PCNE Implementing network security • Complete Question Bank
Complete PCNE Implementing network security question bank — all 0 questions with answers and detailed explanations.
{
  "bindings": [
    {
      "role": "roles/compute.securityAdmin",
      "members": [
        "user:alice@example.com"
      ]
    },
    {
      "role": "roles/compute.networkAdmin",
      "members": [
        "user:bob@example.com"
      ]
    }
  ]
}
Drag a concept onto its matching description — or click a concept then click the description.
Direct physical connection between on-premises and Google
Connection via a supported service provider
Direct BGP peering between on-premises and Google edge
Peering via a carrier's network
Encrypted tunnel over the internet to your VPC
Drag a concept onto its matching description — or click a concept then click the description.
Maps a hostname to an IPv4 address
Maps a hostname to an IPv6 address
Alias of one hostname to another
Specifies mail servers for a domain
Holds arbitrary text, often for verification
{
  "rules": [
    {
      "action": "deny(403)",
      "priority": 1000,
      "match": {
        "versionedExpr": "SRC_IPS_V1",
        "config": {
          "srcIpRanges": ["10.0.0.0/8"]
        }
      }
    },
    {
      "action": "allow",
      "priority": 2000,
      "match": {
        "versionedExpr": "SRC_IPS_V1",
        "config": {
          "srcIpRanges": ["0.0.0.0/0"]
        }
      }
    }
  ]
}
gcloud compute instances describe instance-1 --format="yaml(tags, serviceAccounts)"
tags:
  items:
  - web
serviceAccounts:
- email: test@project.iam.gserviceaccount.com
  scopes:
  - https://www.googleapis.com/auth/cloud-platform
---
Firewall rule:
gcloud compute firewall-rules describe allow-ssh-iap
allowed:
- IPProtocol: tcp
  ports:
  - '22'
direction: INGRESS
priority: 1000
sourceRanges:
- 35.235.240.0/20
targetTags:
- ssh-iap
gcloud compute firewall-rules list --format="table(name, network, direction, priority, sourceRanges, allowed, denied)"
NAME               NETWORK  DIRECTION  PRIORITY  SOURCE_RANGES  ALLOWED  DENIED
allow-http         default  INGRESS    1000      0.0.0.0/0      tcp:80
deny-ssh           default  INGRESS    100       10.0.1.0/24             tcp:22
default-allow-ssh  default  INGRESS    65535     0.0.0.0/0      tcp:22
allow-internal     default  INGRESS    65535     10.0.0.0/8     all
Cloud Armor security policy 'my-policy' with rules:
- priority: 100, match: request headers: User-Agent: *BadBot*, action: deny(403)
- priority: 200, match: request headers: User-Agent: *GoodBot*, action: allow
- priority: 300, match: request path: /admin, action: deny(403)
- priority: 1000, default rule: allow
{
  "name": "my-perimeter",
  "status": {
    "accessLevels": [
      "accessPolicies/12345/accessLevels/trusted_ips"
    ],
    "resources": ["projects/111111111111"],
    "restrictedServices": ["bigquery.googleapis.com"],
    "vpcAccessibleServices": {
      "allowedServices": ["bigquery.googleapis.com"],
      "enableRestriction": true
    }
  }
}
You are a cloud network engineer for a company that runs a web application on Compute Engine instances in a managed instance group (MIG) behind an external HTTP(S) load balancer. The backend instances are in a subnet with CIDR 10.0.2.0/24 and are tagged 'web-backend'. The health checks are configured to use TCP port 80. Recently, the security team added new firewall rules to restrict traffic, and now the health checks are failing. The current firewall rules (in order of priority) are:
1. Priority 100: Deny ingress from 0.0.0.0/0 to all instances (deny-all).
2. Priority 200: Allow ingress from 130.211.0.0/22 and 35.191.0.0/16 to instances with tag 'health-checked' on TCP port 80.
3. Priority 300: Allow ingress from 0.0.0.0/0 to instances with tag 'web-backend' on TCP port 80.
The MIG instances are tagged 'web-backend' but not 'health-checked'. The health checks are failing. What is the most efficient course of action to fix the health checks while maintaining security?