Implementing network security · Hard · Multiple select · Objective-mapped

Quick Answer

The answer is to enable VPC Service Controls on the project and define ingress and egress rules. This is correct because VPC Service Controls creates a service perimeter around your Cloud Storage bucket, effectively isolating it from the public internet and untrusted networks; ingress rules specify which trusted VPC networks can send traffic into the perimeter, while egress rules control what data can leave the perimeter, directly preventing data exfiltration by blocking unauthorized access paths. On the Google Professional Cloud Network Engineer exam, this question tests your understanding of how perimeters enforce data boundaries, and a common trap is to confuse VPC Service Controls with firewall rules—firewalls control network traffic at the instance level, but VPC Service Controls controls data access at the API level across services. A helpful memory tip is to think of the perimeter as a castle wall: ingress is the drawbridge that lets trusted visitors in, and egress is the gate that stops treasure from being smuggled out.

PCNE Implementing network security Practice Question

This PCNE practice question tests your understanding of implementing network security. Match the stated requirement to the specific cloud service, access model, or configuration option — many options are valid in isolation but not for this scenario. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A company wants to prevent data exfiltration from a Google Cloud Storage bucket that contains sensitive data. They plan to use VPC Service Controls. Which two steps are necessary to implement this? (Choose two.)

Correct answer & explanation

Add the storage bucket to a VPC Service Controls perimeter and restrict access to only trusted VPC networks.

Option A is correct because VPC Service Controls allows you to define a service perimeter that includes a Cloud Storage bucket, and within that perimeter you can restrict access to only trusted VPC networks. This prevents data exfiltration by ensuring that only resources within the specified VPC networks can access the bucket, blocking any access from outside the perimeter, including the public internet or other networks.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Add the storage bucket to a VPC Service Controls perimeter and restrict access to only trusted VPC networks.

    Why this is correct

    The bucket (via its project) is added to the perimeter, and ingress rules restrict access from trusted VPCs.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Enable VPC Service Controls on the project and define ingress and egress rules.

    Why this is correct

    Enabling VPC SC and defining ingress/egress rules are essential steps.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Set up an Organization Policy to deny all public access to storage buckets.

    Why it's wrong here

    This is separate from VPC Service Controls.

  • Configure the service perimeter to allow access only from authorized IP ranges.

    Why it's wrong here

    IP ranges are configured via access levels, but this is not a necessary step; other conditions can be used.

  • Create a service perimeter that includes the storage bucket and the VPC network.

    Why it's wrong here

    The perimeter includes projects, not VPC networks directly.

Common exam traps

Common exam trap: answer the scenario, not the keyword

Google Cloud often tests the misconception that VPC Service Controls uses IP-based allowlisting (like firewall rules) or that you can add individual resources (like a bucket) directly to a perimeter, when in reality perimeters are project-based and rely on network context rather than IP addresses.

Detailed technical explanation

How to think about this question

VPC Service Controls uses service perimeters to create a security boundary around Google Cloud services, such as Cloud Storage, by restricting access to only authorized VPC networks and identities. Under the hood, this is enforced at the Google Front End (GFE) layer, where requests are evaluated against the perimeter's ingress and egress rules before reaching the service API. A real-world scenario is a financial institution that needs to prevent data exfiltration from a sensitive bucket by ensuring that only compute instances in a specific VPC (with no internet gateway) can access it, even if an attacker compromises a service account key outside that network.
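To make the evaluation order described above concrete, here is an added Python model of how a perimeter decides a request. It is an illustration written for this page, not Google's implementation and not Courseiva's code. It assumes a simplified rule engine: a perimeter holds projects (never buckets or VPC networks directly), a set of restricted services, and ingress/egress rules whose dictionaries mirror the field names of the gcloud ingress and egress policy files (ingressFrom/ingressTo, egressFrom/egressTo; the shape is an assumption). Access levels, perimeter bridges and dry-run mode are left out, and in the real service IAM is still evaluated separately. Every project, network path and service account name is constructed for the example; the key case to watch is the stolen service-account key replayed from the internet, which IAM alone would accept but the perimeter rejects.

```python
# Added illustration of VPC Service Controls decision order: a simplified model
# written for this page, not Google's implementation. It omits access levels,
# perimeter bridges and dry-run mode; IAM is still evaluated separately. The rule
# dicts mirror the field names of gcloud ingress/egress policy files (assumed
# shape). Every project, network and account name below is constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Request:
    caller_project: Optional[str]  # project of the calling resource; None = internet
    network: Optional[str]         # VPC network the call leaves from; None = internet
    identity: str                  # "serviceAccount:..." or "user:..."
    service: str                   # e.g. "storage.googleapis.com"
    method: str                    # e.g. "google.storage.objects.get"
    target_project: str            # project that owns the bucket being accessed

@dataclass
class Perimeter:
    projects: set                  # perimeters hold projects, not buckets or VPCs
    restricted_services: set
    ingress_policies: list
    egress_policies: list

def _identity_matches(rule_from: dict, identity: str) -> bool:
    kind = rule_from.get("identityType")
    return (identity in rule_from.get("identities", [])
            or kind == "ANY_IDENTITY"
            or (kind == "ANY_SERVICE_ACCOUNT" and identity.startswith("serviceAccount:"))
            or (kind == "ANY_USER_ACCOUNT" and identity.startswith("user:")))

def _source_matches(sources: list, req: Request) -> bool:
    # A source is a VPC network path, a project, or the wildcard access level.
    own = {req.network, f"projects/{req.caller_project}"} - {None}
    return any(s.get("accessLevel") == "*" or s.get("resource") in own for s in sources)

def _operation_matches(operations: list, req: Request) -> bool:
    return any(op.get("serviceName") in ("*", req.service)
               and any(sel.get("method") in ("*", req.method)
                       for sel in op.get("methodSelectors", [{"method": "*"}]))
               for op in operations)

def _resource_matches(resources: list, project: str) -> bool:
    return "*" in resources or f"projects/{project}" in resources

def evaluate(p: Perimeter, req: Request) -> str:
    """Return 'ALLOW: <reason>' or 'DENY: <reason>' for one request."""
    if req.service not in p.restricted_services:
        return "ALLOW: service is not restricted by this perimeter"
    caller_in, target_in = req.caller_project in p.projects, req.target_project in p.projects
    if caller_in and target_in:
        return "ALLOW: caller and resource are both inside the perimeter"
    if target_in:  # outside -> inside: only a matching ingress rule admits the call
        for r in p.ingress_policies:
            if (_source_matches(r["ingressFrom"].get("sources", []), req)
                    and _identity_matches(r["ingressFrom"], req.identity)
                    and _operation_matches(r["ingressTo"].get("operations", []), req)
                    and _resource_matches(r["ingressTo"].get("resources", []), req.target_project)):
                return "ALLOW: matched an ingress rule"
        return "DENY: caller is outside the perimeter and no ingress rule matches"
    if caller_in:  # inside -> outside: only a matching egress rule releases data
        for r in p.egress_policies:
            if (_identity_matches(r["egressFrom"], req.identity)
                    and _operation_matches(r["egressTo"].get("operations", []), req)
                    and _resource_matches(r["egressTo"].get("resources", []), req.target_project)):
                return "ALLOW: matched an egress rule"
        return "DENY: data would leave the perimeter and no egress rule matches"
    return "ALLOW: neither side is inside the perimeter"

# Constructed scenario: the sensitive bucket is in project "data-prod"; the only
# trusted caller is a service account running inside VPC "app-vpc" of "app-prod".
GCS = "storage.googleapis.com"
APP_VPC = "//compute.googleapis.com/projects/app-prod/global/networks/app-vpc"
DATA_VPC = "//compute.googleapis.com/projects/data-prod/global/networks/data-vpc"
APP_SA = "serviceAccount:ingest@app-prod.iam.gserviceaccount.com"
DATA_SA = "serviceAccount:etl@data-prod.iam.gserviceaccount.com"

DATA_PERIMETER = Perimeter(
    projects={"data-prod"}, restricted_services={GCS},
    ingress_policies=[{
        "ingressFrom": {"sources": [{"resource": APP_VPC}], "identityType": "ANY_SERVICE_ACCOUNT"},
        "ingressTo": {"operations": [{"serviceName": GCS,
                                      "methodSelectors": [{"method": "google.storage.objects.get"}]}],
                      "resources": ["*"]}}],
    egress_policies=[],  # no egress rules at all: nothing may leave the perimeter
)

def scenario_results() -> dict:
    """Decisions for constructed requests, keyed by scenario name."""
    get, put = "google.storage.objects.get", "google.storage.objects.insert"
    cases = {
        "read_from_trusted_vpc": Request("app-prod", APP_VPC, APP_SA, GCS, get, "data-prod"),
        "same_key_used_from_internet": Request(None, None, APP_SA, GCS, get, "data-prod"),
        "human_user_from_trusted_vpc": Request("app-prod", APP_VPC, "user:alice@example.com",
                                               GCS, get, "data-prod"),
        "copy_out_to_external_bucket": Request("data-prod", DATA_VPC, DATA_SA, GCS, put,
                                               "outside-proj"),
        "read_inside_perimeter": Request("data-prod", DATA_VPC, DATA_SA, GCS, get, "data-prod"),
        "unrestricted_service_from_internet": Request(None, None, APP_SA,
                                                      "bigquery.googleapis.com", "jobs.query",
                                                      "data-prod"),
    }
    return {name: evaluate(DATA_PERIMETER, req) for name, req in cases.items()}
```

Calling scenario_results() shows the two behaviours the question is built around: the trusted-VPC service account is admitted by the ingress rule, the same credential used from the internet is denied because no source matches, and an in-perimeter job writing to a bucket in an outside project is denied because the egress list is empty. The unrestricted BigQuery call is allowed regardless, which is why the restricted-services list matters as much as the project list.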

Key Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A media company stores terabytes of video archives that are accessed once a year for audit purposes. Moving these objects to a cold storage tier (Azure Archive, S3 Glacier, or Google Nearline) costs a fraction of hot storage. Questions like this test whether you understand storage tiers, access frequency tradeoffs, and retrieval latency requirements.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

FAQ

Questions learners often ask

What does this PCNE question test?

This question tests Implementing network security: read the scenario before looking for a memorised answer.

What is the correct answer to this question?

The correct answer is: Add the storage bucket to a VPC Service Controls perimeter and restrict access to only trusted VPC networks. See the explanation in the answer analysis above.

What should I do if I get this PCNE question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Last reviewed: Jun 30, 2026

This PCNE practice question is part of Courseiva's free Google Cloud certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the PCNE exam.