While preparing for the GCP Professional Cloud Architect (PCA) exam, many candidates struggle with hybrid networking challenges—especially when dealing with IP address conflicts between on-premises and cloud environments. In practice, this is fundamentally a decision about routing hygiene and network address translation trade-offs. Let’s drill into a simulated scenario.
## The Scenario
FinEdge Technologies, a rapidly scaling global fintech startup, has just acquired a smaller payments platform company—PayNex. FinEdge’s private data center network uses RFC 1918 IP ranges that overlap with PayNex’s existing Google Cloud VPC IP addresses. Their SRE and Cloud Architecture teams must integrate PayNex’s GCP environment with FinEdge’s on-prem data center network to enable seamless connectivity for shared services and unified operations.
## Key Requirements
Enable hybrid connectivity between PayNex’s GCP VPC and FinEdge’s on-premises data center without IP address conflicts, so that shared services interoperate smoothly and no routing issues arise once connectivity is established.
## The Options
- A) Create a Cloud VPN connection from the PayNex VPC to the data center, configure a Cloud Router, and reassign new IP addresses in the cloud to eliminate overlapping IP space.
- B) Create a Cloud VPN connection from the PayNex VPC to the data center and deploy Cloud NAT to perform network address translation on the overlapping IP ranges.
- C) Create a Cloud VPN connection from the PayNex VPC to the data center, configure a Cloud Router, and advertise custom routes that block the overlapping IP ranges.
- D) Create a Cloud VPN connection from the PayNex VPC to the data center, and apply firewall rules that block traffic to the overlapping IP ranges.
## Correct Answer
Option A.
## The Architect’s Analysis
## Step-by-Step Winning Logic
The fundamental issue here is overlapping RFC 1918 IP address spaces between FinEdge’s on-prem data center and PayNex’s GCP VPC. The recommended approach is to avoid any overlap by redesigning the IP space on one side—in this case, PayNex’s cloud VPC—because overlapping IP addresses cannot be routed correctly without complex Network Address Translation (NAT) or filtering. Creating a Cloud VPN connection with a Cloud Router allows dynamic routing, while assigning new, non-overlapping IP ranges removes routing ambiguity, preventing any packet misdirection or blackholes.
This approach aligns with SRE best practices by minimizing ongoing operational toil—fewer failures from routing conflicts—and reduces complexity, which lowers costs over time (FinOps principle).
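An added pre-connectivity check (example code written for this post, not from the original article, Google Cloud tooling, or either company): given FinEdge's on-prem ranges and PayNex's VPC subnets, it flags every overlap and carves same-size replacement subnets from a reserved block, which is the renumbering step Option A depends on. All CIDRs and subnet names are constructed sample values, and the pool 10.200.0.0/16 is assumed to be unused on-prem.

```python
import ipaddress

# Constructed sample data (assumption): FinEdge on-prem ranges and PayNex VPC subnets.
ONPREM_RANGES = ["10.0.0.0/16", "10.1.0.0/16", "192.168.10.0/24"]
VPC_SUBNETS = {
    "payments-api": "10.0.8.0/22",    # clashes with 10.0.0.0/16
    "ledger-db": "10.1.16.0/24",      # clashes with 10.1.0.0/16
    "batch-workers": "10.50.0.0/20",  # no clash, keeps its range
}
# Private block reserved for the renumbered VPC (assumption: unused on-prem).
RENUMBER_POOL = "10.200.0.0/16"


def find_overlaps(onprem, vpc_subnets):
    """Return {subnet_name: [conflicting on-prem CIDR, ...]} for every clash."""
    onprem_nets = [ipaddress.ip_network(c) for c in onprem]
    clashes = {}
    for name, cidr in vpc_subnets.items():
        net = ipaddress.ip_network(cidr)
        hits = [str(o) for o in onprem_nets if net.overlaps(o)]
        if hits:
            clashes[name] = hits
    return clashes


def plan_renumbering(onprem, vpc_subnets, pool):
    """Map each clashing VPC subnet to a same-size replacement carved from
    `pool` that overlaps neither on-prem space nor any surviving VPC subnet."""
    clashing = find_overlaps(onprem, vpc_subnets)
    # Everything the new ranges must stay disjoint from.
    reserved = [ipaddress.ip_network(c) for c in onprem]
    reserved += [ipaddress.ip_network(c) for n, c in vpc_subnets.items()
                 if n not in clashing]
    pool_net = ipaddress.ip_network(pool)
    plan = {}
    for name in clashing:
        old = ipaddress.ip_network(vpc_subnets[name])
        for cand in pool_net.subnets(new_prefix=old.prefixlen):
            if not any(cand.overlaps(r) for r in reserved):
                plan[name] = str(cand)
                reserved.append(cand)  # later picks must not reuse this block
                break
        else:
            raise ValueError(f"no room in {pool} for {name} ({old})")
    return plan


if __name__ == "__main__":
    print("overlaps:", find_overlaps(ONPREM_RANGES, VPC_SUBNETS))
    print("renumbering plan:", plan_renumbering(ONPREM_RANGES, VPC_SUBNETS, RENUMBER_POOL))
```

Run this against the real address plans before the Cloud VPN tunnel is brought up; an empty overlap result is the precondition for the Cloud Router routes to be unambiguous.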
## The Trap (Distractor Analysis)
- Why not Option B? Using Cloud NAT to translate overlapping IPs is technically possible but introduces ongoing operational overhead: NAT complicates troubleshooting, adds latency, and can affect performance. Cloud NAT is designed for outbound internet access, not for resolving overlapping private IP space in hybrid connectivity.
- Why not Option C? Blocking overlapping IP addresses through route advertisements or policies isolates traffic and causes service disruptions, breaking connectivity wherever the overlapping IPs exist, which defeats the business requirement of integration.
- Why not Option D? Firewall rules that block the overlapping IP space do not solve the connectivity problem; they prevent communication altogether rather than resolving the routing conflict, working against the goal of integrated networking.
## The Architect Blueprint
Mermaid diagram illustrating the correct approach. Diagram note: the diagram shows a Cloud VPN tunnel with dynamic routing through Cloud Router connecting two distinct, non-overlapping RFC 1918 ranges.
## The Decision Matrix (Mandatory for Professional Level)
| Option | Est. Complexity | Est. Monthly Cost | Pros | Cons |
|---|---|---|---|---|
| A | Medium (IP renumbering) | Low (VPN + Cloud Router) | Eliminates routing conflict; simpler ops | Requires IP redesign & careful planning |
| B | High (NAT complexity) | Medium (VPN + Cloud NAT) | Avoids IP renumbering temporarily | Increased troubleshooting & latency |
| C | Low | Low | Simple to implement | Blocks traffic causing integration failure |
| D | Low | Low | Easy firewall implementation | Blocks communication; breaks business goal |
## Real-World Practitioner Insight
### Exam Rule
For hybrid networking scenarios involving overlapping IP address spaces, always recommend IP renumbering or segmentation to avoid operational complexity before resorting to NAT or complex filters.
### Real World
In practice, if renumbering is impossible, a temporary NAT solution may be deployed as a stopgap, but the long-term goal must be clear IP separation to reduce SRE toil and cost.