Q: 2
You are designing the architecture to process your data from Cloud Storage to BigQuery by using
Dataflow. The network team provided you with the Shared VPC network and subnetwork to be used
by your pipelines. You need to enable the deployment of the pipeline on the Shared VPC network.
What should you do?
Options
Discussion
Option B
B vs A. If you just need the pipeline to use Shared VPC subnetworks, it's the service account that executes the pipeline requiring compute.networkUser, not the Dataflow service agent. Pretty sure that's what GCP docs say but always gets murky if org policies are custom. Disagree?
B is right here. compute.networkUser has to be on the service account running Dataflow, otherwise pipeline can't use the Shared VPC subnet. The agent role is for managing infra, not network access itself. Pretty sure that's the distinction but open if anyone sees it another way.
A is wrong, B. The pipeline needs networkUser on the service account, not the service agent.
B tbh
I'm leaning toward A here since the Dataflow service agent is what actually interacts with a lot of the GCP resources. If you give compute.networkUser to the agent, shouldn't that let it access Shared VPC subnetworks? Maybe missing something about the distinction between agent and pipeline service account, but feels like A covers network requirements too. Agree or did I misinterpret how roles are split?
Nah, not C. Tricky one but it's B because you need compute.networkUser on the service account that runs Dataflow, not on the Dataflow service agent. D is a bit of a trap since dataflow.admin isn’t about network use. Seen similar Qs on practice exams.
B here. Service account running Dataflow needs compute.networkUser or else subnet attach will fail on Shared VPC. Makes sense, right?
Don’t think C fits here. B works since compute.networkUser needs to go on the service account that runs the actual Dataflow pipeline, otherwise you hit permission errors with Shared VPC. Could see D being a trap since dataflow.admin doesn't provide network access.
Probably B. The compute.networkUser role is what lets the service account actually use subnets in the Shared VPC, so if you don't assign it to the service account running the pipeline, Dataflow can't create resources there. dataflow.admin by itself doesn't touch network rights. Pretty sure on this one but open to counterpoints.