{"results":[{"id":"ar-virtual-repos-priority-based-resolution","text":"Artifact Registry virtual repositories aggregate multiple repos behind a single endpoint with priority-based resolution order, mitigating dependency confusion attacks by prioritizing private over public upstream repos.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloud-dns-configuration-cascading-side-effects","text":"Cloud DNS configuration changes have cascading side effects that extend beyond the modified resource: enabling an outbound server policy silently disables resolution of all private zones, forwarding zones, and peering zones; DNSSEC disabling must follow a registrar-first sequence or cause resolution failures for the entire zone; and CNAME exclusivity silently prevents coexistence with any other record type at the same name — making DNS changes among the highest-blast-radius operations in GCP networking.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloud-dns-outbound-policy-disables-private-zones","text":"Using a Cloud DNS outbound server policy disables resolution of all Cloud DNS private zones, forwarding zones, peering zones, and Compute Engine internal DNS zones.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloud-dns-security-limited-and-operationally-fragile","text":"Cloud DNS security is limited in scope (DNSSEC provides authentication against spoofing and cache poisoning only, not encryption) and operationally fragile (configuration changes have cascading side effects where enabling outbound server policies silently disables private zones, CNAME exclusivity creates implicit constraints) — security-relevant DNS changes can silently break zone resolution.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloud-dns-shared-vpc-zones-in-host-project","text":"Shared VPC private/forwarding/peering zones must be created in the host project (or use cross-project binding in service projects).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloud-nat-gateway-public-or-private-not-both","text":"A single Cloud NAT gateway can be either Public NAT or Private NAT, never both; two separate gateways can serve the same subnet.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloud-nat-google-apis-use-pga-not-nat","text":"Traffic to Google APIs uses Private Google Access, not Public NAT, even when Public NAT is configured.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloud-nat-private-nat-overlapping-ip-ranges","text":"Private NAT addresses the overlapping IP range problem between VPC networks, using NCC spokes for connectivity.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloud-nat-software-defined-regional-gateway","text":"Cloud NAT is a software-defined regional gateway on Cloud Router (not proxy VMs), routing internet egress while directing Google API traffic through Private Google Access instead, and requiring VPC egress configuration for serverless resources.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloud-vpn-cannot-route-public-internet","text":"Cloud VPN cannot be used to route traffic to the public internet — it is designed exclusively for private network communication.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloudbuild-both-pool-types-scale-to-zero","text":"Both Cloud Build default and private pools are fully managed, pay-per-build-minute, and auto-scale to zero.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloudbuild-default-pool-max-concurrency-30","text":"Cloud Build default pool max concurrency is 30; private pool supports 100+.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloudbuild-global-region-default-pool-only","text":"Cloud Build `global` region uses default pools; specifying a specific region requires a private pool in that region.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloudbuild-private-pool-64-machine-types","text":"Cloud Build private pools support 64 machine types compared to 5 for default pools.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloudbuild-private-pool-disable-public-ip","text":"Private pools can disable public IPs and provide static internal IP ranges; default pools cannot.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloudbuild-private-pool-region-fixed-at-creation","text":"Private pool builds run in the region where the pool is created, not where the build is submitted.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloudbuild-private-pool-vpc-peering-access","text":"Cloud Build private pools connect to customer VPC networks via VPC peering (private services access) to reach private resources.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloudrun-services-private-by-default","text":"Cloud Run services are deployed as private by default, requiring authentication credentials in requests.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloudsql-private-access-simple-for-serverless","text":"Cloud SQL private IP access is operationally simple for serverless workloads: stable connection strings survive failover, and private networking avoids public internet exposure.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloudsql-private-ip-cannot-be-removed","text":"Private IP cannot be removed from a Cloud SQL instance once configured.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null}],"count":60,"limit":20,"offset":0}