A security engineer needs to restrict access to Cloud Storage buckets so that only resources in a specific VPC can reach the Google APIs. Which Google Cloud service should be used?
An organization wants to enforce a security policy that denies all egress traffic to the internet from all projects in the organization, except for traffic from a specific set of VMs tagged with 'allow-egress'. Which approach should be used?
A company uses VPC Service Controls to protect a BigQuery dataset. They need to allow an external on-premises application to query the dataset without being inside the service perimeter. The external application has a static IP address. Which configuration is required?
A DevOps team wants to automatically provision and renew SSL certificates for a global HTTPS load balancer. Which certificate management option should be used?
A company wants internal VMs to access Google APIs (e.g., Cloud Storage, BigQuery) without traversing the internet. What is the simplest configuration?
An organization uses VPC Service Controls in dry-run mode for a project containing Google Cloud Storage. They notice that BigQuery jobs are being logged as violations. How should they interpret this?
A security engineer wants to enforce a baseline set of firewall rules that apply to all new and existing VMs in an organization, and these rules must not be overridden by project-level rules. Which approach should be used?
A service provider wants to expose an internal service to external consumers in a controlled manner, without giving them direct access to the VPC. Which Google Cloud service should be used?
An organization uses SSL policies for their HTTPS load balancer. They need to allow TLS 1.2 and 1.3 only, and use the most secure cipher profile available. Which SSL policy configuration should they choose?
A company wants to detect and block SQL injection attacks targeting their web application hosted on Compute Engine behind a Cloud Load Balancer. Which TWO steps should they take? (Choose TWO.)
A financial services company must ensure that all data in Cloud Storage remains within a specific region and that no data can be accessed from outside the corporate network. They also need to allow a partner organization to access a specific bucket. Which THREE Google Cloud services or features should be combined to meet these requirements? (Choose THREE.)
An organization wants to implement a zero-trust network security model for their Google Cloud environment. Which TWO practices should they adopt? (Choose TWO.)
An organization wants to restrict access to a Cloud Storage bucket so that only resources in a specific VPC network can reach it, without using public IP addresses. Which solution should they implement?
A security engineer needs to allow HTTP (port 80) traffic from all VMs in the production environment to a specific set of VMs running a web server. The web server VMs are identified by a service account 'web-sa@...'. Which firewall rule configuration should the engineer create?
A company wants to enforce that all VPC firewall rules in an organization must be centrally managed and cannot be overridden by lower-level projects. Which approach should they use?
An organization uses VPC Service Controls to protect BigQuery datasets. They need to allow a specific on-premises application, which uses a static IP address, to query a BigQuery dataset inside the service perimeter. Which configuration is required?
A company wants to provide private connectivity from its VPC to Google APIs (e.g., Cloud Storage, BigQuery) without using public IPs or NAT. The solution must also support on-premises connectivity via Cloud VPN. Which service should they use?
A web application behind an HTTPS load balancer is experiencing a high volume of malicious requests with SQL injection patterns. The security team wants to block these requests with minimal latency impact. Which Cloud Armor feature should they use?
An organization uses a global HTTPS load balancer with a Google-managed SSL certificate. The certificate was automatically provisioned and renewed. Recently, the certificate renewal failed and the site shows a warning. The load balancer's frontend uses the certificate. What is the most likely cause?
A security engineer needs to monitor network traffic for potential threats in a VPC. They want to inspect all traffic for malware signatures and alert on high-severity threats. The solution should be natively integrated with GCP. Which service should they use?
A company wants to enforce that traffic between two projects in the same organization must go through a central inspection VPC. They need a firewall rule that denies all traffic between the projects except through the inspection VPC. Which type of firewall rule should they use?
An organization needs to restrict access to Cloud Storage buckets so that only requests from a specific range of IP addresses (e.g., corporate VPN) are allowed. They also want to block all other IPs. Which combination of services should they use?
A company has a global HTTPS load balancer and wants to use a self-managed SSL certificate. They have uploaded the PEM-encoded certificate and private key to the load balancer. However, the certificate is about to expire. What is the correct way to renew it without downtime?
A security team wants to block all incoming traffic from a specific country to their web application behind a global HTTPS load balancer. They also need to allow traffic from all other countries. Which Cloud Armor feature should be used?
A company wants to enable private connectivity from its on-premises network to Google APIs (e.g., Cloud Storage, BigQuery) without using public IPs. They have a Cloud VPN connection to a VPC. Which TWO services or configurations are required? (Choose two.)
A security engineer is designing a VPC Service Controls perimeter to protect sensitive BigQuery data. They need to allow a specific on-premises application (source IP range 203.0.113.0/24) to query BigQuery, and also allow a managed instance group in another project (project 'analytics') to export data from BigQuery to Cloud Storage. Which THREE configurations are required? (Choose three.)
A security team wants to enforce SSL/TLS best practices for their HTTPS load balancer. They need to require TLS 1.2 or higher and restrict ciphers to strong ones only. Which TWO actions should they take? (Choose two.)
An organization wants to restrict access to Google Cloud APIs such as BigQuery and Cloud Storage so that only requests originating from a specific VPC network are allowed. Which Google Cloud service should they use?
A security team needs to apply a set of firewall rules that enforce baseline security for all VPC networks across multiple projects in an organization. These rules must be inherited and cannot be overridden by project-level rules. What should they use?
An engineer wants to allow egress traffic from a group of VM instances with a specific service account to a set of IP addresses. They need to choose between using tags or service accounts as targets in a VPC firewall rule. Which approach is recommended for better security and why?
A company uses VPC Service Controls to protect a project containing BigQuery datasets. They have an ingress rule that allows traffic from an on-premises network via a Cloud VPN tunnel. The on-premises IP range is 10.0.0.0/8. However, users on-premises are still getting access denied errors when querying BigQuery. The VPC Service Controls perimeter is in dry-run mode. What is the most likely cause?
An organization wants to provide private, on-premises access to Google Cloud APIs (e.g., Cloud Storage, BigQuery) without traversing the public internet. They have a Direct Connect link to Google Cloud. Which solution should they implement?
A company uses Cloud Armor security policies to protect their HTTP load balancer. They need to block requests from a specific geographic region (country X) and also limit requests from any IP to 1000 requests per second. They also want to use preconfigured rules for SQL injection prevention. What is the correct way to combine these requirements in a single security policy?
A company wants to automatically provision and renew SSL certificates for their HTTPS load balancer. They want Google to manage the certificate lifecycle. Which certificate type should they use?
A security engineer needs to detect and alert on network-based threats such as malware and command-and-control traffic within their Google Cloud VPC. They want a managed service that provides deep packet inspection and integrates with their existing security operations. Which service should they use?
An organization uses VPC Service Controls with a service perimeter that includes Cloud Storage and BigQuery. They need to allow a specific on-premises service account to write data to a Cloud Storage bucket inside the perimeter. The on-premises network connects via Cloud VPN. What must be configured in the perimeter?
A company needs to enforce that all incoming traffic to their HTTPS load balancer must use TLS 1.2 or higher. Which SSL policy setting should they configure on the target HTTPS proxy?
A company is using Cloud Armor with adaptive protection enabled. They notice that adaptive protection has generated a rule that is blocking some legitimate traffic. What should they do to minimize false positives while still benefiting from adaptive protection?
An organization has multiple VPC networks in different projects. They need to centrally manage firewall rules that apply to all VPCs in the organization and ensure that project owners cannot override them. Which solution should they use?
A company is implementing VPC Service Controls to protect a project that contains Cloud Storage and BigQuery. They want to allow a specific on-premises service account to read data from Cloud Storage and write to BigQuery. The on-premises network connects via Cloud VPN. Which TWO components must be configured in the service perimeter? (Choose two.)
A security team is configuring Cloud Armor to protect a web application. They need to block requests that contain SQL injection patterns, block requests from a known malicious IP list, and limit requests from any single IP to 2000 requests per minute. Which THREE actions must they take? (Choose three.)
A company is deploying a new internal application on Google Cloud. They want to ensure that VM instances in a specific subnet can only communicate with each other and with a load balancer that fronts the application. They also want to allow SSH access from a bastion host. Which TWO firewall rules should they create? (Choose two.)
A security engineer wants to restrict access to a Cloud Storage bucket so that only requests originating from within a specific VPC network can access the bucket. Which Google Cloud service should they use?
An organization needs to block all inbound SSH traffic (port 22) to a set of VM instances that have a common tag 'ssh-restricted'. They want to deny this traffic at the VPC firewall level. Which firewall rule configuration should they use?
A company wants to use Cloud Armor Managed Protection Plus to protect their HTTP(S) load balancer from DDoS attacks. They need to automatically block traffic from IP addresses that exhibit anomalous behavior based on machine learning. Which Cloud Armor feature should they enable?
An engineer needs to ensure that only VMs with a specific service account (sa-prod@project.iam.gserviceaccount.com) can access a Cloud Spanner instance. They want to control this at the network level, not using IAM. Which VPC firewall rule configuration should they use?
A company uses hierarchical firewall policies at the organization level to enforce a baseline deny-all rule. A project administrator wants to create a firewall rule that allows HTTP traffic to a specific VM. Which statement is correct?
A financial services company must ensure that all data egress from a VPC to BigQuery goes through a Private Service Connect endpoint for private access. They have set up the PSC endpoint and configured DNS. However, connections from VMs are still using the public internet. What is the most likely cause?
An organization wants to use Cloud IDS to detect network threats within their VPC. They have enabled the Cloud IDS endpoint and configured packet mirroring. Which of the following is required for the packet mirroring policy to work?
A company wants to automatically provision and renew SSL certificates for their HTTPS load balancer. They do not want to manually manage certificate files. Which approach should they use?
A security team needs to apply a security policy that blocks requests to their HTTP load balancer from a specific geographic region (e.g., Country A). Which Cloud Armor feature should they use?
An organization uses VPC Service Controls to protect BigQuery. They want to test a new access level that allows access only from a specific IP range before enforcing it. Which mode should they use?
A company has multiple VPCs in different projects that need to privately connect to a common internal service (e.g., a managed database) running in a central project. They want to expose this service via Private Service Connect. Which type of PSC endpoint should the consumer VPCs create?
A DevOps engineer wants to use Cloud Armor to block common web application attacks like SQL injection and cross-site scripting. Which feature should they enable?
A security engineer is configuring a VPC Service Controls perimeter to protect a Cloud Storage bucket. They want to allow a specific on-premises network (IP range 203.0.113.0/24) to access the bucket, while still blocking other external networks. Which TWO components must they configure? (Choose TWO.)
An organization wants to enforce that all egress traffic from a VPC to the internet must go through a Cloud NAT gateway for logging and IP management. They also need to block all other direct outbound traffic. Which THREE steps should they take? (Choose THREE.)
A company wants to use Cloud IDS to detect threats in their VPC. They have created a Cloud IDS endpoint and need to configure packet mirroring. Which TWO resources must be in place for packet mirroring to work? (Choose TWO.)
A security engineer wants to restrict access to Cloud Storage buckets such that only workloads running on Compute Engine VMs in a specific VPC can read data. The VMs are managed by multiple GKE clusters and autoscaling instance groups. Which approach BEST enforces this restriction?
An organization wants to enforce that all Compute Engine instances in a project have a specific tag (e.g., 'env=prod') before they can be created. Which approach should be used?
An organization wants to allow only specific trusted IP ranges to access a web application behind a Cloud Load Balancer. Which Cloud Armor feature should be used?
A company is deploying an internal service on GKE that needs to be accessible privately from on-premises data centers over a VPN connection. The service should not be exposed to the internet. Which connectivity solution is MOST appropriate?
An organization has a security policy that requires TLS 1.2 or higher for all HTTPS traffic to their external HTTP(S) load balancer. They also need to disable weak cipher suites. Which configuration should be applied?
An engineer needs to allow a specific service account from another project to access a Cloud Storage bucket in the current project. The engineer wants to use the principle of least privilege. Which IAM role should be granted directly on the bucket to the service account?
A company wants to enforce that no Compute Engine firewall rule in any project under an organization can have a source range of 0.0.0.0/0 for RDP (port 3389). Which approach should be used?
An engineer needs to allow HTTP traffic from instances tagged 'web-server' to instances tagged 'app-server' on port 8080 within the same VPC. Which firewall rule should be created?
A company uses VPC Service Controls to protect a service perimeter around BigQuery. They need to allow a specific on-premises application (with static IP 203.0.113.10) to query BigQuery tables within the perimeter, while still blocking other internet traffic. Which configuration should be used?
An organization uses Certificate Manager to provision SSL certificates for multiple domains across several load balancers. They want to automate certificate renewal. Which type of certificate should be used?
A company wants to prevent data exfiltration by restricting access to Google APIs from only authorized VPC networks. They also need to allow a specific on-premises IP range to access BigQuery. Which TWO services should be used together? (Choose 2)
A security team needs to inspect all egress traffic from Compute Engine instances for malware using a third-party security appliance. They want to deploy the appliance in a separate VPC and route all egress traffic through it. Which THREE components are required? (Choose 3)
An organization wants to enforce that all Compute Engine instances have Confidential Computing enabled for sensitive workloads. Which TWO steps should be taken? (Choose 2)
A security engineer wants to allow egress traffic from Compute Engine instances to the internet only for updates to a specific set of packages. All other egress must be denied. Which VPC firewall rule configuration should the engineer use?
A company wants to restrict access to Cloud Storage buckets so that only resources in a specific VPC network can reach them, and data cannot be exfiltrated to other networks. Which Google Cloud service should they use?
A company uses VPC Service Controls in dry-run mode to test a new service perimeter that includes BigQuery. They want to monitor any violations without actually blocking access. Where can they view the logs of these dry-run violations?
An organization has a hub-and-spoke VPC setup with Shared VPC. The security team wants to enforce a rule that all egress traffic from any project in the organization must pass through a central inspection appliance in the hub VPC. Which firewall configuration approach meets this requirement?
A company wants to expose an internal web service running on a private GKE cluster to other services within the same VPC network using a private IP address. They do not want to use a public load balancer. Which Google Cloud service should they use?
A security engineer needs to block traffic from all IP addresses in a specific geographic region from reaching an HTTPS load-balanced application. The application uses Cloud Load Balancing with an external HTTPS load balancer. Which approach should the engineer use?
A company uses Cloud Armor Managed Protection Plus to protect their applications. They want to automatically block IP addresses that are identified as malicious by adaptive protection. How should they configure this?
An organization needs to enforce a TLS minimum version of 1.2 for all traffic to their HTTPS load balancers. They have multiple load balancers serving different domains. Which Google Cloud feature should they use?
A security team wants to detect and block network-based threats such as malware and command-and-control traffic within their VPC. They need a managed service that provides deep packet inspection. Which Google Cloud service should they use?
A company has a VPC Service Controls perimeter that includes BigQuery and Cloud Storage. They need to allow a specific on-premises application (with a static IP) to access a BigQuery dataset within the perimeter. Which configuration should they use?
A company uses Cloud Armor to protect a web application. They want to block requests that contain SQL injection patterns based on the OWASP ModSecurity Core Rule Set. Which preconfigured rule set should they enable?
A security engineer needs to restrict access to a Cloud Storage bucket so that only a specific set of Compute Engine instances can read objects. The instances are in the same project and VPC network. The engineer wants to use VPC firewall rules for this purpose. Which two configurations are REQUIRED? (Choose two.)
A company is designing a secure multi-tenant environment in Google Cloud. Each tenant has its own VPC network and resources. The security team wants to centrally enforce a rule that denies all egress traffic to the internet from tenant VPCs, except for traffic to specific trusted IP ranges for software updates. They also want to ensure that tenant admins cannot override this rule. Which two actions should they take? (Choose two.)
A company is deploying a web application behind an external HTTPS load balancer. They want to protect against common web attacks such as XSS, SQLi, and LFI using preconfigured rules. They also need to allowlist specific IP addresses that belong to partners. Which three Cloud Armor features should they use? (Choose three.)
An organization wants to restrict access to Google Cloud APIs such as BigQuery and Cloud Storage so that only resources within a specific VPC network can call these APIs, and no traffic from other VPCs or on-premises networks is allowed. Which Google Cloud service should they use?
A security engineer needs to configure firewall rules to allow traffic from a set of compute instances to a set of backend instances. The engineer wants to use a method that is more secure and scalable than using network tags. Which approach should they use?
A company wants to allow users from a specific on-premises IP range to access a service deployed on Google Cloud, but only if the user's device is compliant with corporate security policies (e.g., has antivirus enabled). Which combination of services can achieve this?
A company has set up a VPC Service Controls perimeter that includes Cloud Storage. They want to allow a specific on-premises server to copy data to a Cloud Storage bucket inside the perimeter. The on-premises server uses an external IP address. Which configuration is required?
A company wants to use a Google Cloud load balancer with an SSL certificate that is automatically provisioned and renewed. Which type of certificate should they use?
A security engineer needs to block traffic to a set of VMs from specific IP addresses and also apply rate limiting for HTTP traffic. The VMs are behind a global external HTTPS load balancer. Which service should they use?
A company wants to provide private connectivity from its on-premises network to Google Cloud APIs (e.g., BigQuery, Cloud Storage) without traversing the public internet. They have an existing Dedicated Interconnect connection. Which solution should they use?
An organization has a hierarchical firewall policy at the organization level that denies all ingress traffic from the internet. A project team needs to allow HTTP traffic from the internet to a specific VM. How should they achieve this?
A company wants to detect and alert on potential network threats, such as malware and command-and-control traffic, within their VPC. They need a managed service that integrates with packet mirroring. Which Google Cloud service should they use?
A company's security policy requires that all traffic to a Google Cloud load balancer use TLS 1.2 or higher and only accept strong ciphers. They want to enforce this using a Google Cloud resource. Which resource should they configure?
A company wants to protect a web application hosted on Google Cloud from common web attacks like SQL injection and cross-site scripting (XSS). They have deployed a global external HTTPS load balancer. Which TWO services or configurations should they use?
An organization wants to use VPC Service Controls to protect BigQuery data. They need to allow a group of data analysts to access BigQuery from outside the perimeter (e.g., from their laptops) while maintaining the perimeter for all other users. Which TWO configurations are necessary?
A company wants to deploy a web application with a global load balancer and needs to configure SSL/TLS termination. They want to use a certificate from their own CA and have the ability to manage multiple certificates for different domains. Which THREE steps should they take?
A security engineer is designing a network security architecture for a multi-project environment. They need to enforce a baseline set of firewall rules across all projects in the organization, but allow individual project teams to add their own specific rules. Which TWO components should they use?
A company wants to use Private Service Connect to publish a managed service (e.g., a custom application) so that consumers can access it privately within Google Cloud. Which THREE resources are involved in this setup?
Your organization wants to enforce that all VMs in a project can only communicate with a specific Cloud Storage bucket, and no other external IP addresses. You need to configure firewall rules to achieve this. Which approach should you take?
You are designing a VPC Service Controls perimeter to protect a project containing BigQuery datasets accessible from a data analytics VPC. You need to allow a specific set of on-premises users (identified by IP range 203.0.113.0/24) to query BigQuery from outside the perimeter, but block all other external access. What is the correct configuration?
Your organization uses Cloud Armor to protect HTTP Load Balancers. You need to block all incoming requests from a specific geographic region (country code 'XY') while allowing all other traffic. What is the correct configuration?
You manage a Google Cloud environment using shared VPC with multiple service projects. You need to enforce consistent firewall rules across all projects in the organization, ensuring that certain security rules cannot be overridden by project administrators. Which TWO steps should you take? (Choose 2)
You are designing a private connectivity solution for a Google Cloud project that needs to access Google APIs (e.g., Cloud Storage) without traversing the public internet. The VPC has on-premises connectivity via Cloud VPN. Which THREE steps are required to achieve private, on-premises to Google API access? (Choose 3)