Medium · 1 mark · Multiple Choice
Subtask 2.3: Compute Systems · GKE · Security · Workload Identity · Private Cluster
This question is part of a case study (Case 16).

CASE STUDY: HealthCare360

Company Overview: HealthCare360 provides EHR systems to hospitals in NA and EU.
Current Environment: Isolated on-prem deployments. Fragmented data.
Business Requirements: Centralize EHR in cloud. Enable cross-hospital research. Ensure compliance.
Executive Statements: CEO: 'Transforming to SaaS.' CFO: 'Need cost attribution per tenant.' CSO: 'Zero compromise on HIPAA/GDPR.'
Technical Requirements: Multi-region active-active deployment. Microservices on GKE. End-to-end encryption (CMEK). Strict network perimeters.
Constraints: Zero data loss (RPO=0). RTO < 15 minutes. HIPAA (US) and GDPR (EU) compliance.


GCP PCA · Question 17 · Compute Systems

QUESTION:
How should you configure the GKE clusters to ensure the highest level of network security and isolation for the microservices?

Answer options:

A. Deploy Public GKE clusters and use Node Service Accounts with broad permissions.
B. Deploy Private GKE clusters and use Workload Identity to grant microservices access to GCP APIs.
C. Deploy GKE clusters in the default VPC and export service account keys as Kubernetes Secrets.
D. Use Cloud Run instead of GKE to avoid managing network security.

How to approach this question

Combine network isolation (Private Clusters) with identity isolation (Workload Identity).

Full Answer

B. Deploy Private GKE clusters and use Workload Identity to grant microservices access to GCP APIs. ✓ Correct
For strict security (HIPAA/GDPR), GKE clusters should be Private, meaning the nodes have no public IP addresses. To securely grant pods access to GCP services (such as Cloud Storage or Spanner), Workload Identity is the recommended approach: it maps Kubernetes Service Accounts to GCP IAM Service Accounts, so there are no long-lived JSON keys to distribute, store, and rotate.

Common mistakes

Using Node Service Accounts, which grants every pod on a node the same permissions as the node itself, violating least privilege.
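As an added check (not part of the exam page or of Google's tooling), the following Python audits cluster and workload descriptions for the properties behind answer B and flags the patterns in options A and C and the common mistake above. The GKE field names and the `iam.gke.io/gcp-service-account` annotation are real; the project, service account, pod and scope values in the samples are constructed.

```python
"""Audit GKE cluster and workload descriptions for the controls chosen in answer B:
private nodes, Workload Identity, no broad node service account, no exported JSON
keys. Field names follow `gcloud container clusters describe --format=json` and
`kubectl get -o json`; every sample value below is constructed."""

WI_ANNOTATION = "iam.gke.io/gcp-service-account"
BROAD_SCOPE = "https://www.googleapis.com/auth/cloud-platform"


def audit_cluster(cluster: dict) -> list[str]:
    """Return findings for one cluster description; an empty list passes."""
    findings = []
    if not cluster.get("privateClusterConfig", {}).get("enablePrivateNodes"):
        findings.append("nodes have public IPs: use a private cluster")
    if not cluster.get("workloadIdentityConfig", {}).get("workloadPool"):
        findings.append("Workload Identity is not enabled on the cluster")
    node = cluster.get("nodeConfig", {})
    # Default compute SA + cloud-platform scope: every pod on the node shares it (option A).
    if (node.get("serviceAccount", "").endswith("-compute@developer.gserviceaccount.com")
            and BROAD_SCOPE in node.get("oauthScopes", [])):
        findings.append("nodes run as the default compute SA with cloud-platform scope")
    return findings


def audit_pod(pod: dict, ksas: dict) -> list[str]:
    """Check one pod against the KSAs of its namespace (name -> manifest)."""
    name, spec, findings = pod["metadata"]["name"], pod["spec"], []
    ksa = ksas.get(spec.get("serviceAccountName", "default"), {})
    if WI_ANNOTATION not in ksa.get("metadata", {}).get("annotations", {}):
        findings.append(f"{name}: KSA is not mapped to a GCP SA via {WI_ANNOTATION}")
    for c in spec.get("containers", []):
        for env in c.get("env", []):
            # GOOGLE_APPLICATION_CREDENTIALS pointing at a file = exported JSON key (option C).
            if env.get("name") == "GOOGLE_APPLICATION_CREDENTIALS":
                findings.append(f"{name}/{c['name']}: uses an exported JSON key")
    return findings


# Constructed samples: a cluster and pod built as options A and C describe, and one as B.
BAD_CLUSTER = {"nodeConfig": {"serviceAccount": "123456-compute@developer.gserviceaccount.com",
                              "oauthScopes": [BROAD_SCOPE]}}
GOOD_CLUSTER = {"privateClusterConfig": {"enablePrivateNodes": True},
                "workloadIdentityConfig": {"workloadPool": "example-project.svc.id.goog"},
                "nodeConfig": {"serviceAccount": "gke-nodes@example-project.iam.gserviceaccount.com",
                               "oauthScopes": ["https://www.googleapis.com/auth/logging.write"]}}
KSAS = {"ehr-api": {"metadata": {"annotations": {WI_ANNOTATION: "ehr-api@example-project.iam.gserviceaccount.com"}}}}
BAD_POD = {"metadata": {"name": "legacy"}, "spec": {"containers": [{"name": "app", "env": [
    {"name": "GOOGLE_APPLICATION_CREDENTIALS", "value": "/var/secrets/key.json"}]}]}}
GOOD_POD = {"metadata": {"name": "ehr-api"}, "spec": {"serviceAccountName": "ehr-api",
                                                       "containers": [{"name": "app"}]}}
```

Running `audit_cluster(BAD_CLUSTER)` and `audit_pod(BAD_POD, KSAS)` returns the three cluster findings and the two pod findings; the B-style cluster and pod return empty lists.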
