CCNA Pcne Implementing VPC Questions

75 of 100 questions · Page 1/2 · Pcne Implementing VPC topic · Answers revealed

1
MCQ · easy

A developer is configuring a Compute Engine VM to host a web server. They want to ensure that only HTTP (port 80) and HTTPS (port 443) traffic from the internet is allowed. Which firewall rule should they create?

A. Egress allow rule for TCP ports 80 and 443 to 0.0.0.0/0.
B. Ingress deny rule for all ports except 80 and 443.
C. Egress deny rule for all ports.
D. Ingress allow rule for TCP ports 80 and 443 from 0.0.0.0/0.
Answer: D

This allows incoming HTTP/HTTPS traffic from any source.

Why this answer

For web server traffic, you need ingress rules that allow TCP on ports 80 and 443 from source 0.0.0.0/0. The target should be the VM (by tag or service account). A single rule can specify multiple ports.

2
MCQ · medium

A company wants to publish an internal service (e.g., a database) in their VPC so that consumers in other VPCs can connect to it privately via Private Service Connect (PSC). What must be created on the producer side?

A. A Cloud VPN tunnel to the consumer VPC.
B. A VPC peering connection.
C. A Private Service Connect endpoint in the producer VPC.
D. A Service Attachment that exposes the service.
Answer: D

The Service Attachment defines the service to be consumed via PSC.

Why this answer

Private Service Connect allows producers to publish services via a Service Attachment. The service attachment is created on a Network Endpoint Group (NEG) that points to the internal service (e.g., a backend service). Consumers then create PSC endpoints to connect.

3
MCQ · medium

An engineer needs to configure DNS resolution for a Compute Engine instance named "web-1" in zone us-central1-a of project my-project. What is the internal DNS name for this instance?

A. web-1.us-central1-a.c.my-project.internal
B. web-1.us-central1.c.my-project.internal
C. web-1.c.my-project.us-central1-a.internal
D. web-1.us-central1-a.my-project.internal
Answer: A

Correct format.

Why this answer

GCP internal DNS uses the format: [instance name].[zone].c.[project id].internal

4
MCQ · medium

A company has an application running on Compute Engine that needs to send traffic to a third-party SaaS service on the internet. The VMs have no external IPs. Which solution provides outbound connectivity with minimal configuration and allows source IP preservation?

A. Configure a proxy instance with an external IP and route traffic through it
B. Use Cloud NAT with a static NAT IP
C. Assign external IPs to each VM
D. Use Private Google Access
Answer: B

Cloud NAT provides outbound internet access for VMs without external IPs. Using a static NAT IP preserves source IP and provides consistent IP for whitelisting.

Why this answer

Cloud NAT allows VMs without external IPs to reach the internet. It preserves the source IP (the NAT IP) for outbound connections. It is regional and can be configured per subnet.

5
Multi-Select · hard

A security team needs to block traffic from a specific geographic region (country) from reaching their HTTP Load Balancer. Additionally, they need to allow traffic from specific IP ranges that are known to be legitimate, even if they originate from that blocked region. Which THREE steps should they take? (Choose THREE.)

Select 3 answers
A. Attach the security policy to the backend service of the HTTPS Load Balancer
B. Create a Cloud Armor security policy with a rule that denies traffic from the country
C. Add a firewall rule in the VPC to deny traffic from the country
D. Create a Cloud Armor security policy with a higher-priority rule that allows the specific IP ranges
E. Use VPC Service Controls to restrict access from the country
Answers: A, B, D

Cloud Armor policies are applied to backend services.

Why this answer

Cloud Armor allows you to create security policies with rules. Geo-blocking can be implemented by denying traffic based on geographic origin. To allow specific IP ranges from the blocked region, you need a rule with higher priority that allows those IPs before the deny rule.

Attach the policy to the backend service of the HTTPS Load Balancer.

6
MCQ · medium

An organization has two VPCs in the same project: VPC-A and VPC-B. They want instances in VPC-A to reach Cloud Storage buckets without external IPs. What is the simplest solution?

A. Create a Cloud NAT gateway in VPC-A and configure firewall rules to allow traffic to Cloud Storage.
B. Peer VPC-A with VPC-B and enable Private Google Access on VPC-B.
C. Enable Private Google Access on the subnets in VPC-A.
D. Assign external IPs to the instances in VPC-A.
Answer: C

Private Google Access allows instances to reach Google APIs using internal IPs.

Why this answer

Private Google Access enables instances without external IPs to reach Google API endpoints (including Cloud Storage) via the private IP range. The feature is enabled per subnet, so enabling it on subnets in VPC-A allows those instances to access Cloud Storage.

7
MCQ · easy

A company wants to protect its HTTPS Load Balancer from DDoS attacks and common web application attacks like SQL injection and cross-site scripting (XSS). Which Google Cloud service should be used?

A. Cloud IDS
B. Cloud Armor
C. VPC Service Controls
D. Firewall Rules
Answer: B

Correct. Cloud Armor provides WAF and DDoS protection for HTTPS Load Balancers.

Why this answer

Cloud Armor provides DDoS protection and WAF capabilities including preconfigured rules for OWASP, XSS, and SQLi. It attaches to HTTPS Load Balancers.

8
MCQ · hard

An organization has multiple projects under an organization node. They need to enforce a security policy that denies all inbound SSH traffic (tcp:22) to all VMs across all projects, but must allow certain projects to override this. Which approach should be used?

A. Use VPC Service Controls to create a service perimeter that blocks SSH traffic to all projects.
B. Create a hierarchical firewall policy at the organization level with a rule that allows SSH for specific projects (using target service accounts or tags) at priority 1000, and a deny rule for all SSH at priority 2000.
C. Create a network firewall policy for each VPC with a deny rule for SSH. Use service accounts for exceptions.
D. Create a hierarchical firewall policy at the organization level denying SSH (tcp:22). Then create a network firewall policy at each VPC allowing SSH for exempted projects.
Answer: B

The allow rule has higher priority (lower number) than the deny rule, so it takes precedence for matching targets. This allows per-project exceptions within the same hierarchical policy.

Why this answer

Hierarchical firewall policies are attached at the organization or folder level and are evaluated before network firewall policies and VPC firewall rules, so a deny at the organization level cannot be overridden by an allow at the VPC level. That rules out option D: the organization-level deny would block SSH even where a network firewall policy allows it.

Within a policy, a lower priority number means higher priority and is evaluated first. To deny SSH everywhere while still allowing exceptions, put both rules in the same hierarchical policy: an allow rule for tcp:22 at priority 1000 that applies only to the exempted projects' instances (by target service account or a tag such as 'allowed-ssh'), and a deny rule for tcp:22 at priority 2000 that matches everything else. The allow rule is evaluated first and wins for its targets; every other instance falls through to the deny. Getting the order wrong, for example a deny at priority 100 and an allow at priority 200, would block everything, because the deny would be evaluated first.

Option C, a network firewall policy per VPC, does not enforce the deny across all projects from a single place. Option A, VPC Service Controls, restricts access to Google APIs and is not relevant to VM ingress traffic.

So the answer is B.

9
MCQ · easy

An engineer needs to provide outbound internet access to Compute Engine instances that do not have external IP addresses. The solution must allow instances to access a specific set of external IPs only. What should the engineer configure?

A. Use Private Google Access only, which provides access to Google APIs and services.
B. Create a Cloud NAT gateway and configure firewall egress rules to allow traffic only to the specific IPs.
C. Assign external IPs to instances and use firewall rules to restrict outbound traffic.
D. Deploy a NAT instance with iptables rules to restrict destination IPs.
Answer: B

Cloud NAT provides outbound connectivity for instances without external IPs, and firewall rules can restrict traffic to specific destinations.

Why this answer

Cloud NAT with firewall rules can restrict outbound traffic to specific destinations. By default, Cloud NAT uses the instance's network tags and firewall egress rules to control traffic. The engineer can create an egress deny rule with higher priority for all destinations, then an egress allow rule for the specific IPs.

10
MCQ · hard

An engineer is troubleshooting connectivity from a Compute Engine instance (internal IP: 10.0.0.2) to an on-premises server (IP: 203.0.113.5) over a Cloud VPN tunnel. The traffic reaches the on-premises network, but the return traffic is dropped. What is the most likely cause?

A. The Cloud VPN tunnel is down.
B. The MTU is set to 1500 on the VPN tunnel.
C. The instance's firewall is blocking ICMP.
D. The on-premises router is not advertising the return route via BGP, causing asymmetric routing.
Answer: D

Return traffic may take a different path, which GCP drops because it doesn't match the expected ingress interface.

Why this answer

For asymmetric routing, GCP may drop return traffic if it does not match the forwarding route. Cloud VPN supports dynamic routing (BGP) which advertises the on-premises prefix. However, if the on-premises router forwards return traffic through a different path (e.g., internet), GCP's firewall drops it because the return packet does not come via the VPN tunnel (asymmetric).

11
Multi-Select · hard

An engineer needs to configure Cloud NAT with logging enabled to monitor traffic from a specific subnet. The NAT gateway uses automatic NAT IP allocation. The engineer wants to ensure that if a single VM uses many connections, it does not exhaust the available ports for other VMs. Which THREE settings should be configured? (Choose THREE.)

Select 3 answers
A. Set the minimum ports per VM to a reasonable value
B. Set the NAT IP allocation to manual
C. Enable logging on the NAT gateway
D. Enable endpoint-independent mapping
E. Set the maximum ports per VM to a reasonable value
Answers: A, B, E

This guarantees each VM gets a minimum number of ports.

Why this answer

To prevent one VM from starving the others, the engineer should switch to manual NAT IP allocation, which allows setting a maximum number of ports per VM so that a single VM cannot consume all of them, and set a minimum ports per VM so that each VM is guaranteed a baseline. Endpoint-independent mapping changes how UDP mappings are reused and is not directly related to port exhaustion, so it is not one of the required settings.

12
MCQ · hard

A Compute Engine instance is running a network appliance that requires multiple network interfaces. What is the primary purpose of attaching additional NICs (e.g., NIC1, NIC2) to the instance?

A. To provide failover if one NIC fails
B. To enable load balancing across interfaces
C. To increase network throughput
D. To separate traffic between different subnets or networks
Answer: D

Multiple NICs allow an instance to be on different VPC networks or subnets for traffic isolation.

Why this answer

Multiple NICs are used to separate traffic planes such as management, data, and control, and to route traffic through different subnets without relying on internal routing.

13
MCQ · easy

A company wants to allow instances in a VPC without external IPs to access Google APIs like BigQuery and Cloud Storage. Which configuration is required?

A. Create a VPC peering with the Google APIs VPC
B. Enable Private Google Access on the subnet
C. Assign external IPs to all instances
D. Configure a Cloud NAT gateway in the region
Answer: B

Private Google Access is a subnet-level setting that allows instances without external IPs to reach Google APIs via internal IP addresses.

Why this answer

Private Google Access enables instances without external IPs to reach Google APIs via internal IP addresses using the private.googleapis.com (199.36.153.8/30) or restricted.googleapis.com (199.36.153.4/30) VIPs. It must be enabled per subnet.

14
MCQ · medium

Your VPC has instances with internal DNS names like 'instance1.us-central1-a.c.myproject.internal'. You need to ensure that DNS resolution works for instances in the same zone using short names (e.g., 'instance1'). Which condition must be met?

A. Custom DNS must be configured via Cloud DNS.
B. The VPC must have Private Google Access enabled.
C. The instances must be in the same zone and VPC network.
D. The instance must have a network tag 'dns-enabled'.
Answer: C

Internal DNS resolves short names only for instances in the same zone and network.

Why this answer

Google Cloud internal DNS automatically resolves short names (e.g., 'instance1') for instances that are in the same zone and the same VPC network; no additional configuration is needed in that case.

15
MCQ · medium

A company wants to restrict which Google Cloud APIs can be accessed by its VMs in a specific project. They also want to prevent data exfiltration. Which service should they use?

A. Cloud NAT
B. Private Google Access
C. VPC Service Controls
D. IAM Conditions
Answer: C

VPC Service Controls enforce perimeters around APIs to prevent data exfiltration.

Why this answer

VPC Service Controls allow you to create service perimeters that restrict access to Google Cloud APIs and prevent data exfiltration.

16
MCQ · hard

An engineer has multiple projects with overlapping IP ranges. They want to create a single Cloud NAT gateway to provide outbound internet access for instances in two different VPCs that are connected via VPC Network Peering. Is this possible?

A. No, each VPC must have its own Cloud NAT gateway
B. Yes, by enabling 'NAT support' on the VPC peering connection
C. No, but you can use a single instance with an external IP as a NAT instance
D. Yes, by configuring the Cloud NAT gateway in one VPC and adding a route in the peered VPC with next hop as the NAT gateway
Answer: A

Cloud NAT is per VPC and per region. It cannot be shared across VPCs, even with peering.

Why this answer

Cloud NAT is a regional resource that belongs to a single VPC network and router. It cannot be shared across VPCs via peering. Each VPC needs its own Cloud NAT gateway.

Peering does not allow using the other VPC's NAT.

17
MCQ · easy

Which statement about Cloud Armor security policies is true?

A. They can be attached to any GCP resource, including Compute Engine instances.
B. They support both allow and deny actions for incoming requests.
C. They are evaluated after the firewall rules.
D. They cannot be used with internal load balancers.
Answer: B

Rules can allow or deny traffic based on conditions.

Why this answer

Cloud Armor security policies can be attached to HTTPS Load Balancers. They support rules with conditions like IP addresses, geographic regions, and preconfigured WAF rules. They also support rate limiting.

18
Multi-Select · hard

An organization needs to deploy a multi-tier web application on Compute Engine. The web tier must be accessible from the internet, while the database tier must only be accessible from the web tier. The security team requires a defense-in-depth approach. Which THREE measures should be implemented? (Choose three.)

Select 3 answers
A. Place web and database instances in the same subnet to minimize latency
B. Use firewall rules to allow ingress from the web subnet to the database subnet on the database port (e.g., 3306)
C. Create separate subnets for web and database tiers
D. Assign external IPs to database instances for easy maintenance
E. Use firewall rules to allow ingress from the internet to the web subnet on port 80/443
Answers: B, C, E

This restricts database access to only the web tier.

Why this answer

Defense-in-depth includes using separate subnets, firewall rules, and possibly service accounts. Tags help target rules. Using separate subnets isolates tiers.

Firewall rules control traffic between tiers. Using service accounts can further restrict access.

19
MCQ · easy

What is the default MTU for Compute Engine virtual machines?

A. 1400
B. 1500
C. 8896
D. 1460
Answer: D

The default MTU is 1460 bytes to accommodate the GCP network virtualization overhead.

Why this answer

Compute Engine instances use an MTU of 1460 bytes by default (the Ethernet maximum 1500 minus the IP/GRE overhead for tunneling). Some instance types support jumbo frames (MTU 8896).

20
MCQ · medium

A company wants to publish a service running on Compute Engine instances in their VPC so that consumers in other VPCs can access it via private IPs without needing VPC peering. Which service should they use?

A. VPC peering
B. Private Service Connect
C. Cloud VPN
D. Cloud NAT
Answer: B

PSC enables publishing services accessible via private endpoints across VPCs.

Why this answer

Private Service Connect allows a producer to publish a service via a private endpoint that consumers can access from their own VPCs without peering.

21
MCQ · medium

A network engineer wants to restrict access to a Cloud Storage bucket from only a specific set of Compute Engine instances in a VPC. The instances have no external IPs. What is the most effective way to enforce this restriction?

A. Assign a unique service account to the instances and use IAM conditions to allow the service account access to the bucket only when connecting from the VPC network.
B. Enable Private Google Access on the subnet and use VPC Service Controls with a service perimeter that includes the VPC and the Cloud Storage bucket.
C. Configure a firewall rule that allows egress traffic to the Cloud Storage API only from the instances' subnet.
D. Create an IAM condition that restricts access based on the instance's internal IP address range.
Answer: B

VPC Service Controls provide a security perimeter around Google APIs, restricting access from unauthorized networks.

Why this answer

Private Google Access (or Private Service Connect for Google APIs) lets instances without external IPs reach the Cloud Storage API via internal IPs. VPC Service Controls then add a service perimeter that restricts access to the bucket to the specified VPC and projects. Together they provide a defense-in-depth approach.

22
MCQ · hard

An engineer needs to create a firewall rule that applies only to instances with the tag 'web-server' in a specific VPC network. The rule should allow ingress from any source on TCP port 80. Which combination of fields must be set in the gcloud command?

A. --direction=INGRESS --priority=1000 --network=default --allow=tcp:80 --target-tags=web-server --source-tags=0.0.0.0/0
B. --direction=INGRESS --priority=1000 --network=default --allow=tcp:80 --target-tags=web-server --source-ranges=0.0.0.0/0
C. --direction=INGRESS --priority=1000 --network=default --allow=tcp:80 --target-service-accounts=web-server@project.iam.gserviceaccount.com
D. --direction=INGRESS --priority=1000 --network=default --allow=tcp:80 --source-tags=web-server
Answer: B

Correct. This applies the rule to instances with tag web-server, allowing TCP 80 from any source.

Why this answer

To target instances by tag, use --target-tags=web-server. For the source, use --source-ranges=0.0.0.0/0 (any source). For the protocol and port, use --allow=tcp:80. The network is specified with --network and the direction with --direction=INGRESS.

23
Multi-Select · medium

An engineer needs to configure a Compute Engine instance as a network appliance that routes traffic between two subnets within the same VPC. The instance must handle traffic for both subnets. Which TWO actions are required? (Choose TWO.)

Select 2 answers
A. Set the MTU to 1500 on both interfaces
B. Create a route with a next-hop of the instance's internal IP
C. Enable IP forwarding on the instance
D. Attach two network interfaces to the instance, one in each subnet
E. Assign external IPs to both interfaces
Answers: C, D

IP forwarding allows the instance to forward packets between interfaces.

Why this answer

To act as a router between subnets, the instance needs two network interfaces, each attached to a different subnet, and IP forwarding must be enabled so the kernel can forward packets between interfaces.

24
Multi-Select · medium

An engineer needs to allow HTTP health checks from the Google Cloud health checker IP ranges to a set of instances. Which two methods can be used to target the firewall rule correctly? (Choose two.)

Select 2 answers
A. Use source service accounts on the health checkers.
B. Use source tags on the health checkers.
C. Use target service accounts on the instances.
D. Use target tags on the instances.
E. Use instance names in the firewall rule.
Answers: C, D

Service accounts are also a valid target.

Why this answer

Firewall rules can target instances using tags or service accounts. The health checker IP ranges are well-known and can be used as source.

25
MCQ · medium

A company is using Cloud NAT to provide outbound internet access for instances without external IPs. They notice that the NAT gateway is running out of ports for connections to a single external IP address. To minimize port exhaustion, what should the engineer configure?

A. Change the NAT port allocation to static.
B. Reduce the endpoint-independent mapping timeout.
C. Enable Cloud NAT logging to diagnose the issue.
D. Increase the number of NAT IP addresses assigned to the Cloud NAT gateway.
Answer: D

More NAT IPs provide more source ports, reducing contention.

Why this answer

Cloud NAT uses NAT IP addresses and ports. To increase capacity for connections to a single destination IP, you can either allocate more NAT IP addresses (which increases the number of ports) or use dynamic port allocation. Static port allocation is used for endpoints that require predictable source ports.

For minimizing exhaustion, adding more NAT IPs is the direct solution.

26
MCQ · easy

An engineer is configuring a Google Compute Engine instance that needs to send traffic to the internet. The instance has no external IP address. Which service must be configured to allow this outbound connectivity?

A. Cloud NAT
B. Cloud VPN
C. VPC peering
D. Private Google Access
Answer: A

Cloud NAT enables outbound internet access for private instances.

Why this answer

Cloud NAT provides outbound internet connectivity for instances without external IPs. It translates private IPs to a public IP and allows instances to reach the internet.

27
MCQ · easy

What is the internal DNS name format for a Compute Engine instance named 'web-server' in the 'us-central1-a' zone within the project 'my-project'?

A. web-server.c.my-project.internal
B. web-server.us-central1.internal
C. web-server.my-project.internal
D. web-server.us-central1-a.c.my-project.internal
Answer: D

This is the correct format: instance name, zone, 'c', project ID, 'internal'.

Why this answer

Compute Engine instances get an internal DNS name in the format: [instance_name].[zone].c.[project_id].internal. For example, web-server.us-central1-a.c.my-project.internal.

28
MCQ · hard

An engineer is troubleshooting a firewall rule issue. A VM with network tag 'web' is unable to receive HTTP traffic from the internet. The VPC has an ingress firewall rule allowing tcp:80 from 0.0.0.0/0 to targets with tag 'web' at priority 1000. Another ingress rule denies all ingress traffic at priority 65535. What is the likely cause?

A. The firewall rule is an egress rule instead of ingress
B. The VM does not have the network tag 'web' assigned
C. The priority of the allow rule is lower (higher number) than the deny rule
D. The VM has an external IP but the firewall rule only applies to internal IPs
Answer: B

Firewall rules with target tags apply only to instances with those tags. If the VM lacks the 'web' tag, the allow rule does not apply, and the implied deny blocks traffic.

Why this answer

Firewall rules are evaluated in priority order (lower number = higher priority), so the allow rule at priority 1000 is evaluated before the deny-all rule at priority 65535 and before the implied deny-ingress rule that every VPC has at that same priority. As described, the rule set should let HTTP through, which rules out option C: 1000 is the higher priority, not the lower one. The rule is stated to be an ingress rule with source 0.0.0.0/0, so options A and D do not describe the scenario either.

What remains is that the allow rule never matches the VM: a rule with target tag 'web' applies only to instances that carry that tag, and a VM without it falls through to the deny rule. Other causes outside the listed options would be the rule living in a different VPC network, or a hierarchical firewall policy denying the traffic before VPC rules are evaluated, but the scenario mentions neither.

The answer is B.

29
MCQ · medium

An engineer has configured a firewall rule with priority 1000 that allows ingress traffic on TCP port 443 from source IP range 10.0.0.0/8. Another rule with priority 500 denies ingress on TCP port 443 from source IP 10.0.1.0/24. What will happen to traffic from 10.0.1.5 destined to the instance on port 443?

A. The traffic is allowed because allow rules override deny rules
B. The traffic is allowed because the allow rule covers a broader range
C. The traffic is denied only if the instance has a tag matching the deny rule
D. The traffic is denied because the deny rule has higher priority
Answer: D

Correct. The deny rule (priority 500) has higher priority than the allow rule (priority 1000).

Why this answer

Firewall rules are evaluated by priority (lower number = higher priority). Rule with priority 500 (deny) takes precedence over priority 1000 (allow). So traffic from 10.0.1.5 is denied.

30
MCQ · hard

A company uses hierarchical firewall policies at the organization level. They need to allow SSH (TCP 22) access from a specific range 10.0.0.0/8 to all VMs, but a child folder has a policy that denies all ingress traffic. Which rule priority ordering ensures SSH access is allowed?

A. Folder allow rule priority 100, folder deny rule priority 200.
B. Remove the folder deny rule and use network firewall rules.
C. Organization allow rule priority 200, folder deny rule priority 100.
D. Organization allow rule priority 100, folder deny rule priority 200.
Answer: D

Priority 100 is higher (lower number) than 200, so allow overrides deny.

Why this answer

Hierarchical firewall rules are evaluated by priority; a lower number is evaluated first and wins. To override a deny-all, the allow rule must therefore carry a lower priority number than the deny rule. If the organization's allow rule had a higher number than the folder's deny rule (option C), the folder's deny-all would block the traffic.

With the organization allow rule at priority 100 and the folder deny rule at priority 200 (option D), the allow is evaluated first and SSH from 10.0.0.0/8 is permitted.

31
MCQ · easy

A network engineer needs to ensure that Compute Engine instances without external IP addresses can access Google APIs such as BigQuery and Cloud Storage. Which feature should be enabled on the subnet where the instances reside?

A. Private Service Connect
B. VPC Service Controls
C. Private Google Access
D. Cloud NAT
Answer: C

Correct. Private Google Access enables instances without external IPs to reach Google APIs through internal IPs.

Why this answer

Private Google Access allows instances without external IPs to reach Google APIs using private IP addresses. It is enabled per subnet.

32
MCQ · medium

A company has deployed a Cloud Armor security policy with the following rules: Rule 1: allow from IP range 10.0.0.0/8 (priority 1000); Rule 2: deny from all (priority 2000). What will be the action for traffic from IP 10.1.1.1?

A. Deny
B. Error: conflicting rules
C. Allow
D. Depends on the default rule
Answer: C

The allow rule with higher priority (1000) matches first, so traffic is allowed.

Why this answer

Cloud Armor evaluates rules in priority order (lower number = higher priority). Rule 1 matches and allows the traffic, so Rule 2 is not evaluated.

33
MCQ · hard

An organization needs to prevent exfiltration of data from a Cloud Storage bucket to external IPs. The bucket is accessed by Compute Engine instances in a VPC. The instances need to read and write data to the bucket but should not be able to copy data to external networks. Which combination of controls meets this requirement?

A. Use Cloud Armor with a WAF rule to block outbound traffic.
B. Configure VPC Service Controls with a service perimeter that includes the VPC and the Cloud Storage bucket.
C. Set up Private Google Access and restrict IAM permissions to the bucket.
D. Use Cloud NAT with a firewall rule that denies all egress except to Google APIs.
Answer: B

This prevents data from leaving the perimeter, including copying to external networks.

Why this answer

VPC Service Controls create a service perimeter that restricts data movement between Google services and external networks. Within the perimeter, data can flow between authorized services. IAM conditions can further restrict access based on context.

This is the primary method to prevent data exfiltration from Google Cloud-managed services.

34
MCQ · medium

A company wants to publish a custom internal service running in their VPC so that consumers in other VPCs can access it using private IP addresses. Which service should they use?

B. Private Service Connect
C. VPC Peering
D. Cloud VPN
Answer: B

Correct. Private Service Connect enables publishing and consuming services privately.

Why this answer

Private Service Connect allows publishing internal services via private endpoints in your VPC and enabling consumption from other VPCs using private IPs.

35
MCQeasy

A company wants to restrict access to Google Cloud APIs from a specific VPC network so that only the Google APIs listed in the VPC Service Controls perimeter can be accessed. Which configuration should be used?

A.VPC Service Controls with VPC accessible services
B.Private Service Connect
C.Private Google Access
D.Cloud NAT with a firewall rule
AnswerA

VPC Service Controls perimeters can include VPC accessible services to restrict access to specific Google APIs from a VPC network.

Why this answer

VPC Service Controls allow you to define perimeters around Google Cloud resources, restricting access to Google APIs based on the perimeter's configuration. VPC accessible services is a feature within VPC Service Controls that limits access to only the APIs listed in the perimeter.

36
Multi-Selectmedium

An organization wants to enforce that only instances with specific service accounts can be accessed via SSH (TCP 22) from the internet. Which two attributes should be used in the firewall rule to achieve this? (Choose two.)

Select 2 answers
A.--source-service-accounts
B.--source-ranges 0.0.0.0/0
C.--target-tags
D.--destination-ranges
E.--target-service-accounts
AnswersB, E

Correct. Allows traffic from any source (internet).

Why this answer

To target instances based on service account, use --target-service-accounts. To specify the source from internet, use --source-ranges with 0.0.0.0/0.

37
MCQeasy

What is the default MTU for Compute Engine instances on Google Cloud?

A.1460
B.9000
C.1400
D.1500
AnswerA

GCP uses 1460 as default MTU.

Why this answer

The default MTU for Google Cloud VMs is 1460 bytes to accommodate encapsulation overhead.

38
MCQmedium

A company has a VPC with a subnet in us-central1. They launched a Compute Engine instance named "app-server" in that subnet without an external IP. They need the instance to be able to download updates from the internet. Which two steps must be taken?

A.Configure Private Google Access on the subnet.
B.Create a VPC firewall rule to allow egress to 0.0.0.0/0.
C.Create a Cloud NAT gateway and a Cloud Router in us-central1.
D.Assign a static external IP to the instance.
AnswerC

Cloud NAT requires a Cloud Router in the same region to provide outbound connectivity.

Why this answer

The instance needs outbound internet access via Cloud NAT, which requires a Cloud Router in the region.

39
MCQhard

You are deploying a third-party network appliance (e.g., firewall) in a GCP VPC. The appliance requires multiple network interfaces for traffic isolation. You create a VM with three NICs in different subnets. What is a key consideration for routing traffic through the appliance?

A.Custom routes must be created to direct traffic to a specific NIC using the VM's IP as next hop.
B.The VM must have an external IP on each NIC.
C.The VM must have IP forwarding disabled.
D.All NICs must be in the same subnet.
AnswerA

This allows traffic to be forwarded to the appliance for inspection.

Why this answer

Each NIC in a multi-NIC VM is assigned to a different subnet. By default, the VM only sends traffic out of the NIC that matches the destination subnet's route. To route traffic through a specific NIC, custom routes with next hop set to the VM's IP on that NIC are required.

40
MCQhard

A company uses Cloud NAT with a static NAT IP address. They notice that connections from their instances are failing after a few minutes. What is the most likely cause?

A.The instance's external IP is conflicting with the NAT IP
B.The NAT IP address is not whitelisted on the target
C.The Cloud NAT gateway is using dynamic port allocation and running out of ports
D.The VPC network has a firewall rule blocking egress
AnswerC

With many connections, ports can be exhausted, causing failures.

Why this answer

Cloud NAT by default uses dynamic port allocation and releases ports after a timeout. With a static NAT IP, if port exhaustion occurs or if the connection idle timeout is too low, connections may drop.

41
MCQmedium

An organization has multiple VPCs in the same project. They want to apply consistent firewall rules to all VPCs at the project level. What is the most efficient way to achieve this?

A.Use hierarchical firewall policies at the project level
B.Create a network firewall policy and attach it to each VPC
C.Create a firewall rules template using Deployment Manager
D.Use VPC Service Controls to enforce rules
AnswerA

Correct. Hierarchical policies can be applied at the project level and apply to all VPCs within the project.

Why this answer

Hierarchical firewall policies can be applied at the organization, folder, or project level and apply to all VPCs in the resource hierarchy. VPC-level firewall rules are per VPC and require duplication.

42
MCQmedium

An engineer is deploying a network appliance (e.g., a firewall) in a VPC. The appliance needs to handle traffic between different subnets. How many network interfaces should the appliance VM have, and why?

A.Zero NICs: use an internal load balancer
B.One NIC, with IP forwarding enabled
C.Two NICs: one for management, one for data traffic
D.Three NICs: one for each subnet it routes between
AnswerC

Multiple NICs allow separation of management and data traffic. The management NIC can be used for SSH/API access, while data NICs handle forwarded traffic.

Why this answer

Network appliances often use multiple NICs for traffic segregation: one for management, others for data traffic. Each NIC can be in a different subnet. NIC0 is the primary and must be connected.

Up to 8 NICs are supported.

43
Multi-Selectmedium

A company uses Cloud NAT for outbound internet access. They want to ensure that all connections from their VMs use a predictable public IP address for whitelisting with third-party services. Which TWO configurations should be applied? (Choose two.)

Select 2 answers
A.Assign external IPs to each VM and disable Cloud NAT
B.Use dynamic NAT IP addresses assigned automatically by Cloud NAT
C.Enable Cloud NAT logging to monitor traffic
D.Reserve and assign static external IP addresses to the Cloud NAT gateway
E.Use Private Google Access instead of Cloud NAT
AnswersC, D

Logging helps audit that traffic is using the intended IPs, but does not guarantee predictability; however, it is often required for compliance.

Why this answer

Cloud NAT supports static NAT IP addresses that can be reserved and assigned to the NAT gateway. Also, if you assign multiple static IPs, you can use NAT IP address ranges. To ensure all traffic uses a specific IP, you can use a single static IP or a range.

Additionally, you can configure logging to monitor usage.

44
MCQmedium

A security team wants to block traffic from specific geographic regions (e.g., Country A) to their HTTP(S) load balancer. Which Google Cloud service should they use?

A.Firewall rules
B.VPC Service Controls
C.Cloud Armor
D.Cloud CDN
AnswerC

Cloud Armor provides geo-based access control using geographic location (GeoIP) matching.

Why this answer

Cloud Armor security policies can be attached to HTTP(S) load balancers. They support geo-based access control (allow/deny by country) using preconfigured or custom rules.

45
Multi-Selectmedium

Which THREE of the following are benefits of using hierarchical firewall policies? (Select 3)

Select 3 answers
A.They can be used to restrict access to specific Google APIs
B.They can be applied at the organization, folder, or project level
C.They are automatically inherited by all resources below the attachment point
D.They override network firewall rules with the same priority
E.They support both allow and deny rules
AnswersB, C, E

Hierarchical policies can be attached at any level in the hierarchy.

Why this answer

Hierarchical firewall policies provide centralized management, inherit down the resource hierarchy, and can apply at the organization level. They support both allow and deny rules, and can be used to enforce baseline security.

46
Multi-Selectmedium

An organization wants to publish an internal web service running on Compute Engine to consumers in different VPCs. The service must be accessible via private IPs without VPC peering. Which THREE components are required to set this up using Private Service Connect?

Select 3 answers
A.VPC peering between producer and consumer VPCs
B.A Cloud NAT gateway in the producer VPC
C.A service attachment in the producer VPC that points to a load balancer
D.An internal TCP/UDP load balancer in the producer VPC
E.A Private Service Connect endpoint in the consumer VPC
AnswersC, D, E

The service attachment is the published service endpoint.

Why this answer

Private Service Connect requires a service producer to create a service attachment (which uses a load balancer as the backend), and consumers to create Private Service Connect endpoints. The producer must also enable Private Service Connect on the subnet where the load balancer resides.

47
MCQmedium

An organization has multiple projects and wants to apply a consistent set of firewall rules across all VPC networks in the organization. Which approach should they use?

A.Create a network firewall policy and attach it to each VPC
B.Create a hierarchical firewall policy at the organization level
C.Use VPC peering to share rules
D.Apply firewall rules using tags in each project
AnswerB

Hierarchical policies can be applied to the organization, folder, or project for consistent enforcement.

Why this answer

Hierarchical firewall policies can be applied at the organization level and are inherited by all folders and projects, ensuring consistent rules across the entire hierarchy.

48
MCQeasy

A Compute Engine instance has multiple network interfaces. Which interface is considered the primary (NIC0)?

A.The interface with the lowest index number (nic0).
B.The interface configured first in the instance creation.
C.The interface with the highest index number.
D.All interfaces are primary.
AnswerA

nic0 is the primary interface.

Why this answer

By default, the first interface attached (nic0) is the primary interface and used for default routes and internal DNS.

49
MCQmedium

You have a Cloud NAT gateway configured in a region with 256 available ports. You allocate static NAT ports to a specific VM for outbound connections. What is the minimum number of ports you should allocate to ensure the VM can handle 500 concurrent connections?

A.128
B.256
C.512
D.64
AnswerC

512 ports can handle 500 concurrent connections with margin.

Why this answer

Cloud NAT uses ports for source NAT. A single connection uses one port. To support 500 concurrent connections, you need at least 500 ports.

However, Cloud NAT allows port sharing for the same destination IP and port, but static port allocation per VM typically reserves ports exclusively. To be safe, allocate at least 500 ports.

50
MCQeasy

An engineer is configuring a Compute Engine instance with multiple network interfaces for use as a network appliance. Which interface is considered the primary interface for default routes and instance metadata?

A.Any interface with an external IP
B.The interface with the lowest subnet CIDR
C.The interface attached to the default VPC
D.NIC0
AnswerD

Correct. NIC0 is the primary interface.

Why this answer

NIC0 is the primary interface; default routes and instance metadata are tied to it. Adding extra interfaces (NIC1, NIC2, etc.) is for specific networking scenarios like network appliances.

51
MCQmedium

An organization wants to restrict which Google APIs can be accessed by resources in a specific VPC. They also want to prevent data exfiltration to unauthorized projects. Which Google Cloud service should they use?

A.Cloud Armor
B.VPC Service Controls
C.Private Google Access
D.Firewall Rules
AnswerB

Correct. VPC Service Controls define service perimeters to control API access and data exfiltration.

Why this answer

VPC Service Controls create service perimeters that restrict API access and prevent data exfiltration based on projects and VPCs.

52
Multi-Selectmedium

An organization wants to publish a private service using Private Service Connect (PSC) so that consumers in other VPCs can access it via private IPs. Which TWO resources are required on the producer side? (Choose TWO.)

Select 2 answers
A.A Private Service Connect service attachment
B.A Cloud NAT gateway
C.A Private Service Connect endpoint
D.A Cloud Router
E.A regional internal load balancer
AnswersA, E

The service attachment exposes the service to consumers.

Why this answer

To publish a service via PSC, the producer creates a service attachment on a regional internal load balancer (ILB) and also configures a private service connection (or simply the service attachment). The service attachment is associated with the ILB's forwarding rule.

53
MCQhard

A company uses VPC Service Controls with a service perimeter that includes Project A. They want to allow an external identity from Project B (outside the perimeter) to access a Cloud Storage bucket in Project A, but only during business hours. Which VPC Service Controls feature should they use?

A.Access levels with time constraint and an ingress rule
B.Egress rules with IP whitelisting
C.Cloud Armor geoblocking
D.Private Google Access
AnswerA

Correct. Access levels can define time conditions, and ingress rules allow specified traffic from outside the perimeter.

Why this answer

VPC Service Controls use access levels (e.g., based on IP, time) and ingress rules to allow traffic from outside the perimeter. Ingress rules define which identities and resources can access perimeters.

54
MCQmedium

An organization has multiple VPCs in different projects that need to consume a common internal service hosted in a central project. The service runs on a set of Compute Engine instances with internal IPs. Which architecture allows the consumers to access the service using private IPs without VPC peering?

A.Create a Private Service Connect endpoint in each consumer VPC and publish the service as a Private Service Connect service from the central project.
B.Use Cloud VPN to connect each consumer VPC to the central VPC.
C.Expose the service through an external IP and use IAM to restrict access.
D.Set up VPC peering between each consumer VPC and the central VPC.
AnswerA

Private Service Connect is designed for this use case, providing private IP access without peering.

Why this answer

Private Service Connect allows you to publish internal services via Private Service Connect endpoints in consumer VPCs. Consumers access the service using internal IPs without needing VPC peering or VPNs. This is the recommended architecture for publishing and consuming internal services across projects.

55
Multi-Selectmedium

Which TWO of the following are valid ways to target firewall rules in Google Cloud? (Select 2)

Select 2 answers
A.Target by service account
B.Target by zone
C.Target by instance name
D.Target by machine type
E.Target by network tag
AnswersA, E

Service accounts allow identity-based targeting.

Why this answer

Firewall rules can target instances by network tags or by service accounts. Tags are key-value pairs, and service accounts provide identity-based targeting.

56
MCQhard

An engineer needs to configure Cloud Armor to block requests from a specific IP address (10.1.2.3) while allowing all other traffic. They create a security policy with a deny rule for that IP and an allow rule for all traffic. What priority should the deny rule have relative to the allow rule?

A.Both rules must have the same priority
B.The deny rule must have a lower priority number than the allow rule
C.Priority does not matter for deny rules
D.The deny rule must have a higher priority number than the allow rule
AnswerB

Correct. Lower priority number means higher precedence, so the deny rule is evaluated first.

Why this answer

In Cloud Armor, rules are evaluated from lowest to highest priority number (lower number = higher priority). The deny rule must have a lower priority number than the allow rule so that it is evaluated first and blocks the IP before the allow rule applies. Typically, the allow-all rule has the highest priority number (e.g., 2147483647), so it is evaluated last.

57
MCQeasy

An organization wants to prevent data exfiltration from a project that uses Google Cloud Storage and BigQuery. They need to restrict access to these services from only the authorized VPC networks. Which service should they use?

A.Cloud NAT
B.VPC Service Controls
C.Private Google Access
D.Cloud Armor
AnswerB

VPC Service Controls create perimeters to protect data.

Why this answer

VPC Service Controls allow creating a service perimeter around GCP services (like Cloud Storage and BigQuery) to restrict data access to only authorized VPCs and projects. This prevents data exfiltration.

58
MCQhard

A company has deployed a network appliance (e.g., firewall) as a Compute Engine instance with two NICs: NIC0 for management and NIC1 for data traffic. The appliance must forward traffic from instances in subnet A to subnet B. The engineer has enabled IP forwarding on the appliance. What additional configuration is required on the VPC for the appliance to route traffic between subnets?

A.Configure the appliance's guest OS to enable packet forwarding by setting net.ipv4.ip_forward=1.
B.Create a firewall rule allowing egress from the appliance to both subnets.
C.Attach the appliance to a Cloud Router and configure BGP sessions.
D.Create a route in the VPC with destination subnet B and next hop set to the appliance's internal IP address.
AnswerD

This custom route directs traffic to the appliance for forwarding.

Why this answer

For a Compute Engine instance to forward traffic between subnets, it must act as a router. The VPC needs a custom route that sends traffic destined for subnet B to the appliance's IP (or NIC) as the next hop. Without this route, the VPC's default routing will deliver traffic directly between subnets, bypassing the appliance.

Also, the appliance's NIC1 must be in the same VPC and the firewall rules must allow the traffic.

59
MCQmedium

A company wants to apply consistent firewall rules across all projects in an organization. They need to block all traffic to ports 22 and 3389 from the internet to any VMs in any project. Which approach is most scalable and maintainable?

A.Use a hierarchical firewall policy at the organization level with deny rules for ports 22 and 3389 from 0.0.0.0/0.
B.Configure OS-level firewall on each VM using startup scripts.
C.Use Cloud Armor security policies attached to load balancers.
D.Create a VPC firewall rule in each project's VPC.
AnswerA

Hierarchical policies apply to all projects under the org, ensuring consistency.

Why this answer

Hierarchical firewall policies allow you to define firewall rules at the organization or folder level that apply to all VPCs under that node. This ensures consistency and avoids duplication across projects. The policy is evaluated before VPC firewall rules.

60
Multi-Selectmedium

A company has a VPC with subnets in us-central1 and europe-west1. They need to allow Compute Engine instances in us-central1 (without external IPs) to access Google Cloud Storage buckets in the US multi-region. They also need to ensure the traffic does not traverse the public internet. Which TWO configurations are required? (Choose TWO.)

Select 2 answers
A.Use the private DNS zone for googleapis.com with the restricted.googleapis.com IP addresses
B.Configure a firewall rule allowing egress to 0.0.0.0/0
C.Ensure the instances have a service account with permissions to access Cloud Storage
D.Create a Cloud NAT gateway in us-central1
E.Enable Private Google Access on the subnet in us-central1
AnswersC, E

IAM permissions are required to access Cloud Storage; Private Google Access only provides connectivity.

Why this answer

Private Google Access allows instances without external IPs to reach Google APIs. It must be enabled on the subnet. Additionally, the DNS name for Google APIs must resolve to the private IP ranges (199.36.153.4/30 for restricted.googleapis.com) or use the default private Google access IPs.

For Cloud Storage, the restricted.googleapis.com VIP is used for Private Google Access if the project is in a VPC Service Controls perimeter; otherwise, the default private Google access IPs work. However, to ensure traffic does not go over the public internet, Private Google Access is sufficient as Google's internal network is used. The second required configuration is to enable Private Google Access on the subnet.

No additional DNS changes are needed if using the default DNS (the private Google access IPs are returned automatically).

61
Multi-Selecthard

A company has an HTTP Load Balancer that distributes traffic to a backend service consisting of Compute Engine instance groups. They need to block traffic from specific geographic regions and also rate-limit requests from any IP. Which THREE Cloud Armor features should they configure?

Select 3 answers
A.Cloud Armor logging
B.Rate limiting rules
C.Pre-configured WAF rules (e.g., OWASP Top 10)
D.Geo-based access control (geoblocking)
E.Custom rules with IP allow/deny
AnswersB, D, E

Limits the number of requests from a source IP to prevent abuse.

Why this answer

Cloud Armor security policies allow you to create rules with conditions. To block regions, use geoblocking by specifying source regions. To rate-limit, use rate limiting rules.

Custom rules can also be used to combine conditions. Pre-configured WAF rules (like XSS, SQLi) are for web application attacks, not region blocking or rate limiting.

62
MCQmedium

A company wants to provide outbound internet access to Compute Engine instances without external IPs, while minimizing IP address consumption. Which Cloud NAT feature should be used to achieve minimal static IP usage?

A.Dynamic port allocation
B.Using a single NAT IP for all VMs
C.Enabling Cloud NAT logging
D.Static port allocation
AnswerA

Correct. Dynamic allocation shares ports from a pool, minimizing the number of NAT IPs needed.

Why this answer

Cloud NAT supports dynamic port allocation, which uses ephemeral IP addresses from the NAT IP pool. Static port allocation reserves ports per VM and may require more IPs. The question asks to minimize IP consumption, so using dynamic allocation with a small number of NAT IPs is optimal.

63
MCQmedium

A network engineer needs to create a firewall rule that denies all inbound traffic to instances with the tag 'web-server' from source IP range 10.0.0.0/8. They also have an existing allow rule with priority 1000 that permits traffic from 10.0.0.0/8 to those instances. To ensure the deny rule takes precedence, what priority should the new rule have?

A.1000
B.0
C.500
D.2000
AnswerC

500 is lower than 1000, so the deny rule takes precedence.

Why this answer

In GCP firewall rules, lower priority numbers have higher precedence. To override an allow rule with priority 1000, the deny rule must have a priority lower than 1000.

64
Multi-Selecteasy

An engineer needs to deploy a VM that acts as an internet gateway for other instances in the same VPC. The VM must have IP forwarding enabled and must be able to accept traffic on multiple NICs. Which TWO actions are required? (Choose 2)

Select 2 answers
A.Disable the VM's source/destination check.
B.Create firewall rules to allow traffic to the VM's NICs.
C.Enable IP forwarding on the VM instance.
D.Create a Cloud NAT gateway.
E.Assign an external IP to each NIC.
AnswersB, C

Must allow ingress traffic to be forwarded.

Why this answer

To use a VM as a gateway, IP forwarding must be enabled on the VM. Additionally, firewall rules must allow ingress traffic to the VM's NICs that will forward traffic. The VM itself must have routes pointing to it as next hop.

65
MCQmedium

An organization wants to consume a third-party SaaS service via a private endpoint in their VPC, using Private Service Connect. Which type of Private Service Connect endpoint should they create?

A.PSC producer endpoint
B.PSC consumer endpoint (forwarding rule)
C.Cloud VPN tunnel
D.VPC peering connection
AnswerB

Consumers create a forwarding rule targeting the service attachment to access the service privately via an internal IP.

Why this answer

Private Service Connect allows consumers to create endpoints in their VPC to access managed services. For accessing a third-party service published via PSC, the consumer creates a PSC endpoint (also known as a PSC forwarding rule) that targets the service attachment of the publisher.

66
Multi-Selecteasy

A company wants to protect its HTTP(S) Load Balancer from layer 7 attacks, including SQL injection and cross-site scripting (XSS). Which TWO Google Cloud services or features should be used together? (Choose TWO.)

Select 2 answers
B.Cloud CDN
C.VPC Service Controls
D.Cloud Armor
E.Identity-Aware Proxy (IAP)
AnswersA, D

Cloud Armor policies are attached to the backend service of an HTTPS Load Balancer.

Why this answer

Cloud Armor security policies provide WAF capabilities with preconfigured rules to block SQLi and XSS. These policies are attached to the backend service of the HTTPS Load Balancer.

67
Multi-Selectmedium

A company runs a web application on Compute Engine instances without external IPs. They need to ensure the instances can access Google APIs (e.g., Cloud Storage) and also provide outbound internet access for software updates. Which two features should be configured? (Choose two.)

Select 2 answers
A.VPC Service Controls
B.Private Service Connect
C.Cloud NAT
D.Cloud VPN
E.Private Google Access
AnswersC, E

Provides outbound internet access.

Why this answer

Private Google Access enables access to Google APIs without external IPs. Cloud NAT provides outbound internet access for instances without external IPs.

68
Multi-Selectmedium

A company wants to allow access to a Cloud Storage bucket only from Compute Engine instances that have a specific service account and are within a specific VPC. They also want to prevent access from other networks. Which TWO services or features should they use together?

Select 2 answers
A.Hierarchical firewall policy
B.Cloud Armor
C.IAM conditions on the bucket
D.VPC Service Controls
E.Cloud NAT
AnswersC, D

Allows you to conditionally grant access based on the caller's service account.

Why this answer

VPC Service Controls can restrict access to Google APIs to only specified VPCs and projects, creating a service perimeter. IAM conditions can further restrict access based on the caller's service account. This combination ensures that only instances with the correct service account in the correct VPC can access the bucket.

69
Multi-Selectmedium

A company wants to restrict access to Google Cloud Storage from a specific VPC only, using VPC Service Controls. Which TWO components are required to create a service perimeter? (Choose two.)

Select 2 answers
A.A VPC accessible service configuration
B.A VPC network with Private Google Access enabled
C.An access level
D.A list of allowed APIs (restricted services)
E.A set of projects to protect
AnswersA, E

This configuration specifies which VPCs (and their subnets) are allowed to access the protected APIs. It is a key part of the perimeter.

Why this answer

A service perimeter is defined by a set of projects (the protected projects) and a set of VPCs (via VPC accessible services) that are allowed to access the protected APIs. Also, access levels can be used but are optional.

70
MCQeasy

What is the internal DNS name format for a Compute Engine instance named 'web-server' in zone 'us-central1-a' within project 'my-project'?

A.web-server.us-central1-a.my-project.internal
B.web-server.my-project.c.us-central1-a.internal
C.web-server.internal
D.web-server.us-central1-a.c.my-project.internal
AnswerD

This is the correct format.

Why this answer

GCP internal DNS uses the format vm-name.zone.c.project-id.internal. For the given example, it is web-server.us-central1-a.c.my-project.internal.

71
MCQeasy

A company wants to ensure that Compute Engine instances in a VPC can resolve internal DNS names like 'instance1.us-central1-a.c.myproject.internal'. What is required for this to work?

A.Assign a custom DNS server to the VPC using Cloud DNS inbound server policy.
B.Configure a DNS managed zone in Cloud DNS.
C.No additional configuration is required; internal DNS resolution works by default.
D.Enable Private Google Access on the subnet.
AnswerC

Google Cloud automatically provides internal DNS for instances in the same VPC.

Why this answer

Google Cloud provides internal DNS resolution for instances within the same VPC network. By default, instances can resolve DNS names for other instances in the same VPC if they are in the same network. There is no additional setup needed; it works out of the box.

The DNS name format is [vm-name].[zone].c.[project-id].internal.

72
MCQhard

An organization needs to protect a web application behind an HTTPS Load Balancer from SQL injection attacks. They want to use a managed WAF solution. Which Google Cloud service should they configure?

A.Cloud Armor
B.VPC Service Controls
C.Cloud Firewall Rules
D.Cloud CDN
AnswerA

Cloud Armor includes WAF rules, including preconfigured SQLi protection.

Why this answer

Cloud Armor provides WAF capabilities including preconfigured rules for SQL injection (OWASP) and custom rules.

73
MCQmedium

You need to configure firewall rules to allow HTTP (TCP 80) traffic from the internet to instances in a VPC. The instances are in different subnets and have a network tag 'web-server'. You want to minimize the number of rules. Which rule configuration is correct?

A.Create an ingress rule with source 0.0.0.0/0, protocol tcp:0-65535, and target tags 'web-server'.
B.Create an egress rule with source 0.0.0.0/0, tcp:80, and target tags 'web-server'.
C.Create an ingress rule with source 0.0.0.0/0, tcp:80, and target tags 'web-server'.
D.Create an ingress rule for each subnet with source 0.0.0.0/0, tcp:80, and target tags 'web-server'.
AnswerC

This single ingress rule allows HTTP from any source to instances tagged 'web-server'.

Why this answer

Firewall rules are global, so one ingress rule can apply to all instances with the tag 'web-server' regardless of subnet. The direction must be ingress, source 0.0.0.0/0, protocol tcp:80, and target tags 'web-server'.

74
MCQhard

A network engineer configured a hierarchical firewall policy at the organization level with a priority 100 rule that denies all ingress traffic. At the folder level, a policy with priority 110 allows ingress from a specific IP range. At the VPC level, a network firewall policy with priority 90 allows ingress from a different IP range. Which traffic will be allowed?

A.Traffic matching either the folder-level or VPC-level allow rules
B.Only traffic matching the folder-level allow rule
C.Only traffic matching the VPC-level allow rule
D.No traffic is allowed because the org-level deny is evaluated last
AnswerC

The VPC-level policy has priority 90, which is lower than the org-level deny (100), so it overrides the deny and allows matching traffic.

Why this answer

Hierarchical firewall policies are evaluated in order of priority (lower number = higher priority) and then network firewall policies. The org-level rule with priority 100 denies all ingress. The folder-level rule with priority 110 allows specific IPs, but since the org rule has higher priority, it overrides the folder rule.

The VPC-level network firewall policy is evaluated after hierarchical policies and has priority 90, which is lower than 100, so it would override the org rule. However, hierarchical policies are evaluated before network firewall policies only if they have higher priority. Here, the VPC policy has priority 90, which is lower than 100, so it takes precedence over the org-level deny.

Thus, traffic matching the VPC policy's allowed IP range is allowed.

75
MCQmedium

A company wants to protect its external HTTPS load balancer from SQL injection and cross-site scripting attacks. Which Google Cloud service should they use?

A.VPC Service Controls
B.Cloud Firewall
C.Cloud IDS
D.Cloud Armor
AnswerD

Cloud Armor provides WAF with preconfigured rules for SQLi and XSS.

Why this answer

Cloud Armor provides WAF capabilities including preconfigured rules for OWASP Top 10 threats like SQLi and XSS, and can be attached to HTTPS load balancers.
