Question 1mediummultiple choice
Full question →Question 113 of 300
mediummultiple choiceObjective-mapped
ACE Practice Question: A network security team wants to capture metadata…
This ACE practice question tests your understanding of a network security team wants to capture metadata…. Match the stated requirement to the specific cloud service, access model, or configuration option — many options are valid in isolation but not for this scenario. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
A network security team wants to capture metadata about all TCP flows entering and leaving VMs in a specific subnet — source IP, destination IP, port, and bytes transferred — for security analysis. Which GCP feature collects this data?
Answer choices
Why each option matters
Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.
A
Distractor review
Cloud Armor security policies with logging enabled
Cloud Armor logs policy evaluations for HTTP requests at the load balancer — it doesn't capture raw TCP flow metadata for all VM traffic.
B
Best answer
VPC Flow Logs enabled on the subnet
VPC Flow Logs record sampled flow metadata (source/destination IPs, ports, protocol, bytes) for all traffic in the subnet — sent to Cloud Logging for analysis or export.
C
Distractor review
Cloud Packet Mirroring — captures all traffic for deep packet inspection
Packet Mirroring captures full packets (including payload) for deep inspection — it's more powerful but also more resource-intensive and costly than Flow Logs for metadata-only analysis.
D
Distractor review
Firewall Rules Logging on each firewall rule
Firewall Rules Logging records which firewall rule allowed or denied each connection — it doesn't capture full flow metadata like bytes transferred or flow duration.
Common exam trap
Common exam trap: usable hosts are not the same as total addresses
Subnetting questions often tempt you into counting all addresses. In normal IPv4 subnets, the network and broadcast addresses are not usable host addresses.
Technical deep dive
How to think about this question
Subnetting questions test whether you can identify the network, broadcast address, usable range, mask and correct subnet. Slow down enough to calculate the block size correctly.
KKey Concepts to Remember
- CIDR notation defines the prefix length.
- Block size helps identify subnet boundaries.
- Network and broadcast addresses are not usable hosts in normal IPv4 subnets.
- The required host count determines the smallest suitable subnet.
TExam Day Tips
- Write the block size before choosing the subnet.
- Check whether the question asks for hosts, subnets or a specific address range.
- Do not confuse /24, /25, /26 and /27 host counts.
Key takeaway
Count usable hosts — not total addresses — and remember that the network and broadcast addresses are not available to hosts in standard IPv4 subnets.
Related practice questions
Related ACE practice-question pages
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
More questions from this exam
Keep practising from the same exam bank, or move into a focused topic page if this question exposed a weak area.
Question 1
What is the correct order of the Google Cloud resource hierarchy from highest to lowest level?
Question 2
A compliance archive stores legal documents accessed at most once per quarter. Which Cloud Storage class minimizes storage cost while meeting that access pattern?
Question 3
Which gcloud command creates a Compute Engine VM named 'web-01' using the e2-medium machine type in zone us-central1-a?
Question 4
A team wants to receive an email alert when the average CPU utilization of VMs in a managed instance group exceeds 80% for more than 5 minutes. What should they create in Cloud Monitoring?
Question 5
A junior developer needs read-only access to all GCP resources in a project. Which IAM role grants the minimum permissions required?
Question 6
A startup creates its first Google Cloud project. Before deploying any paid resources, what must be linked to the project?
Practice this exam
Start a free ACE practice session
Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.
FAQ
Questions learners often ask
What does this ACE question test?
CIDR notation defines the prefix length.
What is the correct answer to this question?
The correct answer is: VPC Flow Logs enabled on the subnet — VPC Flow Logs capture network flow metadata (5-tuple: source IP, destination IP, protocol, source port, destination port) for traffic in a VPC subnet. They're stored in Cloud Logging and can be exported to BigQuery or Pub/Sub for analysis. They provide visibility into network traffic patterns without full packet capture.
What should I do if I get this ACE question wrong?
Review block sizes, usable host formulas (2^n − 2), and how to find network and broadcast addresses for /24 through /30. Then practise related ACE subnetting questions on CIDR, address ranges, and subnet selection.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →
Discussion
Loading comments…
Sign in to join the discussion.
This ACE practice question is part of Courseiva's free Google Cloud certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the ACE exam.