CCNA Gcp Network Security Questions

75 of 76 questions · Page 1/2 · Gcp Network Security topic · Answers revealed

Question 1 (MCQ, medium)

An organization has multiple VPC networks and wants to allow traffic between them with fine-grained control over which VMs can communicate. Which solution should they implement?

A. Cloud Interconnect.
B. Shared VPC.
C. VPC peering with firewall rules.
D. Cloud VPN between VPCs.
Answer: C

VPC peering connects networks and firewall rules provide granular control.

Why this answer

VPC peering with firewall rules is the correct solution because it allows direct, private connectivity between two VPC networks while enabling fine-grained control over which specific VMs can communicate via firewall rules (ingress/egress). Unlike Shared VPC, which centralizes management but does not inherently provide per-VM granularity across separate VPCs, VPC peering combined with firewall rules allows you to restrict traffic based on source and destination tags, service accounts, or CIDR ranges. This meets the requirement for both inter-VPC traffic and granular VM-level control.

Exam trap

Google Cloud often tests the misconception that Shared VPC is the solution for inter-VPC traffic, but Shared VPC actually consolidates multiple projects into a single VPC rather than connecting separate VPCs, while VPC peering with firewall rules provides the required granular control across distinct VPC networks.

How to eliminate wrong answers

Option A is wrong because Cloud Interconnect provides dedicated, high-bandwidth connectivity between on-premises networks and Google Cloud, not between multiple VPC networks within the same organization. Option B is wrong because Shared VPC allows multiple projects to share a common VPC network but does not enable traffic between separate VPC networks; it centralizes resources into one VPC, which contradicts the requirement of having multiple VPC networks. Option D is wrong because Cloud VPN creates an encrypted tunnel over the public internet, which is typically used for hybrid connectivity (on-premises to VPC) and adds latency and complexity; it is not designed for fine-grained VM-level control between VPCs, and firewall rules still apply but the underlying architecture is less direct than VPC peering.

Question 2 (Drag & Drop, medium)

Drag and drop the steps to set up a shared VPC in Google Cloud into the correct order.


Why this order

Shared VPC requires a host project with VPC, then granting access to service projects. Service projects then use the shared subnets.

Question 3 (MCQ, hard)

A company has multiple VPC networks in the same project, each with its own Cloud NAT configuration. They notice that traffic from a VM in VPC-A that has an external IP address is being NATed through the Cloud NAT gateway, but they only want Cloud NAT to be used for VMs without external IPs. What configuration ensures this?

A. Disable the 'send-tosource-ip' flag on the Cloud NAT gateway.
B. Set the network tier of the VM to 'Standard' instead of 'Premium'.
C. Remove any NAT rules that match the source subnet and include external IP addresses; Cloud NAT automatically applies only to VMs without external IPs if not explicitly configured otherwise.
D. Enable Cloud NAT logging to track which VMs are NATed.
Answer: C

By default, Cloud NAT applies only to VMs without external IPs.

Why this answer

Option C is correct because Cloud NAT only performs source network address translation for VMs that do not have external IP addresses, unless you explicitly configure NAT rules that match traffic from VMs with external IPs. By removing any such custom NAT rules, the default behavior ensures that only VMs without external IPs are NATed through the Cloud NAT gateway, leaving VMs with external IPs to use their own public addresses directly.

Exam trap

The trap here is that candidates assume Cloud NAT always NATs all VMs in a subnet, but the default behavior explicitly excludes VMs with external IPs unless custom NAT rules are added to include them.

How to eliminate wrong answers

Option A is wrong because the 'send-tosource-ip' flag does not exist in Cloud NAT; the relevant flag is 'source_ip_ranges_to_nat' which controls which source IP ranges are NATed, and disabling a non-existent flag has no effect. Option B is wrong because the network tier (Standard vs. Premium) affects the routing path and pricing of egress traffic, but does not influence whether a VM with an external IP is NATed by Cloud NAT.

Option D is wrong because enabling Cloud NAT logging only provides visibility into which VMs are being NATed; it does not change the NAT behavior or prevent VMs with external IPs from being NATed.

Question 4 (MCQ, hard)

A GCP environment has a VPC with a subnet that enables Private Google Access. Instances in that subnet can access Google APIs without external IPs. However, an instance cannot reach storage.googleapis.com from a private IP. Cloud NAT is configured for the subnet. What is the most likely reason for the failure?

A. The instance does not have a DNS resolution for storage.googleapis.com.
B. The subnet's Private Google Access is enabled, but Cloud NAT is also routing traffic to Google APIs via NAT, bypassing the internal access.
C. The VPC does not have a default route to the internet.
D. The instance does not have a firewall rule allowing egress to 199.36.153.4/30.
Answer: B

When Cloud NAT is enabled, the default route (0.0.0.0/0) points to NAT, which may override Private Google Access routes. Private Google Access requires a specific route for 199.36.153.4/30 with next hop 'default internet gateway'.

Why this answer

Private Google Access uses the default routes for Google APIs. If Cloud NAT is configured, it may override Private Google Access because traffic to Google APIs can be matched by a default route with a next hop of NAT. To fix this, ensure the subnet has a Private Google Access route with next hop 'default internet gateway' for the restricted VIPs.

Option B correctly identifies that Cloud NAT is incorrectly routing traffic.

Question 5 (MCQ, easy)

A company wants to restrict SSH access to a VM instance to only a specific subnet (10.0.1.0/24) and allow all traffic from the health check ranges (130.211.0.0/22 and 35.191.0.0/16) for load balancing. Which firewall rule configuration should be used for the SSH rule?

A. Create a rule allowing SSH from 0.0.0.0/0 and apply a tag to the VM.
B. Create a rule allowing SSH from 10.0.1.0/24 and another rule allowing SSH from health check ranges.
C. Create a rule with source ranges 10.0.1.0/24, 130.211.0.0/22, 35.191.0.0/16, protocol tcp:22, and target tag 'ssh-allowed'.
D. Create a rule allowing SSH only from health check ranges and deny all other traffic.
Answer: C

This rule correctly restricts SSH to the subnet and health check ranges.

Why this answer

Option D is correct because a single firewall rule can specify both source ranges and target tags. The priority does not need to be the lowest unless rules conflict. Option A is wrong because allowing all traffic is too broad.

Option B is wrong because denying SSH would not allow health checks if not specified separately. Option C is wrong because it allows only health check ranges, not the subnet.

Question 6 (MCQ, easy)

You are a cloud network engineer for a company that runs a web application on Compute Engine instances in a managed instance group (MIG) behind an external HTTP(S) load balancer. The backend instances are in a subnet with CIDR 10.0.2.0/24 and are tagged 'web-backend'. The health checks are configured to use TCP port 80. Recently, the security team added new firewall rules to restrict traffic, and now the health checks are failing. The current firewall rules (in order of priority) are:

1. Priority 100: Deny ingress from 0.0.0.0/0 to all instances (deny-all).
2. Priority 200: Allow ingress from 130.211.0.0/22 and 35.191.0.0/16 to instances with tag 'health-checked' on TCP port 80.
3. Priority 300: Allow ingress from 0.0.0.0/0 to instances with tag 'web-backend' on TCP port 80.

The MIG instances are tagged 'web-backend' but not 'health-checked'. The health checks are failing. What is the most efficient course of action to fix the health checks while maintaining security?

A. Change the priority 300 rule to allow from 0.0.0.0/0 to instances with tag 'health-checked' on TCP port 80.
B. Add a new ingress firewall rule with priority 150 that allows traffic from 130.211.0.0/22 and 35.191.0.0/16 to instances with tag 'web-backend' on TCP port 80.
C. Delete the deny-all rule (priority 100) because it is blocking health checks.
D. Modify the existing priority 200 rule to set target tags to 'web-backend' instead of 'health-checked'.
Answer: D

This directly fixes the issue by allowing health checks to the MIG instances without creating an additional rule, maintaining the security posture.

Why this answer

The health check probes originate from Google's health checker IP ranges (130.211.0.0/22 and 35.191.0.0/16) and must reach the instances. The current priority 200 rule allows these ranges only to instances tagged 'health-checked', but the MIG instances are tagged 'web-backend'. By modifying the priority 200 rule to target 'web-backend' instead, you permit health check traffic to the correct instances without creating a new rule or lowering security, as the deny-all rule (priority 100) remains in place and the more specific allow rule (priority 200) will match first.

Exam trap

Google Cloud often tests the misconception that you must create a new firewall rule or delete the deny-all rule, rather than simply modifying the target tags of an existing allow rule that already has the correct source IP ranges and protocol.

How to eliminate wrong answers

Option A is wrong because changing the priority 300 rule to target 'health-checked' would allow all internet traffic (0.0.0.0/0) to instances tagged 'health-checked', which does not exist on the MIG instances and would not fix the health check failure; it also unnecessarily opens broad access. Option B is wrong because adding a new rule at priority 150 is redundant and less efficient; the existing priority 200 rule already permits the required health checker ranges, so simply modifying its target tags is sufficient and avoids adding extra rules that could complicate firewall management. Option C is wrong because deleting the deny-all rule would remove the baseline security posture, allowing all traffic to all instances, which is a significant security risk and not required to fix the health checks.

Question 7 (Multi-Select, hard)

A financial services company is migrating sensitive workloads to Google Cloud. They need to implement a defense-in-depth strategy to protect their VPC networks. Which TWO actions should they take to meet their security requirements? (Choose two.)

A. Enable Private Google Access on subnets that host instances without external IP addresses.
B. Configure firewall rules with stateful packet inspection disabled to maximize throughput.
C. Use VPC Service Controls to create a perimeter around the sensitive data stored in Cloud Storage and BigQuery.
D. Use VPC Network Peering to isolate the sensitive workloads from other projects.
E. Create a Cloud NAT gateway to filter inbound traffic from the internet.
Answers: A, C

This allows instances to access Google APIs over the internal network, reducing exposure to the internet.

Why this answer

Option A is correct because Private Google Access allows VM instances that have only internal IP addresses (no external IPs) to reach Google APIs and services (e.g., Cloud Storage, BigQuery) through the Google Cloud network. This eliminates the need for an external IP address, reducing the attack surface and supporting a defense-in-depth strategy by keeping traffic within Google's internal infrastructure.

Exam trap

Google Cloud often tests the misconception that Cloud NAT can filter inbound traffic, but Cloud NAT is strictly an outbound proxy that does not inspect or filter inbound connections; inbound traffic must be controlled by firewall rules or Cloud Armor.

Question 8 (MCQ, hard)

A company deploys a web application on Google Kubernetes Engine (GKE) with an Ingress resource handled by an external HTTPS load balancer. They want to enforce mutual TLS (mTLS) authentication where the load balancer verifies the client certificate and then passes the client's identity to the backend using a header. Which configuration should be used?

A. Enable Client Certificate Validation on the HTTPS backend service and configure the backend to read the X-Forwarded-Client-Cert header.
B. Use an SSL policy with mTLS and set the backend service to require client certificates.
C. Use Cloud Armor with mTLS and configure a custom request header to include the client certificate.
D. Configure the GKE Ingress to use an SSL certificate and set the annotation for client certificate validation.
Answer: A

This is the correct method for mTLS with the HTTPS load balancer.

Why this answer

Option A is correct because Google Cloud's external HTTPS load balancer supports mTLS by enabling Client Certificate Validation on the backend service. When enabled, the load balancer terminates TLS, validates the client certificate, and injects the client certificate details into the X-Forwarded-Client-Cert (XFCC) header, which the backend application can read to identify the client. This approach offloads certificate validation to the load balancer and passes identity via a standard header, meeting the requirement without modifying the GKE Ingress or backend application logic.

Exam trap

Google Cloud often tests the misconception that mTLS can be configured directly on the Ingress resource or via SSL policies, when in fact it requires enabling Client Certificate Validation on the backend service and using the XFCC header to pass client identity.

How to eliminate wrong answers

Option B is wrong because SSL policies on Google Cloud HTTPS load balancers do not support mTLS; they only configure TLS versions and cipher suites, not client certificate validation. Option C is wrong because Cloud Armor does not handle mTLS or client certificate validation; it provides WAF and DDoS protection, and cannot inject client certificate details into headers. Option D is wrong because GKE Ingress annotations do not support client certificate validation; the Ingress resource delegates to the load balancer, and client certificate validation must be configured on the backend service, not via Ingress annotations.

Question 9 (MCQ, medium)

A company uses Shared VPC with multiple service projects. The security team wants to ensure that only specific service projects can create firewall rules that allow ingress traffic to the Shared VPC network. What is the best practice?

A. Grant the compute.securityAdmin role to a group with a condition that limits access to only the service projects that need it, using the resource.name condition.
B. Disable firewall rule creation by setting an organization policy constraint.
C. Grant the compute.securityAdmin role to a group at the organization level.
D. Grant the compute.securityAdmin role to the service project owners at the host project level.
Answer: A

IAM conditions allow fine-grained access control.

Why this answer

Option A is correct because the compute.securityAdmin role allows users to create firewall rules, and by applying a condition on the resource.name, you can restrict this permission to only specific service projects. This ensures that only authorized service projects can create ingress firewall rules in the Shared VPC network, aligning with the security team's requirement.

Exam trap

Google Cloud often tests the misconception that granting roles at the organization level or to project owners is sufficient for granular control, but the trap here is that without IAM conditions, these broad grants allow all service projects to create firewall rules, failing the requirement for selective access.

How to eliminate wrong answers

Option B is wrong because disabling firewall rule creation with an organization policy constraint would block all firewall rule creation across the entire organization, which is too restrictive and not aligned with the requirement to allow specific service projects to create rules. Option C is wrong because granting the compute.securityAdmin role at the organization level would give all service projects the ability to create firewall rules, violating the security team's need to limit this capability to only specific projects. Option D is wrong because granting the compute.securityAdmin role to service project owners at the host project level would allow those owners to create firewall rules for the Shared VPC network, but it does not provide the granularity to restrict which service projects can do so, as it applies to all service projects owned by those users.

Question 10 (MCQ, hard)

A company has a hybrid network with an on-premises data center connected to Google Cloud via Dedicated Interconnect. They use Private Google Access for on-premises (on-premises hosts use the external IP addresses of Google APIs via the interconnect). However, they notice that traffic to certain Google APIs is being routed via the internet instead of the interconnect. What is a likely cause?

A. On-premises DNS is not configured to resolve Google API hostnames to the Private Google Access IP address range (199.36.153.4/30).
B. Firewall rules in the VPC are blocking the private API traffic.
C. Cloud NAT is not configured for the on-premises subnet.
D. VPC Flow Logs are not enabled, causing routing misconfiguration.
Answer: A

Without proper DNS, traffic goes to public IPs.

Why this answer

Private Google Access for on-premises requires on-premises DNS to resolve Google API hostnames to the specific IP range 199.36.153.4/30. If DNS resolution returns the public IP addresses instead, traffic will be routed over the internet rather than through the Dedicated Interconnect, even though the interconnect is available. This is because the on-premises hosts will use the public IPs and follow their default route to the internet.

Exam trap

Google Cloud often tests the misconception that firewall rules or Cloud NAT are the primary cause of routing failures in hybrid connectivity, when the real issue is DNS resolution not returning the correct private IP range for Private Google Access.

How to eliminate wrong answers

Option B is wrong because firewall rules in the VPC control traffic that has already entered Google Cloud; they do not affect how on-premises hosts route traffic before it reaches the interconnect. Option C is wrong because Cloud NAT is used for outbound traffic from Google Cloud VPC instances to the internet, not for on-premises traffic accessing Google APIs via Private Google Access. Option D is wrong because VPC Flow Logs are a monitoring feature that captures metadata about network flows; they do not cause or resolve routing misconfigurations.

Question 11 (MCQ, hard)

A company uses Packet Mirroring to monitor traffic from a set of VMs. They want to ensure that mirrored traffic does not interfere with the production traffic. Which statement is correct?

A. Packet Mirroring uses a separate forwarding path and does not impact the performance of the monitored VMs.
B. If firewall rules block the mirrored traffic, the original traffic will also be blocked.
C. Packet Mirroring cannot capture traffic that is encrypted in transit.
D. Mirrored traffic is always sent over the same network path as the original traffic.
Answer: A

Mirroring is passive and does not affect the original traffic.

Why this answer

Packet Mirroring in Google Cloud (and similar platforms) operates by creating a separate, independent copy of the traffic at the virtual switch level, which is then forwarded to a collector destination without traversing the same network path as the original production traffic. This ensures that the mirrored traffic does not consume bandwidth or processing resources on the monitored VMs, and any issues with the mirroring pipeline (e.g., packet drops) have zero impact on the original traffic flow. The correct answer is A because the separate forwarding path guarantees no interference with production traffic.

Exam trap

Google Cloud often tests the misconception that mirrored traffic shares the same forwarding path as original traffic, leading candidates to incorrectly choose Option D, when in fact the entire purpose of mirroring is to use a separate path to avoid interference.

How to eliminate wrong answers

Option B is wrong because firewall rules apply to the original traffic path; mirrored traffic is a duplicate sent via a separate pipeline, so blocking the mirrored copy does not affect the original traffic. Option C is wrong because Packet Mirroring captures packets at Layer 2/3, including encrypted payloads (e.g., TLS), as it copies the entire packet regardless of encryption; it does not decrypt or inspect the content. Option D is wrong because mirrored traffic is explicitly sent over a different network path (e.g., via a separate VPC or tunnel) to avoid congestion or interference with the original traffic; it does not follow the same route.

Question 12 (MCQ, easy)

A company has a VPC with a subnet in us-central1. They have several private Compute Engine instances (no external IP) that need to download updates from a public repository on the internet. The network engineer has created a Cloud NAT gateway in the same region and attached it to the subnet. However, the instances still cannot reach the internet. The engineer has confirmed that the Cloud NAT gateway is correctly configured and that the subnet's Private Google Access is not relevant for this traffic. What should the engineer check first to resolve the issue?

A. Verify that the default route (0.0.0.0/0) is present in the VPC route table pointing to the internet gateway.
B. Confirm that the Cloud NAT router is configured with the correct network and subnet.
C. Ensure that the Cloud NAT gateway has a static external IP.
D. Check that the firewall rules allow egress traffic for the instances to the internet.
Answer: A

The default route is essential for internet-bound traffic to be routed to the NAT gateway.

Why this answer

Option A is correct because even with a properly configured Cloud NAT, instances require a default route (0.0.0.0/0) in the VPC route table that points to the internet gateway (IGW) to direct outbound traffic to the internet. Cloud NAT translates private IPs to public IPs, but it does not create the route; the route must exist for packets to leave the VPC. Without this route, traffic from the instances to 0.0.0.0/0 will be dropped, as there is no next-hop to forward packets to the internet.

Exam trap

Google Cloud often tests the misconception that Cloud NAT alone provides internet connectivity, but the trap here is that candidates overlook the fundamental requirement of a default route in the VPC route table, assuming NAT configuration is sufficient for outbound traffic.

How to eliminate wrong answers

Option B is wrong because the engineer has already confirmed that the Cloud NAT gateway is correctly configured with the correct network and subnet, so re-checking this is redundant and not the first step. Option C is wrong because Cloud NAT does not require a static external IP; it can use a dynamic IP or a pool of IPs, and the absence of a static IP does not prevent internet access. Option D is wrong because firewall rules are stateful in Google Cloud; if egress traffic is not explicitly blocked by a firewall rule (default allow egress), it is permitted, so checking firewall rules is not the primary issue when the route is missing.

Question 13 (MCQ, easy)

Refer to the exhibit. A network engineer is unable to SSH to instance-1 using IAP TCP forwarding. What is the most likely reason?

A. IAP TCP forwarding is not enabled for the project.
B. The instance does not have the 'ssh-iap' tag that the firewall rule applies to.
C. The instance's service account does not have the necessary IAP permissions.
D. SSH keys are not configured on the instance.
Answer: B

The firewall rule only applies to instances with tag 'ssh-iap'.

Why this answer

The exhibit shows a firewall rule that allows IAP TCP forwarding traffic from the IAP source range (35.235.240.0/20) to instances with the network tag 'ssh-iap'. Since instance-1 lacks this tag, the firewall rule does not apply, and SSH traffic from IAP is blocked. Without the tag, the instance's firewall policy drops the forwarded TCP connections, preventing SSH access.

Exam trap

Google Cloud often tests the distinction between IAM permissions (who can initiate the tunnel) and firewall rules (what traffic is allowed to reach the instance), leading candidates to incorrectly choose IAM-related options when the real issue is a missing network tag on the instance.

How to eliminate wrong answers

Option A is wrong because IAP TCP forwarding is enabled at the project level by default when IAP is activated; the exhibit does not indicate it is disabled, and the issue is specifically about the instance not matching the firewall rule's target tag. Option C is wrong because the instance's service account permissions for IAP (e.g., roles/iap.tunnelResourceAccessor) control authorization to initiate the tunnel, not the firewall rule that allows the forwarded traffic to reach the instance; the problem here is a network-level filter, not IAM. Option D is wrong because SSH keys are required for authentication once the SSH connection reaches the instance, but the failure occurs before that stage—the firewall is dropping the traffic, so SSH keys are irrelevant to the connectivity issue.

Question 14 (MCQ, easy)

A developer wants to SSH into a Compute Engine instance that has no public IP. Which service should they use?

A. Direct Peering.
B. Cloud NAT.
C. Identity-Aware Proxy (IAP) TCP forwarding.
D. Cloud VPN.
Answer: C

IAP allows SSH access without a public IP.

Why this answer

Identity-Aware Proxy (IAP) TCP forwarding allows secure, authenticated, and authorized SSH access to Compute Engine instances that have no public IP addresses. It works by establishing a tunnel through the IAP service, which proxies the SSH connection over HTTPS (port 443) to the instance's internal IP, eliminating the need for a public IP or bastion host.

Exam trap

Google Cloud often tests the misconception that Cloud NAT or Cloud VPN can provide inbound SSH access to private instances, but Cloud NAT is outbound-only and Cloud VPN requires a routable private IP and does not include IAM-based authentication, making IAP TCP forwarding the only correct choice for secure, authenticated SSH without a public IP.

How to eliminate wrong answers

Option A is wrong because Direct Peering is a network connectivity option that connects your on-premises network to Google Cloud via a direct physical connection, but it does not provide a mechanism for SSH access to instances without public IPs; it still requires routing and firewall rules, not a proxy service. Option B is wrong because Cloud NAT provides outbound internet connectivity for private instances (e.g., for software updates) but does not allow inbound SSH connections; it translates private IPs to a public IP for outbound traffic only. Option D is wrong because Cloud VPN creates an encrypted tunnel between your on-premises network and VPC, but it requires the instance to have a private IP reachable via VPN and does not provide the authentication or authorization layer that IAP TCP forwarding offers for SSH access.

Question 15 (MCQ, medium)

Refer to the exhibit. Users report that HTTP (port 80) traffic is still reaching instances in my-vpc despite the deny-all rule. What is the most likely reason?

A. The allow-ssh rule has priority 1000 and is evaluated before the deny rule.
B. A default firewall rule allowing HTTP exists with a higher priority.
C. The deny-all rule does not specify target tags.
D. The deny-all rule has priority 2000, which is higher than the allow rule.
Answer: B

The default-allow-http rule (priority 1000) allows HTTP before the deny-all (priority 2000) is evaluated.

Why this answer

In Google Cloud Platform (GCP), firewall rules are evaluated in order of priority, with lower numbers having higher priority. The default-allow-http rule has a priority of 1000, which is higher (lower number) than the deny-all rule's priority of 2000. Therefore, HTTP traffic is allowed by the default rule before the deny rule is evaluated, causing HTTP traffic to still reach instances.

Exam trap

Google Cloud often tests the misconception that higher priority numbers mean higher precedence, but in GCP firewall rules, lower priority numbers are evaluated first, so a deny rule with a higher priority number (e.g., 2000) is actually evaluated after an allow rule with a lower priority number (e.g., 1000).

How to eliminate wrong answers

Option A is wrong because priority values in GCP firewall rules are evaluated with lower numbers having higher priority, not higher numbers; the allow-ssh rule (priority 1000) is actually evaluated before the deny rule (priority 2000), but it only permits SSH traffic, not HTTP. Option C is wrong because target tags are not required for a deny-all rule to function; a deny-all rule without target tags applies to all instances in the VPC, but it is still overridden by higher-priority allow rules. Option D is wrong because priority 2000 is lower (not higher) than priority 1000; the deny-all rule has a lower priority, meaning it is evaluated after the allow rule, so HTTP traffic is allowed first.
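The firewall behaviour behind Questions 5, 13 and 15 (lower priority number wins, source ranges must contain the sender, target tags scope a rule to tagged instances, and an implied ingress deny catches everything else) can be checked with a small model. The following Python is an added example written for this page, not code from Google Cloud or from the question bank; the rule sets, the instance tags and the sample source addresses are constructed from the scenarios in those three questions, and only the IP ranges quoted there are reused.

```python
"""Toy model of Google Cloud VPC firewall rule evaluation (ingress only).

Added example, not part of the original question bank. It models only what
the questions rely on: numeric priority where the LOWER number is evaluated
first, source CIDR ranges, target network tags, protocol/port matching, and
the implied 'deny all ingress' that applies when nothing else matches.
Rule sets below are constructed from the Q5, Q13 and Q15 scenarios.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int                 # 0-65535; lower number = evaluated first
    action: str                   # "allow" or "deny"
    sources: tuple                # source CIDR strings
    protocol: str = "all"         # "tcp", "udp", "icmp" or "all"
    ports: tuple = ()             # empty = all ports of that protocol
    target_tags: tuple = ()       # empty = applies to every instance in the VPC


def rule_matches(rule, src_ip, instance_tags, protocol, port):
    """True if the rule's target tags, source range, protocol and port all match."""
    if rule.target_tags and not set(rule.target_tags) & set(instance_tags):
        return False
    if not any(ip_address(src_ip) in ip_network(cidr) for cidr in rule.sources):
        return False
    if rule.protocol != "all" and rule.protocol != protocol:
        return False
    if rule.ports and port not in rule.ports:
        return False
    return True


def evaluate_ingress(rules, src_ip, instance_tags, protocol, port):
    """Return (action, rule_name) for an inbound packet.

    Rules are tried from the lowest priority number upward and the first
    match decides; with no match the implied ingress deny applies.
    """
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, src_ip, instance_tags, protocol, port):
            return rule.action, rule.name
    return "deny", "implied-deny-ingress"


HEALTH_CHECK_RANGES = ("130.211.0.0/22", "35.191.0.0/16")   # quoted in Q5
IAP_RANGE = ("35.235.240.0/20",)                             # quoted in Q13

# Q15 exhibit as the answer text describes it: default-allow-http and
# allow-ssh at priority 1000, deny-all at 2000 with no target tags.
Q15_RULES = [
    Rule("default-allow-http", 1000, "allow", ("0.0.0.0/0",), "tcp", (80,)),
    Rule("allow-ssh", 1000, "allow", ("0.0.0.0/0",), "tcp", (22,)),
    Rule("deny-all", 2000, "deny", ("0.0.0.0/0",)),
]

# Q13: IAP TCP forwarding rule scoped to instances tagged 'ssh-iap'.
Q13_RULES = [
    Rule("allow-iap-ssh", 1000, "allow", IAP_RANGE, "tcp", (22,), ("ssh-iap",)),
]

# Q5 answer C: one rule carrying the admin subnet plus the health check ranges.
Q5_RULES = [
    Rule("allow-ssh-admin-hc", 1000, "allow",
         ("10.0.1.0/24",) + HEALTH_CHECK_RANGES, "tcp", (22,), ("ssh-allowed",)),
]


def q15_http_from_internet():
    # Constructed public source; allow at 1000 is evaluated before deny at 2000.
    return evaluate_ingress(Q15_RULES, "203.0.113.10", (), "tcp", 80)

def q15_deny_renumbered_to_500():
    # Same exhibit with deny-all given a number below the allow rules.
    rules = [Rule("deny-all", 500, "deny", ("0.0.0.0/0",)) if r.name == "deny-all" else r
             for r in Q15_RULES]
    return evaluate_ingress(rules, "203.0.113.10", (), "tcp", 80)

def q13_instance_without_tag():
    # instance-1 lacks 'ssh-iap', so the IAP rule never applies; implied deny wins.
    return evaluate_ingress(Q13_RULES, "35.235.240.5", (), "tcp", 22)

def q13_instance_with_tag():
    return evaluate_ingress(Q13_RULES, "35.235.240.5", ("ssh-iap",), "tcp", 22)

def q5_from_admin_subnet():
    return evaluate_ingress(Q5_RULES, "10.0.1.25", ("ssh-allowed",), "tcp", 22)

def q5_from_other_subnet():
    # A host outside 10.0.1.0/24 and the health check ranges is denied.
    return evaluate_ingress(Q5_RULES, "10.0.2.25", ("ssh-allowed",), "tcp", 22)


if __name__ == "__main__":
    for fn in (q15_http_from_internet, q15_deny_renumbered_to_500,
               q13_instance_without_tag, q13_instance_with_tag,
               q5_from_admin_subnet, q5_from_other_subnet):
        print(f"{fn.__name__:30s} -> {fn()}")
```

The model deliberately omits what the questions do not touch (egress rules, service-account targets, hierarchical firewall policies, and the default-allow-internal rule), so it is a way to reason about priority and tag scoping, not a replacement for checking the real rule set with the console or gcloud.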

Question 16 (MCQ, hard)

A company uses Cloud VPN tunnels to connect multiple sites to Google Cloud. They have a primary and a backup tunnel for redundancy, each with a different Cloud Router (both in the same region). BGP sessions are established on both routers. The network team notices that during a failover test, traffic fails over to the backup tunnel but then after 30 seconds, the backup tunnel traffic stops and does not recover until the primary tunnel comes back. The engineer finds that the backup Cloud Router is advertising the same routes as the primary, but the backup tunnel's BGP session shows that the routes are being withdrawn after 30 seconds. Additionally, the BGP session remains established. What is the most likely cause?

A. The backup Cloud Router is configured with a lower MED value, causing the routes to be withdrawn.
B. The backup Cloud Router's BGP session is experiencing a keepalive timeout due to incorrect timers.
C. The backup tunnel is using a static routing method instead of dynamic BGP.
D. The backup tunnel's Cloud Router is in a different region, and the routes are not propagated globally.
Answer: B

Keepalive timer mismatch can cause the on-premises router to withdraw routes while the session remains established from Google's perspective.

Why this answer

The backup Cloud Router's BGP session remains established, but routes are withdrawn after 30 seconds. This is classic behavior of a BGP keepalive or hold timer mismatch: if the backup router expects a keepalive within a shorter interval than the peer sends, the hold timer expires, causing the router to withdraw all routes learned from that peer while keeping the TCP session alive (or re-establishing it). The 30-second interval matches the default BGP hold timer (90 seconds) divided by three, suggesting a timer misconfiguration on the backup router.

Exam trap

The trap here is that candidates assume route withdrawal always indicates a BGP session failure, but Google Cloud often tests the nuance that hold timer expiration can cause route withdrawal while the TCP session remains established (or quickly re-establishes), leading to the mistaken belief that the session is stable when routes are actually being withdrawn.

How to eliminate wrong answers

Option A is wrong because a lower MED value would influence route selection (preferring the lower MED), not cause route withdrawal; MED is a metric exchanged in UPDATE messages, not a trigger for withdrawing all routes. Option C is wrong because the question explicitly states BGP sessions are established on both routers, so the backup tunnel is using dynamic BGP, not static routing; static routing would not have BGP sessions or route withdrawals. Option D is wrong because both Cloud Routers are in the same region (as stated in the scenario), and even if they were in different regions, Cloud Router routes are propagated globally by default in Google Cloud; region mismatch does not cause route withdrawal.

17
Multi-Select · medium

Which TWO of the following are valid use cases for Cloud IDS? (Choose TWO)

Select 2 answers
A. Blocking malicious traffic at the network perimeter.
B. Inspecting traffic between an on-premises network and Google Cloud via Cloud VPN.
C. Replacing VPC firewall rules for access control.
D. Only inspecting traffic that is destined for the internet.
E. Detecting and alerting on malware spreading between VMs in the same VPC.
Answers: B, E

Cloud IDS can inspect traffic traversing VPN.

Why this answer

Cloud IDS (Intrusion Detection System) inspects traffic for threats like malware and policy violations. Option B is correct because Cloud IDS can inspect traffic traversing Cloud VPN, enabling east-west and hybrid traffic inspection between on-premises and Google Cloud networks, which is a key use case for detecting threats in encrypted VPN tunnels.

Exam trap

Google Cloud often tests the misconception that IDS can block traffic (like a firewall), but Cloud IDS is detection-only and requires separate mitigation tools like Cloud Armor or firewall rules for blocking.

18
MCQ · hard

A company uses Cloud Armor with WAF rules to protect an HTTPS load balancer. They notice that legitimate traffic from certain IPs is being blocked. How should they troubleshoot?

A. Check firewall rule logs.
B. Enable Packet Mirroring.
C. Review Cloud Armor security policy logs.
D. Use VPC Flow Logs.
Answer: C

Cloud Armor logs show exactly which rules matched and blocked traffic.

Why this answer

Option C is correct because Cloud Armor security policy logs record the actions taken by WAF rules, including which requests were blocked and why. By reviewing these logs, you can identify the specific rule that is blocking legitimate traffic and adjust its configuration, such as modifying IP allowlists or threshold values.

Exam trap

Google Cloud often tests the distinction between different logging mechanisms (firewall logs, flow logs, WAF logs) to see if candidates understand which logs capture application-layer security policy decisions versus network-layer traffic metadata.

How to eliminate wrong answers

Option A is wrong because firewall rule logs apply to VPC firewall rules, which operate at the network layer (L3/L4) and are not involved in Cloud Armor WAF decisions at the application layer (L7). Option B is wrong because Packet Mirroring copies traffic for analysis but does not provide logs of WAF rule evaluations; it is used for network monitoring and troubleshooting, not for reviewing security policy actions. Option D is wrong because VPC Flow Logs capture metadata about IP traffic flows (e.g., source/destination, ports, protocols) but do not include information about Cloud Armor WAF rule matches or blocking decisions.

19
Multi-Select · easy

Which TWO of the following are valid methods to restrict access to a Compute Engine VM that has no external IP?

Select 2 answers
A. Using a NAT gateway to allow SSH from the internet.
B. Configuring a SOCKS proxy on a bastion host.
C. A Cloud VPN tunnel from an on-premises network.
D. Assigning an external IP and using firewall rules.
E. Identity-Aware Proxy (IAP) TCP forwarding.
Answers: C, E

VPN provides private connectivity from on-premises.

Why this answer

Option C is correct because a Cloud VPN tunnel creates an encrypted IPsec tunnel between an on-premises network and a VPC, allowing on-premises hosts to reach the VM over its internal IP without requiring an external IP on the VM. Option E is correct because Identity-Aware Proxy (IAP) TCP forwarding uses the IAP service as a proxy to establish an SSH or RDP connection to a VM that has no external IP, tunneling the traffic through IAP with the `gcloud compute start-iap-tunnel` command.

Exam trap

Google Cloud often tests the misconception that a NAT gateway or a bastion host with a SOCKS proxy can provide inbound access to a private VM. In fact, NAT gateways only support outbound traffic, and a SOCKS proxy requires the bastion itself to have an external IP and to be able to reach the VM, which does not satisfy the 'no external IP' constraint for the target VM itself.

20
MCQ · easy

Refer to the exhibit. A user within the perimeter project '111111111111' tries to access BigQuery from a VM that has an external IP address. The request is denied. What is the most likely reason?

A. The VPC Accessible Services restriction requires that the request originate from an internal IP address or through VPC-controlled access.
B. BigQuery is not listed in the restricted services, so it is blocked.
C. The user does not meet the access level conditions defined in 'trusted_ips'.
D. The VM's project is not in the resources list.
Answer: A

With vpcAccessibleServices enabled, requests from external IPs are blocked unless allowed.

Why this answer

The VPC Accessible Services restriction, when enabled, forces all traffic to Google APIs to use internal IP addresses or VPC-controlled access (such as Private Google Access or Private Service Connect). Since the VM has an external IP address and the request is denied, the most likely reason is that this restriction is in place, requiring the request to originate from an internal IP or through a VPC endpoint, not from a public external IP.

Exam trap

Google Cloud often tests the distinction between network-level restrictions (VPC Accessible Services) and identity/access-level conditions (Access Context Manager), causing candidates to confuse the 'trusted_ips' condition with IP-based network restrictions.

How to eliminate wrong answers

Option B is wrong because BigQuery is a supported service for VPC Accessible Services and is not blocked by default; the restriction applies only to services in the 'restricted services' list, and BigQuery is allowed unless it is explicitly restricted. Option C is wrong because the 'trusted_ips' access level condition belongs to Identity-Aware Proxy (IAP) or Access Context Manager policies, not to VPC Accessible Services; the question describes a network-level restriction, not an identity or access level condition. Option D is wrong because whether the VM's project appears in the resources list is irrelevant to VPC Accessible Services; the restriction applies to all projects in the perimeter unless the VM uses an internal IP or VPC-controlled access.

21
MCQ · medium

A company uses Cloud Armor to protect an HTTPS Load Balancer. They notice that legitimate traffic from a specific geographic region is being blocked. The security policy has a deny rule for that region. What is the correct way to allow traffic from that region while still protecting against attacks?

A. Remove the deny rule for that region and rely on other security measures
B. Add a new allow rule for that region with a lower priority number than the deny rule
C. Remove all rules and add a single allow rule for the legitimate region
D. Reorder the rules so that the deny rule is at the bottom of the list
Answer: B

Lower priority number means higher precedence, so the allow rule will be evaluated first.

Why this answer

Cloud Armor security rules are evaluated in order of priority, where a lower priority number means higher precedence. To allow traffic from a specific region that is currently blocked by a deny rule, you must add an allow rule with a lower priority number (e.g., 100) than the deny rule (e.g., 1000). This ensures the allow rule is evaluated first, permitting the legitimate traffic before the deny rule can block it, while the deny rule still protects against attacks from other regions.

Exam trap

Google Cloud often tests the misconception that reordering rules in the list (like moving the deny rule to the bottom) changes evaluation order, but Cloud Armor strictly uses priority numbers, not list order, to determine which rule is evaluated first.

How to eliminate wrong answers

Option A is wrong because simply removing the deny rule for that region would leave the region unprotected against attacks, as there would be no rule to block malicious traffic from that region. Option C is wrong because removing all rules and adding a single allow rule for the legitimate region would remove all other security protections, leaving the load balancer vulnerable to attacks from other regions and sources. Option D is wrong because reordering rules so that the deny rule is at the bottom does not change the evaluation order; Cloud Armor uses priority numbers, not list order, and the deny rule would still block the traffic if its priority is higher (lower number) than any allow rule for that region.

22
MCQ · medium

An organization has a Shared VPC with several service projects. They want to restrict which service projects can create firewall rules in the host project. What should they do?

A. Use IAM roles with compute.firewalls.create permission at the host project level.
B. Use VPC Service Controls.
C. Use hierarchical firewall policies.
D. Use organization policies to deny firewall rule creation.
Answer: A

IAM allows fine-grained control over who can create firewall rules in the host project.

Why this answer

Option A is correct because IAM roles with the `compute.firewalls.create` permission at the host project level allow you to precisely control which service projects can create firewall rules in the Shared VPC host project. By assigning a custom or predefined role (e.g., Compute Security Admin) that includes this permission to specific service project identities, you can restrict firewall rule creation to only authorized service projects while preventing others from doing so.

Exam trap

The trap here is that candidates confuse VPC Service Controls or hierarchical firewall policies with IAM-based permission control, mistakenly thinking these features can restrict which service projects can create firewall rules, when they actually serve different purposes (data exfiltration prevention and rule enforcement, respectively).

How to eliminate wrong answers

Option B is wrong because VPC Service Controls are designed to protect data exfiltration by controlling access to Google Cloud APIs from outside a service perimeter, not to manage IAM permissions for creating firewall rules within a Shared VPC. Option C is wrong because hierarchical firewall policies are used to enforce consistent firewall rules across an organization hierarchy (folders, projects) and do not control which service projects can create rules; they apply rules, not permissions. Option D is wrong because organization policies can deny firewall rule creation globally (e.g., using a constraint like `compute.disableFirewallCreation`), but they cannot selectively allow or deny specific service projects; they are a blunt instrument that would block all firewall rule creation in the host project, including for authorized service projects.

23
Multi-Select · easy

Which THREE of the following are required to use Private Google Access for on-premises hosts through a Cloud VPN or Interconnect? (Choose THREE)

Select 3 answers
A. Firewall rules allowing traffic from on-premises to the restricted VIP IP range.
B. VPC Flow Logs enabled on the VPC.
C. Configuring DNS on-premises to resolve Google API hostnames to the restricted Google APIs IP address (199.36.153.4/30).
D. A Cloud VPN tunnel or Dedicated Interconnect connection to Google Cloud.
E. Cloud NAT configured for the on-premises subnet.
Answers: A, C, D

Traffic must be allowed to reach the VIP.

Why this answer

Private Google Access for on-premises hosts requires firewall rules that allow traffic from on-premises to the restricted VIP IP range (199.36.153.4/30). This is necessary because on-premises hosts must be able to reach the restricted Google APIs VIP over the VPN or Interconnect, and firewall rules control which source IPs can access that VIP. Without these rules, traffic from on-premises would be blocked at the Google Cloud perimeter.

Exam trap

Google Cloud often tests the misconception that Cloud NAT is required for on-premises traffic, but Cloud NAT is only for Google Cloud VMs without external IPs, not for on-premises hosts using Private Google Access.

24
MCQ · medium

An organization has a Cloud NAT configured for a VPC network to allow outbound internet access for private instances. They notice that some instances are failing to connect to a specific external API that requires a static source IP. What should they do to resolve this?

A. Use Private Google Access instead of Cloud NAT.
B. Assign a static external IP to the instances and use Cloud NAT with static IPs.
C. Configure Cloud NAT with a static NAT IP address and ensure all traffic uses that IP.
D. Use a VPN tunnel to the API provider's network.
Answer: C

This provides a consistent source IP for all outbound traffic, meeting the API's requirement.

Why this answer

Cloud NAT with a static NAT IP address ensures that all outbound traffic from private instances uses a consistent, predictable source IP. This satisfies the external API's requirement for a static source IP without needing to assign public IPs directly to instances. Option C correctly configures Cloud NAT to use a static IP, which is the intended solution for this scenario.

Exam trap

Google Cloud often tests the misconception that assigning static external IPs to instances is necessary for static source IP requirements, when in fact Cloud NAT with a static IP achieves the same goal without compromising the private nature of the instances.

How to eliminate wrong answers

Option A is wrong because Private Google Access only enables access to Google APIs and services, not to external third-party APIs, and does not provide a static source IP. Option B is wrong because assigning a static external IP to instances defeats the purpose of using private instances and Cloud NAT; Cloud NAT with static IPs is designed to handle this without exposing instances directly. Option D is wrong because a VPN tunnel provides encrypted connectivity to a specific network but does not inherently provide a static source IP for outbound internet traffic to an external API; it would require additional NAT configuration.

25
Multi-Select · hard

Which THREE of the following are valid use cases for VPC Service Controls?

Select 3 answers
A. Controlling access to a Cloud SQL database from a specific VPC.
B. Preventing data exfiltration from Google Cloud Storage.
C. Allowing access to a managed instance group from the internet.
D. Enabling private access to Cloud APIs from on-premises.
E. Restricting access to BigQuery from outside a perimeter.
Answers: A, B, E

VPC SC can restrict Cloud SQL access to authorized VPC networks.

Why this answer

Option A is correct because VPC Service Controls allow you to define a service perimeter that restricts access to a Cloud SQL database (or other Google Cloud services) to requests originating from a specific VPC network. This is achieved by configuring an access level that references the VPC network, ensuring that only traffic from that VPC can reach the database, even if the database is exposed via private IP.

Exam trap

Google Cloud often tests the misconception that VPC Service Controls are a general-purpose network access control tool (like firewall rules or VPN), when in fact they are specifically for creating a data exfiltration prevention perimeter around Google Cloud services, not for allowing inbound internet access or extending access to on-premises networks.

26
MCQ · medium

A company has deployed a web application behind an External HTTP(S) Load Balancer with Cloud Armor. They want to restrict access to a specific URL path /admin to only users from a specific IP range (198.51.100.0/24). The engineer creates a Cloud Armor security policy with two rules: Rule 1 (priority 1000) with match expression "request.path == '/admin' && inIpRange(source.ip, '198.51.100.0/24')" and action "allow". Rule 2 (priority 2147483647) with match "request.path == '/admin'" and action "deny". After testing, users from the allowed IP range receive a 403 error when accessing /admin. The Cloud Armor logs show that the request was denied. The engineer confirms that the policy is attached to the backend service and that the source IP in the logs matches the allowed range. What is the most likely cause of the denial?

A. The allow rule is missing a condition to also check the request path because the path condition is not supported in Cloud Armor.
B. The allow rule's condition is incorrect because it should use "origin.ip" instead of "source.ip".
C. The user's source IP is being translated by a NAT or proxy, so it doesn't match the allowed range.
D. The allow rule's priority is 1000, which is lower than the deny rule, but the deny rule still overrides.
Answer: C

This is the most likely cause; the actual source IP seen by the load balancer is different.

Why this answer

Option C is correct because the most likely cause is that the user's source IP is being translated by a NAT or proxy before reaching the load balancer. Cloud Armor evaluates the source IP as seen by the load balancer, which may differ from the original client IP if traffic passes through an intermediate device. The logs confirm the source IP matches the allowed range, but if the request arrives via a proxy, the actual source IP in the packet could be the proxy's IP, not the user's, causing the deny rule to match.

Exam trap

Google Cloud often tests the misconception that the source IP in Cloud Armor logs is always the original client IP, when in reality it is the IP of the last hop before the load balancer, which can be a NAT or proxy.

How to eliminate wrong answers

Option A is wrong because Cloud Armor fully supports the request.path condition in match expressions; the path condition is valid and commonly used. Option B is wrong because Cloud Armor uses 'source.ip' (not 'origin.ip') to refer to the client IP address in match expressions; 'origin.ip' is not a valid attribute. Option D is wrong because the priority system works as intended: lower numeric priority (1000) is evaluated before higher priority (2147483647), so the allow rule should take precedence; the deny rule only applies if the allow rule does not match, but here the allow rule should match based on the IP range.

27
MCQ · hard

Refer to the exhibit. A Cloud Armor security policy with the shown rules is applied to an HTTPS load balancer. Users from IP 10.0.1.1 are reporting they cannot access the website. What is the issue?

A. The load balancer is not configured to use the security policy.
B. The allow rule with priority 2000 does not apply because the deny rule is evaluated first.
C. The deny rule has higher priority and blocks traffic from 10.0.0.0/8.
D. The IP range in the deny rule is too broad.
Answer: C

The deny rule with priority 1000 matches 10.0.1.1 and blocks it.

Why this answer

Option C is correct because Cloud Armor security policies evaluate rules in priority order, with lower numbers having higher priority. The deny rule at priority 1000 matches the source IP range 10.0.0.0/8, which includes the user's IP 10.0.1.1, and is evaluated before the allow rule at priority 2000. Since the deny rule is matched first, the request is blocked, preventing access to the HTTPS load balancer.

Exam trap

Google Cloud often tests the misconception that deny rules are always evaluated before allow rules, but the trap here is that Cloud Armor uses numeric priority to determine evaluation order, not rule type.

How to eliminate wrong answers

Option A is wrong because the exhibit explicitly states the security policy is applied to the HTTPS load balancer, so the load balancer is configured to use it. Option B is wrong because Cloud Armor does not evaluate rules in a 'deny-first' order; it uses numeric priority, and the deny rule at priority 1000 is evaluated before the allow rule at priority 2000, not because it is a deny rule but because it has higher priority. Option D is wrong because the IP range 10.0.0.0/8 is not too broad for the intended purpose; the issue is that the deny rule's priority causes it to block the user's IP, not that the range is excessively wide.

28
Multi-Select · hard

A company wants to prevent data exfiltration from a Google Cloud Storage bucket that contains sensitive data. They plan to use VPC Service Controls. Which two steps are necessary to implement this? (Choose two.)

Select 2 answers
A. Add the storage bucket to a VPC Service Controls perimeter and restrict access to only trusted VPC networks.
B. Enable VPC Service Controls on the project and define ingress and egress rules.
C. Set up an Organization Policy to deny all public access to storage buckets.
D. Configure the service perimeter to allow access only from authorized IP ranges.
E. Create a service perimeter that includes the storage bucket and the VPC network.
Answers: A, B

The bucket (via its project) is added to the perimeter, and ingress rules restrict access from trusted VPCs.

Why this answer

Option A is correct because VPC Service Controls allows you to define a service perimeter that includes a Cloud Storage bucket, and within that perimeter you can restrict access to only trusted VPC networks. This prevents data exfiltration by ensuring that only resources within the specified VPC networks can access the bucket, blocking any access from outside the perimeter, including the public internet or other networks.

Exam trap

Google Cloud often tests the misconception that VPC Service Controls uses IP-based allowlisting (like firewall rules) or that you can add individual resources (like a bucket) directly to a perimeter, when in reality perimeters are project-based and rely on network context rather than IP addresses.

29
MCQ · easy

A company has two VPCs in the same project: VPC-A (10.0.0.0/16) and VPC-B (10.1.0.0/16). They want to allow SSH from VPC-A to instances in VPC-B. The network admin creates a firewall rule with source range 10.0.0.0/16 and protocol tcp:22, but connectivity fails. What is the most likely cause?

A. The rule is created in VPC-A instead of VPC-B.
B. The source range should be 10.0.0.0/8.
C. The target tag is not specified.
D. The source tag is missing.
Answer: A

Firewall rules apply to the VPC they are created in. An ingress rule for VPC-B must be created in VPC-B.

Why this answer

Firewall rules in Google Cloud are applied at the network level, not the instance level. To allow inbound SSH traffic from VPC-A to instances in VPC-B, the firewall rule must be created in VPC-B (the destination network) with the source range set to 10.0.0.0/16. Creating the rule in VPC-A would only affect traffic destined for instances in VPC-A, not VPC-B.

Exam trap

Google Cloud often tests the misconception that firewall rules are applied at the source network or that rules are global across VPCs, when in fact each VPC has its own independent set of firewall rules and ingress rules must be in the destination VPC.

How to eliminate wrong answers

Option B is wrong because using 10.0.0.0/8 would unnecessarily broaden the source range to include other RFC 1918 addresses, which is not the cause of the failure and could introduce security risks. Option C is wrong because target tags are optional; if no target tags are specified, the rule applies to all instances in the VPC, so missing tags would not prevent connectivity. Option D is wrong because source tags are not used in this scenario; source filtering is done via source ranges (CIDR blocks), not tags, and omitting a source tag does not affect the rule's operation.

30
MCQ · hard

Refer to the exhibit. A request arrives with User-Agent 'GoodBot' and path '/admin'. What action does Cloud Armor take?

A. Deny the request because the rule with priority 300 has a higher priority number but matches path.
B. Allow the request because of the default rule at priority 1000.
C. Deny the request because both rules match and deny takes precedence.
D. Allow the request because the rule with priority 200 matches and allows it.
Answer: D

Priority 200 is evaluated before 300 and matches.

Why this answer

Option D is correct because Cloud Armor evaluates rules in order of priority (lowest number = highest priority). The rule with priority 200 matches the request (User-Agent 'GoodBot' and path '/admin') and explicitly allows it. Once a matching allow rule is found, evaluation stops, and the request is allowed, overriding any lower-priority rules.

Exam trap

Google Cloud often tests the misconception that deny rules always override allow rules, but in Cloud Armor, the first matching rule (by priority) determines the action, regardless of whether it is allow or deny.

How to eliminate wrong answers

Option A is wrong because priority 300 is a higher number (lower priority) than 200, and Cloud Armor evaluates rules from lowest to highest priority number; the rule at priority 200 matches first and allows the request, so the rule at priority 300 is never reached. Option B is wrong because the default rule at priority 1000 only applies if no higher-priority rule matches; here, priority 200 matches and allows the request, so the default rule is not invoked. Option C is wrong because deny does not automatically take precedence; Cloud Armor uses first-match semantics based on priority, and the first matching rule (priority 200) allows the request, so no deny action occurs.

31
Multi-Select · medium

A company is designing a network architecture with multiple VPCs and on-premises connectivity via Cloud VPN. They want to avoid IP address conflicts and ensure secure communication. Which three best practices should they follow? (Choose three.)

Select 3 answers
A. Use Cloud NAT for all outbound internet traffic from private VMs.
B. Use unique RFC 1918 IP address ranges for each VPC.
C. Enable VPC Network Peering between all VPCs to enable direct communication.
D. Set up firewall rules to allow only required traffic between VPCs and on-premises.
E. Configure Cloud Router with BGP to advertise on-premises prefixes to Cloud VPN.
Answers: B, D, E

Prevents IP overlap and routing issues.

Why this answer

Option B is correct because using unique RFC 1918 IP address ranges for each VPC prevents overlapping IP spaces, which is critical when connecting multiple VPCs and on-premises networks via Cloud VPN. Overlapping ranges would cause routing conflicts and make it impossible for Cloud Router and BGP to establish proper path selection, leading to dropped or misrouted traffic.

Exam trap

Google Cloud often tests the misconception that VPC Network Peering alone solves IP conflicts, but in reality, peering requires non-overlapping IP ranges to function correctly, and overlapping ranges will cause peering to fail or produce unpredictable routing behavior.

32
Multi-Select · medium

A company is implementing VPC Service Controls to protect a managed project containing BigQuery datasets. They want to allow access from a specific service account in a different project. Which two configurations are required? (Choose TWO.)

Select 2 answers
A. Add the project containing the service account to the VPC Service Controls perimeter
B. Create a firewall rule in the client VPC allowing egress to the BigQuery API
C. Configure an IAM condition on the service account's roles to restrict access to the perimeter
D. Grant the appropriate IAM roles (e.g., BigQuery Data Viewer) to the service account on the BigQuery dataset
E. Enable Private Google Access on the subnet where the service account's VMs are located
Answers: A, D

Accessible resources are limited to perimeters that include the client project.

Why this answer

Option A is correct because VPC Service Controls use a perimeter to restrict access to managed services like BigQuery. Adding the project containing the service account to the perimeter allows that service account to access the protected BigQuery datasets, as the perimeter explicitly includes the project as an allowed member.

Exam trap

Google Cloud often tests the misconception that network-level controls (firewall rules, Private Google Access) can bypass VPC Service Controls, but the perimeter operates at the API layer and requires explicit project inclusion and IAM permissions.

33
Multi-Select · medium

Which TWO of the following are benefits of using Cloud NAT?

Select 1 answer
A. Enables instances without public IPs to access the internet.
B. Automatically scales with the number of instances.
C. Allows instances to receive incoming connections from the internet.
D. Provides static external IP for outbound traffic.
E. Integrates with IAP for SSH access.
Answers: B

Cloud NAT uses Cloud Router and scales automatically.

Why this answer

Cloud NAT is a Google Cloud managed service that allows private instances (without external IPs) to initiate outbound connections to the internet. It automatically scales to handle the traffic from all instances in a region, using NAT gateways that are managed by Google, so you do not need to pre-provision or resize the NAT gateway as the number of instances changes.

Exam trap

Google Cloud often tests the misconception that Cloud NAT provides static IPs or allows inbound connections, but the key trap is that candidates confuse Cloud NAT with a traditional NAT gateway that supports port forwarding or static mappings, whereas Cloud NAT is purely for outbound-only traffic with ephemeral IPs by default.

34
MCQ · hard

An organization uses VPC Service Controls to protect Google Cloud APIs. They need to allow a specific service account in a peripheral project to access a managed service in a protected service perimeter. What should they configure?

A. IAM conditions on the service account.
B. Access levels in VPC Service Controls.
C. Private Google Access.
D. Ingress and egress rules in the perimeter.
Answer: D

Ingress/egress rules grant access to specific service accounts from outside the perimeter.

Why this answer

VPC Service Controls uses ingress and egress rules to control data exchange between a protected service perimeter and resources outside it. To allow a specific service account in a peripheral project to access a managed service inside the perimeter, you configure an egress rule on the perimeter that permits traffic from that service account to the protected service. This rule explicitly defines the allowed source identity (the service account) and the target service, enabling secure cross-perimeter access.

Exam trap

Google Cloud often tests the distinction between IAM conditions (which control permissions within a project) and VPC Service Controls rules (which control network-level access across perimeters), leading candidates to mistakenly choose IAM conditions when the question explicitly involves crossing a service perimeter boundary.

How to eliminate wrong answers

Option A is wrong because IAM conditions on the service account can restrict when the account's permissions apply (e.g., based on IP address or resource tags), but they cannot override VPC Service Controls perimeter boundaries; the perimeter blocks all traffic by default regardless of IAM. Option B is wrong because access levels in VPC Service Controls define client attributes (e.g., IP range, device policy) for granting access to a perimeter, but they do not specify which service accounts or projects are allowed to exit the perimeter; ingress/egress rules handle identity-based flow. Option C is wrong because Private Google Access enables on-premises or VM instances without external IPs to reach Google APIs via private IP addresses, but it does not control cross-project or cross-perimeter access governed by VPC Service Controls.

35
MCQ · easy

A network engineer is troubleshooting connectivity from an on-premises network to a GCE VM through a VPN tunnel. The tunnel is established, but traffic is not reaching the VM. What should the engineer check first?

A. Check VPC firewall rules to ensure ingress traffic from the on-premises subnet is allowed to the VM
B. Check the VM's OS firewall to see if it is blocking incoming traffic
C. Verify that the VPN tunnel is using the correct pre-shared key
D. Review Cloud Armor security policies that may be blocking the traffic
Answer: A

Firewall rules must allow traffic from the on-premises IP range to the VM's target tags or service account.

Why this answer

Option A is correct because VPC firewall rules are evaluated before any packet is delivered to a VM. Even though the tunnel is established, every VPC network has an implied deny-ingress rule, so traffic arriving from the on-premises subnet is dropped unless an ingress rule explicitly allows it, with the on-premises CIDR as the source and the VM's network tag or service account as the target. The quick check is to confirm that the rule's source range actually covers the on-premises prefix and that its target matches the VM; enabling Firewall Rules Logging on the deny path shows the drops directly.

Exam trap

Google Cloud often tests the misconception that a working tunnel implies all traffic flows, but the trap here is that VPC firewall rules are independent of tunnel status and must be explicitly configured for the on-premises subnet as the source.

How to eliminate wrong answers

Option B is wrong because the guest OS firewall sits behind the VPC firewall; packets dropped by VPC rules never reach the guest, so the VPC rule is checked first and the OS firewall second. Option C is wrong because the tunnel is established, which means IKE negotiation succeeded; a mismatched pre-shared key would have kept the tunnel from coming up at all. Option D is wrong because Cloud Armor security policies attach to backend services behind external load balancers and evaluate HTTP(S) requests; they never see traffic arriving through a VPN tunnel into the VPC.

36
Multi-Selectmedium

A company is designing a secure multi-VPC architecture in Google Cloud. They have three VPCs: Production, Staging, and Shared Services. The Shared Services VPC hosts a Cloud NAT for outbound internet access and a set of managed instance groups. The Production and Staging VPCs are peered to the Shared Services VPC. The company wants to ensure that: (1) instances in Staging cannot initiate connections to instances in Production, (2) instances in Production cannot initiate connections to instances in Staging, (3) all VPCs can communicate with Shared Services, and (4) traffic between VPCs must be inspected by a firewall appliance in Shared Services. Which TWO actions should the company take?

Select 2 answers
A.Delete the VPC peering connection between the Staging and Production VPCs.
B.Set up a Cloud VPN between each spoke VPC and the Shared Services VPC to enable transitive routing.
C.Configure static routes in each spoke VPC with a next hop to the firewall appliance's internal IP for the destination VPC's subnet ranges.
D.Remove the default route (0.0.0.0/0) from the spoke VPCs to prevent direct internet access.
E.Enable the export of custom routes from the Shared Services VPC to the peered VPCs.
AnswersC, E

This forces traffic between spokes to go through the firewall.

Why this answer

Option C is correct because static routes in each spoke VPC for the other spoke's subnet ranges, with the firewall appliance's internal IP in Shared Services as the next hop, force inter-spoke traffic through the firewall for inspection. VPC Network Peering is non-transitive, so without such routes Production and Staging have no path to each other at all, and with them the only path is the inspected one, which satisfies requirements 1, 2 and 4 as long as the firewall policy denies the spoke-to-spoke sessions it should. Option E is correct because peering exchanges subnet routes only; any custom route defined in the Shared Services VPC (for example, routes that send spoke-bound traffic back through the appliance) is invisible to the spokes unless the hub exports custom routes and each spoke imports them, and without that the return leg would bypass the firewall.

Exam trap

The trap here is that candidates often assume VPC peering provides transitive routing automatically, but Google Cloud explicitly does not support transitive peering: a spoke peered to the hub never learns a path to the other spoke on its own, so the path through the central inspection appliance must be built with custom routes and the route export/import settings on the peering.

37
MCQmedium

A network engineer notices that VPC Flow Logs show connections from a Compute Engine instance to an IP address that should have been blocked by firewall rules. What is the most likely cause?

A.The firewall rule has a lower priority than a deny rule.
B.The instance is using an external IP.
C.VPC Flow Logs are inaccurate.
D.The firewall rule is not applied to the instance's network tag.
AnswerD

If the instance doesn't have the required tag, the firewall rule doesn't apply.

Why this answer

Option D is correct because firewall rules can be scoped to targets. When a rule specifies target tags (or target service accounts), it applies only to instances carrying one of those tags; an instance without the tag is not covered by the deny rule at all, so the connection falls through to the next matching rule, which for outbound traffic is the implied allow-egress rule at priority 65535. The result is exactly what the flow logs show: a connection that the deny rule was meant to block but was never evaluated against.

Exam trap

Google Cloud often tests the misconception that a rule with target tags still applies to every instance in the VPC; a rule with no target applies to all instances, but once a target tag or service account is specified the rule covers only matching instances, and candidates overlook the tag mismatch as the root cause.

How to eliminate wrong answers

Option A is wrong because in Google Cloud a lower priority number means higher precedence (priority 1000 beats 2000), and if an explicit deny had matched this instance at any priority below the implied allow-egress rule (65535), the traffic would have been blocked; the scenario shows traffic that should have been blocked getting through, which points to the deny rule not applying to the instance, not to a deny being overridden. Option B is wrong because firewall rules are enforced at the VPC network level for every packet entering or leaving a VM's interface, regardless of whether the instance has an external IP. Option C is wrong because VPC Flow Logs are sampled, so some flows may be missing, but they do not record connections that never happened; a logged flow to the blocked address means the packets really left the VM. Firewall Rules Logging, enabled on the deny rule, is the fastest way to confirm whether that rule ever matched.
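The tag-mismatch case in this question is easiest to see by modeling how a VPC network selects a firewall rule for a flow. The following is an added example, not code from the original page or from Google: the rule names, tags, service accounts and addresses are constructed, and the model applies the documented ordering (only rules whose target and direction match the VM are considered, the lowest priority number wins, deny beats allow on a tie, and the implied allow-egress and deny-ingress rules at priority 65535 catch everything else).

```python
"""Model of how Google Cloud VPC firewall rules are selected for a VM.

Added example (constructed rules, tags and flows; not the page's own code).
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    name: str
    direction: str            # "INGRESS" or "EGRESS"
    action: str               # "allow" or "deny"
    priority: int             # 0 (highest precedence) .. 65535 (lowest)
    ranges: list              # source ranges (ingress) or destination ranges (egress)
    ports: set                # TCP ports; empty set = all ports
    target_tags: set = field(default_factory=set)
    target_sa: set = field(default_factory=set)

    def targets(self, vm):
        """A rule with no target applies to every VM in the network."""
        if not self.target_tags and not self.target_sa:
            return True
        return bool(self.target_tags & vm.tags) or vm.service_account in self.target_sa


@dataclass
class VM:
    name: str
    tags: set
    service_account: str


# Implied rules present in every VPC network.
IMPLIED = [
    Rule("implied-allow-egress", "EGRESS", "allow", 65535, ["0.0.0.0/0"], set()),
    Rule("implied-deny-ingress", "INGRESS", "deny", 65535, ["0.0.0.0/0"], set()),
]


def evaluate(rules, vm, direction, peer_ip, port):
    """Return (action, rule_name) for one flow, seen from the VM's point of view."""
    peer = ip_address(peer_ip)
    candidates = [
        r for r in rules + IMPLIED
        if r.direction == direction
        and r.targets(vm)
        and any(peer in ip_network(c) for c in r.ranges)
        and (not r.ports or port in r.ports)
    ]
    # Lowest priority number first; among equal priorities deny takes precedence.
    candidates.sort(key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    best = candidates[0]          # never empty: an implied rule always matches
    return best.action, best.name


# Constructed rule set. The deny rule is scoped to tag "app" only.
RULES = [
    Rule("deny-egress-blocked-net", "EGRESS", "deny", 1000, ["203.0.113.0/24"], set(),
         target_tags={"app"}),
    Rule("allow-ssh-from-iap", "INGRESS", "allow", 1000, ["35.235.240.0/20"], {22},
         target_tags={"web", "app"}),
]

WEB = VM("web-1", {"web"}, "web@example.iam.gserviceaccount.com")   # assumed names
APP = VM("app-1", {"app"}, "app@example.iam.gserviceaccount.com")


def q37_scenario():
    """The mismatch in question 37: the deny rule targets tag 'app', so 'web-1'
    falls through to the implied allow-egress rule and the connection succeeds."""
    return {
        "web-1": evaluate(RULES, WEB, "EGRESS", "203.0.113.10", 443),
        "app-1": evaluate(RULES, APP, "EGRESS", "203.0.113.10", 443),
    }


def q37_fixed():
    """Same deny rule with no target: it now applies to every VM in the network."""
    fixed = [Rule("deny-egress-blocked-net", "EGRESS", "deny", 1000,
                  ["203.0.113.0/24"], set())]
    return evaluate(fixed, WEB, "EGRESS", "203.0.113.10", 443)


if __name__ == "__main__":
    print(q37_scenario())
    print(q37_fixed())
```

The model also shows the ingress side: SSH from the IAP range is admitted by the tagged allow rule, while the same port from any other source falls to the implied deny-ingress rule. Real rules cannot combine target tags and target service accounts in one rule; the model accepts both only to keep the code short.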

38
MCQmedium

A company uses VPC Service Controls to protect a managed service (e.g., BigQuery) within a service perimeter. Developers need to access the service from an on-premises network via a Cloud VPN tunnel with a specific IP address. However, access is being denied. What is the most likely cause?

A.The project containing the VPN tunnel is not in the same perimeter.
B.The VM instances in the perimeter do not have public IP addresses.
C.The on-premises source IP is not included in the allowed external IP addresses list in the perimeter.
D.The Cloud VPN tunnel is not using IKEv2.
AnswerC

VPC Service Controls admits requests from outside the perimeter only through an access level or ingress rule; the on-premises source IP must be covered by one.

Why this answer

VPC Service Controls decides access to a protected service such as BigQuery from the request's context: the calling identity, the project or network it comes from, and the source IP, which is matched against access levels (an IP-subnetwork condition in an access level is the "allowed external IP addresses list" the option refers to). A request arriving from on-premises over Cloud VPN carries the on-premises client's address, not the VPN gateway's, so unless that address range is in an access level attached to the perimeter or referenced by an ingress rule, the perimeter rejects the request even though the tunnel is up.

Exam trap

Google Cloud often tests the misconception that moving the VPN tunnel's project into the perimeter or changing the IKE version fixes the denial, when VPC Service Controls evaluates the original client's source IP against the perimeter's access levels and ingress rules, and that address must be explicitly allowed.

How to eliminate wrong answers

Option A is wrong in this scenario because the question describes access by a specific on-premises IP, which is an access-level condition; the project hosting the tunnel only becomes relevant when on-premises clients reach the API through restricted.googleapis.com inside the VPC, in which case the request is treated as coming from that VPC's project and that project must be inside the perimeter or allowed by an ingress rule. Option B is wrong because VPC Service Controls does not require VM instances to have public IPs; the perimeter evaluates identity and request context, not the VMs' addressing. Option D is wrong because the IKE version (Classic VPN supports IKEv1 and IKEv2, HA VPN requires IKEv2) affects whether the tunnel comes up, not the API-layer access decision VPC Service Controls makes once it is up.

39
Multi-Selecthard

A network engineer is troubleshooting connectivity issues with VPC Flow Logs. Which TWO statements about VPC Flow Logs are correct? (Choose TWO)

Select 2 answers
A.VPC Flow Logs capture only egress traffic.
B.VPC Flow Logs only capture traffic that is allowed by firewall rules.
C.VPC Flow Logs can be used to diagnose overly permissive firewall rules.
D.VPC Flow Logs capture all packets for every flow in the VPC.
E.VPC Flow Logs do not capture traffic that is generated by GCP health checks.
AnswersC, E

By analyzing logs, you can see allowed traffic and identify rules that are too broad.

Why this answer

Option C is correct because VPC Flow Logs record 5-tuple, byte and packet metadata for sampled flows to and from VMs, so a rule that allows more than intended shows up as real traffic that should never have appeared (for example, inbound connections from arbitrary internet ranges on an administrative port). Correlating those flows against the rule set reveals rules that are too broad in scope, such as 0.0.0.0/0 sources or open port ranges, and Firewall Rules Logging then tells you which rule matched each flow. This diagnostic loop directly tightens the security posture.

Exam trap

Google Cloud often tests the misconception that VPC Flow Logs capture every packet or only allowed traffic; in reality they record a sample of flows rather than every packet, and they log both accepted and rejected traffic, making options B and D common traps.

40
MCQhard

A large organization uses Shared VPC with hundreds of projects. They want to implement fine-grained access control for SSH access to Compute Engine instances using IAP TCP forwarding. They have created a custom IAM role with the necessary permissions (iap.tunnel.dest, iap.tunnel.getIamPolicy, compute.instances.use) and granted it to a group of developers. The developers have also been granted the iap.tunnelUser role on the project. However, when they try to use `gcloud compute ssh --tunnel-through-iap instance-name`, they get a permission error: "Permission 'iap.tunnel.dest' denied on resource 'projects/project/zones/zone/instances/instance'". The network admin has verified that the custom role includes the required permissions and that the developers are members of the group with the role. What is the most likely missing configuration?

A.The developers need the `iap.tunnel` resource-level permission on the IAP TCP forwarding resource.
B.IAP TCP forwarding is not enabled for the project or VPC.
C.The instances do not have the required network tags for IAP.
D.The developers need the `compute.instances.osLogin` permission.
AnswerB

IAP TCP forwarding must be enabled on the project before a tunnel can be built; if it is not, the request fails before the IAM grant is ever reached.

Why this answer

IAP TCP forwarding requires the IAP service to be enabled on the project. Without it the IAP proxy cannot accept the tunnel request and forward TCP traffic to the instance, so the call fails even though the IAM bindings are correct, and the failure surfaces as the tunnel permission being denied on the instance rather than as a clearer message. Once the service is enabled, the remaining prerequisites are an ingress rule allowing tcp:22 from 35.235.240.0/20 to the instances and the IAP-secured Tunnel User role on the project or instance, both of which this scenario already has.

Exam trap

The trap here is that candidates assume the error is due to missing IAM permissions or instance configuration, when in fact the IAP TCP forwarding service must be explicitly enabled at the project level, which is a prerequisite often forgotten in Shared VPC environments.

How to eliminate wrong answers

Option A is wrong because 'iap.tunnel.dest' is already a resource-level permission on the instance, not a separate 'iap.tunnel' resource; IAP TCP forwarding uses resource-level permissions on the Compute Engine instance, not a distinct IAP resource. Option C is wrong because network tags are used for firewall rules, not for IAP TCP forwarding; IAP works through the IAP proxy and does not require specific tags on instances. Option D is wrong because 'compute.instances.osLogin' is for OS Login authentication, not for IAP TCP forwarding; the error is about IAP tunnel permissions, not OS-level access.

41
MCQhard

An organization wants to restrict access to a Cloud Storage bucket so that only VMs within a specific VPC network can download objects. They are using VPC Service Controls and Private Google Access. Which configuration is required?

A.Enable Cloud NAT and configure a firewall rule to allow egress to 0.0.0.0/0
B.Configure a Service Directory endpoint and attach an IAM policy to the bucket allowing access only from that endpoint
C.Create a firewall rule allowing egress to the storage.googleapis.com service IP range and enable VPC flow logs
D.Enable Private Google Access on the subnet and create a VPC Service Controls perimeter that includes the bucket project
AnswerD

Private Google Access enables internal IP access to Google APIs, and VPC Service Controls restricts access to the perimeter.

Why this answer

D is correct because a VPC Service Controls perimeter around the bucket's project denies API requests that originate outside the perimeter regardless of the caller's IAM grants, which is the boundary IAM alone cannot express. Private Google Access on the subnet lets VMs without external IPs reach storage.googleapis.com over internal addresses (ideally through restricted.googleapis.com, which serves only APIs that support VPC Service Controls), so the in-perimeter VMs have a private path while everything outside the perimeter is refused. Together they restrict downloads to the intended VPC network: the perimeter decides who may call the API, and Private Google Access provides the private connectivity path.

Exam trap

Google Cloud often tests the misconception that firewall rules alone (Option C) or NAT (Option A) are sufficient for restricting access, when in fact VPC Service Controls are required to enforce network-level boundaries beyond IAM and connectivity.

How to eliminate wrong answers

Option A is wrong because Cloud NAT provides outbound internet access for private VMs, but it does not restrict access to the bucket; it would actually allow VMs to reach the bucket via the public internet, violating the requirement to restrict access to only the VPC network. Option B is wrong because Service Directory is a service for service discovery and does not provide network-level access control; attaching an IAM policy to a Service Directory endpoint does not restrict network access to the bucket. Option C is wrong because a firewall rule allowing egress to storage.googleapis.com service IP range only enables connectivity, but without VPC Service Controls, any VM (or even external hosts) with the correct IP range could access the bucket; VPC flow logs are for monitoring, not access control.

42
MCQeasy

A company uses an HTTPS load balancer with SSL certificates. They want to ensure only strong cipher suites are accepted. Which Google Cloud service should they use to enforce this?

A.Identity-Aware Proxy (IAP).
B.Cloud Armor security policy.
C.SSL policies on the target HTTPS proxy.
D.Firewall rules on the backend instances.
AnswerC

SSL policies control TLS versions and ciphers for load balancers.

Why this answer

SSL policies on the target HTTPS proxy define the minimum TLS version and the cipher suites the load balancer will negotiate. The default SSL policy permits TLS 1.0 with the COMPATIBLE profile, so a policy must be created and attached to the target HTTPS proxy explicitly; the MODERN or RESTRICTED profile, or a CUSTOM profile listing ECDHE and AES-GCM suites with TLS 1.2 as the minimum, rejects RC4, 3DES and other weak or deprecated suites at the handshake.

Exam trap

The trap here is that candidates confuse Cloud Armor (which enforces security policies at the application layer) with SSL policies (which control TLS cipher suites at the transport layer), leading them to pick Cloud Armor when the question specifically asks about cipher suite enforcement.

How to eliminate wrong answers

Option A is wrong because Identity-Aware Proxy (IAP) controls access to applications based on identity and context, not cipher suite enforcement; it operates at the application layer, not the TLS negotiation layer. Option B is wrong because Cloud Armor security policies provide web application firewall (WAF) and DDoS protection at Layer 7, but they do not control SSL/TLS cipher suites or protocol versions. Option D is wrong because firewall rules on backend instances control network traffic at Layers 3/4 (IP/port), not the cryptographic parameters of the TLS handshake, which is terminated at the load balancer.

43
MCQmedium

A company has an on-premises data center connected to Google Cloud via a Dedicated Interconnect using VLAN attachments. They have set up a Cloud Router with BGP to exchange routes. The on-premises network advertises a prefix 10.0.0.0/8, and Google Cloud advertises the VPC's subnet ranges (10.0.0.0/24 and 10.0.1.0/24). After configuration, on-premises hosts cannot reach the Google Cloud instances in those subnets. The engineer checks the BGP session status and it is established. The Cloud Router shows that the on-premises prefix is learned, and the on-premises router shows that the specific /24 prefixes are received. However, traffic from on-premises to the Google Cloud subnets is not working. What is the most likely cause?

A.The on-premises router has a local route for 10.0.0.0/8 that overrides the BGP-learned /24 routes.
B.The VPN connection needs to be configured for the Interconnect.
C.The Google Cloud VPC has a custom static route that overrides the dynamically learned route.
D.The on-premises firewall is blocking the traffic.
AnswerA

A local route to the same prefix with a lower administrative distance keeps the BGP-learned route out of the routing table.

Why this answer

The on-premises router shows the /24 prefixes as received, but received is not the same as installed. Longest-prefix match is applied at forwarding time among the routes that are actually in the routing table, and administrative distance is used only to choose between routes to the same prefix from different sources; a /8 by itself therefore cannot shadow a /24. What can is the address overlap built into this design: the on-premises network already owns 10.0.0.0/8, so if it has local routes (connected or static, AD 0 or 1) for 10.0.0.0/24 and 10.0.1.0/24, those win the per-prefix comparison against eBGP (AD 20), the BGP-learned /24s never enter the routing table, and traffic for the Google Cloud subnets is forwarded locally instead of over the Dedicated Interconnect. Comparing the BGP table with the routing table for one of the /24s confirms it, and the durable fix is to give the VPC subnets ranges that do not overlap the on-premises /8.

Exam trap

Google Cloud often tests route selection on the customer side of the Interconnect, and the trap is assuming that a received BGP prefix is automatically installed: administrative distance is compared only between routes to the same prefix, so a lower-AD local route for that prefix silently wins and the BGP route is never used, even though longest-prefix match would have preferred it had it been installed.

How to eliminate wrong answers

Option B is wrong because a Dedicated Interconnect does not use a VPN; it is a physical circuit with VLAN attachments and BGP sessions on Cloud Router, not IPsec tunnels. Option C is wrong because the destinations involved are the VPC's own subnet ranges, and subnet routes always take precedence over custom static and dynamic routes inside a VPC; in any case the Google Cloud side only governs return traffic, and the symptom is that traffic never leaves the on-premises network. Option D is wrong because a firewall could only drop traffic that has already been routed toward Google Cloud; here the routing decision sends it elsewhere before any firewall on that path could see it.
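The two-stage behaviour described above (per-prefix selection by administrative distance, then longest-prefix match at forwarding time) is what makes "received" differ from "installed". The following is an added example, not from the original page or any vendor's code: it models a router's RIB with Cisco-style default distances, using the prefixes from question 43 and assumed local next hops, and reproduces both the healthy case and the overlap failure.

```python
"""Longest-prefix match versus administrative distance on the on-premises router.

Added example (constructed routes and assumed next-hop names; not the page's own code).
"""
from ipaddress import ip_address, ip_network

# Assumed administrative distances (Cisco-style defaults).
AD = {"connected": 0, "static": 1, "ebgp": 20}


def install(candidates):
    """Stage 1: per prefix, keep only the lowest-AD route (received != installed)."""
    rib = {}
    for prefix, source, next_hop in candidates:
        net = ip_network(prefix)
        if net not in rib or AD[source] < AD[rib[net][0]]:
            rib[net] = (source, next_hop)
    return rib


def lookup(rib, dst):
    """Stage 2: longest-prefix match among the routes that were actually installed."""
    addr = ip_address(dst)
    matches = [net for net in rib if addr in net]
    if not matches:
        return None
    best = max(matches, key=lambda n: n.prefixlen)
    return best, rib[best]


# Routes as they arrive at the on-premises router.
BGP_FROM_GCP = [
    ("10.0.0.0/24", "ebgp", "interconnect"),   # the VPC subnets from question 43
    ("10.0.1.0/24", "ebgp", "interconnect"),
]
LOCAL_SUMMARY = [("10.0.0.0/8", "static", "null0")]          # the advertised aggregate
LOCAL_OVERLAP = [("10.0.0.0/24", "connected", "vlan10"),     # assumed: same /24s exist on-prem
                 ("10.0.1.0/24", "connected", "vlan11")]


def healthy_case():
    """Only the /8 aggregate competes: the /24s win by prefix length; AD never matters."""
    rib = install(BGP_FROM_GCP + LOCAL_SUMMARY)
    return lookup(rib, "10.0.1.50")


def broken_case():
    """Question 43: local routes for the same /24 prefixes have a lower AD, so the BGP
    routes are received but never installed, and traffic stays on-premises."""
    rib = install(BGP_FROM_GCP + LOCAL_SUMMARY + LOCAL_OVERLAP)
    return lookup(rib, "10.0.1.50")


if __name__ == "__main__":
    print("healthy:", healthy_case())
    print("broken: ", broken_case())
```

In the healthy case the lookup for 10.0.1.50 resolves to the eBGP /24 over the Interconnect even though the static /8 has a lower distance, because the two are never compared: they are different prefixes. In the broken case the connected /24 displaces the eBGP /24 in stage 1, and stage 2 then sends the packet to the local VLAN.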

44
MCQeasy

A company deploys a web application behind a global external HTTP(S) load balancer and wants to protect against SQL injection attacks. Which Google Cloud security product should they use?

A.Identity-Aware Proxy (IAP)
B.VPC firewall rules
C.Cloud IDS
D.Cloud Armor
AnswerD

Cloud Armor provides WAF capabilities.

Why this answer

Cloud Armor is the correct choice because it provides web application firewall (WAF) capabilities, including preconfigured rule sets derived from the OWASP ModSecurity Core Rule Set that detect SQL injection (for example, a rule whose match expression calls evaluatePreconfiguredWaf('sqli-v33-stable')), enforced at the edge of Google's network before traffic reaches the backend. It attaches to the backend service of the global external HTTP(S) load balancer and inspects each HTTP(S) request, so matching payloads can be blocked, logged in preview mode first, or rate limited.

Exam trap

Google Cloud often tests the distinction between network-layer security (VPC firewall rules, Cloud IDS) and application-layer security (Cloud Armor), leading candidates to confuse IDS/IPS capabilities with WAF functionality.

How to eliminate wrong answers

Option A is wrong because Identity-Aware Proxy (IAP) controls access based on user identity and context (e.g., OAuth, SAML), not application-layer attack patterns like SQL injection. Option B is wrong because VPC firewall rules operate at the network layer (IP/port/protocol) and cannot inspect HTTP request bodies or query strings for SQL injection signatures. Option C is wrong because Cloud IDS is a network-based intrusion detection system that monitors for network-level threats (e.g., malware, C2 traffic) using packet mirroring, but it does not provide inline blocking or HTTP-layer WAF rules for SQL injection.

45
MCQeasy

A company wants to allow HTTP traffic from the internet to a web server running on a Compute Engine VM in a VPC. The web server should only be accessible on port 80. Which firewall rule should be created?

A.Egress rule: allow tcp:80 from 0.0.0.0/0 (target tags: web-server)
B.Ingress rule: allow tcp:80 from 0.0.0.0/0 (target tags: web-server)
C.Ingress rule: allow tcp:443 from 0.0.0.0/0 (target tags: web-server)
D.Ingress rule: allow tcp:80 from 0.0.0.0/0 (target tags: default)
AnswerB

Correct: Ingress, port 80, any source, target tag 'web-server'.

Why this answer

Option B is correct because HTTP traffic from the internet (source 0.0.0.0/0) must be allowed by an ingress firewall rule targeting the web server VM. The rule specifies TCP port 80, which is the standard HTTP port, and uses target tags 'web-server' to apply the rule only to VMs with that tag, ensuring the web server is accessible on port 80 from any source.

Exam trap

Google Cloud often tests the distinction between ingress and egress rules, and the trap here is that candidates may confuse the direction of traffic (ingress for inbound, egress for outbound) or select a rule with the wrong port (e.g., 443 instead of 80) or incorrect target tags (e.g., 'default' instead of 'web-server').

How to eliminate wrong answers

Option A is wrong because it defines an egress rule, which controls outbound traffic from the VM, not inbound HTTP traffic from the internet. Option C is wrong because it allows TCP port 443 (HTTPS), not port 80 (HTTP), which does not meet the requirement to allow HTTP traffic on port 80. Option D is wrong because it uses target tags 'default', which would apply the rule to all VMs in the VPC with the default tag, rather than specifically targeting the web server VM with the 'web-server' tag, potentially exposing other VMs to inbound HTTP traffic.

46
MCQeasy

Refer to the exhibit. A project has the IAM policy shown. Alice is trying to delete a VPC firewall rule but receives a permission error. What is the most likely reason?

A.Alice has the role roles/compute.securityAdmin, which should allow deletion; perhaps the rule is managed by another service
B.The IAM policy has a condition that denies deletion after business hours
C.An organization policy prevents deletion of firewall rules in this project
D.Bob has the role roles/compute.networkAdmin, which does not include permissions to delete firewall rules
AnswerA

roles/compute.securityAdmin includes compute.firewalls.delete. If Alice still gets an error, the rule is probably governed outside the project IAM policy shown: a Shared VPC host project, a hierarchical firewall policy, or a managed service that owns the rule.

Why this answer

Alice has roles/compute.securityAdmin, which includes compute.firewalls.delete, so the project-level binding in the exhibit is sufficient for an ordinary VPC firewall rule. A permission error despite that binding means the deletion is being decided somewhere the exhibit does not show: the rule may live in a Shared VPC host project where Alice has no binding, it may be part of a hierarchical firewall policy attached at folder or organization level (which requires firewall policy permissions on that node, not compute.firewalls.delete on the project), or it may be created and maintained by a managed service such as GKE, which recreates its own rules and is the right place to remove them. In each case the role is correct but the rule is not governed by the project IAM policy Alice was granted.

Exam trap

Google Cloud often tests the misconception that holding the right project-level role guarantees control over every firewall rule that affects the project, ignoring that rules can be owned by a host project, a hierarchical policy, or a managed service, none of which the project binding reaches.

How to eliminate wrong answers

Option B is wrong because the IAM policy shown contains no condition; a time-bound condition would appear on the binding itself, and nothing in the exhibit supports it. Option C is wrong because the exhibit shows only IAM bindings, not organization policy constraints; an organization policy is a separate resource and a violation of one is reported as a policy denial rather than as a missing IAM permission. Option D is wrong because Bob's role has no bearing on Alice's error; the question asks why Alice cannot delete the rule, and only her bindings matter.

47
Drag & Dropmedium

Drag and drop the steps to migrate an on-premises network to Google Cloud using a VPN and VPC peering into the correct order.



Why this order

Migration steps: VPN, BGP, new VPC, peering, then moving workloads.

48
Matchingmedium

Match each Google Cloud interconnect or peering type to its description.



Direct physical connection between on-premises and Google

Connection via a supported service provider

Direct BGP peering between on-premises and Google edge

Peering via a carrier's network

Encrypted tunnel over the internet to your VPC

Why these pairings

Dedicated Interconnect is the direct physical connection between your on-premises network and Google; Partner Interconnect is the connection through a supported service provider; Direct Peering is direct BGP peering with Google's edge; Carrier Peering is peering through a carrier's network; Cloud VPN is the encrypted IPsec tunnel over the internet into your VPC. The Interconnect options and Cloud VPN terminate in VPC resources, while the two Peering options reach Google's public services and are not a path into a VPC.

49
MCQmedium

A company uses Identity-Aware Proxy (IAP) to secure access to Compute Engine VMs. Users report that they can SSH into some VMs but not others, even though they have the IAP-secured Tunnel User role. Both VMs are in the same project and have the same network tags. What is the most likely reason?

A.Firewall rules allow ingress from IAP's IP ranges only for some VMs.
B.The VMs are in different zones with different DNS resolution.
C.The VMs that can be accessed have external IP addresses; the others only have internal IP addresses.
D.The VMs do not have OS Login enabled.
AnswerC

VMs with external IPs answer plain SSH; internal-only VMs are reachable only through the IAP tunnel from 35.235.240.0/20, so that path must be fully configured.

Why this answer

Option C is correct because the external IP is what distinguishes the two groups, though not for the reason candidates expect. IAP for TCP forwarding does not need an external IP: the IAP proxies connect to the VM's internal IP from 35.235.240.0/20, which is precisely why it is the recommended way to reach internal-only VMs. The VMs with external IPs are reachable by ordinary SSH to that address, so users succeed on them whether or not the IAP path is in use; the internal-only VMs can be reached only through the tunnel, which requires the --tunnel-through-iap flag, the ingress rule allowing tcp:22 from 35.235.240.0/20, and the IAP-secured Tunnel User role. Since tags and the role are the same for both groups, the path that differs is the direct one, and the users' commands against the internal-only VMs are the place to look.

Exam trap

The trap here is assuming that IAP needs an external IP on the VM. It does not: the IAP proxies reach the VM on its internal address, and the external IP only explains why direct SSH works on some VMs. Candidates who reason the other way round end up "fixing" the problem by adding external IPs, which widens the attack surface instead of completing the IAP path.

How to eliminate wrong answers

Option A is wrong because firewall rules in a project apply to all VMs with the same network tags; if the rules allow ingress from IAP's IP ranges (35.235.240.0/20) for one VM with a given tag, they apply equally to all VMs with that tag, so this cannot explain why some VMs are inaccessible. Option B is wrong because DNS resolution is not a factor in IAP tunneling; IAP uses IP addresses, not DNS names, and zones do not affect DNS resolution for internal VM connectivity. Option D is wrong because OS Login is not required for IAP tunneling; IAP works with standard SSH keys or gcloud auth, and OS Login is an optional authentication method that does not affect the ability to establish the IAP tunnel itself.

50
MCQhard

A company with a hub-and-spoke VPC topology uses Shared VPC and VPC Network Peering. They want to ensure that only specific VMs in a spoke project can connect to a database instance in the hub project. What is the most secure approach?

A.Deploy the Cloud SQL Auth Proxy on each VM and configure IAM permissions for each VM's service account
B.Use Shared VPC and assign the specific VMs to a subnet with a dedicated secondary IP range, then restrict database access to that range
C.Use Private Service Connect to publish the database as a managed service and create a Private Service Connect endpoint in the spoke VPC with IAM permissions for the specific VM service accounts
D.Configure firewall rules in the hub project to allow traffic only from the specific VM internal IPs
AnswerC

Private Service Connect provides per-service account authorization and network isolation.

Why this answer

Option C is correct because Private Service Connect (PSC) allows you to publish a managed service (like Cloud SQL) and create a PSC endpoint in the spoke VPC. By combining the PSC endpoint with IAM permissions on the VM service accounts, you ensure that only specific VMs can connect to the database, providing fine-grained, identity-aware access control without exposing the database to the entire network.

Exam trap

Google Cloud often tests the misconception that network-level controls (firewall rules or IP ranges) are sufficient for securing access to managed services, when in fact identity-based controls (IAM + Private Service Connect) provide a more secure and auditable solution in a shared VPC topology.

How to eliminate wrong answers

Option A is wrong because the Cloud SQL Auth Proxy provides authenticated, encrypted connections but not network scoping: any VM that runs the proxy with valid IAM credentials can connect, and nothing in it uses the hub-and-spoke layout for isolation. Option B is wrong because a dedicated secondary range is only an addressing choice; access would still rest on firewall rules keyed to that range, and every VM placed in the subnet, not just the intended ones, would be inside it. Option D is wrong because firewall rules in the hub project filter on source addresses, which are tied to instances rather than identities: addresses change when VMs are recreated or autoscaled, the allow list must be maintained by hand, and any new VM that lands on one of those addresses inherits the access, so there is no identity-based control and no audit trail of who connected.

51
MCQeasy

A team has deployed Compute Engine instances with internal IPs only. They need to allow these instances to download updates from specific external IP ranges. Which action should they take?

A.Create egress firewall rules with target tags and allowed IP ranges.
B.Configure Cloud NAT and allow all traffic.
C.Attach a public IP to each instance.
D.Use Private Google Access.
AnswerA

Egress firewall rules can restrict outbound traffic to specific IP ranges.

Why this answer

Egress firewall rules with target tags let you control outbound traffic from tagged instances by destination IP range and port. Allowing only the update servers' ranges, together with a lower-precedence (higher number) deny-egress rule to 0.0.0.0/0 that overrides the implied allow-egress rule, gives the instances exactly the outbound access they need without exposing them to inbound traffic or adding public IPs. The rule only permits the traffic; internal-only instances still need a path out, typically Cloud NAT, for the packets to reach the update servers.

Exam trap

Google Cloud often tests the misconception that Cloud NAT alone can restrict outbound traffic to specific destinations, but Cloud NAT only provides source NAT and does not filter traffic by destination; egress firewall rules are required for that control.

How to eliminate wrong answers

Option B is wrong because Cloud NAT provides outbound connectivity to the internet for instances without public IPs, but it does not restrict traffic to specific external IP ranges; allowing all traffic would violate the requirement to limit updates to specific IP ranges. Option C is wrong because attaching a public IP to each instance would expose them to inbound traffic from the internet, increasing the attack surface and contradicting the requirement to use internal IPs only. Option D is wrong because Private Google Access enables instances with internal IPs to reach Google APIs and services, not external third-party update servers.

52
Multi-Selecteasy

A network engineer needs to configure firewall rules to allow health checks from Google Cloud's health check systems to a backend service. Which two source IP ranges should they allow? (Choose two.)

Select 2 answers
A.169.254.0.0/16
B.10.0.0.0/8
C.130.211.0.0/22
D.35.191.0.0/16
E.0.0.0.0/0
AnswersC, D

130.211.0.0/22 and 35.191.0.0/16 are the two Google Cloud health check source ranges.

Why this answer

Google Cloud health check probes originate from the specific IP ranges 130.211.0.0/22 and 35.191.0.0/16. Allowing these source ranges in firewall rules is necessary to permit health check traffic to reach backend instances, ensuring load balancers can determine instance health.

Exam trap

Google Cloud often tests the misconception that health checks originate from the same subnet as the load balancer or from private IP ranges, leading candidates to incorrectly select 10.0.0.0/8 or 169.254.0.0/16 instead of the documented Google Cloud health check source ranges.

53
MCQmedium

A company uses Cloud Armor to protect its HTTP(S) load balancer. They need to block requests from a specific geographic region and also apply a rate limiting rule. What is the correct order of evaluation for Cloud Armor security policies?

A.Rate limiting rules are evaluated separately from other rules.
B.Evaluate rules in priority order and apply all matching rules.
C.Evaluate rules in priority order; the first matching rule determines the action.
D.Evaluate all rules and apply the most restrictive action.
AnswerC

This is the correct behavior of Cloud Armor security policies.

Why this answer

Cloud Armor security policies evaluate rules in priority order, and the first rule that matches the request determines the action (allow or deny). This means that if a rate limiting rule matches first, it will be applied, and subsequent rules are not evaluated. Option C correctly describes this behavior.

Exam trap

Google Cloud often tests the misconception that all matching rules are applied or that the most restrictive action is taken, but Cloud Armor uses first-match semantics, not cumulative or most-restrictive logic.

How to eliminate wrong answers

Option A is wrong because rate limiting rules are not evaluated separately; they are integrated into the same priority-ordered rule set as other rules. Option B is wrong because Cloud Armor does not apply all matching rules; it stops at the first match and applies only that rule's action. Option D is wrong because Cloud Armor does not evaluate all rules and apply the most restrictive action; it uses the first match in priority order, not the most restrictive.
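The first-match behaviour described above, as an added example that is not part of the question bank or of Google's code: a small evaluator that sorts a constructed rule set by priority, stops at the first match, and keeps a throttle rule inside the same ordered list. Rule contents, region codes, addresses and the in-process counter are all constructed for illustration; the Cloud Armor API is not called.

```python
"""First-match evaluation of a Cloud Armor-style security policy (added example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable

DEFAULT_RULE_PRIORITY = 2_147_483_647  # lowest precedence: the policy's default rule


@dataclass
class Request:
    src_ip: str
    region_code: str  # ISO 3166-1 alpha-2 code attached to the request


@dataclass
class Rule:
    priority: int
    action: str  # "allow", "deny(403)" or "throttle"
    match: Callable[[Request], bool]
    description: str = ""
    # Used only by "throttle": requests per client allowed before exceed_action
    threshold: int = 0
    exceed_action: str = "deny(429)"
    _counts: dict = field(default_factory=dict)

    def decide(self, request: Request) -> str:
        """Return the action this rule takes for a request it has matched."""
        if self.action != "throttle":
            return self.action
        # Rate limiting keyed on client IP; the counter is in-process and constructed
        seen = self._counts.get(request.src_ip, 0) + 1
        self._counts[request.src_ip] = seen
        return "allow" if seen <= self.threshold else self.exceed_action


def evaluate(policy: list[Rule], request: Request) -> tuple[str, int]:
    """Return (action, priority) of the first matching rule in priority order.

    List order is irrelevant: rules are sorted by priority, lowest number first,
    and evaluation stops at the first match, so later rules (including a
    throttle) are never consulted for that request.
    """
    for rule in sorted(policy, key=lambda r: r.priority):
        if rule.match(request):
            return rule.decide(request), rule.priority
    raise ValueError("policy has no default rule")


def in_cidr(cidr: str) -> Callable[[Request], bool]:
    net = ip_network(cidr)
    return lambda r: ip_address(r.src_ip) in net


def from_region(code: str) -> Callable[[Request], bool]:
    return lambda r: r.region_code == code


def build_policy() -> list[Rule]:
    """Constructed policy: geo block first, then a throttle, then the default allow."""
    return [
        Rule(100, "deny(403)", from_region("XX"), "block constructed region XX"),
        Rule(200, "throttle", lambda r: True, "3 requests per client, then 429",
             threshold=3, exceed_action="deny(429)"),
        Rule(DEFAULT_RULE_PRIORITY, "allow", lambda r: True, "default rule"),
    ]


def run_scenario() -> dict:
    """Exercise the policy and return the observed decisions."""
    policy = build_policy()
    blocked = Request("198.51.100.7", "XX")  # constructed: request from the blocked region
    client = Request("203.0.113.9", "DE")    # constructed: request from a permitted region
    results = {
        # The geo deny matches first; the throttle rule never sees this request.
        "blocked_region": evaluate(policy, blocked),
        # Four requests from one client: three pass the throttle, the fourth trips it.
        "client_burst": [evaluate(policy, client) for _ in range(4)],
    }
    # Ordering pitfall: a broad allow placed ahead of the deny swallows every request.
    misordered = [Rule(50, "allow", in_cidr("0.0.0.0/0"), "too-broad allow")] + policy
    results["misordered_blocked_region"] = evaluate(misordered, blocked)
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```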

54
MCQhard

A large enterprise uses hierarchical firewall policies across multiple VPCs. They have an organization policy that requires all VPCs to block SSH from the internet. However, a development team needs SSH from a specific external IP range for a building. How can they create a firewall rule that allows that range without violating the organization policy?

A.Remove the organization policy and implement firewall rules at the project level only.
B.Create a project-level firewall policy with a priority higher than the organization policy's deny rule, allowing the specific source range.
C.Use VPC firewall rules instead of hierarchical policies to allow the range, as they are evaluated after hierarchical policies.
D.Add the external IP range to an exception list in the organization policy.
AnswerB

In hierarchical firewall policies, lower priority numbers take precedence. A project-level rule with a higher priority (lower number) than the organization's deny rule will be evaluated first and allow the traffic.

Why this answer

In Google Cloud, hierarchical firewall policies are evaluated before VPC firewall rules, and the effective rule is the one with the highest priority (lowest numeric value). By creating a project-level firewall policy rule with a higher priority (e.g., priority 100) than the organization policy's deny rule (e.g., priority 1000), the allow rule for the specific external IP range will take precedence, effectively overriding the deny for that traffic while keeping the organization policy intact.

Exam trap

Google Cloud often tests the misconception that VPC firewall rules are evaluated after hierarchical policies and can override them, but in reality, hierarchical policies are evaluated first and their deny rules will block traffic unless a higher-priority allow rule exists within the hierarchical policy hierarchy.

How to eliminate wrong answers

Option A is wrong because removing the organization policy violates the enterprise's security requirements and is not necessary; the goal is to allow a specific exception without removing the global block. Option C is wrong because VPC firewall rules are evaluated after hierarchical policies, so a VPC rule allowing SSH would be overridden by the hierarchical deny rule, not the other way around. Option D is wrong because Google Cloud hierarchical firewall policies do not support an 'exception list' mechanism; exceptions must be implemented via higher-priority allow rules within the hierarchical policy or at a lower level.

55
MCQhard

A company is designing a hub-and-spoke VPC architecture in Google Cloud. The hub VPC hosts a set of shared services, including a third-party firewall appliance (NGFW) in a managed instance group behind a TCP load balancer. Spoke VPCs need to send traffic to the hub's internal TCP load balancer IP (10.0.0.10) for inspection. The firewall appliance inspects traffic and forwards it to the final destination. The network team notices that traffic from one spoke to the load balancer is being dropped. They have verified that VPC peering is established, routes are propagated, and firewall rules allow the traffic. What is the most likely cause of the dropped traffic?

A.The spoke VPC's subnet routes are not advertised to the hub VPC via VPC peering.
B.The spoke VPC does not have a route to the hub's internal load balancer IP via the peering connection.
C.The internal TCP load balancer's forwarding rule is misconfigured, pointing to the wrong target.
D.The hub VPC uses Cloud NAT, which is not compatible with VPC peering.
AnswerA

VPC peering automatically exchanges subnet routes, so the spoke already has a route to the load balancer IP in the hub's subnet, but peering does not automatically export custom static routes. If the load balancer sits in a different subnet, static routes may be needed; the most likely cause, though, is that the spoke VPC uses custom static routes that are not exported to the hub, causing asymmetric routing.

Why this answer

The most likely cause is that the spoke VPC's subnet routes are not advertised to the hub VPC via VPC peering. For traffic from a spoke to reach the hub's internal TCP load balancer (10.0.0.10), the hub must have a route back to the spoke's source IP range. Without the spoke advertising its subnet routes, the hub's firewall appliance cannot return traffic to the spoke, causing asymmetric routing and dropped packets.

Exam trap

The trap here is that candidates assume VPC peering automatically handles all routing in both directions, but they forget that custom routes or non-default subnet ranges must be explicitly advertised to the hub for return traffic to work.

How to eliminate wrong answers

Option B is wrong because the spoke VPC does have a route to the hub's internal load balancer IP via the peering connection — VPC peering automatically installs routes for the entire peered VPC's subnet ranges, so the spoke can reach 10.0.0.10. Option C is wrong because the forwarding rule misconfiguration would cause traffic to never reach the load balancer, but the question states traffic is being dropped (not that it fails to arrive), and the team has verified firewall rules and routes, implying the forwarding rule is correct. Option D is wrong because Cloud NAT is used for outbound internet access from instances without external IPs, and it is fully compatible with VPC peering — it does not interfere with traffic to internal load balancers.

56
Multi-Selecthard

A company is using Cloud NAT for outbound internet access. They want to ensure that traffic from certain VMs always uses a specific set of NAT IPs for auditing purposes. Which three steps are necessary to achieve this? (Choose THREE.)

Select 3 answers
A.Ensure the VMs have a default route (0.0.0.0/0) with next hop set to the Cloud NAT gateway's subnet
B.Configure IAM conditions on the Cloud NAT resource to restrict which VMs can use it
C.Enable VPC Flow Logs on the subnet to monitor which NAT IPs are used
D.Create a separate Cloud NAT gateway with the desired IPs and associate it with the VMs via a subnet or tags
E.Configure VPC firewall rules to allow egress from the VMs to the internet
AnswersA, D, E

The default route sends traffic to Cloud NAT.

Why this answer

Option A is correct because for Cloud NAT to function, the VM must have a default route (0.0.0.0/0) that points to the Cloud NAT gateway's subnet as the next hop. Without this route, the VM's outbound traffic will not be directed to the NAT gateway, and the NAT IPs will not be used. This ensures that traffic from the VM is routed through the NAT gateway, allowing the specific set of NAT IPs to be applied for auditing.

Exam trap

Google Cloud often tests the misconception that IAM conditions can control Cloud NAT usage per VM, but in reality, Cloud NAT uses subnet or tag-based association, not IAM, and VPC Flow Logs are for monitoring, not configuration.

57
MCQmedium

An organization wants to restrict data exfiltration from a GCP project. They need to prevent users from copying data to external cloud storage services like AWS S3, but allow access to Google Cloud Storage. Which VPC Service Controls (VPC-SC) configuration should they use?

A.Combine VPC Service Controls with a Cloud Firewall that denies egress to non-Google IPs.
B.Use Cloud Firewall rules to block egress to AWS IP ranges.
C.Enable Data Loss Prevention (DLP) API to inspect outgoing data.
D.Create a VPC Service Controls perimeter that includes the project and set access levels to allow only Google Cloud Storage.
AnswerA

VPC-SC secures Google services, and firewall rules can block external destinations.

Why this answer

Option A is correct because VPC Service Controls (VPC-SC) can create a perimeter that restricts data movement to only Google Cloud Storage, while Cloud Firewall egress rules can deny traffic to non-Google IP ranges (including AWS S3 endpoints). This combination ensures that even if a user attempts to copy data to an external cloud storage service, the firewall blocks the egress traffic, and VPC-SC prevents access to Google Cloud Storage from outside the perimeter.

Exam trap

Google Cloud often tests the misconception that VPC Service Controls alone can block data exfiltration to external cloud storage services, when in fact they only control access to Google Cloud services and must be combined with network-level controls like Cloud Firewall egress rules to block traffic to non-Google endpoints.

How to eliminate wrong answers

Option B is wrong because Cloud Firewall rules alone cannot distinguish between Google Cloud Storage and external cloud storage services like AWS S3 based on IP ranges alone, as both may share overlapping or dynamic IP ranges; also, firewall rules do not enforce data exfiltration policies at the application layer. Option C is wrong because the Data Loss Prevention (DLP) API inspects data for sensitive content but does not block data exfiltration to external cloud storage services; it is a detection tool, not a prevention mechanism. Option D is wrong because setting access levels to allow only Google Cloud Storage within a VPC-SC perimeter does not prevent users from copying data to external cloud storage services like AWS S3, as VPC-SC perimeters control access to Google Cloud services, not egress traffic to non-Google endpoints.

58
Multi-Selectmedium

A company is deploying a new application across three VPCs in the same project, using Shared VPC. The security team wants to restrict traffic such that only the frontend subnet (10.0.1.0/24) can send traffic to the backend subnet (10.0.2.0/24) on TCP port 8080. The backend instances have the service account 'backend-sa@project.iam.gserviceaccount.com'. Which TWO firewall rule configurations achieve this goal?

Select 2 answers
A.Create an ingress firewall rule on the backend VPC with source service account 'frontend-sa@project.iam.gserviceaccount.com', protocol tcp:8080, and target service account 'backend-sa@project.iam.gserviceaccount.com'.
B.Create an egress firewall rule on the frontend VPC with source CIDR 10.0.1.0/24, protocol tcp:8080, and target CIDR 10.0.2.0/24.
C.Create an ingress firewall rule on the backend VPC with source CIDR 10.0.1.0/24, protocol tcp:8080, and target tag 'backend-tag'.
D.Create an ingress firewall rule on the backend VPC with source tag 'frontend-tag', protocol tcp:8080, and target tag 'backend-tag'.
E.Create a VPC firewall rule with priority 1000 that denies all traffic from 10.0.1.0/24 to 10.0.2.0/24, and then a higher priority rule allowing tcp:8080.
AnswersA, C

Using source and target service accounts precisely restricts traffic to only the frontend service account communicating to the backend service account on tcp:8080.

Why this answer

Option A is correct because it uses service accounts as both source and target in an ingress rule on the backend VPC. This allows only instances with the frontend service account to send traffic to instances with the backend service account on TCP 8080, meeting the security requirement without relying on IP addresses or network tags.

Exam trap

The trap here is that candidates often assume egress rules on the source VPC are sufficient to control inbound traffic to the backend, but Google Cloud requires ingress rules on the destination VPC to filter incoming packets, and service account-based rules are often overlooked in favor of IP-based rules.

59
MCQmedium

A company is using Cloud NAT for internet access from private subnets. The security team notices that traffic from a specific VM is being blocked by external firewalls because the source IP is not the Cloud NAT IP. What is the most likely cause?

A.The VM is in a different zone than the Cloud NAT gateway
B.The VPC firewall rules are blocking outbound traffic from the VM to the Cloud NAT IP
C.Cloud Router is misconfigured and not advertising the Cloud NAT IP
D.The VM has a custom route that does not use the default route through Cloud NAT
AnswerD

Traffic must match the default route to be source NATed by Cloud NAT.

Why this answer

Option D is correct because Cloud NAT relies on the default route (0.0.0.0/0) pointing to the Cloud Router to direct traffic through the NAT gateway. If a VM has a custom route that overrides the default route (e.g., a more specific route to an external IP or a route to a different next hop), the VM's outbound traffic will bypass Cloud NAT entirely, resulting in the source IP being the VM's private IP instead of the Cloud NAT IP. This causes external firewalls to block the traffic as the source IP is not the expected NAT IP.

Exam trap

Google Cloud often tests the misconception that Cloud NAT is zone-dependent or that firewall rules are the cause, when in reality the issue is almost always a routing override that prevents traffic from reaching the NAT gateway.

How to eliminate wrong answers

Option A is wrong because Cloud NAT operates at the VPC level and is not zone-specific; a VM in any zone within the same region can use the same Cloud NAT gateway as long as the subnet is associated with the NAT configuration. Option B is wrong because VPC firewall rules control traffic at the instance level (ingress/egress) but do not affect the routing path; if outbound traffic were blocked by firewall rules, the traffic would not reach the Cloud NAT IP at all, but the symptom here is that traffic reaches the internet with the wrong source IP, indicating a routing issue, not a firewall block. Option C is wrong because Cloud Router is used for dynamic routing (e.g., BGP) with on-premises or VPN connections, not for advertising Cloud NAT IPs; Cloud NAT IPs are not advertised via BGP—they are used for source NAT and are not routable from the internet.

60
Multi-Selecteasy

Which TWO of the following methods can be used to encrypt traffic between VPC networks?

Select 2 answers
A.Use of SSL/TLS at the application layer.
B.VPC peering.
C.Cloud Interconnect with VLAN attachments.
D.Cloud VPN with IPsec.
E.Cloud NAT.
AnswersA, D

SSL/TLS encrypts application data end-to-end.

Why this answer

Option A is correct because SSL/TLS operates at the application layer (Layer 7) of the OSI model, providing end-to-end encryption for traffic between VPC networks. When applications use HTTPS (HTTP over TLS), the payload is encrypted before leaving the source, ensuring confidentiality even if the underlying network path is untrusted. This method is independent of the underlying network connectivity, making it suitable for encrypting traffic across VPCs connected via any means, including the public internet.

Exam trap

Google Cloud often tests the misconception that VPC peering or Cloud Interconnect inherently encrypts traffic, when in fact they only provide private connectivity without encryption, and candidates must remember that encryption requires explicit protocols like IPsec or TLS.

61
MCQmedium

A company uses Identity-Aware Proxy (IAP) to secure access to a group of Compute Engine instances running a web application. The instances have no external IP addresses and are accessed via IAP TCP forwarding. Recently, the security team discovered that some users can access the instances directly via SSH from other instances within the same VPC, bypassing IAP. What is the most effective way to ensure all SSH access goes through IAP?

A.Modify the VPC firewall rule to deny ingress traffic on TCP port 22 from all sources except the IAP IP range (35.235.240.0/20).
B.Assign a service account to each instance with the IAP-secured Tunnel User role.
C.Remove SSH keys from the instances and use OS Login.
D.Create a new firewall rule that allows SSH only from the IAP IP range and delete the existing SSH rule.
AnswerA

This ensures only IAP can initiate SSH connections.

Why this answer

Option A is correct because the IAP TCP forwarding source IP range (35.235.240.0/20) is the only range that should be allowed to initiate SSH connections to the instances. By modifying the VPC firewall rule to deny all other sources on TCP port 22, you ensure that any SSH traffic not originating from the IAP IP range is blocked, even from other instances within the same VPC. This directly addresses the bypass scenario where users SSH from other internal instances.

Exam trap

Google Cloud often tests the misconception that IAP alone enforces access control, when in reality it relies on VPC firewall rules to restrict traffic to only the IAP source IP range; candidates may incorrectly choose options that change authentication (OS Login) or authorization (service account roles) instead of addressing the network path.

How to eliminate wrong answers

Option B is wrong because assigning a service account with the IAP-secured Tunnel User role controls who can use IAP to connect, but does not prevent direct SSH access from other instances within the VPC; it does not force traffic to go through IAP. Option C is wrong because removing SSH keys and using OS Login changes the authentication method but does not restrict the network path; instances can still be reached directly via SSH from other VPC instances, bypassing IAP. Option D is wrong because creating a new firewall rule that allows SSH only from the IAP IP range and deleting the existing SSH rule is functionally identical to Option A; both achieve the same result, but the question asks for the most effective way. Option A is more precise because it modifies the existing rule rather than deleting and recreating it, whereas Option D's wording implies a less controlled change; in practice, modifying the existing rule is the recommended approach to avoid accidental exposure during the transition.

62
MCQhard

Refer to the exhibit. A user cannot SSH into test-vm from their workstation (public IP 203.0.113.5) using the VM's external IP 34.67.89.10. The firewall rule allow-ssh exists. What is the most likely cause?

A.The firewall rule allow-ssh is missing a source IP range or has a source IP range that does not include the user's IP
B.The firewall rule allow-ssh is for the wrong network
C.The firewall rule allow-ssh is disabled
D.The VM's external IP (34.67.89.10) is blocked by Cloud NAT
AnswerA

If the rule does not specify sourceRanges, it defaults to 0.0.0.0/0, but if it was created with an incorrect source range, traffic from 203.0.113.5 would be blocked. The exhibit does not show sourceRanges, but a common misconfiguration is to set sourceRanges to an internal range.

Why this answer

The most likely cause is that the firewall rule 'allow-ssh' is missing a source IP range or has a source IP range that does not include the user's public IP (203.0.113.5). In Google Cloud, firewall rules are stateful and by default deny all ingress traffic unless explicitly allowed; without a source IP range (or with an incorrect one), the SSH traffic from the user's workstation is dropped at the VPC firewall level, preventing access to the VM's external IP (34.67.89.10).

Exam trap

Google Cloud often tests the misconception that a firewall rule's existence alone is sufficient, but the trap here is that the source IP range must be explicitly defined or set to 0.0.0.0/0 for external access; candidates may overlook the source filter configuration and assume the rule name implies it works for all sources.

How to eliminate wrong answers

Option B is wrong because the firewall rule 'allow-ssh' is associated with the VM's network (as per the exhibit), and if it were for the wrong network, the VM would not be reachable at all, but the question states the rule exists and is likely correctly assigned. Option C is wrong because if the rule were disabled, the user would see a different error (e.g., 'connection refused' or timeout), but the question implies the rule exists and is active; disabling would be a more obvious configuration issue. Option D is wrong because Cloud NAT is used for outbound traffic from private instances to the internet, not for inbound SSH traffic to a VM's external IP; blocking by Cloud NAT would not affect ingress traffic destined to the VM's public IP.

63
MCQhard

A company is deploying a GKE cluster with Dataplane V2 and wants to enforce micro-segmentation using network policies. They also need to monitor policy violations. What should they do?

A.Enable Packet Mirroring.
B.Use Cloud IDS to monitor traffic.
C.Use VPC firewall rules with pod IP ranges.
D.Enable GKE Dataplane V2 and use Kubernetes Network Policies with audit logging.
AnswerD

Dataplane V2 natively enforces network policies and audit logs record violations.

Why this answer

Option D is correct because Dataplane V2 uses eBPF to implement Kubernetes Network Policies directly in the kernel, providing native support for micro-segmentation. Enabling audit logging on the cluster captures denied or allowed policy actions, allowing the company to monitor policy violations without additional infrastructure.

Exam trap

The trap here is that candidates confuse VPC firewall rules (Option C) with Kubernetes Network Policies, not realizing that VPC firewalls cannot enforce pod-level segmentation because they lack pod IP awareness and are applied at the node or subnet level.

How to eliminate wrong answers

Option A is wrong because Packet Mirroring copies pod traffic for analysis but does not enforce or monitor network policy violations; it is a troubleshooting tool, not a policy enforcement or audit mechanism. Option B is wrong because Cloud IDS is an intrusion detection service that inspects traffic for threats, not a tool for monitoring Kubernetes Network Policy violations; it operates at a different layer and does not integrate with policy audit logs. Option C is wrong because VPC firewall rules operate at the node network level, not at the pod level, and cannot enforce Kubernetes Network Policies; they lack the pod identity awareness needed for micro-segmentation within a cluster.

64
MCQeasy

A company has a single VPC with subnets in us-central1 and europe-west1. They have Compute Engine instances in both subnets that need to communicate with each other. The security team wants to ensure that only specific instances in us-central1 can connect to a database instance in europe-west1 on port 3306. Currently, the default firewall rules allow all internal traffic (priority 65535). The network engineer first creates a new ingress firewall rule to allow TCP traffic on port 3306 from instances with the network tag 'app' to instances with the tag 'db', with priority 1000. Then, to enforce the restriction, they delete the default allow internal rule (priority 65535). However, after applying the changes, the app instances (tagged 'app') in us-central1 cannot connect to the database instance (tagged 'db') in europe-west1. The engineer verifies that the tags are correctly applied to the instances. What is the most likely cause of the connectivity failure?

A.The firewall rule only allows ingress from instances with tag 'app' but the egress traffic from app instances is blocked.
B.The app instances need a firewall rule to allow egress traffic to the database on port 3306.
C.The firewall rule is applied to the wrong VPC network.
D.The database instance's network tag 'db' was not applied to the database instance.
AnswerB

With the default allow internal rule removed, egress must be explicitly allowed.

Why this answer

Option B is correct because in Google Cloud VPC, firewall rules are stateful for ingress but not for egress. The ingress rule allowing traffic from 'app' to 'db' on port 3306 only controls incoming packets to the database instance. The app instance still needs an egress firewall rule to allow outbound traffic on port 3306; otherwise the outbound SYN packet is dropped before it reaches the database.

Deleting the default allow internal rule (priority 65535) removed the implicit egress permission, so a specific egress rule is required.

Exam trap

Google Cloud often tests the misconception that an ingress rule alone is sufficient for bidirectional communication, but in Google Cloud VPC, egress rules are required for outbound traffic initiation unless a default allow egress rule exists.

How to eliminate wrong answers

Option A is wrong because the ingress rule is correctly defined to allow traffic from 'app' to 'db' on port 3306; the issue is not that ingress is blocked but that egress from the app instance is missing. Option C is wrong because the question states there is a single VPC, and the rule is applied to that same VPC; there is no indication of a wrong VPC selection. Option D is wrong because the engineer verified that the tags are correctly applied, so the database instance does have the 'db' tag; the failure is not due to missing tags.

65
Multi-Selectmedium

Which THREE components are required to set up Identity-Aware Proxy (IAP) for TCP forwarding to a VM?

Select 3 answers
A.A firewall rule that allows ingress from 35.235.240.0/20 to the VM on the desired port.
B.The user or group must have the IAP-secured Tunnel User role on the project.
C.The VM must have an external IP address.
D.IAP API enabled in the project.
E.A NAT gateway configured for the VPC.
AnswersA, B, D

This IP range is used by IAP.

Why this answer

Option A is correct because IAP TCP forwarding requires that the VM allows ingress traffic from the IAP health-check and forwarding source IP range (35.235.240.0/20) on the desired TCP port. Without this firewall rule, the IAP proxy cannot establish a connection to the VM, even if the user is authenticated and authorized.

Exam trap

Google Cloud often tests the misconception that a VM must have a public IP to be accessed remotely, but IAP TCP forwarding specifically eliminates that requirement by tunneling through the internal network.

66
MCQhard

A financial services company is deploying a new payment processing application in Google Cloud. The architecture consists of: a VPC named 'payment-vpc' with subnet 'payment-subnet' (10.1.0.0/16), a managed instance group (MIG) of backend servers in payment-subnet, an internal TCP load balancer (ILB) with IP 10.1.0.10 distributing traffic to the MIG, and a Cloud NAT for outbound internet access. The application must communicate with an external payment gateway over TLS. The security policy requires that all outbound traffic from the backend servers to the internet must egress through a single, centralized Cloud NAT instance to allow traffic inspection. To meet this requirement, the network team has configured: a Cloud Router, a Cloud NAT gateway named 'payment-nat' in payment-vpc, and a default route (0.0.0.0/0, next hop: default internet gateway) in payment-vpc. They have also configured VPC firewall rules to allow outbound HTTPS traffic. During testing, the backend servers cannot connect to the external payment gateway. The team has verified that the Cloud NAT is properly configured and that the VPC firewall rules allow egress traffic. What is the most likely cause of the connectivity failure?

A.The VPC firewall rules are blocking outbound HTTPS traffic from the backend servers.
B.The default route (0.0.0.0/0) with next hop 'default internet gateway' preempts the Cloud NAT route.
C.The Cloud NAT gateway is not in the same region as the backend servers.
D.The Cloud Router's BGP ASN is not properly configured.
AnswerB

The default route sends traffic directly to the internet, bypassing Cloud NAT. Cloud NAT requires that the default route have a higher priority (lower number) than the automatically created route for Cloud NAT, or the default route must be removed.

Why this answer

The default route (0.0.0.0/0) with next hop 'default internet gateway' directs all outbound internet traffic directly to the internet gateway, bypassing the Cloud NAT gateway. Cloud NAT only applies when the next hop for 0.0.0.0/0 is the Cloud Router (or when no default route to the internet gateway exists), because NAT is performed on packets that are routed through the Cloud Router. Since the default route with next hop 'default internet gateway' has a higher priority (lower numeric value) than any dynamically learned route, it preempts the Cloud NAT path, causing outbound traffic to egress without NAT and thus fail to reach the external payment gateway if the backend servers have only private IPs.

Exam trap

Google Cloud often tests the misconception that Cloud NAT automatically intercepts all outbound traffic regardless of routing, when in fact the default route's next hop must point to the Cloud Router for NAT to apply.

How to eliminate wrong answers

Option A is wrong because the team has verified that VPC firewall rules allow outbound HTTPS traffic, so firewall rules are not blocking the connection. Option C is wrong because Cloud NAT is a regional resource that can be configured to serve all zones within a region; the backend servers in payment-subnet are in the same region as the Cloud NAT, and the subnet is within that region, so region mismatch is not the issue. Option D is wrong because the Cloud Router's BGP ASN configuration is irrelevant for Cloud NAT; Cloud NAT does not use BGP for its operation—it relies on the Cloud Router only to hold the NAT configuration and to enable dynamic routing, but the ASN does not affect NAT functionality.

67
MCQmedium

A network engineer notices unexpected traffic being allowed through a VPC firewall rule. They want to analyze the logs to identify the source and destination. What is the best way to enable detailed logging for firewall rules?

A.Enable firewall rule logging on the specific rule and view logs in Cloud Logging.
B.Enable VPC Flow Logs for the subnet.
C.Create a custom router with a log export.
D.Use Packet Mirroring to capture all traffic.
AnswerA

Firewall rule logging logs each packet that matches the rule.

Why this answer

Firewall rule logging in VPC is designed specifically to log metadata (source IP, destination IP, action, etc.) for each packet matched by a firewall rule. Enabling it on the specific rule and viewing logs in Cloud Logging provides the granular, per-rule detail needed to identify the source and destination of unexpected traffic. This is the direct and intended method for firewall rule analysis.

Exam trap

Google Cloud often tests the distinction between VPC Flow Logs (subnet-level flow metadata) and firewall rule logging (per-rule, per-packet decision logs); the trap here is that candidates treat VPC Flow Logs as a substitute for firewall rule logging, but Flow Logs lack rule-specific context.

How to eliminate wrong answers

Option B is wrong because VPC Flow Logs capture metadata about network flows at the subnet level (e.g., 5-tuple, packet/byte counts), but they do not log firewall rule-specific actions (allow/deny) or rule IDs, so they cannot pinpoint which firewall rule allowed the traffic. Option C is wrong because a custom router with a log export is used for exporting routes or BGP events, not for logging firewall rule traffic; it has no mechanism to capture per-packet firewall decisions. Option D is wrong because Packet Mirroring copies all traffic (including payloads) to a collector for deep packet inspection, which is overkill and not focused on firewall rule logging; it also incurs significant cost and complexity, and does not natively associate traffic with specific firewall rules.

68
MCQmedium

A company uses Shared VPC with multiple service projects. The network admin wants to restrict access to certain Compute Engine instances so that only specific service accounts can SSH into them. What is the best practice to achieve this?

A.Configure firewall rules that allow SSH only from source IP ranges of the allowed service accounts.
B.Use Identity-Aware Proxy (IAP) TCP forwarding with IAM conditions restricting which service accounts can use IAP.
C.Use Organization Policies to restrict SSH access.
D.Use VPC Service Controls with a service perimeter.
AnswerB

IAP provides secure access and IAM conditions allow granular control by service account.

Why this answer

Option B is correct because Identity-Aware Proxy (IAP) TCP forwarding allows SSH access to Compute Engine instances without exposing them to the public internet. By combining IAP with IAM conditions, the network admin can restrict which service accounts are permitted to use IAP, thereby controlling SSH access at the identity level rather than relying on source IP addresses. This approach aligns with Google Cloud's best practice for zero-trust network security.

Exam trap

The trap here is that candidates may confuse IAP with traditional firewall rules or VPC Service Controls, mistakenly thinking source IP filtering or perimeter-based controls can enforce identity-based access, whereas IAP is the only option that directly integrates service account identity with SSH access.

How to eliminate wrong answers

Option A is wrong because firewall rules filter traffic based on source IP addresses, not service accounts; service accounts are identities, not IP ranges, so this approach cannot restrict access by service account. Option C is wrong because Organization Policies are used to set constraints on resource configurations (e.g., disabling serial port access), not to control SSH access per service account. Option D is wrong because VPC Service Controls are designed to protect data exfiltration by defining perimeters around managed services (e.g., BigQuery, Cloud Storage), not to manage SSH access to Compute Engine instances.

69
MCQhard

A company has multiple on-premises networks connected to a Cloud VPN hub in GCP. Each on-premises site uses BGP to advertise its prefixes. The security team wants to ensure that only specific prefixes from each site are accepted into the VPC routes. What should they configure?

A.Configure BGP route filtering on the Cloud Router to accept only specific prefixes from each on-premises site.
B.Create firewall rules to block traffic from unwanted prefixes.
C.Set up a separate VPN tunnel for each prefix.
D.Use VPC Service Controls to restrict the prefixes.
AnswerA

Cloud Router allows filtering inbound and outbound routes.

Why this answer

Option A is correct because Cloud Router supports BGP route filtering, allowing you to define inbound route policies that accept only specific prefixes from each on-premises BGP peer. This ensures that only the desired prefixes are installed into the VPC route table, providing granular control over route advertisement acceptance without affecting the VPN tunnel or firewall state.

Exam trap

Google Cloud often tests the distinction between route filtering (control plane) and firewall rules (data plane), so the trap here is that candidates mistakenly think firewall rules can prevent unwanted route injection, when in fact they only block traffic after the route is already learned.

How to eliminate wrong answers

Option B is wrong because firewall rules control traffic flow based on IP addresses and ports, but they do not prevent unwanted prefixes from being injected into the VPC route table; the routes would still exist and could influence routing decisions. Option C is wrong because creating a separate VPN tunnel for each prefix is inefficient and unnecessary; BGP route filtering on a single Cloud Router can selectively accept prefixes without multiplying tunnel configurations. Option D is wrong because VPC Service Controls are designed to restrict data exfiltration and access to Google-managed services, not to filter BGP route advertisements or control which on-premises prefixes are learned into VPC routes.

70
Multi-Selecthard

A network engineer is troubleshooting connectivity between two VPCs that are peered. The VPC flow logs show traffic being dropped. Firewall rules are correctly configured. Which TWO actions should the engineer take to identify the cause?

Select 2 answers
A.Ensure that the subnets in both VPCs don't overlap.
B.Use Packet Mirroring to capture traffic on both sides and compare.
C.Check for asymmetric routing by reviewing the VPC peering routes and Cloud Router sessions.
D.Disable the firewall rules to see if traffic flows.
E.Verify that the VPCs are in the same project.
AnswersB, C

Packet Mirroring can help identify if traffic is reaching the destination instance.

Why this answer

Packet Mirroring allows you to capture and inspect actual traffic at the packet level on both sides of the VPC peering connection. Since firewall rules are correctly configured but flow logs still show drops, the issue is likely at a lower layer (e.g., routing, MTU, or asymmetric traffic). By comparing mirrored packets, you can see if traffic is actually reaching the destination interface and whether responses are being sent back, which flow logs alone cannot reveal.

Exam trap

Google Cloud often tests the misconception that flow logs provide enough detail to diagnose all connectivity issues, when in fact they only show summary statistics and cannot capture packet-level details needed to identify asymmetric routing or MTU problems.

71
Matchingmedium

Match each Cloud DNS record type to its use.

Maps a hostname to an IPv4 address

Maps a hostname to an IPv6 address

Alias of one hostname to another

Specifies mail servers for a domain

Holds arbitrary text, often for verification

Why these pairings

These are common DNS record types used in Cloud DNS.

72
MCQmedium

A company has deployed a globally distributed application on Google Cloud using Cloud Load Balancing and managed instance groups across multiple regions. They need to restrict access to the application's backend instances so that only traffic from the load balancer's health check ranges and the load balancer's source IP addresses is allowed. Which firewall rule configuration should be used?

A.Create an ingress firewall rule that allows traffic from the load balancer's health check ranges and uses a service account filter to allow traffic from the cloud-services service account (used by the load balancer).
B.Create an ingress firewall rule allowing all traffic from 0.0.0.0/0 with a target tag applied to the backend instances.
C.Create an ingress firewall rule that denies all traffic except from the load balancer's frontend IP address.
D.Create an ingress firewall rule allowing traffic from the health check ranges (35.191.0.0/16, 130.211.0.0/22) and the load balancer's source IP ranges (e.g., 130.211.0.0/22) to the backend instances.
AnswerA

This ensures that only traffic from the load balancer's health check probes and the load balancer itself (via service account) reaches the backend instances.

Why this answer

Option A is correct because it uses a service account filter to allow traffic from the cloud-services service account, which is the identity used by Cloud Load Balancing to forward traffic to backend instances. This ensures that only traffic originating from the load balancer (including health check probes) is permitted, while also automatically covering the health check ranges (35.191.0.0/16, 130.211.0.0/22) without needing to hardcode IP ranges. This approach is more secure and scalable than IP-based rules, as it avoids the risk of IP range changes and provides identity-based access control.

Exam trap

Google Cloud often tests the misconception that you can simply allow the load balancer's frontend IP address, but the trap here is that the frontend IP is a virtual IP that never appears as the source IP in packets reaching the backend—instead, the source IP is the load balancer's internal IP or health check ranges, so candidates must understand the difference between frontend and backend traffic flows.

How to eliminate wrong answers

Option B is wrong because allowing all traffic from 0.0.0.0/0 would permit any source on the internet to reach the backend instances, completely bypassing the load balancer and violating the requirement to restrict access only to the load balancer's health check ranges and source IPs. Option C is wrong because denying all traffic except from the load balancer's frontend IP address is ineffective; the frontend IP is a virtual IP (VIP) that does not appear as the source IP in packets arriving at the backend instances—the actual source IPs are the load balancer's internal IPs (e.g., 130.211.0.0/22) and health check ranges, so this rule would block legitimate traffic. Option D is wrong because it relies on static IP ranges (35.191.0.0/16, 130.211.0.0/22) which can change over time as Google updates its infrastructure, leading to potential access failures; additionally, it does not cover all possible load balancer source IPs in all scenarios (e.g., when using internal load balancers or cross-region load balancing).

73
MCQeasy

A company wants to ensure that only traffic from specific source IP ranges can reach a Cloud Load Balancer. How should they enforce this?

A.Use IAP.
B.Configure Cloud Armor with IP allowlist.
C.Set up Cloud NAT.
D.Use VPC firewall rules on the load balancer's backend.
AnswerB

Cloud Armor can filter traffic to the load balancer based on source IP.

Why this answer

Cloud Armor is a web application firewall (WAF) that can be attached to a Cloud Load Balancer to filter incoming traffic based on IP addresses, including allowlisting specific source IP ranges. This directly meets the requirement to restrict access to the load balancer by source IP without affecting backend instance configurations.

Exam trap

The trap here is that candidates confuse VPC firewall rules (which apply to VM instances) with Cloud Armor (which applies to the load balancer frontend), leading them to incorrectly select Option D.

How to eliminate wrong answers

Option A is wrong because IAP (Identity-Aware Proxy) controls access based on user identity and context, not source IP ranges, and it operates at the application layer, not the network layer. Option C is wrong because Cloud NAT provides outbound internet access for private instances, not inbound traffic filtering or allowlisting. Option D is wrong because VPC firewall rules apply to the load balancer's backend instances, not to the load balancer itself, and they cannot filter traffic arriving at the load balancer's frontend IP.

74
MCQeasy

A company wants to enforce that all HTTPS load balancer traffic uses TLS 1.2 or higher. Which Google Cloud resource should they configure?

A.SSL certificate resource
B.SSL policy attached to the target HTTPS proxy
C.VPC firewall rule to block TLS 1.0/1.1
D.Identity-Aware Proxy (IAP)
AnswerB

SSL policy specifies minimum TLS version and ciphers.

Why this answer

Option B is correct because an SSL policy in Google Cloud can be attached to a target HTTPS proxy to enforce minimum TLS version requirements, such as TLS 1.2 or higher. This policy directly controls the TLS handshake parameters at the load balancer level, ensuring that only clients supporting TLS 1.2 or above can establish HTTPS connections.

Exam trap

The trap here is that candidates often confuse SSL certificates (which only provide cryptographic material) with SSL policies (which enforce protocol and cipher restrictions), leading them to select the SSL certificate resource as the answer.

How to eliminate wrong answers

Option A is wrong because an SSL certificate resource only stores the certificate and private key for TLS termination; it does not enforce TLS protocol version restrictions. Option C is wrong because VPC firewall rules operate at the network layer (IP/port) and cannot inspect or enforce TLS protocol versions, which are part of the application layer handshake. Option D is wrong because Identity-Aware Proxy (IAP) provides access control based on identity and context, not TLS version enforcement; it does not replace the need for an SSL policy on the load balancer.

75
MCQeasy

A security engineer wants to allow SSH access to a VM that has no external IP. The VM is in a VPC with IAP configured. What is the simplest way to enable secure SSH without a bastion host?

A.Use Identity-Aware Proxy (IAP) TCP forwarding with the gcloud compute start-iap-tunnel command.
B.Create a VPN tunnel to the VPC and SSH over the VPN.
C.Configure a SOCKS proxy on a bastion host.
D.Assign an external IP to the VM and use a firewall rule to restrict access.
AnswerA

IAP TCP forwarding provides secure access without external IPs.

Why this answer

Identity-Aware Proxy (IAP) TCP forwarding allows secure SSH access to a VM without an external IP by tunneling traffic through the IAP service. The `gcloud compute start-iap-tunnel` command establishes an encrypted tunnel from your local machine to the VM via the IAP proxy, using the VM's internal IP and port 22. This eliminates the need for a bastion host or public IP while leveraging IAP's identity-based access controls.

Exam trap

Google Cloud often tests the misconception that IAP is only for web-based access (HTTP/HTTPS) and not for TCP forwarding, causing candidates to overlook the `gcloud compute start-iap-tunnel` command as a valid solution for SSH without a bastion host.

How to eliminate wrong answers

Option B is wrong because creating a VPN tunnel adds unnecessary complexity and cost, and it does not leverage IAP, which is already configured in the VPC; it also requires additional VPN gateway setup. Option C is wrong because configuring a SOCKS proxy on a bastion host contradicts the requirement of 'without a bastion host' and introduces an extra hop and management overhead. Option D is wrong because assigning an external IP directly exposes the VM to the internet, violating the security intent of having no external IP and requiring firewall rules that could be misconfigured.
