Question 1hardmultiple choice
Full question →Question 150 of 300
hardmultiple choiceObjective-mapped
ACE Practice Question: A compliance requirement mandates that all…
This ACE practice question tests your understanding of a compliance requirement mandates that all…. Match the stated requirement to the specific cloud service, access model, or configuration option — many options are valid in isolation but not for this scenario. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
A compliance requirement mandates that all VM-to-VM traffic within a GCP project must be encrypted in transit, even for internal VPC traffic. Which feature enforces this for Compute Engine?
Answer choices
Why each option matters
Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.
A
Best answer
Mutual TLS (mTLS) enforced at the application layer between VMs
GCP's VPC doesn't automatically encrypt VM-to-VM traffic. mTLS at the application layer (using certificate-based authentication) is the standard method to enforce encrypted communication between services.
B
Distractor review
Shielded VMs with Secure Boot enabled
Shielded VMs protect against boot-level attacks using TPM and Secure Boot — they don't encrypt network traffic between VMs.
C
Distractor review
Enabling VPC Flow Logs on all subnets
VPC Flow Logs capture traffic metadata for analysis — they don't encrypt traffic.
D
Distractor review
VPC firewall rules denying all non-encrypted traffic
VPC firewall rules control whether traffic is allowed or denied based on port/protocol/IP — they can't inspect or enforce encryption of allowed traffic.
Common exam trap
Common exam trap: usable hosts are not the same as total addresses
Subnetting questions often tempt you into counting all addresses. In normal IPv4 subnets, the network and broadcast addresses are not usable host addresses.
Technical deep dive
How to think about this question
Subnetting questions test whether you can identify the network, broadcast address, usable range, mask and correct subnet. Slow down enough to calculate the block size correctly.
KKey Concepts to Remember
- CIDR notation defines the prefix length.
- Block size helps identify subnet boundaries.
- Network and broadcast addresses are not usable hosts in normal IPv4 subnets.
- The required host count determines the smallest suitable subnet.
TExam Day Tips
- Write the block size before choosing the subnet.
- Check whether the question asks for hosts, subnets or a specific address range.
- Do not confuse /24, /25, /26 and /27 host counts.
Key takeaway
Count usable hosts — not total addresses — and remember that the network and broadcast addresses are not available to hosts in standard IPv4 subnets.
Related practice questions
Related ACE practice-question pages
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
More questions from this exam
Keep practising from the same exam bank, or move into a focused topic page if this question exposed a weak area.
Question 1
What is the correct order of the Google Cloud resource hierarchy from highest to lowest level?
Question 2
A compliance archive stores legal documents accessed at most once per quarter. Which Cloud Storage class minimizes storage cost while meeting that access pattern?
Question 3
Which gcloud command creates a Compute Engine VM named 'web-01' using the e2-medium machine type in zone us-central1-a?
Question 4
A team wants to receive an email alert when the average CPU utilization of VMs in a managed instance group exceeds 80% for more than 5 minutes. What should they create in Cloud Monitoring?
Question 5
A junior developer needs read-only access to all GCP resources in a project. Which IAM role grants the minimum permissions required?
Question 6
A startup creates its first Google Cloud project. Before deploying any paid resources, what must be linked to the project?
Practice this exam
Start a free ACE practice session
Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.
FAQ
Questions learners often ask
What does this ACE question test?
CIDR notation defines the prefix length.
What is the correct answer to this question?
The correct answer is: Mutual TLS (mTLS) enforced at the application layer between VMs — VM-to-VM encryption within a VPC is not automatically provided by GCP's network layer. Application-level TLS or Cloud VPN between VMs can encrypt traffic. However, GCP offers VM-level encryption for inter-VM traffic via 'Confidential VMs' with AMD SEV, but for network-in-transit specifically, mTLS at the application layer is the standard approach. For GKE, Anthos Service Mesh provides mTLS between Pods.
What should I do if I get this ACE question wrong?
Review block sizes, usable host formulas (2^n − 2), and how to find network and broadcast addresses for /24 through /30. Then practise related ACE subnetting questions on CIDR, address ranges, and subnet selection.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →
Discussion
Loading comments…
Sign in to join the discussion.
This ACE practice question is part of Courseiva's free Google Cloud certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the ACE exam.