An engineer needs to provide outbound internet access to a set of Compute Engine instances that have only internal IP addresses. The instances must use a static IP address for outbound traffic. Which solution should they implement?
A security team wants to enforce a policy that blocks all egress traffic to the internet from a specific set of VMs across multiple projects in an organization. The policy should be centrally managed and override VPC-level firewall rules. Which approach should they use?
An organization needs to restrict access to Google Cloud APIs such that only traffic from a specific set of VMs inside a VPC can reach the APIs, and all other traffic (including from other VPCs) must be denied. The VMs do not have external IPs. Which combination of services should they use?
A developer wants to allow HTTP (port 80) traffic from the internet to a set of Compute Engine instances that have a tag "web-server". Which firewall rule should they create?
A company has a VPC with a subnet in us-central1. They launched a Compute Engine instance named "app-server" in that subnet without an external IP. They need the instance to be able to download updates from the internet. Which two steps must be taken?
An organization uses a hierarchical firewall policy at the organization level with a deny-all egress rule (priority 100). They also have a VPC-level firewall rule allowing egress to a specific external IP (priority 1000). Will traffic to that external IP be allowed?
An engineer wants to allow traffic from a specific service account to a Compute Engine instance. Which firewall rule option should they use for the source?
A company wants to publish a service running on Compute Engine instances in their VPC so that consumers in other VPCs can access it via private IPs without needing VPC peering. Which service should they use?
An organization needs to protect a web application behind an HTTPS Load Balancer from SQL injection attacks. They want to use a managed WAF solution. Which Google Cloud service should they configure?
An engineer needs to configure DNS resolution for a Compute Engine instance named "web-1" in zone us-central1-a of project my-project. What is the internal DNS name for this instance?
A company wants to restrict access to Google Cloud Storage so that only traffic originating from a specific VPC network is allowed. They also need to prevent data exfiltration to other VPCs. Which two services should they use? (Choose two.)
An organization has a VPC with multiple subnets. They want to log all outbound connections from instances to the internet for compliance. They also want to use a cost-effective solution that doesn't require a proxy. Which three components are needed? (Choose three.)
An engineer needs to allow HTTP health checks from the Google Cloud health checker IP ranges to a set of instances. Which two methods can be used to target the firewall rule correctly? (Choose two.)
A company has Compute Engine instances without external IPs in a VPC. They need to reach Google APIs such as Cloud Storage and BigQuery. Which configuration will meet this requirement with minimal cost and operational overhead?
A network engineer wants to restrict access to a Cloud Storage bucket from only a specific set of Compute Engine instances in a VPC. The instances have no external IPs. What is the most effective way to enforce this restriction?
A company wants to protect its HTTP(S) Load Balancer against DDoS attacks and common web exploits like SQL injection and cross-site scripting. Which Google Cloud service should they use?
An organization has multiple VPCs in different projects that need to consume a common internal service hosted in a central project. The service runs on a set of Compute Engine instances with internal IPs. Which architecture allows the consumers to access the service using private IPs without VPC peering?
A company has a VPC with a subnet in us-central1. Compute Engine instances in that subnet have no external IPs but need to reach the internet for software updates. The engineer configured Cloud NAT with the default settings. However, instances fail to reach the internet. What is the most likely cause?
A network engineer needs to create a firewall rule that blocks all ingress traffic from the internet to Compute Engine instances tagged 'web-server', except for traffic from the organization's VPN gateway at IP 203.0.113.1. The engineer creates a rule with priority 1000, deny ingress, source IP ranges 0.0.0.0/0, and targets 'web-server'. To allow the VPN IP, what should the engineer do?
A company wants to ensure that Compute Engine instances in a VPC can resolve internal DNS names like 'instance1.us-central1-a.c.myproject.internal'. What is required for this to work?
A company has deployed a network appliance (e.g., firewall) as a Compute Engine instance with two NICs: NIC0 for management and NIC1 for data traffic. The appliance must forward traffic from instances in subnet A to subnet B. The engineer has enabled IP forwarding on the appliance. What additional configuration is required on the VPC for the appliance to route traffic between subnets?
A company wants to apply consistent firewall rules across all projects in an organization. They need to block all traffic to ports 22 and 3389 from the internet to any VMs in any project. Which approach is most scalable and maintainable?
A developer is configuring a Compute Engine VM to host a web server. They want to ensure that only HTTP (port 80) and HTTPS (port 443) traffic from the internet is allowed. Which firewall rule should they create?
A company is using Cloud NAT to provide outbound internet access for instances without external IPs. They notice that the NAT gateway is running out of ports for connections to a single external IP address. To minimize port exhaustion, what should the engineer configure?
An organization needs to prevent exfiltration of data from a Cloud Storage bucket to external IPs. The bucket is accessed by Compute Engine instances in a VPC. The instances need to read and write data to the bucket but should not be able to copy data to external networks. Which combination of controls meets this requirement?
A company wants to allow access to a Cloud Storage bucket only from Compute Engine instances that have a specific service account and are within a specific VPC. They also want to prevent access from other networks. Which TWO services or features should they use together?
A company has an HTTP Load Balancer that distributes traffic to a backend service consisting of Compute Engine instance groups. They need to block traffic from specific geographic regions and also rate-limit requests from any IP. Which THREE Cloud Armor features should they configure?
An organization wants to publish an internal web service running on Compute Engine to consumers in different VPCs. The service must be accessible via private IPs without VPC peering. Which THREE components are required to set this up using Private Service Connect?
An engineer needs to provide outbound internet access to Compute Engine instances that do not have external IP addresses. The solution must allow instances to access a specific set of external IPs only. What should the engineer configure?
You need to configure firewall rules to allow HTTP (TCP 80) traffic from the internet to instances in a VPC. The instances are in different subnets and have a network tag 'web-server'. You want to minimize the number of rules. Which rule configuration is correct?
An organization has two VPCs in the same project: VPC-A and VPC-B. They want instances in VPC-A to reach Cloud Storage buckets without external IPs. What is the simplest solution?
A company uses hierarchical firewall policies at the organization level. They need to allow SSH (TCP 22) access from a specific range 10.0.0.0/8 to all VMs, but a child folder has a policy that denies all ingress traffic. Which rule priority ordering ensures SSH access is allowed?
Your VPC has instances with internal DNS names like 'instance1.us-central1-a.c.myproject.internal'. You need to ensure that DNS resolution works for instances in the same zone using short names (e.g., 'instance1'). Which condition must be met?
You are deploying a third-party network appliance (e.g., firewall) in a GCP VPC. The appliance requires multiple network interfaces for traffic isolation. You create a VM with three NICs in different subnets. What is a key consideration for routing traffic through the appliance?
An organization wants to prevent data exfiltration from a project that uses Google Cloud Storage and BigQuery. They need to restrict access to these services from only the authorized VPC networks. Which service should they use?
You have a Cloud NAT gateway configured in a region with 256 available ports. You allocate static NAT ports to a specific VM for outbound connections. What is the minimum number of ports you should allocate to ensure the VM can handle 500 concurrent connections?
An engineer is troubleshooting connectivity from a Compute Engine instance (internal IP: 10.0.0.2) to an on-premises server (IP: 203.0.113.5) over a Cloud VPN tunnel. The traffic reaches the on-premises network, but the return traffic is dropped. What is the most likely cause?
A company wants to publish an internal service (e.g., a database) in their VPC so that consumers in other VPCs can connect to it privately via Private Service Connect (PSC). What must be created on the producer side?
You need to allow instances with network tag 'db' in subnet-a to only accept connections on TCP port 3306 from instances with network tag 'app' in subnet-b. Which TWO firewall rules should you create? (Choose 2)
You are configuring a VPC Service Controls perimeter to protect a project containing BigQuery datasets. Access should be allowed only from a specific VPC network and only for users with a specific access level. Which THREE components must you define? (Choose 3)
An engineer needs to deploy a VM that acts as an internet gateway for other instances in the same VPC. The VM must have IP forwarding enabled and must be able to accept traffic on multiple NICs. Which TWO actions are required? (Choose 2)
An engineer is configuring a Google Compute Engine instance that needs to send traffic to the internet. The instance has no external IP address. Which service must be configured to allow this outbound connectivity?
A company wants to restrict access to Google Cloud APIs from a specific set of VMs based on the VM's service account. Which type of firewall rule target should be used?
A network engineer needs to create a firewall rule that denies all inbound traffic to instances with the tag 'web-server' from source IP range 10.0.0.0/8. They also have an existing allow rule with priority 1000 that permits traffic from 10.0.0.0/8 to those instances. To ensure the deny rule takes precedence, what priority should the new rule have?
An organization has multiple projects and wants to apply a consistent set of firewall rules across all VPC networks in the organization. Which approach should they use?
A company wants to protect its external HTTPS load balancer from SQL injection and cross-site scripting attacks. Which Google Cloud service should they use?
A Compute Engine instance is running a network appliance that requires multiple network interfaces. What is the primary purpose of attaching additional NICs (e.g., NIC1, NIC2) to the instance?
An organization wants to allow on-premises hosts to connect to a Cloud SQL instance privately without traversing the public internet. They have a Cloud VPN tunnel set up. What additional step is required?
A company wants to restrict which Google Cloud APIs can be accessed by its VMs in a specific project. They also want to prevent data exfiltration. Which service should they use?
A company uses Cloud NAT with a static NAT IP address. They notice that connections from their instances are failing after a few minutes. What is the most likely cause?
An organization wants to allow only certain users to access a service published via Private Service Connect. They need to restrict access based on the source VPC network. What should they use?
A company wants to use Cloud Armor to block traffic from a specific IP range (198.51.100.0/24) and also apply rate limiting. Which TWO components are needed? (Select 2)
A network engineer needs to ensure that Compute Engine instances without external IP addresses can access Google APIs such as BigQuery and Cloud Storage. Which feature should be enabled on the subnet where the instances reside?
An engineer is configuring a Compute Engine instance with multiple network interfaces for use as a network appliance. Which interface is considered the primary interface for default routes and instance metadata?
A company wants to protect its HTTPS Load Balancer from DDoS attacks and common web application attacks like SQL injection and cross-site scripting (XSS). Which Google Cloud service should be used?
An organization has multiple VPCs in the same project. They want to apply consistent firewall rules to all VPCs at the project level. What is the most efficient way to achieve this?
An engineer is troubleshooting outbound connectivity from a Compute Engine instance that has no external IP. The instance needs to reach an external service on the internet. Cloud NAT is configured on the VPC network. However, the instance cannot connect. What is the most likely cause?
A company wants to publish a custom internal service running in their VPC so that consumers in other VPCs can access it using private IP addresses. Which service should they use?
An organization wants to restrict which Google APIs can be accessed by resources in a specific VPC. They also want to prevent data exfiltration to unauthorized projects. Which Google Cloud service should they use?
An engineer has configured a firewall rule with priority 1000 that allows ingress traffic on TCP port 443 from source IP range 10.0.0.0/8. Another rule with priority 500 denies ingress on TCP port 443 from source IP 10.0.1.0/24. What will happen to traffic from 10.0.1.5 destined to the instance on port 443?
A company wants to provide outbound internet access to Compute Engine instances without external IPs, while minimizing IP address consumption. Which Cloud NAT feature should be used to achieve minimal static IP usage?
An engineer needs to create a firewall rule that applies only to instances with the tag 'web-server' in a specific VPC network. The rule should allow ingress from any source on TCP port 80. Which combination of fields must be set in the gcloud command?
A company uses VPC Service Controls with a service perimeter that includes Project A. They want to allow an external identity from Project B (outside the perimeter) to access a Cloud Storage bucket in Project A, but only during business hours. Which VPC Service Controls feature should they use?
An engineer needs to configure Cloud Armor to block requests from a specific IP address (10.1.2.3) while allowing all other traffic. They create a security policy with a deny rule for that IP and an allow rule for all traffic. What priority should the deny rule have relative to the allow rule?
A company runs a web application on Compute Engine instances without external IPs. They need to ensure the instances can access Google APIs (e.g., Cloud Storage) and also provide outbound internet access for software updates. Which two features should be configured? (Choose two.)
An organization wants to enforce that only instances with specific service accounts can be accessed via SSH (TCP 22) from the internet. Which two attributes should be used in the firewall rule to achieve this? (Choose two.)
A company wants to deploy a network appliance (e.g., firewall) on a Compute Engine instance that requires inspecting traffic between two VPCs. The instance must have interfaces in both VPCs. Which three configurations are required? (Choose three.)
A company wants to allow instances in a VPC without external IPs to access Google APIs like BigQuery and Cloud Storage. Which configuration is required?
An engineer needs to set up a firewall rule that allows health check probes from Google Cloud's health check ranges (130.211.0.0/22 and 35.191.0.0/16) to a backend instance group. The rule should apply only to instances with the 'backend' network tag. What is the correct configuration?
An organization has multiple projects under an organization node. They need to enforce a security policy that denies all inbound SSH traffic (tcp:22) to all VMs across all projects, but must allow certain projects to override this. Which approach should be used?
An engineer is deploying a network appliance (e.g., a firewall) in a VPC. The appliance needs to handle traffic between different subnets. How many network interfaces should the appliance VM have, and why?
A company has an application running on Compute Engine that needs to send traffic to a third-party SaaS service on the internet. The VMs have no external IPs. Which solution provides outbound connectivity with minimal configuration and allows source IP preservation?
An engineer is troubleshooting a firewall rule issue. A VM with network tag 'web' is unable to receive HTTP traffic from the internet. The VPC has an ingress firewall rule allowing tcp:80 from 0.0.0.0/0 to targets with tag 'web' at priority 1000. Another ingress rule denies all ingress traffic at priority 65535. What is the likely cause?
An organization wants to consume a third-party SaaS service via a private endpoint in their VPC, using Private Service Connect. Which type of Private Service Connect endpoint should they create?
A security team wants to block traffic from specific geographic regions (e.g., Country A) to their HTTP(S) load balancer. Which Google Cloud service should they use?
An engineer has multiple projects with overlapping IP ranges. They want to create a single Cloud NAT gateway to provide outbound internet access for instances in two different VPCs that are connected via VPC Network Peering. Is this possible?
A company has deployed a Cloud Armor security policy with the following rules: Rule 1: allow from IP range 10.0.0.0/8 (priority 1000); Rule 2: deny from all (priority 2000). What will be the action for traffic from IP 10.1.1.1?
A company wants to restrict access to Google Cloud Storage from a specific VPC only, using VPC Service Controls. Which TWO components are required to create a service perimeter? (Choose two.)
An organization needs to deploy a multi-tier web application on Compute Engine. The web tier must be accessible from the internet, while the database tier must only be accessible from the web tier. The security team requires a defense-in-depth approach. Which THREE measures should be implemented? (Choose three.)
A company uses Cloud NAT for outbound internet access. They want to ensure that all connections from their VMs use a predictable public IP address for whitelisting with third-party services. Which TWO configurations should be applied? (Choose two.)
An engineer needs to provide outbound internet access to a set of Compute Engine instances that do not have external IP addresses. The instances are in a VPC subnet with a Cloud NAT configured. However, the instances still cannot reach the internet. The engineer verified that Cloud NAT is configured on the same region and VPC as the instances. What is the most likely cause?
A company wants to restrict access to Google Cloud APIs from a specific VPC network so that only the Google APIs listed in the VPC Service Controls perimeter can be accessed. Which configuration should be used?
A network engineer configured a hierarchical firewall policy at the organization level with a priority 100 rule that denies all ingress traffic. At the folder level, a policy with priority 110 allows ingress from a specific IP range. At the VPC level, a network firewall policy with priority 90 allows ingress from a different IP range. Which traffic will be allowed?
An engineer needs to configure a Compute Engine instance as a network appliance that routes traffic between two subnets within the same VPC. The instance must handle traffic for both subnets. Which TWO actions are required? (Choose TWO.)
A company wants to protect its HTTP(S) Load Balancer from layer 7 attacks, including SQL injection and cross-site scripting (XSS). Which TWO Google Cloud services or features should be used together? (Choose TWO.)
An organization wants to publish a private service using Private Service Connect (PSC) so that consumers in other VPCs can access it via private IPs. Which TWO resources are required on the producer side? (Choose TWO.)
A security team needs to block traffic from a specific geographic region (country) from reaching their HTTP Load Balancer. Additionally, they need to allow traffic from specific IP ranges that are known to be legitimate, even if they originate from that blocked region. Which THREE steps should they take? (Choose THREE.)
A company has a VPC with subnets in us-central1 and europe-west1. They need to allow Compute Engine instances in us-central1 (without external IPs) to access Google Cloud Storage buckets in the US multi-region. They also need to ensure the traffic does not traverse the public internet. Which TWO configurations are required? (Choose TWO.)
An engineer needs to configure Cloud NAT with logging enabled to monitor traffic from a specific subnet. The NAT gateway uses automatic NAT IP allocation. The engineer wants to ensure that if a single VM uses many connections, it does not exhaust the available ports for other VMs. Which THREE settings should be configured? (Choose THREE.)
A company wants to allow traffic to a specific set of Compute Engine instances only from a single management instance that uses a service account. The management instance has the service account 'sa-mgmt@project.iam.gserviceaccount.com'. Which TWO firewall rule configurations can achieve this? (Choose TWO.)