This allows incoming HTTP/HTTPS traffic from any source.
75 of 100 questions · Page 1/2 · PCNE Implementing VPC topic · Answers revealed
A company wants to publish an internal service (e.g., a database) in their VPC so that consumers in other VPCs can connect to it privately via Private Service Connect (PSC). What must be created on the producer side?
The Service Attachment defines the service to be consumed via PSC.
Why this answer
Private Service Connect allows producers to publish services via a Service Attachment. The service attachment is created on a Network Endpoint Group (NEG) that points to the internal service (e.g., a backend service). Consumers then create PSC endpoints to connect.
An engineer needs to configure DNS resolution for a Compute Engine instance named "web-1" in zone us-central1-a of project my-project. What is the internal DNS name for this instance?
Correct format.
Why this answer
GCP internal DNS uses the format: [instance name].[zone].c.[project id].internal
Cloud NAT provides outbound internet access for VMs without external IPs. Using a static NAT IP preserves the source IP and provides a consistent IP for whitelisting.
A security team needs to block traffic from a specific geographic region (country) from reaching their HTTP Load Balancer. Additionally, they need to allow traffic from specific IP ranges that are known to be legitimate, even if they originate from that blocked region. Which THREE steps should they take? (Choose THREE.)
Cloud Armor policies are applied to backend services.
Why this answer
Cloud Armor allows you to create security policies with rules. Geo-blocking can be implemented by denying traffic based on geographic origin. To allow specific IP ranges from the blocked region, you need a rule with higher priority that allows those IPs before the deny rule.
Attach the policy to the backend service of the HTTPS Load Balancer.
An organization has two VPCs in the same project: VPC-A and VPC-B. They want instances in VPC-A to reach Cloud Storage buckets without external IPs. What is the simplest solution?
Private Google Access allows instances to reach Google APIs using internal IPs.
Why this answer
Private Google Access enables instances without external IPs to reach Google API endpoints (including Cloud Storage) via the private IP range. The feature is enabled per subnet, so enabling it on subnets in VPC-A allows those instances to access Cloud Storage.
A company wants to protect its HTTPS Load Balancer from DDoS attacks and common web application attacks like SQL injection and cross-site scripting (XSS). Which Google Cloud service should be used?
Correct. Cloud Armor provides WAF and DDoS protection for HTTPS Load Balancers.
Why this answer
Cloud Armor provides DDoS protection and WAF capabilities including preconfigured rules for OWASP, XSS, and SQLi. It attaches to HTTPS Load Balancers.
The allow rule has higher priority (lower number) than the deny rule, so it takes precedence for matching targets. This allows per-project exceptions within the same hierarchical policy.
Why this answer
Hierarchical firewall policies can be applied at the organization or folder level and have priority over VPC-level rules. By setting a low-priority allow rule at the project level, you can override a higher-priority deny rule if the policy allows overrides. However, hierarchical firewall policies have a higher precedence than network firewall rules; a deny at the org level cannot be overridden by a lower-precedence allow at the VPC level.
The correct approach is to use a hierarchical firewall policy with a deny rule at high priority (e.g., 100) and allow exceptions at lower priority (e.g., 1000) for specific projects via tags or service accounts. But be careful: if you set a deny rule with priority 100 at the org level and an allow rule with priority 200 at the project level, the deny takes precedence because it has higher priority (lower number). To allow exceptions, you need to set the allow rule at a priority that is evaluated before the deny (a lower number).
So you need to allow at a lower number (e.g., 10) and deny at a higher number (e.g., 1000). But that would allow all. The correct architecture is to use hierarchical firewall policies with both rules: allow SSH for specific targets at priority 1000, and deny SSH for all at priority 2000.
The allow rule with the lower number takes precedence for matching targets. To restate the evaluation order: a lower priority number means higher priority. So if you want to allow some and deny others, you need to set allow rules with higher priority (lower number) than deny rules.
So you can have a hierarchical firewall policy with an allow rule for specific tags (e.g., 'allowed-ssh') at priority 1000, and a deny rule for all at priority 2000. Then, in projects that need SSH, you apply the tag to instances. But the question says 'must allow certain projects to override this'.
The best way is to use a network firewall policy (VPC-level) that can be applied per VPC, allowing override at the project level. However, hierarchical firewall policies are evaluated before network firewall rules. To override, you would need to use a hierarchical policy with higher priority to allow.
The simplest answer is to use a network firewall policy at the VPC level and an organization policy that grants exception. But given options, the correct one likely involves using a network firewall policy with appropriate priority. Let's analyze: Option A: Create a hierarchical firewall policy at the organization level with a deny rule for SSH.
Then create a network firewall policy at the VPC level with an allow rule for SSH. However, hierarchical firewall policies are evaluated before network firewall policies, and the deny would block SSH even if network firewall allows. So that doesn't work.
Option B: Create a network firewall policy with a deny rule for SSH and use service accounts to allow exceptions. But that doesn't apply across projects. Option C: Use a hierarchical firewall policy with both allow and deny rules, setting allow at a higher priority (lower number) for specific projects.
This allows override. Option D: Use VPC Service Controls to block SSH. This is not relevant.
So the answer is likely C.
An engineer needs to provide outbound internet access to Compute Engine instances that do not have external IP addresses. The solution must allow instances to access a specific set of external IPs only. What should the engineer configure?
Cloud NAT provides outbound connectivity for instances without external IPs, and firewall rules can restrict traffic to specific destinations.
Why this answer
Cloud NAT with firewall rules can restrict outbound traffic to specific destinations. By default, Cloud NAT uses the instance's network tags and firewall egress rules to control traffic. The engineer can create an egress deny rule with higher priority for all destinations, then an egress allow rule for the specific IPs.
An engineer is troubleshooting connectivity from a Compute Engine instance (internal IP: 10.0.0.2) to an on-premises server (IP: 203.0.113.5) over a Cloud VPN tunnel. The traffic reaches the on-premises network, but the return traffic is dropped. What is the most likely cause?
Return traffic may take a different path, which GCP drops because it doesn't match the expected ingress interface.
Why this answer
For asymmetric routing, GCP may drop return traffic if it does not match the forwarding route. Cloud VPN supports dynamic routing (BGP) which advertises the on-premises prefix. However, if the on-premises router forwards return traffic through a different path (e.g., internet), GCP's firewall drops it because the return packet does not come via the VPN tunnel (asymmetric).
An engineer needs to configure Cloud NAT with logging enabled to monitor traffic from a specific subnet. The NAT gateway uses automatic NAT IP allocation. The engineer wants to ensure that if a single VM uses many connections, it does not exhaust the available ports for other VMs. Which THREE settings should be configured? (Choose THREE.)
This guarantees each VM gets a minimum number of ports.
Why this answer
To prevent port exhaustion, the engineer should enable manual port allocation to set limits, configure endpoint-independent mapping for UDP (not directly related to port exhaustion), and set a minimum ports per VM to guarantee each VM gets a baseline. Manual allocation allows setting a maximum number of ports per VM, which prevents a single VM from using all ports.
A Compute Engine instance is running a network appliance that requires multiple network interfaces. What is the primary purpose of attaching additional NICs (e.g., NIC1, NIC2) to the instance?
Multiple NICs allow an instance to be on different VPC networks or subnets for traffic isolation.
Why this answer
Multiple NICs are used to separate traffic planes such as management, data, and control, and to route traffic through different subnets without relying on internal routing.
A company wants to allow instances in a VPC without external IPs to access Google APIs like BigQuery and Cloud Storage. Which configuration is required?
Private Google Access is a subnet-level setting that allows instances without external IPs to reach Google APIs via internal IP addresses.
Why this answer
Private Google Access enables instances without external IPs to reach Google APIs via internal IP addresses using the private.googleapis.com (199.36.153.8/30) or restricted.googleapis.com (199.36.153.4/30) VIPs. It must be enabled per subnet.
Your VPC has instances with internal DNS names like 'instance1.us-central1-a.c.myproject.internal'. You need to ensure that DNS resolution works for instances in the same zone using short names (e.g., 'instance1'). Which condition must be met?
Internal DNS resolves short names only for instances in the same zone and network.
Why this answer
Google Cloud internal DNS automatically resolves short names for instances within the same zone and network. The instance must be in the same zone and VPC network. No additional configuration is needed as long as instances are in the same zone.
A company wants to restrict which Google Cloud APIs can be accessed by its VMs in a specific project. They also want to prevent data exfiltration. Which service should they use?
VPC Service Controls enforce perimeters around APIs to prevent data exfiltration.
Why this answer
VPC Service Controls allow you to create service perimeters that restrict access to Google Cloud APIs and prevent data exfiltration.
Cloud NAT is per VPC and per region. It cannot be shared across VPCs, even with peering.
Which statement about Cloud Armor security policies is true?
Rules can allow or deny traffic based on conditions.
Why this answer
Cloud Armor security policies can be attached to HTTPS Load Balancers. They support rules with conditions like IP addresses, geographic regions, and preconfigured WAF rules. They also support rate limiting.
An organization needs to deploy a multi-tier web application on Compute Engine. The web tier must be accessible from the internet, while the database tier must only be accessible from the web tier. The security team requires a defense-in-depth approach. Which THREE measures should be implemented? (Choose three.)
This restricts database access to only the web tier.
What is the default MTU for Compute Engine virtual machines?
The default MTU is 1460 bytes to accommodate the GCP network virtualization overhead.
Why this answer
Compute Engine instances use an MTU of 1460 bytes by default (the Ethernet maximum 1500 minus the IP/GRE overhead for tunneling). Some instance types support jumbo frames (MTU 8896).
A company wants to publish a service running on Compute Engine instances in their VPC so that consumers in other VPCs can access it via private IPs without needing VPC peering. Which service should they use?
PSC enables publishing services accessible via private endpoints across VPCs.
Why this answer
Private Service Connect allows a producer to publish a service via a private endpoint that consumers can access from their own VPCs without peering.
A network engineer wants to restrict access to a Cloud Storage bucket from only a specific set of Compute Engine instances in a VPC. The instances have no external IPs. What is the most effective way to enforce this restriction?
VPC Service Controls provide a security perimeter around Google APIs, restricting access from unauthorized networks.
Why this answer
Using Private Google Access with Private Service Connect allows instances to reach Google APIs via internal IPs. By using VPC Service Controls, you can create a service perimeter that restricts access to the Cloud Storage bucket from the specific VPC and projects. This provides a defense-in-depth approach.
Correct. This applies the rule to instances with tag web-server, allowing TCP 80 from any source.
Why this answer
To target instances by tag, use --target-tags. For source, --source-ranges (any source: 0.0.0.0/0). For protocol/port, --allow tcp:80.
Network is specified with --network. Direction is implied by 'ingress'.
An engineer needs to configure a Compute Engine instance as a network appliance that routes traffic between two subnets within the same VPC. The instance must handle traffic for both subnets. Which TWO actions are required? (Choose TWO.)
IP forwarding allows the instance to forward packets between interfaces.
Why this answer
To act as a router between subnets, the instance needs two network interfaces, each attached to a different subnet, and IP forwarding must be enabled so the kernel can forward packets between interfaces.
Service accounts are also a valid target.
Why this answer
Firewall rules can target instances using tags or service accounts. The health checker IP ranges are well-known and can be used as source.
Why this answer
Cloud NAT uses NAT IP addresses and ports. To increase capacity for connections to a single destination IP, you can either allocate more NAT IP addresses (which increases the number of ports) or use dynamic port allocation. Static port allocation is used for endpoints that require predictable source ports.
For minimizing exhaustion, adding more NAT IPs is the direct solution.
An engineer is configuring a Google Compute Engine instance that needs to send traffic to the internet. The instance has no external IP address. Which service must be configured to allow this outbound connectivity?
Cloud NAT enables outbound internet access for private instances.
What is the internal DNS name format for a Compute Engine instance named 'web-server' in the 'us-central1-a' zone within the project 'my-project'?
This is the correct format: instance name, zone, 'c', project ID, 'internal'.
Why this answer
Compute Engine instances get an internal DNS name in the format: [instance_name].[zone].c.[project_id].internal. For example, web-server.us-central1-a.c.my-project.internal.
An engineer is troubleshooting a firewall rule issue. A VM with network tag 'web' is unable to receive HTTP traffic from the internet. The VPC has an ingress firewall rule allowing tcp:80 from 0.0.0.0/0 to targets with tag 'web' at priority 1000. Another ingress rule denies all ingress traffic at priority 65535. What is the likely cause?
Firewall rules with target tags apply only to instances with those tags. If the VM lacks the 'web' tag, the allow rule does not apply, and the implied deny blocks traffic.
Why this answer
A lower priority number means higher priority. The allow rule at priority 1000 should allow HTTP. However, if there is a default deny ingress rule (priority 65535) that denies all, the allow rule should override it.
But if there is a higher priority deny rule (lower number) that blocks HTTP, that would cause the issue. The scenario likely includes a hidden deny rule or misconfiguration. The most common cause is that the allow rule has a lower priority than a deny rule that matches.
But the given allow rule has priority 1000, which is a higher priority than 65535. So it should work. Maybe the firewall rule is not applied because the target tag is not assigned? Or the rule is in the wrong VPC.
The question is tricky. Possibly the issue is that the default deny ingress rule has priority 65535 and is overridden, but the rule might be an implied deny? Actually, VPCs have an implied deny ingress rule at priority 65535. That should be overridden by the allow rule.
So if it's not working, the cause could be that the allow rule has a lower priority than the deny rule? No. Maybe there is a hierarchical firewall policy denying. But the scenario doesn't mention that.
The best answer: The target tag 'web' is not applied to the VM. But that's not a firewall rule issue per se. The possible correct answer: The firewall rule's source IP range is incorrect.
But it's 0.0.0.0/0. I'll go with: The VM does not have the network tag 'web' assigned. However, options might include that.
Let's construct options: A) The firewall rule is egress instead of ingress; B) The VM does not have the network tag 'web'; C) The priority is too low; D) There is a conflicting route. The correct one: B.
An engineer has configured a firewall rule with priority 1000 that allows ingress traffic on TCP port 443 from source IP range 10.0.0.0/8. Another rule with priority 500 denies ingress on TCP port 443 from source IP 10.0.1.0/24. What will happen to traffic from 10.0.1.5 destined to the instance on port 443?
Correct. The deny rule (priority 500) has higher priority than the allow rule (priority 1000).
Why this answer
Firewall rules are evaluated by priority (lower number = higher priority). Rule with priority 500 (deny) takes precedence over priority 1000 (allow). So traffic from 10.0.1.5 is denied.
Priority 100 is higher (lower number) than 200, so allow overrides deny.
Why this answer
Hierarchical firewall rules have priorities; higher priority (lower number) wins. To override a deny-all, the allow rule must have a lower priority number than the deny rule. The organization policy can have a lower priority than the folder policy, but the folder's deny-all would block.
The organization's allow rule must have higher priority (lower number) than the folder's deny rule.
A network engineer needs to ensure that Compute Engine instances without external IP addresses can access Google APIs such as BigQuery and Cloud Storage. Which feature should be enabled on the subnet where the instances reside?
Correct. Private Google Access enables instances without external IPs to reach Google APIs through internal IPs.
Why this answer
Private Google Access allows instances without external IPs to reach Google APIs using private IP addresses. It is enabled per subnet.
A company has deployed a Cloud Armor security policy with the following rules: Rule 1: allow from IP range 10.0.0.0/8 (priority 1000); Rule 2: deny from all (priority 2000). What will be the action for traffic from IP 10.1.1.1?
The allow rule with higher priority (1000) matches first, so traffic is allowed.
Why this answer
Cloud Armor evaluates rules in priority order (lower number = higher priority). Rule 1 matches and allows the traffic, so Rule 2 is not evaluated.
An organization needs to prevent exfiltration of data from a Cloud Storage bucket to external IPs. The bucket is accessed by Compute Engine instances in a VPC. The instances need to read and write data to the bucket but should not be able to copy data to external networks. Which combination of controls meets this requirement?
This prevents data from leaving the perimeter, including copying to external networks.
Why this answer
VPC Service Controls create a service perimeter that restricts data movement between Google services and external networks. Within the perimeter, data can flow between authorized services. IAM conditions can further restrict access based on context.
This is the primary method to prevent data exfiltration from Google Cloud-managed services.
A company wants to publish a custom internal service running in their VPC so that consumers in other VPCs can access it using private IP addresses. Which service should they use?
Correct. Private Service Connect enables publishing and consuming services privately.
Why this answer
Private Service Connect allows publishing internal services via private endpoints in your VPC and enabling consumption from other VPCs using private IPs.
A company wants to restrict access to Google Cloud APIs from a specific VPC network so that only the Google APIs listed in the VPC Service Controls perimeter can be accessed. Which configuration should be used?
VPC Service Controls perimeters can include VPC accessible services to restrict access to specific Google APIs from a VPC network.
Why this answer
VPC Service Controls allow you to define perimeters around Google Cloud resources, restricting access to Google APIs based on the perimeter's configuration. VPC accessible services is a feature within VPC Service Controls that limits access to only the APIs listed in the perimeter.
Correct. Allows traffic from any source (internet).
Why this answer
To target instances based on service account, use --target-service-accounts. To specify the source from internet, use --source-ranges with 0.0.0.0/0.
What is the default MTU for Compute Engine instances on Google Cloud?
GCP uses 1460 as default MTU.
Why this answer
The default MTU for Google Cloud VMs is 1460 bytes to accommodate encapsulation overhead.
A company has a VPC with a subnet in us-central1. They launched a Compute Engine instance named "app-server" in that subnet without an external IP. They need the instance to be able to download updates from the internet. Which two steps must be taken?
Cloud NAT requires a Cloud Router in the same region to provide outbound connectivity.
Why this answer
The instance needs outbound internet access via Cloud NAT, which requires a Cloud Router in the region.
This allows traffic to be forwarded to the appliance for inspection.
Why this answer
Each NIC in a multi-NIC VM is assigned to a different subnet. By default, the VM only sends traffic out of the NIC that matches the destination subnet's route. To route traffic through a specific NIC, custom routes with next hop set to the VM's IP on that NIC are required.
A company uses Cloud NAT with a static NAT IP address. They notice that connections from their instances are failing after a few minutes. What is the most likely cause?
With many connections, ports can be exhausted, causing failures.
Why this answer
Cloud NAT by default uses dynamic port allocation and releases ports after a timeout. With static NAT IP, if port exhaustion occurs or if the connection idle timeout is too low, connections may drop.
An organization has multiple VPCs in the same project. They want to apply consistent firewall rules to all VPCs at the project level. What is the most efficient way to achieve this?
Correct. Hierarchical policies can be applied at the project level and apply to all VPCs within the project.
Why this answer
Hierarchical firewall policies can be applied at the organization, folder, or project level and apply to all VPCs in the resource hierarchy. VPC-level firewall rules are per VPC and require duplication.
Multiple NICs allow separation of management and data traffic. The management NIC can be used for SSH/API access, while data NICs handle forwarded traffic.
Why this answer
Network appliances often use multiple NICs for traffic segregation: one for management, others for data traffic. Each NIC can be in a different subnet. NIC0 is the primary and must be connected.
Up to 8 NICs are supported.
A company uses Cloud NAT for outbound internet access. They want to ensure that all connections from their VMs use a predictable public IP address for whitelisting with third-party services. Which TWO configurations should be applied? (Choose two.)
Logging helps audit that traffic is using the intended IPs, but does not guarantee predictability; however, it is often required for compliance.
Why this answer
Cloud NAT supports static NAT IP addresses that can be reserved and assigned to the NAT gateway. Also, if you assign multiple static IPs, you can use NAT IP address ranges. To ensure all traffic uses a specific IP, you can use a single static IP or a range.
Additionally, you can configure logging to monitor usage.
A security team wants to block traffic from specific geographic regions (e.g., Country A) to their HTTP(S) load balancer. Which Google Cloud service should they use?
Cloud Armor provides geo-based access control using geographic location (GeoIP) matching.
Why this answer
Cloud Armor security policies can be attached to HTTP(S) load balancers. They support geo-based access control (allow/deny by country) using preconfigured or custom rules.
Which THREE of the following are benefits of using hierarchical firewall policies? (Select 3)
Hierarchical policies can be attached at any level in the hierarchy.
Why this answer
Hierarchical firewall policies provide centralized management, inherit down the resource hierarchy, and can apply at the organization level. They support both allow and deny rules, and can be used to enforce baseline security.
An organization wants to publish an internal web service running on Compute Engine to consumers in different VPCs. The service must be accessible via private IPs without VPC peering. Which THREE components are required to set this up using Private Service Connect?
The service attachment is the published service endpoint.
Why this answer
Private Service Connect requires a service producer to create a service attachment (which uses a load balancer as the backend), and consumers to create Private Service Connect endpoints. The producer must also enable Private Service Connect on the subnet where the load balancer resides.
An organization has multiple projects and wants to apply a consistent set of firewall rules across all VPC networks in the organization. Which approach should they use?
Hierarchical policies can be applied to the organization, folder, or project for consistent enforcement.
Why this answer
Hierarchical firewall policies can be applied at the organization level and are inherited by all folders and projects, ensuring consistent rules across the entire hierarchy.
A Compute Engine instance has multiple network interfaces. Which interface is considered the primary (NIC0)?
nic0 is the primary interface.
Why this answer
By default, the first interface attached (nic0) is the primary interface and used for default routes and internal DNS.
512 ports can handle 500 concurrent connections with margin.
Why this answer
Cloud NAT uses ports for source NAT. A single connection uses one port. To support 500 concurrent connections, you need at least 500 ports.
However, Cloud NAT allows port sharing for the same destination IP and port, but static port allocation per VM typically reserves ports exclusively. To be safe, allocate at least 500 ports.
An engineer is configuring a Compute Engine instance with multiple network interfaces for use as a network appliance. Which interface is considered the primary interface for default routes and instance metadata?
Correct. NIC0 is the primary interface.
Why this answer
NIC0 is the primary interface; default routes and instance metadata are tied to it. Adding extra interfaces (NIC1, NIC2, etc.) is for specific networking scenarios like network appliances.
An organization wants to restrict which Google APIs can be accessed by resources in a specific VPC. They also want to prevent data exfiltration to unauthorized projects. Which Google Cloud service should they use?
Correct. VPC Service Controls define service perimeters to control API access and data exfiltration.
Why this answer
VPC Service Controls create service perimeters that restrict API access and prevent data exfiltration based on projects and VPCs.
An organization wants to publish a private service using Private Service Connect (PSC) so that consumers in other VPCs can access it via private IPs. Which TWO resources are required on the producer side? (Choose TWO.)
The service attachment exposes the service to consumers.
Why this answer
To publish a service via PSC, the producer creates a service attachment on a regional internal load balancer (ILB) and also configures a private service connection (or simply the service attachment). The service attachment is associated with the ILB's forwarding rule.
A company uses VPC Service Controls with a service perimeter that includes Project A. They want to allow an external identity from Project B (outside the perimeter) to access a Cloud Storage bucket in Project A, but only during business hours. Which VPC Service Controls feature should they use?
Correct. Access levels can define time conditions, and ingress rules allow specified traffic from outside the perimeter.
Why this answer
VPC Service Controls use access levels (e.g., based on IP, time) and ingress rules to allow traffic from outside the perimeter. Ingress rules define which identities and resources can access perimeters.
An organization has multiple VPCs in different projects that need to consume a common internal service hosted in a central project. The service runs on a set of Compute Engine instances with internal IPs. Which architecture allows the consumers to access the service using private IPs without VPC peering?
Private Service Connect is designed for this use case, providing private IP access without peering.
Why this answer
Private Service Connect allows you to publish internal services via Private Service Connect endpoints in consumer VPCs. Consumers access the service using internal IPs without needing VPC peering or VPNs. This is the recommended architecture for publishing and consuming internal services across projects.
Which TWO of the following are valid ways to target firewall rules in Google Cloud? (Select 2)
Service accounts allow identity-based targeting.
Why this answer
Firewall rules can target instances by network tags or by service accounts. Tags are key-value pairs, and service accounts provide identity-based targeting.
An engineer needs to configure Cloud Armor to block requests from a specific IP address (10.1.2.3) while allowing all other traffic. They create a security policy with a deny rule for that IP and an allow rule for all traffic. What priority should the deny rule have relative to the allow rule?
Correct. Lower priority number means higher precedence, so the deny rule is evaluated first.
Why this answer
In Cloud Armor, rules are evaluated from lowest to highest priority number (lower number = higher priority). The deny rule must have a lower priority number than the allow rule to be evaluated first and block the IP before the allow rule applies. Typically, the allow-all rule has the highest priority number (e.g., 2147483647), so it is evaluated last.
An organization wants to prevent data exfiltration from a project that uses Google Cloud Storage and BigQuery. They need to restrict access to these services from only the authorized VPC networks. Which service should they use?
VPC Service Controls create perimeters to protect data.
Why this answer
VPC Service Controls allow creating a service perimeter around GCP services (like Cloud Storage and BigQuery) to restrict data access to only authorized VPCs and projects. This prevents data exfiltration.
A company has deployed a network appliance (e.g., firewall) as a Compute Engine instance with two NICs: NIC0 for management and NIC1 for data traffic. The appliance must forward traffic from instances in subnet A to subnet B. The engineer has enabled IP forwarding on the appliance. What additional configuration is required on the VPC for the appliance to route traffic between subnets?
This custom route directs traffic to the appliance for forwarding.
Why this answer
For a Compute Engine instance to forward traffic between subnets it must act as a router. IP forwarding (canIpForward) lets the instance send and receive packets whose addresses are not its own, but nothing sends traffic to it yet. The VPC needs a custom static route whose destination is subnet B and whose next hop is the appliance (next-hop instance or the internal address of NIC1). Without this route, the VPC's subnet routes deliver traffic directly between subnets, bypassing the appliance.
The appliance's NIC1 must be in the VPC network where the route is created, and firewall rules must allow the forwarded traffic to reach the appliance (ingress) and to leave it (egress). One caveat: Google Cloud does not accept a custom static route whose destination is the same as or more specific than a subnet route of the same VPC network, so if subnet A and subnet B are in one VPC the static route cannot override the subnet route. In practice the two subnets are placed in different VPC networks, one per appliance NIC, or a policy-based route is used to steer the traffic to the appliance.
A company wants to apply consistent firewall rules across all projects in an organization. They need to block all traffic to ports 22 and 3389 from the internet to any VMs in any project. Which approach is most scalable and maintainable?
Hierarchical policies apply to all projects under the org, ensuring consistency.
Why this answer
Hierarchical firewall policies allow you to define firewall rules at the organization or folder level that apply to all VPC networks under that node. This ensures consistency and avoids duplicating the same rule in every project. Hierarchical policies are evaluated before the VPC's own firewall rules and network firewall policies, so a deny at the organization level cannot be undone by a project-level allow.
A company has a VPC with subnets in us-central1 and europe-west1. They need to allow Compute Engine instances in us-central1 (without external IPs) to access Google Cloud Storage buckets in the US multi-region. They also need to ensure the traffic does not traverse the public internet. Which TWO configurations are required? (Choose TWO.)
IAM permissions are required to access Cloud Storage; Private Google Access only provides connectivity.
Why this answer
Two things are required. First, Private Google Access must be enabled on the us-central1 subnet; it lets instances without external IP addresses reach Google APIs and services. Second, the instances' service account needs IAM permissions on the bucket, because Private Google Access provides only connectivity.
No DNS change is needed with the default configuration: the googleapis.com names resolve to public Google addresses, but traffic from a Private Google Access subnet to those addresses stays on Google's network and never traverses the public internet (the subnet only needs a route to the default internet gateway, which the default route provides).
The restricted VIP, restricted.googleapis.com (199.36.153.4/30), is an option for projects inside a VPC Service Controls perimeter, and private.googleapis.com (199.36.153.8/30) is the general-purpose private VIP. Both require a Cloud DNS private zone and a custom route, so neither is part of the simplest answer here.
A company has an HTTP Load Balancer that distributes traffic to a backend service consisting of Compute Engine instance groups. They need to block traffic from specific geographic regions and also rate-limit requests from any IP. Which THREE Cloud Armor features should they configure?
Limits the number of requests from a source IP to prevent abuse.
Why this answer
Cloud Armor security policies are made of rules, each with a match condition and an action. Geo-blocking is a rule whose match tests the request's origin region code (origin.region_code) and whose action is deny. Rate limiting is a rate-based rule (throttle or rate_based_ban) with a threshold of requests per interval per client key, such as the source IP.
Custom rules, written as Common Expression Language match expressions, can combine such conditions. Preconfigured WAF rules (XSS, SQLi) address web application attacks, not region blocking or rate limiting.
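The following is an added example, not code from the original page and not the Cloud Armor rule language itself. It models the semantics described above in plain Python: rules are tried from the lowest priority number, the first match decides, a trusted range is exempted from the geo-block by giving it a lower number than the deny, and a rate_based_ban rule bans a client key once it exceeds a request count within an interval. The region code "XX", the address ranges, the thresholds and the request timestamps are all constructed for illustration.

```python
"""Simplified model of a Cloud Armor security policy that geo-blocks a region,
exempts a trusted IP range from the block, and rate-limits every client.

Added example, not Google's code. Region "XX", the address ranges, the
thresholds and the timestamps are constructed for illustration.
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Deque, Dict, List, Union


@dataclass(frozen=True)
class Request:
    src_ip: str
    region_code: str  # what Cloud Armor exposes as origin.region_code


class RateBasedBan:
    """Sliding-window model of a rate_based_ban rule keyed on source IP:
    more than `count` requests within `interval_sec` bans the key for
    `ban_duration_sec`; banned and excess requests get the exceed action."""

    def __init__(self, count: int, interval_sec: float, ban_duration_sec: float,
                 exceed_action: str = "deny-429") -> None:
        self.count = count
        self.interval = interval_sec
        self.ban_duration = ban_duration_sec
        self.exceed_action = exceed_action
        self._windows: Dict[str, Deque[float]] = defaultdict(deque)
        self._banned_until: Dict[str, float] = {}

    def check(self, key: str, now: float) -> str:
        if self._banned_until.get(key, float("-inf")) > now:
            return self.exceed_action
        window = self._windows[key]
        while window and window[0] <= now - self.interval:  # drop old requests
            window.popleft()
        window.append(now)
        if len(window) > self.count:
            self._banned_until[key] = now + self.ban_duration
            return self.exceed_action
        return "allow"


@dataclass(frozen=True)
class PolicyRule:
    priority: int                      # lower number = evaluated earlier
    description: str
    match: Callable[[Request], bool]   # stands in for the CEL match expression
    action: Union[str, RateBasedBan]


def in_range(cidr: str) -> Callable[[Request], bool]:
    net = ip_network(cidr)
    return lambda r: ip_address(r.src_ip) in net


def build_policy() -> List[PolicyRule]:
    """Constructed policy: allow-list before geo-deny, then rate limit, then default."""
    return [
        PolicyRule(2_147_483_647, "default allow", lambda r: True, "allow"),
        PolicyRule(300, "rate limit every client", lambda r: True,
                   RateBasedBan(count=5, interval_sec=10, ban_duration_sec=60)),
        PolicyRule(200, "geo-block region XX", lambda r: r.region_code == "XX", "deny-403"),
        PolicyRule(100, "trusted range inside XX", in_range("203.0.113.0/24"), "allow"),
    ]


def evaluate(policy: List[PolicyRule], req: Request, now: float) -> str:
    """First matching rule in priority order decides, as Cloud Armor does."""
    for rule in sorted(policy, key=lambda r: r.priority):
        if rule.match(req):
            if isinstance(rule.action, RateBasedBan):
                return rule.action.check(req.src_ip, now)
            return rule.action
    return "allow"  # unreachable while a default rule is present


def demo() -> List[str]:
    policy = build_policy()
    verdicts = [
        evaluate(policy, Request("203.0.113.5", "XX"), now=0.0),   # exemption beats geo-deny
        evaluate(policy, Request("198.51.100.7", "XX"), now=0.0),  # geo-blocked
    ]
    burst = Request("192.0.2.9", "US")
    verdicts += [evaluate(policy, burst, now=float(t)) for t in range(6)]  # 6 requests in 10 s
    verdicts.append(evaluate(policy, burst, now=30.0))  # still inside the 60 s ban
    verdicts.append(evaluate(policy, burst, now=80.0))  # ban expired, window empty again
    return verdicts


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Two design points carry over to a real policy. The allow for the trusted range sits at priority 100, below both the geo-deny (200) and the rate rule (300), so those clients are exempt from rate limiting as well; move the rate rule to a lower number if every client should be throttled. The rate rule keeps per-key state, which is why the same rule object is reused across requests rather than rebuilt each time.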
Cloud NAT dynamic port allocation assigns ports to each VM from a shared pool as the VM needs them, which minimizes the number of NAT IP addresses required.
A network engineer needs to create a firewall rule that denies all inbound traffic to instances with the tag 'web-server' from source IP range 10.0.0.0/8. They also have an existing allow rule with priority 1000 that permits traffic from 10.0.0.0/8 to those instances. To ensure the deny rule takes precedence, what priority should the new rule have?
500 is lower than 1000, so the deny rule takes precedence.
Why this answer
In VPC firewall rules, lower priority numbers take precedence (the range is 0 to 65535; 1000 is the default). To override an allow rule with priority 1000, the deny rule must have a number lower than 1000, such as 500. If a deny rule and an allow rule share the same priority, the deny rule wins.
An organization wants to consume a third-party SaaS service via a private endpoint in their VPC, using Private Service Connect. Which type of Private Service Connect endpoint should they create?
Consumers create a forwarding rule targeting the service attachment to access the service privately via an internal IP.
Why this answer
Private Service Connect allows consumers to create endpoints in their own VPC to reach managed services. For a third-party service published via PSC, the consumer reserves an internal IP address in its VPC and creates a PSC endpoint, that is, a forwarding rule whose target is the publisher's service attachment. The publisher must accept the consumer's project for the connection to become active.
A company wants to protect its HTTP(S) Load Balancer from layer 7 attacks, including SQL injection and cross-site scripting (XSS). Which TWO Google Cloud services or features should be used together? (Choose TWO.)
Cloud Armor policies are attached to the backend service of an HTTPS Load Balancer.
Why this answer
Cloud Armor security policies provide WAF capabilities with preconfigured rules to block SQLi and XSS. These policies are attached to the backend service of the HTTPS Load Balancer.
A company runs a web application on Compute Engine instances without external IPs. They need to ensure the instances can access Google APIs (e.g., Cloud Storage) and also provide outbound internet access for software updates. Which two features should be configured? (Choose two.)
Cloud NAT provides the outbound internet access needed for software updates, and Private Google Access on the subnet provides access to Google APIs such as Cloud Storage; neither requires the instances to have external IP addresses.
A company wants to allow access to a Cloud Storage bucket only from Compute Engine instances that have a specific service account and are within a specific VPC. They also want to prevent access from other networks. Which TWO services or features should they use together?
Allows you to conditionally grant access based on the caller's service account.
Why this answer
VPC Service Controls can restrict access to Google APIs to only specified VPCs and projects, creating a service perimeter. IAM conditions can further restrict access based on the caller's service account. This combination ensures that only instances with the correct service account in the correct VPC can access the bucket.
A company wants to restrict access to Google Cloud Storage from a specific VPC only, using VPC Service Controls. Which TWO components are required to create a service perimeter? (Choose two.)
Adding the project, or the specific VPC network, as a perimeter resource is what makes requests from that VPC count as inside the perimeter.
Why this answer
A service perimeter needs two things: the resources it protects (the projects, and optionally individual VPC networks, whose traffic is treated as inside the perimeter) and the restricted services (here storage.googleapis.com) at whose boundary the perimeter is enforced. Access levels, ingress and egress rules, and the VPC accessible services list refine the perimeter but are optional.
What is the internal DNS name format for a Compute Engine instance named 'web-server' in zone 'us-central1-a' within project 'my-project'?
The correct format is [instance name].[zone].c.[project id].internal, which gives web-server.us-central1-a.c.my-project.internal.
A company wants to ensure that Compute Engine instances in a VPC can resolve internal DNS names like 'instance1.us-central1-a.c.myproject.internal'. What is required for this to work?
Google Cloud automatically provides internal DNS for instances in the same VPC.
Why this answer
Google Cloud provides internal DNS resolution for instances in the same VPC network automatically: the metadata server (169.254.169.254) is the instances' default resolver and answers these names. No additional setup is needed; it works out of the box.
The DNS name format is [vm-name].[zone].c.[project-id].internal.
An organization needs to protect a web application behind an HTTPS Load Balancer from SQL injection attacks. They want to use a managed WAF solution. Which Google Cloud service should they configure?
Cloud Armor includes WAF rules, including preconfigured SQLi protection.
Why this answer
Cloud Armor provides WAF capabilities through preconfigured rules derived from the OWASP ModSecurity Core Rule Set, for example a rule whose match is evaluatePreconfiguredWaf('sqli-v33-stable') for SQL injection, alongside custom rules you write yourself.
A network engineer configured a hierarchical firewall policy at the organization level with a priority 100 rule that denies all ingress traffic. At the folder level, a policy with priority 110 allows ingress from a specific IP range. At the VPC level, a network firewall policy with priority 90 allows ingress from a different IP range. Which traffic will be allowed?
No ingress traffic is allowed: the organization-level policy is evaluated first, its priority 100 rule matches all ingress and denies it, and the folder-level and VPC-level allow rules are never reached.
Why this answer
Hierarchical firewall policies are evaluated in a fixed order: the organization policy first, then folder policies from the top of the resource hierarchy down, and only afterwards the VPC's own firewall rules and network firewall policies (in the network's configured enforcement order). Rule priority numbers order the rules within one policy only; a priority 90 in a network firewall policy is never compared with a priority 100 in the organization policy. Within each policy the first matching rule wins, and an allow or deny ends evaluation; only a goto_next rule, or no match at all, hands the packet to the next level.
Here the organization policy's priority 100 rule matches all ingress and denies it, so evaluation stops there. The folder-level allow (priority 110) and the network-policy allow (priority 90) are never consulted, whatever their numbers. For them to take effect, the organization policy would need a goto_next rule for that traffic at a lower number than the deny, or the deny would have to be removed or narrowed.
Thus, as configured, none of the described ingress traffic is allowed.
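The following is an added example, not code from the original page or from Google. It models in Python the two ordering rules this page relies on: within one policy (the Cloud Armor question above, the VPC firewall rule question with the priority 500 deny, and each level here) the lowest priority number is tried first and the first match wins; across levels, hierarchical policies are visited in a fixed order and a priority number never reaches across levels, so the organization-level deny above stops evaluation before the folder and network-policy allows are seen. Switching the organization rule to goto_next shows what it takes for the lower levels to decide. All rule sets and IP addresses are constructed for illustration.

```python
"""Priority-based first-match evaluation of Google Cloud firewall-style rules.

Added example, not Google's own code. Rule sets and IP addresses are
constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional, Tuple

CLOUD_ARMOR_DEFAULT_PRIORITY = 2_147_483_647  # Cloud Armor default rule, evaluated last
IMPLIED_VPC_RULE_PRIORITY = 65_535            # implied allow-egress / deny-ingress rules


@dataclass(frozen=True)
class Rule:
    priority: int            # lower number = evaluated earlier within one policy
    action: str              # "allow", "deny", or "goto_next" (firewall policies only)
    src: str = "0.0.0.0/0"   # source range the rule matches

    def matches(self, src_ip: str) -> bool:
        return ip_address(src_ip) in ip_network(self.src)


def first_match(rules: Iterable[Rule], src_ip: str) -> Optional[Rule]:
    """Within one policy: walk rules from lowest to highest priority number and
    return the first one whose source range contains the address."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(src_ip):
            return rule
    return None


def evaluate_chain(stages: List[Tuple[str, List[Rule]]], src_ip: str) -> Tuple[str, str]:
    """Across levels: stages are visited in the given order (organization
    policy, folder policies, then the VPC's own rules and network firewall
    policies). An allow or deny ends evaluation; no match, or a goto_next
    rule, hands the packet to the next stage. Returns (verdict, stage)."""
    for name, rules in stages:
        rule = first_match(rules, src_ip)
        if rule is None or rule.action == "goto_next":
            continue
        return rule.action, name
    return "deny", "implied-deny-ingress"  # implied ingress rule at priority 65535


def cloud_armor_demo() -> Dict[str, str]:
    """Deny one IP at priority 1000, default allow-all at 2147483647."""
    policy = [Rule(CLOUD_ARMOR_DEFAULT_PRIORITY, "allow"), Rule(1000, "deny", "10.1.2.3/32")]
    return {ip: first_match(policy, ip).action for ip in ("10.1.2.3", "10.1.2.4")}


def vpc_rule_demo() -> str:
    """Deny at 500 overrides an existing allow at 1000 for the same source range."""
    rules = [Rule(1000, "allow", "10.0.0.0/8"), Rule(500, "deny", "10.0.0.0/8")]
    return first_match(rules, "10.5.5.5").action


def hierarchy_demo(org_action: str = "deny") -> Dict[str, Tuple[str, str]]:
    """Org rule at 100, folder allow at 110, network-policy allow at 90."""
    stages = [
        ("org", [Rule(100, org_action)]),
        ("folder", [Rule(110, "allow", "203.0.113.0/24")]),
        ("network-policy", [Rule(90, "allow", "198.51.100.0/24")]),
    ]
    return {ip: evaluate_chain(stages, ip) for ip in ("203.0.113.10", "198.51.100.5", "192.0.2.1")}


if __name__ == "__main__":
    print("cloud armor:", cloud_armor_demo())
    print("vpc rules:", vpc_rule_demo())
    print("org deny:", hierarchy_demo())
    print("org goto_next:", hierarchy_demo("goto_next"))
```

With the organization rule set to deny, every address is denied at the "org" stage regardless of the lower numbers used further down; with goto_next, the folder allow decides for 203.0.113.0/24, the network policy allow decides for 198.51.100.0/24, and anything else falls through to the implied ingress deny.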
A company wants to protect its external HTTPS load balancer from SQL injection and cross-site scripting attacks. Which Google Cloud service should they use?
Cloud Armor provides WAF with preconfigured rules for SQLi and XSS.
Why this answer
Cloud Armor provides WAF capabilities including preconfigured rules for OWASP Top 10 threats like SQLi and XSS, and can be attached to HTTPS load balancers.