A developer needs to connect to a Cloud SQL for PostgreSQL instance from a Compute Engine VM without adding the VM's IP to an authorized networks list. Which method should they use?
Cloud SQL Auth Proxy uses IAM for authentication and does not require IP allowlisting.
Why this answer
The Cloud SQL Auth Proxy is the recommended method for securely connecting to a Cloud SQL instance from a Compute Engine VM without adding the VM's IP to an authorized networks list. It uses mutual TLS (mTLS) to authenticate and encrypt traffic, and it handles IAM-based authorization, so the VM only needs the Cloud SQL Client role and outbound access to the Cloud SQL API (port 443). This avoids exposing the database to the public internet or requiring static IP management.
Exam trap
Cisco often tests the distinction between 'authorized networks' (which only apply to public IP connections) and private IP connectivity. The trap here is that candidates may assume VPC peering (Option D) is required for private access, but the Cloud SQL Auth Proxy works with both public and private IP and is the simplest way to avoid managing IP whitelists.
How to eliminate wrong answers
Option A is wrong because Cloud Shell is an interactive browser-based terminal that runs on a temporary VM; it cannot be used as a persistent connection method from a Compute Engine VM, and it still requires the Cloud Shell's ephemeral IP to be authorized.
Option B is wrong because configuring a direct IP connection with SSL still requires the VM's IP address to be added to the authorized networks list, which the question explicitly states must be avoided.
Option D is wrong because, although VPC peering with private IP is a valid approach for private connectivity, it requires the Cloud SQL instance to be configured with a private IP and the VPC networks to be peered, which is a more complex networking setup. The question asks for the method to use without adding the VM's IP to authorized networks, and the Cloud SQL Auth Proxy is the simplest and most secure solution that works with both public and private IP configurations.