-vpn

amxexam
May 11, 2022

Question is, can we restrict access with VPN?

moiradavis
Jul 21, 2022

The stackoverflow reference is older than the answer (6 years). I think that has changed.

Diwz Option: D
Apr 8, 2024

https://cloud.google.com/appengine/docs/flexible/flexible-for-standard-users Standard environment tends to be stateless web applications. Flexi is better for integrating with on premise database

jrisl1991 Option: B
Oct 9, 2023

I'm going with B based on this: https://cloud.google.com/appengine/docs/standard/storage-options#on_premises. App Engine Standard can connect through an external database via Cloud VPN. The question only states that the on-prem database must not be accessible through the public internet, not that the traffic must NOT traverse the public internet. Quoting the documentation from App Engine Standard: "If you have existing on-premises databases that you want to make accessible to your App Engine app, you can either configure your internal network and firewall to give the database a public IP address or connect using a VPN." Obviously we don't want to give the database a public IP because that would mean it would be accessible via public internet (which is what we want to prevent), and Cloud VPN would help with that.

odacir Option: B
Nov 21, 2023

I vote B, flexible is just needed if you need no standard software etc... https://cloud.google.com/appengine/docs/flexible/storage-options#on_premises

Teckexam Option: B
Jan 20, 2024

B. As per documentation https://cloud.google.com/appengine/docs/flexible/storage-options. Clearly App Engine standard can connect to on prem database.

glb2
Mar 21, 2024

I believe that above link treats about Flexible env. - even URL contains "flexible" part.

glb2
Mar 21, 2024

Ok, for Standard is exactly the same statement.

sidiosidi
Apr 29, 2024

correct, the link is https://cloud.google.com/appengine/docs/standard/connecting-vpc

didek1986 Option: B
Jan 22, 2024

It is B

valgorodetsky Option: B
May 5, 2024

you can use a Serverless VPC Connector to connect App Engine Standard Environment to an on-premise resource via Cloud VPN

pico Option: B
May 11, 2024

now you can use option B

gustangelo Option: B
May 28, 2024

The documentation mentions that App Engine Standard can connect to on-prem database using VPN. Link of the documentation: https://cloud.google.com/appengine/docs/standard/storage-options

heretolearnazure Option: D
Aug 22, 2023

D makes more sense

someone2011 Option: B
Sep 28, 2023

Another question https://www.examtopics.com/discussions/google/view/60436-exam-professional-cloud-architect-topic-1-question-151/ States "Your company has a support ticketing solution that uses App Engine Standard. ...You want to enable the App Engine application to communicate with a database that is running in the company's on-premises environment. What should you do?" So this makes B the winner :)

jrisl1991 Option: D
Oct 9, 2023

I had originally chosen option B because both App Engine Standard and App Engine Flex can connect via Cloud VPN starting a few years ago. For App Engine Standard to connect with a VPC (which would be required to use Cloud VPN), we need to create a Serverless VPC Connector (as well as for other Cloud Run and Cloud Functions). This is something relatively new and probably came out after this question was designed for the exam: https://cloud.google.com/vpc/docs/serverless-vpc-access#supported_services. Based on the fact that the Serverless VPC Connector would add extra complexity to the network topology and incur additional costs, I'm going with D.

AdityaGupta Option: C
Oct 5, 2023

Remember On-prem DB is not accessible over internet, hence VPN is out of question. C. Deploy your application on App Engine flexible environment and use App Engine firewall rules to limit access to the on-premises database.

jrisl1991
Oct 9, 2023

There's a difference between accessing from Public Internet, and traversing through Public Internet. To ensure that no traffic goes over public internet at all, they should use Dedicated Interconnect, not Cloud VPN. Plus, using Firewall rules would only determine if traffic can ingress or egress via HTTP(S), it doesn't provide any security at all with regards to preventing the traffic from being accessed, corrupted or tampered via public internet (before reaching GCP). Both ChatGPT and Bard suggest B as the correct option too, you might want to have second thoughts about your choice here.

cfigueiredo Option: D
Jan 14, 2024

D is correct

Zafar_
Jan 17, 2024

Explain?

nhatne Option: D
Jun 29, 2024

"your on-premises database must not be accessible through the public internet" => definitely C

nhatne
Jun 29, 2024

sorry was a typo, It's D

neha_pallod Option: B
Jul 7, 2024

right answer is B