- A
Configure Cloud SQL to use a private IP address
Private IP ensures traffic stays within Google Cloud network.
- B
Add authorized networks for all client IPs
Why wrong: Authorized networks are for public IP; private IP with proxy is more secure.
- C
Ensure the database is encrypted at rest using CMEK
Why wrong: CMEK is optional; Google manages default encryption.
- D
Enable SSL/TLS for all connections
Why wrong: SSL is recommended but not required if using private IP.
- E
Set up Cloud SQL Proxy for secure authentication and encryption
Cloud SQL Proxy handles IAM-based authentication and encryption.
Quick Answer
The correct answer is to set up Cloud SQL Proxy for secure authentication and encryption, combined with using a private IP address for the Cloud SQL instance. This pairing ensures that the migration traffic is both authenticated via IAM and encrypted in transit, while the private IP keeps the database entirely within your VPC, never exposed to the public internet. On the Google Professional Cloud Database Engineer exam, this scenario tests your understanding of defense-in-depth for database migrations—specifically that Cloud SQL Proxy handles the TLS handshake and credential verification, while private IP eliminates external attack vectors. A common trap is assuming a public IP with an authorized network is sufficient; the exam expects you to recognize that private IP plus proxy provides both network isolation and application-layer encryption. Memory tip: think of the proxy as a secure tunnel guard and the private IP as a hidden door—both are required to keep the database safe during migration.
PCDE Plan and manage database infrastructure Practice Question
This PCDE practice question tests your understanding of plan and manage database infrastructure. Match the stated requirement to the specific cloud service, access model, or configuration option — many options are valid in isolation but not for this scenario. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
A database administrator is planning to migrate an on-premises MySQL database to Cloud SQL. Which two steps are required to ensure a secure migration?
Answer choices
Why each option matters
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
Configure Cloud SQL to use a private IP address
Option A is correct because using a private IP address for Cloud SQL ensures that the database instance is not exposed to the public internet, reducing the attack surface. This is a fundamental security best practice for database migrations, as it restricts network access to within a Virtual Private Cloud (VPC) and requires traffic to traverse Google's internal network, which is more secure than public IP routing.
Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
- ✓
Configure Cloud SQL to use a private IP address
Why this is correct
Private IP ensures traffic stays within Google Cloud network.
Related concept
Read the scenario before looking for a memorised answer.
- ✗
Add authorized networks for all client IPs
Why it's wrong here
Authorized networks are for public IP; private IP with proxy is more secure.
- ✗
Ensure the database is encrypted at rest using CMEK
Why it's wrong here
CMEK is optional; Google manages default encryption.
- ✗
Enable SSL/TLS for all connections
Why it's wrong here
SSL is recommended but not required if using private IP.
- ✓
Set up Cloud SQL Proxy for secure authentication and encryption
Why this is correct
Cloud SQL Proxy handles IAM-based authentication and encryption.
Related concept
Read the scenario before looking for a memorised answer.
Common exam traps
Common exam trap: answer the scenario, not the keyword
Google Cloud often tests the distinction between 'best practice' and 'required step' — candidates may select SSL/TLS (Option D) as a required step, but the exam expects understanding that Cloud SQL Proxy inherently provides encryption and authentication, making separate SSL/TLS configuration redundant for the migration scenario.
Detailed technical explanation
How to think about this question
Cloud SQL Proxy works by creating a secure tunnel using TLS 1.2 or higher, authenticating via IAM roles and OAuth 2.0 access tokens, which eliminates the need for managing SSL certificates or authorized networks. When combined with a private IP address, the proxy can connect over the VPC's internal network, ensuring that traffic never traverses the public internet, which is critical for compliance with standards like PCI DSS or HIPAA that require network segmentation.
KKey Concepts to Remember
- Read the scenario before looking for a memorised answer.
- Find the constraint that changes the correct option.
- Eliminate answers that are true in general but not in this case.
TExam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Real-world example
How this comes up in practice
A company's IT admin needs to give a contractor read-only access to production logs without sharing account credentials. Using role-based access control (RBAC) and temporary scoped permissions — not a permanent shared password — is the correct pattern. Questions like this test whether you can apply least-privilege access across cloud identity services.
What to study next
Got this wrong? Here's your next step.
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
- →
Plan and manage database infrastructure — study guide chapter
Learn the concepts, then practise the questions
- →
Plan and manage database infrastructure practice questions
Targeted practice on this topic area only
- →
All PCDE questions
503 questions across all exam domains
- →
Google Professional Cloud Database Engineer study guide
Full concept coverage aligned to exam objectives
- →
PCDE practice test guide
How to use practice tests most effectively before exam day
Related practice questions
Related PCDE practice-question pages
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
Plan and manage database infrastructure practice questions
Practise PCDE questions linked to Plan and manage database infrastructure.
Define data structures and implement SQL for Business Intelligence practice questions
Practise PCDE questions linked to Define data structures and implement SQL for Business Intelligence.
Design and implement database schemas practice questions
Practise PCDE questions linked to Design and implement database schemas.
Monitor and optimize database performance practice questions
Practise PCDE questions linked to Monitor and optimize database performance.
PCDE fundamentals practice questions
Practise PCDE questions linked to PCDE fundamentals.
PCDE scenario practice questions
Practise PCDE questions linked to PCDE scenario.
PCDE troubleshooting practice questions
Practise PCDE questions linked to PCDE troubleshooting.
Practice this exam
Start a free PCDE practice session
Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.
FAQ
Questions learners often ask
What does this PCDE question test?
Plan and manage database infrastructure — This question tests Plan and manage database infrastructure — Read the scenario before looking for a memorised answer..
What is the correct answer to this question?
The correct answer is: Configure Cloud SQL to use a private IP address — Option A is correct because using a private IP address for Cloud SQL ensures that the database instance is not exposed to the public internet, reducing the attack surface. This is a fundamental security best practice for database migrations, as it restricts network access to within a Virtual Private Cloud (VPC) and requires traffic to traverse Google's internal network, which is more secure than public IP routing.
What should I do if I get this PCDE question wrong?
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
What is the key concept behind this question?
Read the scenario before looking for a memorised answer.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →
Last reviewed: Jun 30, 2026
This PCDE practice question is part of Courseiva's free Google Cloud certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the PCDE exam.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
Sign in to join the discussion.