CCNA Gcp Network Security Config Questions

75 of 86 questions · Page 1/2 · Gcp Network Security Config topic · Answers revealed

1
MCQ · hard

A financial services company needs to inspect all inbound and outbound packets from a subnet containing highly sensitive data for compliance. They have enabled VPC Flow Logs on that subnet, which record metadata such as source and destination IP, ports, and protocol. However, the security team requires the actual packet payload to perform deep packet inspection (DPI) for malicious patterns. They want to capture the packets without disrupting network traffic. Which additional configuration should be implemented to meet this requirement?

A. Configure Cloud Armor to log all HTTP requests with full request body.
B. Enable VPC Flow Logs with metadata capture set to 'include payload'.
C. Enable Packet Mirroring on a Compute Engine instance in the subnet to mirror all packets to a collector instance.
D. Enable Cloud NAT logging to capture all outbound traffic payloads.
Answer: C

Packet Mirroring captures full packet payloads without affecting live traffic.

Why this answer

Option C is correct because Packet Mirroring clones all packets (including payload) from a source instance in the subnet and forwards them to a collector instance for deep packet inspection, without disrupting the original traffic flow. VPC Flow Logs only capture metadata (headers, timestamps) and cannot include payload content, making Packet Mirroring the only solution that meets the requirement for actual packet payload capture.

Exam trap

Google Cloud often tests the distinction between metadata logging (VPC Flow Logs) and full packet capture (Packet Mirroring), and the trap here is assuming VPC Flow Logs can be configured to include payloads, which is technically impossible in GCP.

How to eliminate wrong answers

Option A is wrong because Cloud Armor only inspects and logs HTTP/HTTPS traffic at the edge, not all inbound/outbound packets from the subnet, and it cannot capture payloads for non-HTTP protocols or for traffic that does not pass through the Cloud Armor proxy. Option B is wrong because VPC Flow Logs do not support an 'include payload' setting; they are limited to metadata such as IP addresses, ports, and protocol numbers, and never capture packet payloads. Option D is wrong because Cloud NAT logging only records metadata about outbound connections (source/destination IPs, ports) and does not capture packet payloads; it is designed for connection tracking, not deep packet inspection.

2
MCQ · hard

A company has a VPC network named 'production' with subnets in us-central1 and europe-west1. They have on-premises data centers in New York and London connected via two HA VPN gateways to the respective regions. The on-premises networks use BGP with Cloud Routers in each region. The company also has a Shared VPC with service projects. Recently, they migrated a critical application to Google Cloud, which runs on Compute Engine instances in the europe-west1 subnet. The application needs to communicate with an on-premises database in London reachable via the London VPN. After the migration, the application fails to connect to the database. The Cloud Router in europe-west1 shows that it is receiving the on-premises routes. The instance has a default route to the internet via Cloud NAT. The firewall rules allow all traffic from the instance to the on-premises IP range. What is the most likely cause of the connectivity issue?

A. The on-premises firewall is blocking traffic from the Google Cloud IP ranges.
B. The Cloud NAT is incorrectly configured and blocking traffic to on-premises IP ranges.
C. The Shared VPC configuration prevents service project instances from using VPC routes.
D. The Cloud Router in europe-west1 has dynamic route import from BGP disabled.
Answer: D

Correct: without dynamic route import, learned BGP routes are not added to the VPC route table.

Why this answer

The Cloud Router in europe-west1 is receiving the on-premises routes via BGP, but if dynamic route import from BGP is disabled, those routes are not installed into the VPC route table. Without the specific route for the London on-premises database subnet, traffic from the Compute Engine instance will not be forwarded to the VPN tunnel, causing the connection failure. The default route via Cloud NAT only handles internet-bound traffic, not traffic destined for on-premises IP ranges.

Exam trap

Google Cloud often tests the distinction between BGP session establishment (routes received) and route installation (routes imported into the VPC route table), leading candidates to assume that receiving BGP routes automatically means they are usable for forwarding.

How to eliminate wrong answers

Option A is wrong because the on-premises firewall blocking Google Cloud IP ranges would cause a symmetric issue, but the problem is that traffic never reaches the on-premises network due to missing routes in the VPC. Option B is wrong because Cloud NAT is used for outbound internet access and does not affect traffic destined for on-premises IP ranges; it only translates private IPs to public IPs for internet-bound packets. Option C is wrong because Shared VPC does not prevent service project instances from using VPC routes; service project instances can use routes from the host project as long as they are in the same VPC network, and the route import issue is independent of Shared VPC.

3
MCQ · medium

Refer to the exhibit. An engineer wants to allow inbound SSH (tcp:22) to a VM with network tag 'ssh-access' in the 'default' VPC. Which firewall rule should they create?

A. Remove the 'default-allow-ssh' rule and create a new rule with no target tags.
B. Create a new ingress rule allowing tcp:22 from 0.0.0.0/0 to instances with tag 'ssh-access' with priority 1000.
C. Create a new egress rule allowing tcp:22 from instances with tag 'ssh-access' to 0.0.0.0/0.
D. Modify the existing 'default-allow-ssh' rule to add a target tag 'ssh-access'.
Answer: B

Correct: higher priority rule overrides the lower-priority default allow, ensuring only tagged instances receive SSH.

Why this answer

Option B is correct because it creates a new ingress firewall rule that explicitly allows inbound TCP port 22 traffic from any source (0.0.0.0/0) only to VM instances that have the network tag 'ssh-access'. In Google Cloud VPC, firewall rules are stateful and apply at the instance level based on target tags; a priority of 1000 ensures this rule is evaluated appropriately relative to higher-priority (lower number) deny rules. This approach preserves the default-allow-ssh rule for other instances while granting SSH access specifically to tagged VMs.

Exam trap

Google Cloud often tests the distinction between ingress and egress rules, and the trap here is that candidates may mistakenly choose an egress rule (Option C) thinking it controls incoming SSH traffic, or they may incorrectly assume that modifying the default rule (Option D) is the simplest approach without considering the impact on untagged instances.

How to eliminate wrong answers

Option A is wrong because removing the default-allow-ssh rule and creating a new rule with no target tags would apply the rule to all instances in the VPC, which is overly permissive and does not restrict SSH access to only the VM with tag 'ssh-access'. Option C is wrong because an egress rule controls outbound traffic from instances, not inbound SSH connections; the requirement is to allow inbound SSH (tcp:22) to the VM, which requires an ingress rule. Option D is wrong because modifying the existing 'default-allow-ssh' rule to add a target tag 'ssh-access' would change the rule's scope to only apply to tagged instances, but it would also remove the rule's effect on untagged instances (since the rule originally had no target tags, meaning it applied to all instances); this could inadvertently block SSH access to other VMs that previously relied on the default rule.

4
Multi-Select · hard

Which THREE of the following are valid requirements for using VPC Network Peering? (Choose three.)

Select 3 answers
A. Cloud NAT must be configured in at least one VPC.
B. Subnet routes are automatically exchanged between the peered VPCs.
C. An IAM role with compute.networkAdmin must be granted to all users.
D. Each VPC must have firewall rules to allow traffic from the peered VPC.
E. The VPC networks must not have overlapping IP ranges.
Answers: B, D, E

Correct: peering exchanges subnet routes.

Why this answer

Option B is correct because VPC Network Peering automatically exchanges subnet routes between the peered VPCs, enabling private IP connectivity without requiring additional route tables or VPN gateways. This route exchange is implicit once the peering connection is established, provided the networks do not have overlapping CIDR blocks.

Exam trap

Google Cloud often tests the misconception that Cloud NAT is required for VPC Peering, but the trap here is that peering is purely for private IP communication and does not involve NAT or internet gateway functionality.

5
MCQ · easy

A developer needs to allow a specific Compute Engine instance to communicate with a Cloud SQL database instance. Both are in the same project but different VPC networks. What is the simplest secure method?

A. Create a firewall rule allowing traffic between networks
B. Use VPC peering between the two networks
C. Use Cloud SQL Proxy on the instance
D. Grant the instance's service account access to Cloud SQL
Answer: B

VPC peering provides a direct private connection between the two VPCs.

Why this answer

VPC peering is the simplest secure method to allow communication between two VPC networks in the same project. It establishes a private RFC 1918 connection using internal IPs, avoiding the public internet. Firewall rules alone cannot bridge separate VPCs, and Cloud SQL Proxy is unnecessary overhead for internal connectivity.

Exam trap

Google Cloud often tests the misconception that firewall rules can span VPCs, but in Google Cloud, firewall rules are scoped to a single VPC network and cannot enable cross-network traffic without peering or VPN.

How to eliminate wrong answers

Option A is wrong because firewall rules only control traffic within a single VPC network; they cannot route traffic between different VPC networks. Option C is wrong because Cloud SQL Proxy is an extra component that adds complexity and is typically used for public IP access or from external clients, not for private VPC-to-VPC communication. Option D is wrong because granting a service account access to Cloud SQL controls authentication and authorization, not network-level connectivity between separate VPCs.

6
MCQ · hard

A company uses hierarchical firewall policies to enforce security across all VPC networks in an organization. They have an organization policy that denies egress traffic to the internet. However, a team needs to allow outbound HTTPS traffic to a specific external API (api.example.com) for a project. What is the best way to achieve this?

A. Create a new hierarchical firewall policy rule that allows egress to the IP range of api.example.com with a higher priority than the deny rule.
B. Configure Cloud NAT with a static IP and allow that IP in the org policy.
C. Remove the organization policy and rely on VPC firewall rules.
D. Use VPC Service Controls to allow access to the API.
Answer: A

Hierarchical rules follow priority order; a higher priority allow rule overrides a lower priority deny.

Why this answer

Hierarchical firewall policies allow you to enforce organization-wide rules while still permitting exceptions via higher-priority rules. By creating a new rule that allows egress to the IP range of api.example.com with a priority higher than the deny rule, you override the deny for that specific traffic. This approach maintains the organization's security posture while enabling the required outbound HTTPS access.

Exam trap

Google Cloud often tests the misconception that Cloud NAT or VPC Service Controls can bypass organization-level firewall policies, but only hierarchical firewall rules with appropriate priority can create exceptions to such policies.

How to eliminate wrong answers

Option B is wrong because Cloud NAT is used for outbound internet access from private instances, but it does not override an organization policy that denies egress traffic; the policy still blocks all egress regardless of NAT. Option C is wrong because removing the organization policy eliminates the baseline security control, which is unnecessary and insecure when a targeted exception can be made. Option D is wrong because VPC Service Controls are designed to restrict data exfiltration from Google Cloud services, not to control egress traffic to external APIs like api.example.com.

7
MCQ · easy

A company is using Cloud SQL with a private IP address in the same VPC as their Compute Engine web application server. The server can reach the Cloud SQL instance's IP address via ping, but the application is failing to connect with a permission error. The VPC firewall rules include the default allow internal rule. What is the most likely cause?

A. The Cloud SQL instance's private IP address is not assigned to the correct subnetwork.
B. The firewall rules need an explicit allow rule for TCP port 3306 for the server's IP range.
C. The Compute Engine server's service account does not have the Cloud SQL Client IAM role.
D. The Cloud SQL instance requires the public IP address to be enabled for the application to connect.
Answer: C

The Cloud SQL Client role is required to connect to Cloud SQL instances. The permission error aligns with missing IAM permissions.

Why this answer

The default allow internal rule permits all protocols and ports, so network connectivity is fine. The permission error indicates insufficient IAM permissions. The Cloud SQL Client role is required for connecting to Cloud SQL instances via private IP.

8
MCQ · hard

A company is using VPC Service Controls to protect their Google Cloud Storage buckets. They want to allow a specific instance to access a bucket from within a VPC. What networking configuration is required?

A. The instance must have a public IP
B. A VPC peering connection to Google services
C. A Cloud NAT gateway
D. Private Google Access must be enabled on the subnet
Answer: D

Private Google Access allows instances with internal IPs to reach Google APIs through Google's private network.

Why this answer

VPC Service Controls require Private Google Access to be enabled on the subnet so that the instance can access Google APIs using its internal IP address.

9
MCQ · easy

Your company is deploying a multi-tier application in a single VPC with two subnets: web (10.0.1.0/24) and db (10.0.2.0/24). The web instances need to connect to a private Cloud SQL instance (MySQL) that is provisioned in a service project. The Cloud SQL instance has a private IP address 10.0.3.5 assigned using private services access. You have established VPC peering between your VPC and the service producer VPC (the Google-managed VPC hosting Cloud SQL). You verified that the peering connection is in 'ACTIVE' state. The web instances can reach internet sites, but connections to the Cloud SQL instance (using the MySQL client) are timing out. The db instances do not need to connect to Cloud SQL. What is the most likely cause and recommended solution?

A. Configure the VPC peering connection to export custom routes from your VPC to the service producer VPC.
B. Re-create the VPC peering connection because it might be misconfigured.
C. Change the Cloud SQL instance to use a public IP and allowlist your web subnet.
D. Set up Cloud NAT for the web subnet to enable outbound connections.
Answer: A

Exporting custom routes ensures the service VPC knows how to reach your subnets for return traffic.

Why this answer

The web instances are timing out when connecting to the Cloud SQL private IP (10.0.3.5) because the VPC peering connection is not exporting custom routes from your VPC to the service producer VPC. By default, VPC peering does not export custom routes (including the subnet routes for 10.0.1.0/24 and 10.0.2.0/24) unless explicitly configured. Without these routes, the Cloud SQL instance cannot send response traffic back to the web instances, causing the TCP handshake to fail (SYN sent, SYN-ACK never received).

Enabling 'Export custom routes' on the peering connection from your VPC to the service producer VPC resolves this by advertising your subnet routes to the Cloud SQL host VPC.

Exam trap

Google Cloud often tests the misconception that an 'ACTIVE' peering status guarantees full connectivity, but the trap here is that route exchange is not automatic for custom routes — candidates overlook the need to explicitly export custom routes for return traffic.

How to eliminate wrong answers

Option B is wrong because the peering connection is already in 'ACTIVE' state, which indicates it is correctly configured at the peering level; re-creating it would not solve the missing route export issue. Option C is wrong because using a public IP for Cloud SQL would expose the database to the internet, violating the requirement for a private connection, and it would not address the underlying routing problem caused by missing custom route exports. Option D is wrong because Cloud NAT is used for outbound internet access from private instances, but the issue here is bidirectional routing between the web subnet and the Cloud SQL private IP; Cloud NAT does not help with VPC peering route advertisement.

10
MCQ · easy

Your organization requires that all egress traffic from a VPC network be inspected by a third-party security appliance before leaving the network. The appliance is deployed in a separate VPC. What is the most scalable and maintainable way to route traffic through the appliance?

A. Use Cloud Interconnect to connect the two VPCs and configure BGP to advertise a default route from the appliance VPC.
B. Use Private Google Access to route traffic through the appliance.
C. Deploy the appliance in a separate VPC and create a route with next hop as the appliance's internal IP, and tag the VMs that need inspection.
D. Deploy the appliance in a separate VPC and use VPC Network Peering with route export/import to redirect traffic.
Answer: C

This is the recommended pattern: use instance-level routes with next hop to the appliance.

Why this answer

Option C is correct because it uses a route with a next hop of the appliance's internal IP, combined with VM tags to selectively route egress traffic through the appliance. This approach is scalable and maintainable as it avoids complex peering or interconnect setups, and tags allow granular control without modifying routes for every VM.

Exam trap

Google Cloud often tests the misconception that VPC Network Peering with route export/import is the simplest way to route traffic between VPCs, but the trap here is that peering creates a full mesh of routes, which can cause asymmetric routing and does not allow selective egress-only inspection without additional complex filtering.

How to eliminate wrong answers

Option A is wrong because Cloud Interconnect is a dedicated connection to on-premises networks, not between VPCs, and BGP advertising a default route from the appliance VPC would require complex routing policies and does not inherently inspect egress traffic. Option B is wrong because Private Google Access allows VMs without external IPs to access Google APIs and services, not to route traffic through a third-party security appliance in another VPC. Option D is wrong because VPC Network Peering with route export/import would redirect all traffic between the VPCs, but it does not provide a mechanism to selectively route only egress traffic through the appliance; it would also route ingress traffic, causing asymmetric routing and potential inspection bypass.

11
Multi-Select · medium

Which TWO options are valid methods to secure data in transit between an on-premises data center and a Google Cloud VPC?

Select 2 answers
A. Private Google Access
B. Dedicated Interconnect with MACsec
C. Cloud VPN with IPsec
D. VPC Network Peering
Answers: B, C

Provides encryption at Layer 2 for dedicated connections.

Why this answer

Dedicated Interconnect with MACsec (Media Access Control Security) provides encryption at Layer 2, securing data in transit over the dedicated connection between your on-premises data center and Google Cloud VPC. MACsec uses GCM-AES-128 or GCM-AES-256 encryption to protect all traffic on the link, ensuring confidentiality and integrity without the overhead of IPsec.

Exam trap

Google Cloud often tests the distinction between connectivity methods (like Private Google Access or VPC Peering) and actual encryption mechanisms, leading candidates to confuse access control or internal routing with data-in-transit security.

12
Multi-Select · hard

A company is setting up Cloud NAT for a subnet that hosts compute instances. They want to ensure high availability and efficient use of IPs. Which TWO configurations should they apply? (Choose TWO.)

Select 2 answers
A. Create a separate Cloud NAT gateway for each zone in the region.
B. Disable IP masquerading to preserve source IPs.
C. Specify at least two NAT IPs, each from different zones for redundancy.
D. Reserve static external IP addresses and assign them to the Cloud NAT.
E. Use dynamic NAT IPs so that Google-managed allocation is used.
Answers: C, D

Multiple IPs across zones provide HA if a zone fails.

Why this answer

Options C and D are correct. Using multiple NAT IPs in different zones provides HA, and manually reserved static NAT IPs ensure the addresses are not lost. Option E is wrong because dynamic NAT IPs may change.

Option A is wrong because one NAT gateway is sufficient per region; zone-level gateways are not needed. Option B is wrong because Cloud NAT already handles port exhaustion.

13
MCQ · medium

A company has a VPC with subnet-a (10.0.1.0/24) and subnet-b (10.0.2.0/24). They enabled Private Google Access on subnet-a. Instances in subnet-a can access Google APIs and services using private IPs. However, instances in subnet-b cannot reach Google APIs even though subnet-b has a default route to the internet through a NAT gateway. What is the likely cause?

A. Subnet-b does not have a default route to the internet.
B. Cloud NAT is not configured for subnet-b.
C. Firewall rules are blocking traffic to googleapis.com.
D. Private Google Access is not enabled on subnet-b.
Answer: D

Correct: must enable per subnet.

Why this answer

Private Google Access is a per-subnet setting that allows instances with only private IPs to reach Google APIs and services through the VPC's default internet gateway, without needing public IPs or NAT. Since subnet-b does not have Private Google Access enabled, its instances cannot use this feature even though they have a default route to the internet via a NAT gateway; the NAT gateway only provides outbound internet access for public IP destinations, not the private IP ranges used by Google APIs.

Exam trap

Google Cloud often tests the misconception that a NAT gateway or internet gateway alone is sufficient for accessing Google APIs, when in fact Private Google Access must be explicitly enabled on each subnet that requires it.

How to eliminate wrong answers

Option A is wrong because subnet-b has a default route to the internet through a NAT gateway, as stated in the question. Option B is wrong because Cloud NAT is not required for Private Google Access; Private Google Access uses the VPC's default internet gateway, not a NAT gateway, and the question already states subnet-b has a NAT gateway. Option C is wrong because there is no indication of firewall rules blocking traffic to googleapis.com; the issue is specifically about the subnet-level Private Google Access setting, not firewall rules.

14
MCQ · hard

A company is implementing VPC Service Controls to protect sensitive data in Google Cloud Storage. They want to allow a private on-premises subnet (10.1.0.0/16) to access the storage buckets via a Cloud VPN tunnel, but deny all other on-premises traffic. Which configuration approach meets this requirement with least privilege?

A. Create a service perimeter that allows all traffic from on-premises, then an explicit deny rule for other IP ranges.
B. Create a bridged access level that includes the private IP range 10.1.0.0/16 and a VPC network condition.
C. Configure Cloud NAT in the on-premises network and allow the NAT IP in an access level.
D. Create an access level with the IP range 10.1.0.0/16 and apply it to a service perimeter.
Answer: B

Correct: bridged access level ensures traffic goes through VPN and originates from correct subnet.

Why this answer

Option B is correct because VPC Service Controls use access levels to define which client identities or network sources can access protected services. By creating a bridged access level that includes both the private IP range 10.1.0.0/16 and a VPC network condition (the VPC connected via Cloud VPN), you ensure that only traffic originating from that specific on-premises subnet and arriving through the authorized VPC is allowed, denying all other on-premises traffic by default. This follows the least-privilege principle by not allowing broader IP ranges or relying on implicit denies.

Exam trap

Google Cloud often tests the misconception that an IP-based access level alone is sufficient for VPN-connected traffic, but the trap here is that without a VPC network condition, the access level would allow any traffic with that IP range, including from other networks or spoofed sources, failing the least-privilege and VPN-specific requirement.

How to eliminate wrong answers

Option A is wrong because creating a service perimeter that allows all on-premises traffic and then adding an explicit deny for other IP ranges violates least privilege by initially granting overly broad access, and VPC Service Controls do not support explicit deny rules within a perimeter—they rely on default deny for sources not in the access level. Option C is wrong because Cloud NAT is a Google Cloud service used for outbound traffic from private GCP instances to the internet, not for on-premises networks; configuring NAT in the on-premises network would require a public IP, which defeats the purpose of using a private IP range and does not integrate with VPC Service Controls access levels. Option D is wrong because an access level with only the IP range 10.1.0.0/16 does not include a VPC network condition, so it would allow traffic from any network claiming that IP range (including spoofed or overlapping ranges), not just traffic arriving via the specific Cloud VPN tunnel, thus violating the requirement to restrict access to the VPN-connected subnet only.

15
MCQ · easy

A company has a VPC with several subnets. They want to allow HTTP traffic from the internet to a web server in subnet-a, but block all other inbound traffic. What is the simplest firewall rule configuration?

A. Create an ingress rule allowing all tcp and udp traffic from 0.0.0.0/0.
B. Create an egress rule allowing tcp:80 from the internet to the web server.
C. Create an ingress rule allowing tcp:80 from 0.0.0.0/0 to instances with the 'web-server' tag. The implied deny all ingress rule blocks other traffic.
D. Create an ingress rule allowing tcp:80 from the web server's internal IP range. The implied deny all ingress rule blocks other traffic.
Answer: C

Correct: single rule with tag and source range, plus implied deny.

Why this answer

Option C is correct because it creates an ingress rule that explicitly allows TCP port 80 traffic from any source (0.0.0.0/0) to instances tagged as 'web-server'. In cloud VPC firewalls (e.g., AWS Security Groups or GCP Firewall Rules), the default behavior is an implied deny all ingress traffic; only explicitly allowed traffic is permitted. This configuration satisfies the requirement to allow HTTP from the internet while blocking all other inbound traffic without needing additional rules.

Exam trap

Google Cloud often tests the distinction between ingress and egress rules, and the trap here is that candidates mistakenly think an egress rule (Option B) can control inbound traffic, or that restricting to internal IPs (Option D) is sufficient for internet access.

How to eliminate wrong answers

Option A is wrong because allowing all TCP and UDP traffic from 0.0.0.0/0 would permit all inbound traffic, not just HTTP, violating the requirement to block other traffic. Option B is wrong because an egress rule controls outbound traffic from the web server, not inbound traffic from the internet; the requirement is to allow inbound HTTP, which requires an ingress rule. Option D is wrong because it restricts HTTP traffic to the web server's internal IP range, which would block legitimate internet traffic (since internet clients do not originate from that internal range), failing to allow HTTP from the internet.

16
MCQ · easy

You are configuring a new VPC network with a private subnet for Compute Engine instances that need to access the internet for updates. Which configuration is the simplest and most secure?

A. Create a default VPC firewall rule that allows all egress traffic and assign only internal IPs to instances.
B. Configure Cloud NAT to provide outbound internet access for the instances and create a firewall rule that blocks inbound traffic from the internet.
C. Use a managed instance group with a proxy instance that has an external IP, and route traffic through the proxy.
D. Assign static external IP addresses to each instance and configure firewall rules to allow egress.
Answer: B

Cloud NAT provides secure outbound-only internet access without exposing instance IPs.

Why this answer

Cloud NAT allows instances without external IPs to make outbound connections to the internet while preventing inbound traffic, so Option B is correct. Option D is incorrect because assigning external IPs to each instance increases the attack surface and is less secure.

Option A is incorrect because firewall rules allowing all egress are less secure than NAT. Option C is incorrect because redirecting through a proxy instance adds complexity and a single point of failure.

17
MCQ · hard

A company is using a Shared VPC in Google Cloud with multiple service projects. The security team wants to restrict egress traffic from a specific service project to only allowed external IP addresses. The network project hosts the VPC. What is the best approach?

A. Use Private Google Access to restrict egress.
B. Use VPC Service Controls to restrict egress.
C. Create a firewall rule in the service project's VPC that denies egress.
D. Create a firewall rule in the host project that denies egress to all destinations except the allowed IPs, and apply it to the service project's VMs via service accounts.
Answer: D

Firewall rules in the host project can target service project VMs by service account.

Why this answer

In a Shared VPC, firewall rules are defined in the host project and apply to VM instances in service projects. Option D correctly creates a deny-all egress rule in the host project, then uses a higher-priority allow rule for specific external IPs, scoped to service accounts of the target VMs. This ensures egress traffic from the specific service project is restricted at the VPC firewall level, which is the only effective way to control outbound traffic in a Shared VPC architecture.

Exam trap

Google Cloud often tests the misconception that firewall rules can be created in service projects within a Shared VPC, but the correct understanding is that all firewall rules must be managed in the host project, and service accounts are the mechanism to scope rules to specific VMs.

How to eliminate wrong answers

Option A is wrong because Private Google Access only allows on-premises hosts or VM instances to reach Google APIs and services using internal IPs; it does not restrict egress to external IPs. Option B is wrong because VPC Service Controls protect Google-managed services (like Cloud Storage) by creating perimeters, not by controlling egress traffic from VMs to arbitrary external IP addresses. Option C is wrong because in a Shared VPC, firewall rules cannot be created in the service project's VPC; the service project does not own the VPC, and all firewall rules must be defined in the host project.

18
MCQmedium

A company uses Shared VPC with host project and service projects. They want to ensure that only specific service projects can create firewall rules in the host project's network. What is the correct IAM configuration?

A.Grant the Compute Security Admin role to the service project's compute service account in the service project.
B.Grant the Compute Network Admin role to the service project's service accounts in the host project.
C.Grant the Compute Security Admin role to the service project's service accounts in the host project.
D.Create a custom role with compute.firewalls.create and grant it to the host project's compute service account.
AnswerC

Correct: allows managing firewall rules in the shared VPC.

Why this answer

In a Shared VPC setup, the host project owns the network, and service projects connect to it. To allow a service project to create firewall rules in the host project's network, you must grant the Compute Security Admin role (which includes compute.firewalls.create) to the service project's service accounts at the host project level. This grants the necessary permissions on the host project's resources without giving broader network administration rights.

Exam trap

Google Cloud often tests the distinction between granting roles in the host project versus the service project, and the trap here is that candidates mistakenly think the Compute Network Admin role is required for firewall rule creation, when in fact Compute Security Admin is the correct, more restrictive role.

How to eliminate wrong answers

Option A is wrong because granting the Compute Security Admin role to the service project's compute service account in the service project only affects resources within that service project, not the host project's network. Option B is wrong because the Compute Network Admin role includes permissions to modify network configurations (e.g., create/modify VPCs, subnets) beyond just firewall rules, which violates the principle of least privilege and is not the specific role for firewall rule creation. Option D is wrong because creating a custom role with compute.firewalls.create and granting it to the host project's compute service account would allow the host project's own service account to create firewall rules, not the service project's service accounts; the requirement is to enable specific service projects, not the host project itself.

19
Multi-Selectmedium

Which TWO of the following are valid methods for sending traffic between VPC networks in Google Cloud? (Choose two.)

Select 2 answers
A.Firewall rules in each VPC
B.Subnet routes
C.Cloud VPN (HA VPN gateway)
D.Cloud NAT
E.VPC Network Peering
AnswersC, E

Correct: creates encrypted tunnels between VPCs.

Why this answer

Cloud VPN (HA VPN gateway) is a valid method for sending traffic between VPC networks because it creates an encrypted tunnel over the public internet using IPsec (IKEv2) to connect two VPCs or an on-premises network to a VPC. It supports dynamic routing via BGP, allowing traffic to flow between VPCs when each VPC has a VPN gateway and the appropriate tunnel configurations.

Exam trap

The trap here is that candidates confuse Cloud NAT or firewall rules as a method for inter-VPC connectivity, when in fact they serve entirely different purposes (outbound NAT and access control, respectively) and cannot route traffic between separate VPC networks.

20
MCQhard

You have a Compute Engine VM that hosts a custom application. The VM has a tag 'app-server' and is in a VPC network with the following firewall rules (priority order from lowest to highest):

Rule 1: Priority 1000, direction INGRESS, source 0.0.0.0/0, target tag 'app-server', protocol tcp:80, action allow
Rule 2: Priority 500, direction INGRESS, source 10.0.0.0/8, target tag 'app-server', protocol tcp:80, action deny
Rule 3: Priority 2000, direction INGRESS, source 192.168.0.0/16, target tag 'app-server', protocol tcp:80, action allow

A user from IP 10.0.0.5 tries to access the application on port 80. Will the request be allowed or denied?

A.Denied, because Rule 2 has a lower priority number and explicitly denies traffic from 10.0.0.0/8
B.Denied, because Rule 3 has a higher priority number and denies traffic from 192.168.0.0/16
C.Allowed, because Rule 1 has a lower priority number and allows all traffic
D.Allowed, because Rule 3 has a higher priority number and allows traffic from 192.168.0.0/16
AnswerA

Correct: Rule 2 has priority 500, which is evaluated before Rule 1 (1000) and Rule 3 (2000). Since it matches, the deny action is applied.

Why this answer

Rule 2 has a priority of 500, which is lower (higher priority) than Rule 1 (priority 1000) and Rule 3 (priority 2000). Since the source IP 10.0.0.5 falls within the 10.0.0.0/8 range, Rule 2 matches first and explicitly denies the traffic. In Google Cloud VPC firewall rules, lower priority numbers are evaluated first, and the first matching rule determines the action.

Exam trap

Google Cloud often tests the misconception that higher priority numbers mean higher precedence, but in Google Cloud VPC firewall rules, lower numeric priority values are evaluated first, so candidates must remember that priority 500 is evaluated before priority 1000.

How to eliminate wrong answers

Option B is wrong because Rule 3 has a higher priority number (2000) and allows traffic from 192.168.0.0/16, but the source IP is 10.0.0.5, which does not match that range; also, Rule 2 with lower priority already denies the traffic. Option C is wrong because Rule 1 has a higher priority number (1000) than Rule 2 (500), so Rule 2 is evaluated first and denies the traffic before Rule 1 is considered. Option D is wrong because Rule 3 has the highest priority number (2000) and applies to a different source range (192.168.0.0/16), so it does not affect traffic from 10.0.0.5.

21
MCQmedium

A company has configured a HA VPN between Google Cloud and an on-premises data center using two tunnels with separate Cloud Routers and BGP sessions in active/active mode. Each Cloud Router is configured to learn routes from the on-premises side and advertise VPC subnets. Recently, one of the tunnels experienced a physical link failure and went down. The security team notices that the remaining tunnel is still up and passing traffic, but some routes that were learned via the failed tunnel are no longer present in the routing table of that Cloud Router. The on-premises administrator confirms that the routes are still being advertised from the local router. What is the impact on traffic to the on-premises network?

A.The failed tunnel will automatically be restored by BGP when the link comes back.
B.The Cloud Router will initiate a failover to a secondary BGP session.
C.Traffic destined to subnets only reachable via the failed tunnel will be dropped.
D.All traffic will continue to flow through the remaining tunnel without any disruption.
AnswerC

The missing routes mean those destinations are unreachable until the tunnel recovers or routes are learned via the other tunnel.

Why this answer

In an active/active HA VPN with separate Cloud Routers and BGP sessions, each Cloud Router maintains its own independent routing table. When a tunnel fails, the BGP session associated with that Cloud Router goes down, causing all routes learned via that session to be withdrawn. Even though the on-premises router continues to advertise the routes, the Cloud Router that lost its BGP session will no longer have those routes in its routing table.

Traffic destined to subnets that were only reachable through the failed tunnel will be dropped because the remaining Cloud Router does not have a route for those subnets.

Exam trap

Google Cloud often tests the misconception that active/active HA VPN provides full redundancy for all routes, but in reality, each Cloud Router independently learns routes, and a tunnel failure only drops traffic to subnets unique to that tunnel's BGP session.

How to eliminate wrong answers

Option A is wrong because BGP does not automatically restore a failed tunnel; the tunnel is a separate VPN construct that must be re-established by the underlying IPsec/IKE mechanisms, and BGP only re-establishes the session after the tunnel is up. Option B is wrong because there is no secondary BGP session to failover to; each Cloud Router runs its own independent BGP session, and the failure of one tunnel does not trigger a failover to another session on the same router. Option D is wrong because not all traffic will continue to flow; only traffic to subnets that are reachable via both tunnels will continue, while traffic to subnets unique to the failed tunnel will be dropped.

22
MCQhard

A company connects their on-premises data center to Google Cloud via Dedicated Interconnect. They have two VLAN attachments (VLAN-A and VLAN-B) to a single VPC. They use BGP over the VLAN attachments with Cloud Router. Both VLAN attachments are in the same region. They want to use both links for active-active traffic and have redundancy. Which BGP configuration is correct?

A.Use a different BGP ASN for each VLAN attachment.
B.Use a single VLAN attachment and rely on link redundancy.
C.Set different MED values for each BGP session to load-balance.
D.Use the same BGP ASN and same MED for both VLAN attachments, and enable ECMP on Cloud Router.
AnswerD

Correct: this allows equal-cost multipath, active-active.

Why this answer

For active-active traffic with two VLAN attachments to the same VPC in the same region, you must use the same BGP ASN on both sessions and enable ECMP (Equal Cost Multi-Path) on Cloud Router. This allows Cloud Router to install multiple equal-cost routes from both BGP sessions, enabling load balancing across both links. Using the same MED value ensures the routes are considered equal, which is required for ECMP to function correctly.

Exam trap

Google Cloud often tests the misconception that different BGP ASNs or MED values are needed for load balancing, but in Google Cloud's Dedicated Interconnect with Cloud Router, active-active requires identical ASN and MED plus explicit ECMP enablement.

How to eliminate wrong answers

Option A is wrong because using a different BGP ASN for each VLAN attachment would cause Cloud Router to treat the routes as coming from different autonomous systems, preventing ECMP from load-balancing across them; Cloud Router requires the same ASN to consider routes as equal-cost candidates. Option B is wrong because a single VLAN attachment does not provide link-level redundancy; you need two separate attachments to protect against failure of one attachment or its underlying circuit. Option C is wrong because setting different MED values would make one route preferred over the other, breaking active-active load balancing; ECMP requires equal MED values to treat routes as equal-cost.

23
MCQeasy

A company has two VPC networks in the same project: VPC-A (10.0.0.0/16) and VPC-B (172.16.0.0/16). They have established VPC peering between them. An instance in VPC-A needs to communicate with an instance in VPC-B on TCP port 443. What is the minimal firewall configuration needed?

A.Add an ingress firewall rule in VPC-B allowing traffic from 10.0.0.0/16 on port 443.
B.Add an ingress firewall rule in VPC-A allowing traffic from 172.16.0.0/16 on port 443.
C.Add a single firewall rule in the project with source 10.0.0.0/16 and destination 172.16.0.0/16 on port 443.
D.Add an egress firewall rule in VPC-A allowing traffic to 172.16.0.0/16 on port 443.
AnswerA

Ingress rule on the target network is required; default egress allows outbound from source.

Why this answer

Option A is correct because VPC peering does not automatically allow traffic; firewall rules must explicitly permit the desired communication. Since the instance in VPC-A initiates the connection to VPC-B, VPC-B's firewall must have an ingress rule allowing traffic from VPC-A's CIDR (10.0.0.0/16) on TCP port 443. This is the minimal configuration because egress rules in VPC-A are implicitly permissive by default in Google Cloud, and only the destination VPC's ingress needs to be opened.

Exam trap

Google Cloud often tests the misconception that VPC peering automatically opens all traffic between the peered networks, leading candidates to think no firewall rules are needed, or that egress rules must be added on the source side.

How to eliminate wrong answers

Option B is wrong because it adds an ingress rule in VPC-A for traffic from VPC-B, but the traffic flows from VPC-A to VPC-B, so VPC-A does not need to allow incoming traffic from VPC-B for this communication. Option C is wrong because Google Cloud firewall rules are applied per VPC network, not as a single project-level rule with both source and destination; they operate on ingress or egress direction, not as a bidirectional filter. Option D is wrong because egress rules in VPC-A are not needed; Google Cloud's default egress allow rule permits all outbound traffic unless explicitly overridden, and the minimal configuration only requires the ingress rule in VPC-B.

24
Multi-Selectmedium

You are a security engineer for a company that runs a critical application on Google Cloud. You need to implement defense in depth for network security. Which TWO of the following are effective network security controls that you should implement?

Select 2 answers
A.OS-level host-based firewalls on each VM
B.VPC firewall rules to restrict traffic between subnets
C.IAM roles to control who can create Compute Engine instances
D.Workload Identity Federation to allow workloads to authenticate to Google APIs
E.Cloud Armor to protect against DDoS and web application attacks
AnswersB, E

VPC firewall rules are a fundamental network security control to filter traffic.

Why this answer

VPC firewall rules (B) are a fundamental network security control that allow you to restrict traffic between subnets based on source/destination IP ranges, protocols, and ports. This implements network segmentation and micro-segmentation, which is a core principle of defense in depth. Cloud Armor (E) provides Web Application Firewall (WAF) capabilities and DDoS protection at the edge of Google's network, filtering malicious traffic before it reaches your VMs or load balancers.

Exam trap

Google Cloud often tests the distinction between network security controls (which filter traffic at the network layer) and host/identity/authentication controls, so candidates mistakenly select IAM or Workload Identity Federation because they think 'access control' equals network security.

25
MCQmedium

A company notices that some Compute Engine instances are making unexpected outbound connections to suspicious IP addresses. They want to investigate the traffic patterns and identify the source of these connections. Which tool should they use?

A.Cloud Armor
B.Cloud IAM
C.VPC Flow Logs
D.Firewall Rules Insights
AnswerC

VPC Flow Logs record metadata about IP traffic to and from VMs.

Why this answer

VPC Flow Logs capture metadata about network traffic to and from Compute Engine instances, including source/destination IPs, ports, and protocols. By analyzing these logs, the company can identify the specific instances making unexpected outbound connections to suspicious IP addresses, enabling investigation of traffic patterns.

Exam trap

Google Cloud often tests the distinction between tools that log actual traffic (VPC Flow Logs) versus tools that enforce security policies (Cloud Armor) or manage rules (Firewall Rules Insights), leading candidates to confuse 'investigating traffic patterns' with 'blocking traffic' or 'optimizing rules'.

How to eliminate wrong answers

Option A is wrong because Cloud Armor is a web application firewall (WAF) that protects against layer 7 attacks like SQL injection and XSS, not a tool for capturing or analyzing outbound traffic logs. Option B is wrong because Cloud IAM manages access control and permissions for Google Cloud resources, not network traffic monitoring or logging. Option D is wrong because Firewall Rules Insights provides recommendations for optimizing firewall rules (e.g., identifying unused or overly permissive rules), but does not log or report actual traffic flows or connections to specific IP addresses.

26
MCQeasy

A security engineer needs to provide secure SSH access to a Compute Engine instance that has no external IP address. What is the recommended method?

A.Set up VPC peering with the instance's VPC.
B.Create a Cloud NAT to allow inbound SSH.
C.Add a firewall rule allowing SSH from any IP.
D.Use Identity-Aware Proxy (IAP) TCP forwarding.
AnswerD

IAP TCP forwarding establishes an encrypted tunnel to the instance via the IAP service.

Why this answer

Option D is correct because IAP TCP forwarding allows SSH to an instance without an external IP. Option B is wrong because Cloud NAT is for outbound internet access, not inbound SSH. Option A is wrong because VPC peering connects VPC networks to each other; it does not provide access to a single instance.

Option C is wrong because firewall rules alone cannot provide access if the instance has no external IP.

27
MCQmedium

A company has multiple VPC networks that need to communicate privately. They are evaluating VPC peering and Shared VPC. Which statement correctly describes a limitation of VPC peering compared to Shared VPC?

A.VPC peering cannot route traffic to an on-premises network via VPN
B.VPC peering does not support firewall rules
C.VPC peering does not support transitive peering
D.VPC peering requires all networks to be in the same project
AnswerC

This is a key limitation. Shared VPC lets all service projects attached to the same host project communicate directly over the shared network.

Why this answer

VPC peering does not support transitive peering, meaning if networks A and B are peered, and A and C are peered, B cannot communicate with C through A. Shared VPC does not have this limitation.

28
MCQhard

A company has a VPC with a subnet (10.1.0.0/24) in us-central1. They have a Cloud NAT configured for outbound traffic to the internet. They want instances in this subnet to access a third-party API that is only accessible over the internet and requires a specific static source IP for whitelisting. What is the recommended approach?

A.Assign external IPs to the instances and use network-level access controls.
B.Use Private Google Access to route traffic through Google's network.
C.Reserve a static NAT IP in Cloud NAT and whitelist that IP with the third party.
D.Configure a VPC Service Controls perimeter to restrict egress.
AnswerC

Cloud NAT can use a static external IP that is consistent and can be whitelisted.

Why this answer

Cloud NAT allows instances without external IPs to initiate outbound connections to the internet. By reserving a static NAT IP address in Cloud NAT, you ensure all outbound traffic from the subnet uses a consistent source IP, which can be whitelisted by the third-party API. This meets the requirement for a static source IP without assigning external IPs to individual instances.

Exam trap

The trap here is that candidates may confuse Private Google Access (which only works for Google APIs) with general internet egress, or assume that assigning ephemeral external IPs is sufficient for static whitelisting, ignoring that ephemeral IPs can change on instance restart or stop/start.

How to eliminate wrong answers

Option A is wrong because assigning external IPs to instances would expose them directly to the internet, increasing the attack surface, and does not guarantee a static source IP unless static external IPs are used and managed per instance, which is less scalable and secure than Cloud NAT. Option B is wrong because Private Google Access is designed for accessing Google APIs and services through Google's internal network, not for routing traffic to third-party internet APIs; it does not provide a static source IP for external destinations. Option D is wrong because VPC Service Controls perimeters are used to restrict data exfiltration from Google Cloud services (e.g., Cloud Storage, BigQuery) and do not control outbound internet traffic from compute instances to third-party APIs.

29
MCQhard

Refer to the exhibit. A developer created the firewall rule to allow HTTPS traffic from the API service account to instances tagged 'api-instances'. However, HTTPS requests from the API server (which runs on an instance with tag 'api-instances' and uses the default compute engine service account) are failing. What is the most likely cause?

A.The rule should have a higher priority to override the default implicit deny.
B.The source instance is using the default compute engine service account, not the specified api-sa.
C.The direction should be EGRESS because the traffic originates from the API server.
D.The rule should use sourceTags instead of sourceServiceAccounts to match the source instance.
AnswerB

This service account mismatch means the source does not match the rule's sourceServiceAccounts, so the traffic is not allowed.

Why this answer

Option B is correct because the firewall rule explicitly specifies the source as the API service account (api-sa), but the API server is using the default compute engine service account. In Google Cloud, firewall rules that use sourceServiceAccounts match traffic based on the service account attached to the source instance, not the instance's tags or the service account used by the application. Since the source instance's service account does not match the rule's specified service account, the HTTPS traffic is implicitly denied.

Exam trap

Google Cloud often tests the distinction between service account identity and instance tags, tricking candidates into thinking that tagging the source instance or using the default service account will satisfy a rule that explicitly specifies a different service account.

How to eliminate wrong answers

Option A is wrong because the default implicit deny rule has the lowest priority (65535) and any explicit rule with a higher priority (lower number) will override it; the issue is not about priority but about a mismatch in the source service account. Option C is wrong because the direction should be INGRESS, not EGRESS: the traffic originates from the API server (source) and is destined for instances tagged 'api-instances' (destination), so it is evaluated as incoming traffic at the target; egress rules govern traffic leaving an instance, not the requests arriving at it. Option D is wrong because the rule already matches the destination instances via targetTags, while the source is specified via sourceServiceAccounts; switching the source to sourceTags would not solve the service account mismatch and would not match the source instance's identity.

30
MCQmedium

A company has deployed an internal HTTP Load Balancer (ILB) in us-west1 within a Shared VPC. The host project contains the ILB's forwarding rule and the backend service. The backend instances are Compute Engine VMs running in a service project in us-east1. The health checks for the ILB are consistently failing with 'unhealthy' status. The firewall rules in the host project allow ingress from the Google Cloud health checker ranges (130.211.0.0/22 and 35.191.0.0/16) on TCP port 80 to all VMs in the VPC. The backend VMs are running a web server listening on port 80. What is the most likely cause of the health check failures?

A.The ILB's forwarding rule and backends are in different regions.
B.The health checker firewall rule is not applied to the service project.
C.The backend VMs are not in the same project as the ILB.
D.The backend VMs do not have the correct IAM permissions for the ILB.
AnswerA

ILB requires backends to be in the same region as the forwarding rule; otherwise health checks fail.

Why this answer

The internal HTTP Load Balancer (ILB) in Google Cloud requires that the forwarding rule, backend service, and backend instances all reside in the same region. In this scenario, the ILB is deployed in us-west1, but the backend VMs are in us-east1. Cross-region backends are not supported for ILBs, causing health checks to fail because the load balancer cannot route traffic or verify health across regions.

Exam trap

Google Cloud often tests the misconception that health check failures are always due to firewall rules or IAM, when the real issue is the regional constraint of internal load balancers.

How to eliminate wrong answers

Option B is wrong because firewall rules in a Shared VPC are applied at the VPC level (host project) and propagate to all service projects; the health checker ranges are already allowed, so the service project does not need separate rules. Option C is wrong because ILBs in a Shared VPC can have backends in a service project; the backend VMs being in a different project is not inherently a problem. Option D is wrong because IAM permissions are not required for backend VMs to respond to health checks; health checks are network-layer probes that only require the VM to be reachable and listening on the specified port.

31
MCQhard

Your organization has a security requirement that all traffic to and from Compute Engine instances must be logged and analyzed. You have enabled VPC Flow Logs for all subnets. However, you notice that flow logs are not capturing all traffic between instances in the same subnet. What is the most likely reason?

A.VPC Flow Logs must be enabled on each individual instance, not on subnets.
B.VPC Flow Logs only capture traffic that crosses subnet boundaries.
C.Traffic to the metadata server (169.254.169.254) is not captured by VPC Flow Logs.
D.VPC Flow Logs sample only 1 out of 10 packets by default.
AnswerC

Metadata server traffic is not captured to reduce noise.

Why this answer

VPC Flow Logs do not capture traffic to the metadata server (169.254.169.254) because that traffic is considered internal infrastructure communication and is excluded from flow log collection by design. This is a documented limitation in Google Cloud, and it explains why some traffic between instances in the same subnet—such as metadata queries—is missing from the logs.

Exam trap

Google Cloud often tests the misconception that VPC Flow Logs capture all traffic, including metadata server communication, when in fact metadata traffic is explicitly excluded from flow log collection.

How to eliminate wrong answers

Option A is wrong because VPC Flow Logs are enabled at the subnet level, not per instance; once enabled on a subnet, all VM instances in that subnet are automatically covered. Option B is wrong because VPC Flow Logs capture traffic within a subnet (east-west) as well as traffic crossing subnet boundaries; they are not limited to cross-subnet traffic. Option D is wrong because VPC Flow Logs sample 1 out of 10 packets only for the 'sampled' metadata field, but all connections are still logged; the sampling does not cause entire flows to be missing.

32
MCQhard

A company has a VPC with two subnets: subnet-a (10.0.1.0/24) and subnet-b (10.0.2.0/24). They have a firewall appliance (internal IP 10.0.1.100) that inspects all traffic between subnets. They configure a policy-based route to redirect traffic from subnet-a to subnet-b to the appliance. However, traffic from subnet-a to subnet-b still goes directly. What is missing?

A.Compute Engine instances must have a custom route table to use policy-based routes.
B.A VPC route with priority 1000 (direct routing between subnets) is overriding the policy-based route with a lower priority.
C.A firewall rule is required to allow traffic to be redirected to the appliance.
D.The policy-based route must have the next hop IP set to the appliance's external IP.
AnswerB

The default VPC routes have priority 1000; if the policy-based route has a higher priority number, it is overridden.

Why this answer

Option B is correct because VPCs have an implicit default route for subnet-to-subnet traffic with a priority of 1000, which is higher than the priority of a policy-based route (typically 2000). Since the policy-based route has a lower priority (higher numerical value), the default route takes precedence, causing traffic to bypass the firewall appliance. To override this, the policy-based route must have a priority lower than 1000 (e.g., 500) to be preferred.

Exam trap

Google Cloud often tests the misconception that policy-based routes automatically override default VPC routes, but the trap is that the default subnet-to-subnet route has a higher priority (1000) than the policy-based route (2000), so candidates must remember to set a lower priority on the policy-based route to make it effective.

How to eliminate wrong answers

Option A is wrong because Compute Engine instances do not require custom route tables; policy-based routes are applied at the VPC level and affect all instances in the source subnet without needing per-instance configuration. Option C is wrong because firewall rules control whether traffic is allowed or denied, not the routing path; the issue is about route selection, not firewall permissions. Option D is wrong because the next hop for a policy-based route redirecting traffic to an internal appliance must be the appliance's internal IP (10.0.1.100), not its external IP, as traffic between subnets stays within the VPC and does not traverse the internet.

33
Multi-Selecteasy

Which TWO of the following are benefits of using Cloud NAT? (Choose TWO.)

Select 2 answers
A.Cloud NAT provides inbound port forwarding to instances.
B.Cloud NAT can be used to enable connectivity between VPC networks via VPN.
C.Instances without external IP addresses can connect to the internet.
D.Inbound connections from the internet are blocked unless explicitly allowed.
E.Cloud NAT automatically provides high availability across zones.
AnswersC, D

Cloud NAT enables outbound-only internet access for private instances.

Why this answer

Cloud NAT allows instances without external IP addresses to initiate outbound connections to the internet, translating their private IPs to a single public IP or a range. This is a core benefit because it enables secure outbound internet access without exposing instances to inbound traffic.

Exam trap

Google Cloud often tests the misconception that Cloud NAT provides inbound port forwarding or automatic high availability, but in reality it is strictly an outbound SNAT service that requires manual configuration for redundancy.

34
Multi-Selectmedium

You are designing VPC firewall rules for a multi-tier application. Which TWO considerations are important when creating firewall rules in terms of security and manageability? (Choose TWO.)

Select 2 answers
A.Network tags are not recommended for large deployments because they require managing many tags.
B.Use hierarchical firewall policies to enforce baseline rules across all VPCs in the organization.
C.Use service accounts or network tags to target rules, rather than source CIDR, where possible for dynamic environments.
D.Enable firewall rules logging for all rules to ensure full auditability.
E.Always specify the target region for firewall rules to limit the scope.
AnswersB, C

Hierarchical policies provide centralized management and consistent enforcement.

Why this answer

Options B and C are correct. Using service accounts and tags allows dynamic rule targeting, and hierarchical firewall policies centralize management. Option A is wrong because network tags are effective for large deployments.

Option E is wrong because global rules apply across regions, which is often desired. Option D is wrong because logging all rules may create excessive logs; only log important rules.

35
MCQeasy

A security engineer wants to block all SSH access from the internet to a VPC network, except for a specific bastion host. What is the most efficient way to configure this?

A.Create a firewall rule allowing SSH only from the bastion host's IP and rely on the implicit deny
B.Create a firewall rule with deny SSH from 0.0.0.0/0 and a higher priority rule allowing SSH from the bastion host's IP
C.Use a service perimeter
D.Create a firewall rule denying SSH from all IPs except the bastion host using the 'except' sources
AnswerA

Since the implicit deny blocks all other traffic, this single rule is sufficient.

Why this answer

Option A is correct because VPC firewall rules end with an implied deny-all ingress rule (priority 65535). A single allow rule for TCP/22 from the bastion's address leaves every other SSH source to that implied deny, with the smallest rule count and no priority interplay. One check before relying on it: if the network is the auto-created `default` network, delete the pre-populated `default-allow-ssh` rule, which allows TCP/22 from 0.0.0.0/0 at priority 65534 and would otherwise let internet SSH through.

Exam trap

Google Cloud often tests the misconception that you need an explicit deny rule to block traffic, when in fact the implicit deny at the end of the firewall rule evaluation order already blocks all traffic not explicitly allowed.

How to eliminate wrong answers

Option B is wrong because it introduces an unnecessary explicit deny rule for SSH from 0.0.0.0/0; the implicit deny already blocks all traffic not explicitly allowed, so the explicit deny adds no value and increases rule complexity. Option C is wrong because a service perimeter (VPC Service Controls) is designed to restrict data exfiltration from Google Cloud services, not to control network-level access like SSH to compute instances. Option D is wrong because VPC firewall rules do not support an 'except' syntax for sources; you cannot specify a deny rule with an exclusion list—you must use allow rules with specific source IPs.

36
Multi-Selectmedium

Which TWO of the following are valid reasons to enable VPC Flow Logs? (Choose two.)

Select 2 answers
A.To log Cloud NAT translations for audit purposes
B.To detect and block DDoS attacks at the network layer
C.To enforce firewall rules automatically based on traffic patterns
D.To perform network forensics after a security incident
E.To troubleshoot connectivity issues between VMs
AnswersD, E

Correct: logs provide source/dest information.

Why this answer

Option D is correct because VPC Flow Logs capture metadata about IP traffic going to and from network interfaces in a VPC, including source/destination IPs, ports, protocols, and packet/byte counts. This historical data is essential for post-incident network forensics, allowing you to trace the path of malicious traffic, identify compromised hosts, and reconstruct the timeline of an attack. Without flow logs, you would lack the granular traffic records needed for such analysis. Option E is correct for the same reason on the operations side: when a flow appears in the sending VM's records but not in the receiving VM's, the drop sits between them (routing or firewall), and firewall rules logging then shows which rule; when both sides show the flow, the problem is in the guest.

Exam trap

Google Cloud often tests the distinction between passive logging (VPC Flow Logs) and active security controls (e.g., Cloud Armor, firewall rules), leading candidates to mistakenly think flow logs can block traffic or enforce policies.

37
Matchingmedium

Match each encryption scope to its description.

Encryption in transit: data protected while traveling over networks
Encryption at rest: data protected when stored on disk
Customer-supplied encryption keys (CSEK): customer-supplied encryption keys for Google Cloud resources
Customer-managed encryption keys (CMEK): customer-managed encryption keys via Cloud KMS
Google default encryption: Google-managed encryption keys for all data at rest

Why these pairings

The first two are encryption scopes (where the data is when it is protected); the last three are the key management options for data at rest, ordered from most to least customer control: keys you supply with each request (CSEK), keys you own in Cloud KMS that Google uses on your behalf (CMEK), and the default keys Google manages entirely.

38
MCQeasy

A company has configured a VPC firewall rule to allow HTTP traffic from a specific source IP range 203.0.113.0/24. However, HTTP requests from that range are being denied. Which initial verification should the security engineer perform?

A.Check if the source range overlaps with a deny rule
B.Check if the target instances have the correct network tag
C.Check the rule priority
D.Check the rule direction (ingress vs egress)
AnswerD

A firewall rule must be ingress to allow incoming traffic. If it is egress, it won't allow inbound connections.

Why this answer

Option D is correct because direction is the first thing that decides whether a rule can ever match. An egress rule applies to traffic leaving the instance, so a rule created in the EGRESS direction can never match inbound HTTP from 203.0.113.0/24; the request falls through to the implied deny-ingress rule. Confirm it with `gcloud compute firewall-rules describe RULE_NAME --format="value(direction,sourceRanges,targetTags)"`: source ranges are only meaningful on INGRESS rules (EGRESS rules filter on destination ranges), so a rule meant to admit a source range must show INGRESS.

Exam trap

Google Cloud often tests the misconception that firewall rules are automatically bidirectional or that source IP range alone guarantees traffic flow, when in fact the direction attribute must match the traffic path (ingress for incoming requests).

How to eliminate wrong answers

Option A is wrong because overlapping deny rules would cause denial, but the question asks for the initial verification; checking for overlaps is secondary to confirming the rule is actually applied to the correct traffic direction. Option B is wrong because target tags are used to apply rules to specific VM instances, but the rule already specifies a source IP range; if the rule direction is wrong, even correctly tagged instances will not receive the traffic. Option C is wrong because rule priority determines which rule applies when multiple rules match, but if the rule is egress, it will never match ingress traffic regardless of priority.

39
MCQeasy

A company wants to use Cloud CDN to cache content from an HTTP Load Balancer. They have a custom domain and want to serve traffic over HTTPS. What must they configure on the load balancer?

A.Create an SSL certificate resource and attach it to the HTTPS target proxy.
B.Set up a backend bucket with a public certificate.
C.Upload a custom SSL certificate directly to the Cloud CDN configuration.
D.Enable HTTP to HTTPS redirect on the load balancer.
AnswerA

Correct: HTTPS load balancer requires SSL certificate on target proxy.

Why this answer

To serve HTTPS traffic with Cloud CDN and a custom domain, the load balancer must have an SSL certificate attached to its HTTPS target proxy. This is because Cloud CDN relies on the load balancer's target proxy to terminate TLS and present the certificate to clients. Creating an SSL certificate resource (either Google-managed or self-managed) and attaching it to the HTTPS target proxy is the required step.

Exam trap

Google Cloud often tests the misconception that Cloud CDN handles SSL certificates independently, when in fact the certificate must be attached to the load balancer's HTTPS target proxy, not configured within the CDN itself.

How to eliminate wrong answers

Option B is wrong because a backend bucket stores content but does not handle SSL termination; certificates must be attached to the HTTPS target proxy, not to the bucket. Option C is wrong because Cloud CDN does not accept SSL certificates directly; certificates are managed at the load balancer level via the target proxy. Option D is wrong because HTTP-to-HTTPS redirect is a separate feature that does not provide the SSL certificate needed for HTTPS termination; it only redirects HTTP traffic to HTTPS.

40
Multi-Selectmedium

A security engineer is configuring VPC Service Controls to protect a Google Cloud project containing sensitive data. The project contains Compute Engine instances, Cloud Storage buckets, and BigQuery datasets. The perimeter is defined with the project as a protected project. Which TWO actions are valid to restrict data exfiltration while maintaining necessary access?

Select 2 answers
A.Use VPC Service Controls to block access to the Compute Engine metadata server to prevent credential extraction.
B.Configure the service perimeter to allow access from the VPC network where the Compute Engine instances reside using private Google access.
C.Create an access level that restricts access to only the IP ranges of the corporate network. Apply the access level to the service perimeter.
D.Create a service perimeter that includes all Google Cloud projects in the organization to simplify management.
E.Use VPC Service Controls to restrict access based on network tags on Compute Engine instances.
AnswersB, C

Private Google access allows on-premises or VM instances to access Google APIs within the perimeter.

Why this answer

Option B is correct because the perimeter can admit requests that arrive from Google's network through Private Google Access: VMs without external IPs reach the protected APIs over Google's backbone (through the API endpoints or the restricted.googleapis.com VIP, never the public internet), so the VPC becomes part of the trusted boundary while Compute Engine instances keep reaching Cloud Storage and BigQuery inside the perimeter. Option C is correct because an access level built on the corporate IP ranges lets on-premises users in while the perimeter rejects requests from anywhere else; access levels are the perimeter's mechanism for granting ingress by source attribute.

Exam trap

Google Cloud often tests the misconception that VPC Service Controls can block the metadata server or use instance-level tags, when in reality they operate at the project and VPC network level and do not interact with instance metadata or tags.

41
MCQhard

A company uses Shared VPC in a host project with multiple service projects. The security team wants to ensure that all traffic between service projects is inspected by a third-party firewall appliance deployed in the host project. Which configuration should be implemented?

A.Enable Cloud NAT on each service project and configure a default route to the firewall appliance.
B.Set up VPC network peering between service projects and route traffic through the host project via a VPN tunnel.
C.Create a policy-based route in the host project that matches traffic between service project subnets and has a next hop to the firewall appliance's internal IP.
D.Create a firewall rule in the host project that allows traffic between service projects only if the source is the firewall appliance.
AnswerC

Policy-based routes can direct specific inter-subnet traffic to a next-hop instance for inspection.

Why this answer

Option C is correct because a policy-based route in the host project can match traffic based on source and destination subnets from different service projects and force that traffic to be forwarded to the next-hop IP of the third-party firewall appliance. This ensures all inter-service-project traffic is inspected by the firewall, as the route overrides the default VPC routing behavior within the Shared VPC environment.

Exam trap

Google Cloud often tests the distinction between firewall rules (which filter traffic) and routes (which direct traffic); the trap here is that candidates mistakenly think a firewall rule can force traffic through an appliance, when in fact only a route can change the path traffic takes.

How to eliminate wrong answers

Option A is wrong because Cloud NAT is used for outbound internet access from private instances, not for directing inter-service-project traffic through a firewall; it does not provide a mechanism to route traffic between service projects via a third-party appliance. Option B is wrong because VPC network peering does not support transitive routing; traffic between peered VPCs cannot be routed through a third VPC (the host project) without additional complex configurations like VPN tunnels, and even then, it would not inherently force inspection by a firewall in the host project. Option D is wrong because a firewall rule only controls which traffic is allowed or denied based on source/destination/port, but it does not route traffic; it cannot force traffic to go through the firewall appliance—it only permits or blocks traffic that is already routed.

42
Multi-Selecteasy

A company is migrating workloads to Google Cloud and wants to ensure that their VPC network is secure by default. Which two best practices should they follow? (Choose two.)

Select 2 answers
A.Remove the default firewall rules that allow all egress
B.Use Shared VPC for all projects
C.Create a firewall rule to deny all ingress except specific ports
D.Enable VPC Flow Logs
E.Use private IP addresses for instances
AnswersA, E

The implied allow-egress rule is permissive; overriding it enforces least privilege.

Why this answer

Option A is correct in substance: every VPC carries an implied egress rule that allows all outbound traffic to 0.0.0.0/0 (all instances, all protocols). It is not a deletable rule, so in practice you override it with an explicit deny-egress rule at a higher priority (lower number) and add narrow allow-egress rules for the destinations that are actually required (Google APIs, package mirrors, approved endpoints). That limits exfiltration paths and follows least privilege. Option E is correct because instances with only internal IPs are not reachable from the internet at all; pair them with Cloud NAT for outbound needs and Private Google Access for Google APIs.

Exam trap

Google Cloud often tests the misconception that the default VPC firewall rules are secure by default, but the trap here is that the default egress rule is permissive (allow all), not restrictive, so candidates may overlook the need to remove or override it.

43
MCQhard

A company is deploying a firewall appliance in a VPC to inspect traffic. They create custom routes to direct traffic to the appliance. Which step is necessary to ensure the appliance can forward traffic back?

A.Enable IP forwarding on the appliance instance
C.Configure the appliance as a next hop in a route
D.Assign a public IP to the appliance
AnswerA

This allows the instance to forward packets it receives.

Why this answer

Option A is correct because a next-hop VM has to be allowed to handle packets that are not addressed to it, and on Google Cloud that takes two settings. The instance must be created with IP forwarding enabled (the `canIpForward` property, `--can-ip-forward` in gcloud), or the VPC drops packets whose destination is not the VM's own address before the guest ever sees them; and the guest kernel must forward between interfaces (`net.ipv4.ip_forward=1` on Linux). Without both, traffic that the routes steer to the appliance is simply dropped.

Exam trap

Google Cloud often tests the distinction between routing configuration (next-hop routes) and the OS-level requirement to actually forward packets, trapping candidates who assume that adding a route alone is sufficient for the appliance to process traffic.

How to eliminate wrong answers

Option B is wrong because a load balancer distributes traffic across targets; it does not enable an individual instance to forward packets and is not a substitute for IP forwarding on the appliance. Option C is wrong because the route is what steers traffic to the appliance, and the question already has the routes in place; a route does nothing to let the VM forward what arrives. Option D is wrong because an external IP only makes the instance reachable from the internet; it has no effect on `canIpForward` or on the kernel's forwarding setting.
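The three checks behind this answer (the instance-level `canIpForward` flag, the guest kernel's `net.ipv4.ip_forward`, and a route that actually steers traffic to the appliance), as an added example that is not Google's code or code from this page. The instance and route JSON are constructed stand-ins for `gcloud ... --format=json` output; the kernel check only returns a value on Linux and would be run on the appliance itself.

```python
import json
from pathlib import Path

# Constructed stand-in for `gcloud compute instances describe fw-appliance --format=json`
APPLIANCE_JSON = """{
  "name": "fw-appliance",
  "canIpForward": false,
  "networkInterfaces": [{"networkIP": "10.0.0.10", "subnetwork": ".../subnetworks/inspect"}]
}"""

# Constructed stand-in for `gcloud compute routes list --format=json`; the VPC's
# own default route has priority 1000, so a steering route needs a lower number.
ROUTES_JSON = """[
  {"name": "default-route", "destRange": "0.0.0.0/0", "priority": 1000,
   "nextHopGateway": ".../gateways/default-internet-gateway"},
  {"name": "inspect-egress", "destRange": "0.0.0.0/0", "priority": 900,
   "nextHopIp": "10.0.0.10", "tags": ["inspected"]}
]"""


def os_ip_forwarding(proc_path="/proc/sys/net/ipv4/ip_forward"):
    """Kernel-side check: True/False from the sysctl, or None when not on Linux."""
    p = Path(proc_path)
    return p.read_text().strip() == "1" if p.exists() else None


def appliance_problems(instance_json, routes_json, os_forwarding):
    """Return the list of things that still stop the VM from acting as a next hop."""
    inst = json.loads(instance_json)
    routes = json.loads(routes_json)
    nic_ips = {n["networkIP"] for n in inst["networkInterfaces"]}
    problems = []
    if not inst.get("canIpForward", False):
        problems.append("canIpForward=false: Compute Engine drops packets not addressed "
                        "to the VM's own IP; create the instance with --can-ip-forward")
    if os_forwarding is False:
        problems.append("net.ipv4.ip_forward=0: the kernel will not forward between "
                        "interfaces; set sysctl net.ipv4.ip_forward=1")
    steering = [r for r in routes if r.get("nextHopIp") in nic_ips]
    if not steering:
        problems.append("no route uses the appliance IP as nextHopIp; nothing is steered to it")
    elif all(r["priority"] >= 1000 for r in steering):
        problems.append("steering route does not win over the default route (priority 1000); "
                        "give it a lower priority number")
    return problems


if __name__ == "__main__":
    for p in appliance_problems(APPLIANCE_JSON, ROUTES_JSON, os_ip_forwarding()):
        print("-", p)
```

Run on the appliance after fetching the real `describe` and `routes list` output; an empty list means the VPC side and the guest side both agree the VM may forward. The tag on the steering route limits which instances are inspected, which is usually what you want for a staged rollout.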

44
MCQhard

A security team wants to mirror all traffic from a critical VM to a network intrusion detection system (NIDS) appliance running in the same VPC. They need to ensure that the NIDS receives both ingress and egress traffic, and that the original traffic is not impacted. Which solution should they implement?

A.Apply a network tag to the VM and create a firewall rule to copy traffic to the NIDS.
B.Configure the VM to use the NIDS as a proxy for all traffic.
C.Enable VPC Flow Logs on the VM's subnet and forward logs to the NIDS.
D.Create a packet mirroring policy that mirrors traffic from the VM to the NIDS instance.
AnswerD

Correct: Packet Mirroring copies packets for inspection without affecting live traffic.

Why this answer

Packet Mirroring is the correct solution because it copies every ingress and egress packet of the mirrored VM's network interface, payload included, to a collector without touching the original flow. In Google Cloud the packet mirroring policy names the mirrored sources (instances, network tags, or whole subnets), an optional filter (protocols, CIDR ranges, direction), and a collector destination, which is an internal passthrough Network Load Balancer fronting the NIDS instances in the same region. The mirrored VM's connectivity is unchanged; the copies do count against its egress bandwidth, which is a capacity consideration rather than a connectivity one.

Exam trap

Google Cloud often tests the distinction between traffic mirroring (which copies packets) and flow logs (which only log metadata), leading candidates to mistakenly choose VPC Flow Logs because they assume 'logs' provide full traffic visibility.

How to eliminate wrong answers

Option A is wrong because network tags and firewall rules in a VPC can only filter or forward traffic based on IP addresses and ports, but they cannot copy or mirror traffic; they either allow or deny traffic, not duplicate it. Option B is wrong because configuring the VM to use the NIDS as a proxy would require all traffic to be routed through the NIDS, which introduces a single point of failure, adds latency, and alters the original traffic path, violating the requirement to not impact the original traffic. Option C is wrong because VPC Flow Logs capture metadata (e.g., source/destination IP, ports, protocol) but not the actual packet payloads, so the NIDS cannot inspect the full traffic content for intrusion detection.

45
MCQmedium

A security engineer is troubleshooting connectivity issues between two Compute Engine instances in the same VPC but in different subnets. Both instances have internal IPs and are in the same region. The firewall rules allow ingress from 10.0.0.0/8. However, traffic is failing. What is the most likely cause?

A.The instances are using external IPs and the source IP is being NATed.
B.The VPC has dynamic routing mode set to global, causing routing conflicts.
C.The ingress firewall rule is applied to a network tag that is not assigned to the destination instances.
D.There is a firewall rule with a lower priority that denies egress traffic between subnets.
AnswerC

Firewall rules are applied to instances via tags or service accounts; missing tag would block traffic.

Why this answer

Option C is correct because firewall rules in Google Cloud VPC are applied to the destination instance based on network tags, not just the subnet or IP range. If the ingress rule allowing traffic from 10.0.0.0/8 is configured with a target tag that is not assigned to the destination Compute Engine instances, the rule will not apply, and traffic will be dropped. This is a common misconfiguration when using tags to selectively apply firewall rules.

Exam trap

Google Cloud often tests the misconception that firewall rules applied to a subnet or IP range automatically apply to all instances in that subnet, when in reality, network tags are required to target specific instances unless the rule is applied to all instances (target = 'all instances').

How to eliminate wrong answers

Option A is wrong because the question states both instances have internal IPs, and traffic between internal IPs in the same VPC does not go through NAT; NAT only applies when using external IPs or Cloud NAT. Option B is wrong because dynamic routing mode (regional vs. global) affects route advertisement for hybrid connectivity, not internal VPC routing between subnets in the same region; VPC internal routing is always automatic and does not cause conflicts. Option D is wrong because egress traffic between subnets in the same VPC is implicitly allowed by default; a deny egress rule would need to be explicitly configured, and the question does not mention any such rule, making this unlikely.

46
MCQmedium

A company needs to securely connect two VPC networks from different projects in the same organization. Each VPC has overlapping IP ranges (10.0.0.0/16). They require high throughput and low latency. What is the recommended approach?

A.Re-IP one of the VPC networks to a non-conflicting range and then use VPC Network Peering.
B.Use Dedicated Interconnect to directly connect the two VPCs.
C.Use VPC Network Peering.
D.Use HA VPN with dynamic routing.
AnswerA

Re-IPing resolves the overlap and allows peering, which provides high throughput and low latency.

Why this answer

Option A is correct because VPC Network Peering requires non-overlapping IP ranges to establish direct connectivity. By re-IPing one VPC to a non-conflicting range (e.g., 10.1.0.0/16), you eliminate the routing conflict, allowing peering to provide high throughput and low latency over Google's internal backbone, with throughput bounded only by the VMs' own egress limits and no single point of failure.

Exam trap

Google Cloud often tests the misconception that VPC Network Peering can handle overlapping IP ranges if you use custom route tables or subnets, but in reality, peering requires non-overlapping CIDRs at the VPC level, and no workaround exists within the peering construct itself.

How to eliminate wrong answers

Option B is wrong because Dedicated Interconnect is a hybrid connectivity solution for on-premises to VPC, not for VPC-to-VPC connections within the same organization; it also does not resolve overlapping IP ranges. Option C is wrong because VPC Network Peering is refused when the VPCs have overlapping subnet ranges: both sides would import the same prefix and traffic could not be forwarded unambiguously. Option D is wrong because HA VPN does not solve the overlap either; the two 10.0.0.0/16 ranges would still collide in the route tables unless NAT is inserted on one side, and the tunnel adds encryption overhead, higher latency, and per-tunnel throughput limits that peering does not have, so it fails the high-throughput, low-latency requirement.
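The overlap check that peering performs, and a re-IP plan for the conflicting side, as an added example (not code from the page or from Google). The two subnet inventories are constructed; in practice they come from `gcloud compute networks subnets list` and must also include secondary ranges, which the peering check covers as well.

```python
import ipaddress

# Constructed subnet inventories for the two VPCs (subnet name -> primary range)
VPC_A = {"prod-us": "10.0.0.0/16", "prod-eu": "10.2.0.0/16"}
VPC_B = {"analytics": "10.0.0.0/16", "tools": "172.16.0.0/20"}


def overlapping_subnets(vpc_a, vpc_b):
    """Pairs of subnet names whose ranges overlap. Peering is refused while this
    list is non-empty, because both VPCs would import the same prefix."""
    return [(na, nb)
            for na, ra in vpc_a.items()
            for nb, rb in vpc_b.items()
            if ipaddress.ip_network(ra).overlaps(ipaddress.ip_network(rb))]


def re_ip_plan(vpc_a, vpc_b, candidate_pool="10.0.0.0/8", prefixlen=16):
    """Keep vpc_b's non-conflicting subnets and give each conflicting one the
    first block from candidate_pool that overlaps nothing already in use on
    either side (including blocks handed out earlier in the same plan)."""
    conflicts = {nb for _, nb in overlapping_subnets(vpc_a, vpc_b)}
    in_use = [ipaddress.ip_network(r) for r in vpc_a.values()]
    in_use += [ipaddress.ip_network(r) for n, r in vpc_b.items() if n not in conflicts]
    candidates = ipaddress.ip_network(candidate_pool).subnets(new_prefix=prefixlen)
    plan = dict(vpc_b)
    for name in sorted(conflicts):
        for block in candidates:          # a generator, so no block is offered twice
            if not any(block.overlaps(u) for u in in_use):
                plan[name] = str(block)
                in_use.append(block)
                break
        else:
            raise ValueError(f"no free /{prefixlen} left in {candidate_pool} for {name}")
    return plan


if __name__ == "__main__":
    print("conflicts:", overlapping_subnets(VPC_A, VPC_B))
    print("plan for VPC B:", re_ip_plan(VPC_A, VPC_B))
```

Feed the plan into the subnet re-creation, then re-run `overlapping_subnets` against both inventories (plus any ranges each VPC already imports from other peerings or VPN tunnels, since those are exported to the new peer too) before creating the peering.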

47
MCQeasy

A company uses Cloud Armor to protect their HTTP Load Balancer from DDoS attacks. They want to block requests from a specific malicious IP address range, 203.0.113.0/24. Which Cloud Armor policy configuration should they use?

A.Create an allow rule with source IP condition for their own IP ranges and rely on default deny.
B.Create a rule with a 'source-ip' tag set to 'malicious' and assign to the load balancer.
C.Create a deny rule with priority 1000000 for the IP range.
D.Create a deny rule with a source IP condition for 203.0.113.0/24 and set priority to 1000.
AnswerD

Correct: deny rule blocks; priority 1000 is higher than default rules.

Why this answer

Option D is correct because Cloud Armor security policies use priority-based rules, where lower numbers indicate higher priority. A deny rule with priority 1000 for the specific IP range 203.0.113.0/24 ensures that traffic from that range is blocked before any lower-priority allow rules are evaluated. This is the standard method to block specific IP ranges while allowing other traffic.

Exam trap

Google Cloud often tests the misconception that higher priority numbers mean higher precedence, or that a default deny rule is automatically in place, leading candidates to choose a low-priority deny rule that would be ineffective.

How to eliminate wrong answers

Option A is wrong because Cloud Armor's default rule is whatever you set it to (allow, unless changed); turning the policy into an allowlist of your own ranges with a deny default would block every legitimate client, far broader than blocking one malicious range. Option B is wrong because there is no 'source-ip' tag; Cloud Armor rules match on IP ranges or rule-language expressions, not on labels. Option C is wrong because a deny rule at priority 1000000 is evaluated after every rule with a lower number, so any allow rule in between admits the traffic first; the only rule it is sure to precede is the default rule at priority 2147483647.

48
MCQeasy

An engineer has enabled Private Google Access on the subnet. However, instances in the subnet cannot access Google APIs (e.g., storage.googleapis.com) using their internal IPs. What is the most likely issue?

A.The instances need a public IP
B.The domain needs to be added to a DNS zone
C.Private Google Access requires a VPC connector
D.The instances have no route to the default internet gateway
AnswerB

Private Google Access needs the API hostname to resolve to addresses the VPC routes to the default internet gateway. Cloud DNS does that out of the box; a custom or on-premises resolver, or a VPC whose default route has been removed, needs a private zone for googleapis.com pointing at private.googleapis.com.

Why this answer

Private Google Access lets instances without external IPs reach Google APIs from their internal IPs, provided the request is sent to an address that the VPC routes to the default internet gateway. With Cloud DNS resolution and the standard 0.0.0.0/0 route, that works with the public addresses of storage.googleapis.com. If the instances use a custom or on-premises resolver, or the default route has been replaced by a narrow route to the private.googleapis.com VIP (199.36.153.8/30; the restricted.googleapis.com VIP used with VPC Service Controls is 199.36.153.4/30), the name must be mapped in a private Cloud DNS zone for googleapis.com (a `*.googleapis.com` CNAME to private.googleapis.com plus A records for the VIP). Otherwise the hostname resolves to public addresses with no usable route, or does not resolve at all, and the request fails. Option B identifies that missing DNS configuration.

Exam trap

Google Cloud often tests the misconception that Private Google Access requires an external IP or a VPC connector (Serverless VPC Access connectors serve Cloud Run and Cloud Functions, not Compute Engine), when the missing piece is usually name resolution: the API hostname must resolve to addresses the VPC routes to the default internet gateway.

How to eliminate wrong answers

Option A is wrong because Private Google Access exists precisely so that instances without external IPs can reach Google APIs; an external IP would bypass it rather than fix it. Option C is wrong because no connector is involved; Private Google Access is a subnet setting that works with the VPC's routes and DNS. Option D is wrong because the route requirement is ordinarily met by the standard 0.0.0.0/0 route to the default internet gateway, and where that route has been deleted, a narrower route for 199.36.153.8/30 (or 199.36.153.4/30 for the restricted VIP) to the default internet gateway suffices; with the subnet setting already enabled, name resolution is the more likely gap than a missing route.

49
MCQeasy

Your organization wants to ensure that no Compute Engine instance can have a public IP address. What is the best way to enforce this policy?

A.Use Cloud Audit Logs to monitor and alert on instances with public IPs
B.Use an Organization Policy with the constraint `compute.vmExternalIpAccess`
C.Use a firewall rule that blocks traffic from 0.0.0.0/0
D.Use a Service Perimeter from VPC Service Controls
AnswerB

Prevents creation of VMs with external IPs.

Why this answer

Option B is correct because the Organization Policy constraint `compute.vmExternalIpAccess` is a native Google Cloud policy that can be applied at the project, folder, or organization level to explicitly deny the assignment of external IP addresses to Compute Engine instances. This policy is enforced at the resource creation time, preventing any instance from being launched with a public IP, and it cannot be overridden by project-level IAM permissions, making it the most direct and effective enforcement mechanism.

Exam trap

The trap here is that candidates often confuse reactive monitoring (Cloud Audit Logs) or network-layer controls (firewall rules) with proactive policy enforcement, or they misapply VPC Service Controls, which are for data exfiltration prevention, not for controlling instance-level network interface configurations.

How to eliminate wrong answers

Option A is wrong because Cloud Audit Logs only provide monitoring and alerting after the fact; they do not prevent instances from being created with public IPs, so they cannot enforce a policy proactively. Option C is wrong because a firewall rule blocking traffic from 0.0.0.0/0 would prevent all inbound traffic from the internet, but it does not prevent the instance from having a public IP address assigned, and it would also block legitimate traffic that might be needed for other purposes; the instance would still have a public IP, violating the policy. Option D is wrong because a Service Perimeter from VPC Service Controls is designed to restrict data exfiltration from Google Cloud services like Cloud Storage or BigQuery, not to control whether Compute Engine instances have public IP addresses; it operates at the service perimeter level, not at the instance network interface level.
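The policy that enforces this answer, as an added example (not from the page), in the list-policy YAML accepted by `gcloud resource-manager org-policies set-policy`. The organization ID in the comment is a placeholder.

```yaml
# Added example: deny external IPs on every Compute Engine instance under the
# organization. Apply with
#   gcloud resource-manager org-policies set-policy policy.yaml --organization=ORG_ID
# (ORG_ID is a placeholder). To carve out named exceptions instead of denying
# everything, replace allValues with an allowedValues list whose entries have
# the form projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_NAME.
constraint: constraints/compute.vmExternalIpAccess
listPolicy:
  allValues: DENY
```

Once set, an instance create or update that requests an access config with an external address fails at the API, which is the proactive enforcement the question asks for; the audit log still records the denied attempt, so the two controls complement each other.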

50
Multi-Selectmedium

Your VPC has a default firewall rule that allows SSH (TCP port 22) from all sources. You need to allow HTTP traffic (TCP port 80) only from instances tagged 'web-servers' to the target instances, and block all other inbound traffic including SSH. Which TWO steps should you take?

Select 2 answers
A.Modify the default-allow-ssh rule to set its source filter to an empty range.
B.Create a firewall rule with priority 65535 allowing all traffic from 0.0.0.0/0.
C.Delete the default-allow-ssh rule.
D.Create a firewall rule with priority 1000 allowing ingress from instances with tag 'web-servers' on TCP port 80.
E.Create a firewall rule with priority 1000 allowing ingress from instances with tag 'web-servers' on TCP port 443.
AnswersC, D

This removes the default allow for SSH, which is necessary to block SSH traffic.

Why this answer

Option C is correct because deleting the default-allow-ssh rule removes the rule that permits SSH from all sources (0.0.0.0/0), which is necessary to block all inbound SSH traffic as required. Option D is correct because creating a firewall rule with priority 1000 that allows ingress on TCP port 80 from instances tagged 'web-servers' explicitly permits HTTP traffic only from the desired source, and since lower priority numbers are evaluated first, this rule will be applied before any higher-numbered (lower priority) default rules.

Exam trap

Google Cloud often tests whether candidates know how to neutralize a pre-populated default rule. You cannot blank its source filter (a rule must carry at least one source range or source tag), so the choices are to delete `default-allow-ssh` or to add an explicit deny rule for TCP/22 at a higher priority (a lower number than 65534); VPC firewall rules do support deny rules, and deleting the default rule is simply the cleaner of the two here. Option B is a trap in the other direction: an allow-all rule at priority 65535 reopens everything the implied deny was blocking.
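The evaluation order behind this question, Q35, Q38 and Q45 (priority order, deny before allow at equal priority, direction, target tags, and the implied rules) as an added example that is not code from the page or from Google. Every rule set, address and tag is constructed; the `default-allow-ssh` rule copies the priority and source of the one in the `default` network.

```python
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    """One VPC firewall rule; fields mirror what gcloud lists, values are constructed."""
    name: str
    direction: str                        # "INGRESS" or "EGRESS"
    action: str                           # "allow" or "deny"
    priority: int                         # 0-65535, lower number is evaluated first
    protocol: str                         # "tcp", "udp", "icmp" or "all"
    ports: frozenset = frozenset()        # empty = all ports
    source_ranges: tuple = ()             # INGRESS only
    source_tags: frozenset = frozenset()
    destination_ranges: tuple = ()        # EGRESS only
    target_tags: frozenset = frozenset()  # empty = rule applies to every instance


def _in_ranges(ip, ranges):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r) for r in ranges)


def evaluate(rules, direction, src_ip, dst_ip, protocol, port,
             instance_tags=frozenset(), peer_tags=frozenset()):
    """Decide one packet for one instance. Lowest priority number first, deny
    before allow at equal priority, first match wins. With no match the implied
    rules apply: deny all ingress, allow all egress."""
    for r in sorted(rules, key=lambda r: (r.priority, r.action != "deny")):
        if r.direction != direction:
            continue   # an EGRESS rule never matches an inbound packet
        if r.target_tags and not (r.target_tags & instance_tags):
            continue   # rule is not applied to this instance at all
        if r.protocol != "all" and r.protocol != protocol:
            continue
        if r.ports and port not in r.ports:
            continue
        if direction == "INGRESS":
            if not (_in_ranges(src_ip, r.source_ranges) or (r.source_tags & peer_tags)):
                continue
        elif r.destination_ranges and not _in_ranges(dst_ip, r.destination_ranges):
            continue
        return r.action, r.name
    return ("deny", "implied-deny-ingress") if direction == "INGRESS" else ("allow", "implied-allow-egress")


BASTION_IP = "198.51.100.10"   # assumed bastion address
WEB_VM = "10.0.1.5"            # assumed internal IP of the protected VM

DEFAULT_ALLOW_SSH = Rule("default-allow-ssh", "INGRESS", "allow", 65534, "tcp",
                         frozenset({22}), ("0.0.0.0/0",))
ALLOW_SSH_BASTION = Rule("allow-ssh-from-bastion", "INGRESS", "allow", 1000, "tcp",
                         frozenset({22}), (BASTION_IP + "/32",))


def ssh_decision(src_ip, rules):
    """Q35 / Q50: who can open TCP/22 to the VM under a given rule set."""
    return evaluate(rules, "INGRESS", src_ip, WEB_VM, "tcp", 22)


def http_direction_check():
    """Q38: the same allow rule created as EGRESS and as INGRESS."""
    bad = Rule("allow-http-corp", "EGRESS", "allow", 1000, "tcp", frozenset({80}),
               destination_ranges=("203.0.113.0/24",))
    good = Rule("allow-http-corp", "INGRESS", "allow", 1000, "tcp", frozenset({80}),
                ("203.0.113.0/24",))
    packet = ("INGRESS", "203.0.113.7", WEB_VM, "tcp", 80)
    return evaluate([bad], *packet), evaluate([good], *packet)


def tag_check():
    """Q45: rule targets tag 'app'; the destination VM is tagged 'db'."""
    rule = Rule("allow-internal", "INGRESS", "allow", 1000, "all",
                source_ranges=("10.0.0.0/8",), target_tags=frozenset({"app"}))
    packet = ("INGRESS", "10.0.2.9", WEB_VM, "tcp", 5432)
    return (evaluate([rule], *packet, instance_tags=frozenset({"db"})),
            evaluate([rule], *packet, instance_tags=frozenset({"app"})))


if __name__ == "__main__":
    print(ssh_decision("203.0.113.5", [ALLOW_SSH_BASTION]))                       # implied deny
    print(ssh_decision("203.0.113.5", [ALLOW_SSH_BASTION, DEFAULT_ALLOW_SSH]))    # default rule lets it in
    print(http_direction_check())
    print(tag_check())
```

The third print is the whole point of Q50: with `default-allow-ssh` still present, the bastion-only allow rule changes nothing for internet sources, because the default rule at 65534 is reached before the implied deny at 65535.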

51
MCQmedium

An organization uses Shared VPC to centrally manage network resources. They want to allow a service project to use its own firewall rules for certain instances. How should they configure the firewall rules?

A.Firewall rules can only be created in the host project
B.Create firewall rules in the service project with target tags
C.Create firewall rules in the host project with target tags for service project instances
D.Use hierarchical firewall policies
AnswerA

In Shared VPC, the host project owns the VPC network and all firewall rules must be defined there.

Why this answer

In Shared VPC the host project owns the network, and VPC firewall rules are properties of that network, so they are created in the host project. A service project cannot hold rules for the shared network; if a service project team needs to manage its own rules, grant its admins the Compute Security Admin role on the host project rather than moving the rules. Option D is a complement, not a substitute: hierarchical firewall policies attach to folders or the organization and set baselines, and the host project's rules still sit beneath them.

52
Multi-Selectmedium

A company is designing a network architecture for a multi-region application. They want to minimize latency and maximize availability. Which two features should they consider? (Choose two.)

Select 2 answers
A.Cloud NAT
B.Cloud CDN
C.Cloud Interconnect
D.Global Cloud Load Balancer
E.VPC Network Peering
AnswersB, D

Caches content at edge locations for faster delivery.

Why this answer

Cloud CDN (Option B) caches content at Google's globally distributed edge points of presence (PoPs), reducing latency by serving users from the nearest cache instead of the origin. The Global Cloud Load Balancer (Option D) provides a single anycast IP address that routes traffic to the closest healthy backend across multiple regions, maximizing availability through automatic failover and global traffic distribution.

Exam trap

Google Cloud often tests the misconception that Cloud Interconnect or VPC Peering are needed for multi-region performance, when in fact the Global Cloud Load Balancer and Cloud CDN are the correct services for minimizing latency and maximizing availability across regions.

53
MCQmedium

A company has deployed a web application on Compute Engine instances in a managed instance group behind an internal HTTP(S) load balancer. The application needs to be accessible only from the corporate office, which has a static public IP range of 203.0.113.0/24. The load balancer is in us-central1. What is the most secure way to restrict access?

A.Create a VPC firewall rule that allows traffic from 203.0.113.0/24 to the load balancer's forwarding rule IP.
B.Assign a public IP to the internal load balancer and restrict access using Google Cloud Armor.
C.Configure a Cloud VPN tunnel between on-premises and VPC, then create a firewall rule allowing the corporate IP range to the internal load balancer's backend instances.
D.Use Google Cloud Armor with IP allowlisting on the internal load balancer.
AnswerC

This provides secure connectivity and allows fine-grained access control.

Why this answer

Option C is correct because an internal HTTP(S) load balancer has a private IP address that is only reachable from within the same VPC or via Cloud VPN / Cloud Interconnect. To allow access from a corporate office with a static public IP range, you must establish a Cloud VPN tunnel to extend the VPC network to the on-premises network, then create a firewall rule that permits traffic from the corporate IP range to the internal load balancer's backend instances. This ensures traffic traverses an encrypted tunnel and is subject to VPC firewall controls, providing the most secure and architecturally correct solution. One detail to get right in that rule: a proxy-based internal Application Load Balancer terminates client connections in its proxy-only subnet and opens new connections to the backends, so the backend rule must also allow that subnet's range; the corporate range is what arrives over the tunnel and is filtered where the tunnel lands.

Exam trap

Google Cloud often tests the misconception that internal load balancers can be secured with Cloud Armor or that VPC firewall rules can filter traffic based on source public IPs when the destination is a private IP, but in reality, internal load balancers are only reachable from within the VPC or via hybrid connectivity like Cloud VPN.

How to eliminate wrong answers

Option A is wrong because an internal load balancer's forwarding rule IP is a private RFC 1918 address, not a public IP; VPC firewall rules cannot filter traffic destined to a private IP based on source public IPs because the traffic never reaches the load balancer from the internet. Option B is wrong because assigning a public IP to an internal load balancer is not supported; internal load balancers are designed to only have private IPs, and exposing them with a public IP would defeat the purpose of an internal load balancer. Option D is wrong because Google Cloud Armor cannot be directly attached to an internal HTTP(S) load balancer; Cloud Armor is only supported for external HTTP(S) load balancers, not internal ones.

54
MCQeasy

Your organization has a VPC with several subnets and wants to enable Private Google Access for Compute Engine instances in a specific subnet to access Google APIs and services without external IP addresses. What must be configured?

A.Assign external IPs to the instances and create a firewall rule allowing egress to Google APIs.
B.Create a Cloud NAT gateway and enable Private Google Access on the subnet.
C.Enable Private Google Access on the subnet and ensure that instances have a default route (0.0.0.0/0) with next hop to the default internet gateway.
D.Enable Private Google Access on the subnet only.
AnswerC

Private Google Access works with the default route to the internet gateway; no NAT needed.

Why this answer

Option C is correct because Private Google Access requires two components: enabling it on the subnet and having a default route (0.0.0.0/0) pointing to the internet gateway. This route allows instances without external IPs to use the VPC's default internet gateway to reach Google APIs via the 199.36.153.4/30 address range, which is advertised by Google's private IP space. Without the default route, traffic from the subnet cannot reach the internet gateway, even with Private Google Access enabled.

Exam trap

Google Cloud often tests the misconception that Cloud NAT is required for Private Google Access, but the correct configuration relies solely on the default internet gateway and a default route, not NAT.

How to eliminate wrong answers

Option A is wrong because assigning external IPs defeats the purpose of Private Google Access, which is designed for instances without public IPs, and a firewall rule alone does not enable the necessary routing. Option B is wrong because Cloud NAT is used for outbound internet access to non-Google services, not for Private Google Access, which uses the default internet gateway and Google's private IP range. Option D is wrong because enabling Private Google Access on the subnet alone is insufficient; a default route (0.0.0.0/0) with next hop to the default internet gateway is required to direct traffic to Google APIs.

55
Matchingmedium

Match each Google Cloud security tool to its primary purpose.


DDoS protection and WAF

Centralized security and risk management

Intrusion detection for network traffic

Logs of Google staff access to customer data

Data exfiltration prevention via service perimeters

Why these pairings

These are key Google Cloud security tools and their primary functions.

56
MCQeasy

A small company has a single VPC with subnets in us-central1 (10.0.1.0/24) and us-west1 (10.0.2.0/24). They have a Compute Engine VM (web-server) in us-central1 that needs to connect to a Cloud SQL MySQL instance also in us-central1 using its private IP address 10.0.1.3. The Cloud SQL instance is configured with private IP only and is deployed in the same VPC. The web-server can successfully ping the Cloud SQL private IP (10.0.1.3). However, the application on the web-server fails to connect to the MySQL database with an authentication error. There are no custom firewall rules; only the default VPC firewall rules are in place. What is the most likely cause of the connection failure?

A.The default-allow-internal firewall rule does not allow TCP port 3306.
B.The web-server's service account lacks the Cloud SQL Client IAM role.
C.The Cloud SQL instance does not have the public IP address enabled.
D.The Cloud SQL instance is in a different region than the web-server.
AnswerB

This role is necessary to authenticate to Cloud SQL; without it, the application fails with a permission error.

Why this answer

The web-server can ping the Cloud SQL private IP (10.0.1.3), confirming network connectivity at Layer 3. The authentication error indicates the application is reaching the database but being denied access. Cloud SQL uses IAM for authentication when connecting via private IP; the web-server's service account must have the Cloud SQL Client IAM role to authenticate successfully.

Without this role, the connection is rejected even though the network path is open.

Exam trap

Google Cloud often tests the distinction between network connectivity (Layer 3 reachability) and application-layer authentication, leading candidates to incorrectly blame firewall rules or IP configuration when the real issue is missing IAM permissions for Cloud SQL private IP access.

How to eliminate wrong answers

Option A is wrong because the default-allow-internal firewall rule in GCP allows all TCP traffic (including port 3306) between instances in the same VPC, so it does not block MySQL connections. Option C is wrong because the Cloud SQL instance is configured with private IP only, which is sufficient for connectivity; enabling a public IP is not required for private access and would not cause an authentication error. Option D is wrong because both the web-server and the Cloud SQL instance are in us-central1, as stated in the scenario, so region mismatch is not the issue.

57
Multi-Selectmedium

Which TWO of the following are valid Google Cloud firewall rule components? (Choose TWO.)

Select 2 answers
A.Priority
B.Protocol signature
C.Target service accounts
D.Next hop
E.Network tier
AnswersA, C

Priority determines the order in which rules are evaluated.

Why this answer

A is correct because firewall rules in Google Cloud require a priority value (0–65535) to determine evaluation order. Lower numbers are evaluated first, and the first matching rule is applied. This is a mandatory component of every firewall rule.

Exam trap

Google Cloud often tests the distinction between firewall rule components and routing/network tier components, so candidates mistakenly select 'Next hop' or 'Network tier' because they are familiar networking terms, but they are not part of a firewall rule definition.

58
MCQmedium

Your organization uses Shared VPC with a host project and several service projects. You need to ensure that all egress traffic from Compute Engine instances in a service project is routed through a centralized Cloud NAT in the host project. What is the required configuration?

A.Create a firewall rule in the host project that denies all egress traffic except to the Cloud NAT IP
B.Set the instances to use a custom route with next-hop as the Cloud NAT IP address
C.Configure a Cloud NAT on the Cloud Router in the host project for the subnet that is shared with the service project
D.Configure a Cloud NAT in each service project and associate it with the subnet that the instances use
AnswerC

Correct: In Shared VPC, the host project owns the subnets. Cloud NAT on the host project's router for those subnets will handle egress for all instances in those subnets, including those from service projects.

Why this answer

Option C is correct because a Cloud NAT configured on the Cloud Router in the host project for the shared subnet allows all Compute Engine instances in service projects attached to that subnet to use the host project's NAT IP for outbound traffic. This is the only way to centralize egress traffic through the host project's Cloud NAT while respecting Shared VPC architecture, as the NAT is tied to the subnet and Cloud Router in the host project.

Exam trap

Google Cloud often tests the misconception that a Cloud NAT must be configured in the same project as the instances, but in Shared VPC, the NAT is configured in the host project for the shared subnet, and service project instances automatically use it without any additional configuration.

How to eliminate wrong answers

Option A is wrong because firewall rules in the host project cannot selectively deny egress traffic for instances in a service project; firewall rules are applied per VPC network, not per project, and a deny-all-egress rule would block all outbound traffic, including legitimate responses, and does not route traffic through Cloud NAT. Option B is wrong because a custom route with next-hop as the Cloud NAT IP address is invalid; Cloud NAT is not a routable next-hop IP — it is a translation function on the Cloud Router, and instances must use the default route (0.0.0.0/0) to reach the internet via the NAT gateway. Option D is wrong because configuring a Cloud NAT in each service project would create separate NAT gateways, defeating the requirement for centralized egress through the host project's Cloud NAT.

59
MCQeasy

A company wants to protect its HTTP(S) Load Balancer from common web attacks like SQL injection and cross-site scripting. Which Google Cloud service should they use?

A.Identity-Aware Proxy (IAP)
B.Cloud Armor
C.VPC Service Controls
D.Cloud CDN
AnswerB

Cloud Armor offers WAF rules to block common web attacks.

Why this answer

Cloud Armor is the correct service because it provides web application firewall (WAF) capabilities that can inspect HTTP(S) traffic and filter out common web attacks such as SQL injection and cross-site scripting (XSS). It integrates directly with HTTP(S) Load Balancers to enforce security policies at the edge, blocking malicious requests before they reach backend instances.

Exam trap

The trap here is that candidates may confuse Cloud Armor with IAP because both involve security at the load balancer, but IAP handles authentication and authorization, not web application attack filtering.

How to eliminate wrong answers

Option A is wrong because Identity-Aware Proxy (IAP) is used for identity-based access control and authentication, not for inspecting HTTP payloads or blocking web application attacks like SQL injection or XSS. Option C is wrong because VPC Service Controls are designed to prevent data exfiltration by controlling access to Google Cloud APIs and services using perimeters, not for filtering application-layer traffic at the load balancer. Option D is wrong because Cloud CDN is a content delivery network that caches static and dynamic content to improve latency and reduce load, and it does not include a WAF or any capability to inspect or block malicious HTTP requests.

60
Multi-Selecthard

Which THREE of the following are required to enable VPC Flow Logs for a subnet? (Choose THREE.)

Select 3 answers
A.A subnet in the VPC
B.Setting the subnet's flow logs configuration to ON
C.A VPC network
D.A sample rate
E.An aggregation interval
AnswersA, B, C

Flow logs are per-subnet.

Why this answer

A subnet in the VPC is required because VPC Flow Logs capture IP traffic metadata at the subnet level. Without a subnet, there is no network segment to monitor, as flow logs are associated with a specific subnet within a VPC.

Exam trap

Google Cloud often tests the distinction between required components (subnet, VPC, flow logs ON) and optional tuning parameters (sample rate, aggregation interval), leading candidates to mistakenly select the latter as mandatory.

61
MCQmedium

A company uses Cloud Armor to protect an external HTTPS load balancer. They want to block requests from a specific IP address range 198.51.100.0/24, but allow all other traffic. After creating a deny rule with the source IP condition, they notice that requests from that range are still reaching the backend. What is the most likely cause?

A.Another rule with a lower priority number that allows all traffic is overriding the deny rule.
B.The rule action is set to 'allow' instead of 'deny'.
C.Cloud Armor cannot block traffic based on source IP; it only supports geographic and header-based conditions.
D.The rule uses the wrong match syntax, such as 'sourceIpRange' instead of 'inIpRange'.
AnswerA

Rules are evaluated in priority order; the lower number wins. A default allow rule with priority 1000 will take precedence over a deny rule that has a higher priority number (for example, 2000).

Why this answer

In Cloud Armor, rules are evaluated in order of priority, where lower priority numbers indicate higher precedence. If a rule with a lower priority number (e.g., 1000) allows all traffic, it will be evaluated before a deny rule with a higher priority number (e.g., 2000), causing the deny rule to be overridden. This is the most likely reason the specific IP range is still reaching the backend despite the deny rule being created.

Exam trap

Google Cloud often tests the concept that priority numbers in Cloud Armor are evaluated from lowest to highest, and candidates mistakenly think a deny rule with a higher priority number will take precedence over an allow rule with a lower priority number.

How to eliminate wrong answers

Option B is wrong because a rule whose action is set to 'allow' would explicitly permit the traffic rather than block it; the question states that a deny rule was created, so a wrong action would be an obvious misconfiguration, not the subtle cause being asked about. Option C is wrong because Cloud Armor fully supports source IP-based blocking using conditions such as 'inIpRange' or source IP ranges in security policies, not only geographic or header-based conditions. Option D is wrong because Cloud Armor uses the 'sourceIpRange' syntax correctly for IP-based conditions; 'inIpRange' is not a valid match syntax in Cloud Armor rules, so it would cause a syntax error rather than silently allowing traffic.

62
MCQmedium

Your company is deploying a web application on Google Kubernetes Engine (GKE) with an Internal Load Balancer (ILB) as the ingress. The application must only be accessible from within the same VPC and from an on-premises network connected via Cloud VPN. The on-premises network uses IP range 10.0.0.0/8. You have already created the ILB with a backend service. What is the most secure way to restrict access to the ILB?

A.Configure a VPC firewall rule to deny all ingress traffic to the ILB's forwarding rule IP address, and then create a higher-priority allow rule for the VPC and on-premises ranges
B.Configure the backend service's firewall rules to only allow traffic from the ILB's health check ranges and from the VPC and on-premises source ranges
C.Use GKE Network Policy to restrict ingress traffic to the application pods from the VPC and on-premises ranges
D.Use Cloud Armor to create a security policy that allows traffic only from the VPC and on-premises ranges, and attach it to the ILB
AnswerB

Correct: Firewall rules on the backend instances allow traffic from the ILB's health check probes and from permitted source ranges, ensuring only desired traffic reaches the application.

Why this answer

Option B is correct because the most secure way to restrict access to an Internal Load Balancer (ILB) is to apply firewall rules directly on the backend service (the instance group or NEG). This ensures that only traffic from the ILB's health check probe ranges (130.211.0.0/22 and 35.191.0.0/16 for GKE) and the allowed source ranges (VPC and on-premises) can reach the backend instances. This approach prevents any traffic from reaching the backend except through the ILB, which is the intended secure design for an internal-only application.

Exam trap

Google Cloud often tests the misconception that VPC firewall rules can be applied to a load balancer's forwarding rule IP address, but in reality, firewall rules only apply to VM instances or GKE nodes, not to forwarding rules or load balancer IPs.

How to eliminate wrong answers

Option A is wrong because VPC firewall rules cannot be applied to the ILB's forwarding rule IP address; forwarding rules are not network interfaces and are not subject to VPC firewall rules. Option C is wrong because GKE Network Policy operates at the pod level and cannot restrict traffic to the ILB itself; it only controls traffic between pods, not traffic arriving via the ILB. Option D is wrong because Cloud Armor security policies cannot be attached to an Internal Load Balancer; Cloud Armor only supports external load balancers (HTTP(S), SSL Proxy, TCP Proxy) and not ILBs.

63
MCQmedium

A company is using Cloud NAT to allow instances in a private subnet to access the internet. They notice that some instances are unable to reach external services. The NAT gateway is configured with a single IP address. Which action would most likely resolve the issue?

A.Change the NAT type to static
B.Change the VPC firewall rules to allow egress from the NAT IP
C.Increase the number of NAT IPs
D.Enable TCP established connections only
AnswerC

More NAT IPs increase available ports, reducing the chance of port exhaustion.

Why this answer

The issue is that a single NAT IP address can run out of available ports (each TCP/UDP session consumes a unique source port), causing new connections to fail. Increasing the number of NAT IPs expands the port pool, allowing more concurrent outbound connections. This directly addresses the port exhaustion problem without changing firewall rules or NAT type.

Exam trap

Google Cloud often tests the misconception that firewall rules or NAT type changes fix connectivity issues, when the real problem is port exhaustion from a single NAT IP under heavy connection load.

How to eliminate wrong answers

Option A is wrong because Cloud NAT does not have a 'static' type; a NAT gateway is either public (using ephemeral or static IPs) or private, and changing the type does not resolve port exhaustion. Option B is wrong because VPC firewall rules control traffic based on source/destination IPs and ports; egress rules must allow traffic from the instances' private IPs (the NAT IP is only the translated source address seen by the internet), and in this scenario the problem is port capacity, not firewall blocking. Option D is wrong because 'TCP established connections only' is a firewall rule concept (connection tracking) and does not apply to NAT gateway configuration; Cloud NAT handles all protocols and has no setting to limit traffic to established connections.

64
MCQhard

You are designing a multi-tier application with a frontend and backend. The frontend instances are in subnet A (10.0.1.0/24), and the backend instances are in subnet B (10.0.2.0/24). Both subnets are in the same VPC. You want to allow the frontend to communicate with the backend on TCP port 8080, but the backend must not be able to initiate connections to the frontend. Additionally, the backend must be able to send patches to the internet. Which set of firewall rules should you implement?

A.Ingress rule on frontend: allow tcp:8080 from backend's service account; Egress rule on backend: allow all to internet
B.Ingress rule on backend: allow tcp:8080 from subnet A; Egress rule on backend: allow all to internet
C.Ingress rule on frontend: allow tcp:8080 from subnet B; Egress rule on backend: allow all to internet
D.Ingress rule on backend: allow tcp:8080 from subnet A; Egress rule on frontend: deny all to internet
AnswerB

Correct: Ingress on backend allows frontend-initiated traffic only. Egress on backend allows backend to reach internet for patches. No rule allows backend to initiate to frontend.

Why this answer

Option B is correct because the frontend in subnet A initiates connections to the backend on TCP port 8080, so an ingress rule on the backend allowing traffic from subnet A permits this. An egress rule on the backend allowing all traffic to the internet enables patch downloads. This setup prevents the backend from initiating connections to the frontend, as no egress rule on the backend targets the frontend, and no ingress rule on the frontend allows unsolicited traffic from the backend.

Exam trap

Google Cloud often tests the distinction between ingress and egress rules and the direction of traffic flow; the trap here is that candidates mistakenly place the ingress rule on the frontend (thinking it needs to 'receive' the connection) instead of on the backend, which actually receives the connection from the frontend.

How to eliminate wrong answers

Option A is wrong because it places the ingress rule on the frontend, which would allow the backend to initiate connections to the frontend, violating the requirement that the backend must not initiate connections to the frontend; also, service accounts are not typically used in VPC firewall rules for subnet-level traffic. Option C is wrong because it places the ingress rule on the frontend allowing traffic from subnet B, which would permit the backend to initiate connections to the frontend, again violating the requirement. Option D is wrong because it denies all egress traffic from the frontend, which would block the frontend from sending requests to the backend (since egress is denied), and the backend still needs an egress rule to reach the internet for patches, which is missing.

65
MCQhard

A company has a hybrid cloud setup with a Cloud VPN tunnel to an on-premises network. They want to ensure that traffic from on-premises to a specific VPC subnet is routed through a specific next hop appliance for inspection. How can they achieve this?

A.Use Policy-based routing
B.Create a route with a next hop to the appliance's internal IP and a high priority
C.Create a route with a next hop of the internal load balancer
D.Create a static route with a next hop of the VPN gateway
AnswerB

This directs traffic to the appliance for inspection before it reaches the destination subnet.

Why this answer

Option B is correct because creating a static route with a next hop set to the appliance's internal IP and a high priority ensures that traffic from on-premises to the specific VPC subnet is forwarded to the inspection appliance before reaching its destination. In a hybrid cloud setup with Cloud VPN, the VPN gateway is the default next hop for on-premises traffic, but a higher-priority route overrides this, directing traffic to the appliance for security inspection. This leverages route priority (lower numerical value = higher priority) to enforce traffic steering without modifying the VPN tunnel itself.

Exam trap

Google Cloud often tests the misconception that policy-based routing (PBR) is the only way to steer traffic to a specific next hop, but in cloud VPC environments, static routes with priority are the correct and supported method, and PBR is not available as a VPC route option.

How to eliminate wrong answers

Option A is wrong because policy-based routing (PBR) is typically used for source/destination-based traffic steering at the router level, but in a cloud VPC environment like Google Cloud or AWS, PBR is not natively supported for VPC routes; instead, static routes with priorities are the standard mechanism. Option C is wrong because an internal load balancer distributes traffic across multiple instances and does not act as a transparent next hop for inspection; using it would bypass the intended single appliance and could cause asymmetric routing or inspection failure. Option D is wrong because creating a static route with a next hop of the VPN gateway would simply send traffic back through the VPN tunnel, defeating the purpose of routing it through the inspection appliance; the VPN gateway is the default path for on-premises traffic, not a way to insert an inspection hop.

66
MCQhard

Your organization has a hybrid network with an on-premises data center connected to Google Cloud via a Dedicated Interconnect. The on-premises network uses RFC 1918 addresses (10.0.0.0/8) and Google Cloud VPC has a subnet in 10.1.0.0/16. You've configured a Cloud Router with BGP to exchange routes. Recently, you set up a new VPC with a subnet in 10.2.0.0/16 and peered it with the first VPC using VPC Network Peering. You notice that on-premises traffic destined to 10.2.0.0/16 is being dropped. You verify that the firewall rules allow the traffic and that BGP routes for 10.2.0.0/16 are not advertised on-premises. What should you do to enable connectivity from on-premises to the new VPC?

A.Set up a Cloud VPN tunnel between the new VPC and on-premises.
B.Configure the Cloud Router to advertise the 10.2.0.0/16 range via custom route advertisement.
C.Add a firewall rule in the new VPC allowing all traffic from 10.0.0.0/8.
D.Create a Shared VPC and attach the new VPC as a service project.
AnswerB

Custom route advertisements on Cloud Router propagate the peering range to on-premises.

Why this answer

Option B is correct because the Cloud Router uses BGP to advertise routes to the on-premises network via the Dedicated Interconnect. By default, only VPC subnet routes are advertised; custom route advertisements must be explicitly configured to propagate the peered VPC's subnet (10.2.0.0/16) to on-premises. This ensures the on-premises routers learn the route and can forward traffic to the new VPC.

Exam trap

The trap here is that candidates assume VPC Network Peering automatically shares routes with on-premises networks via Interconnect, but in reality, peered VPC routes are not propagated to on-premises unless explicitly advertised through Cloud Router custom route advertisements.

How to eliminate wrong answers

Option A is wrong because a Cloud VPN tunnel is unnecessary when a Dedicated Interconnect already exists; the issue is route advertisement, not connectivity method. Option C is wrong because firewall rules are not the problem (they already allow traffic); the root cause is missing route propagation, not a missing allow rule. Option D is wrong because Shared VPC is used for centralized administration of multiple projects, not for enabling route exchange between a peered VPC and an on-premises network via Interconnect.

67
MCQmedium

A company runs a GKE cluster with multiple node pools, including one pool of confidential VMs. The security team wants to ensure that only traffic from the internal VPC (10.0.0.0/8) can reach the nodes' metadata server. Which configuration should be applied?

A.Configure Private Google Access on the subnets.
B.Create a firewall rule that allows outbound traffic from nodes to 169.254.169.254 only from the internal VPC range, and deny all other outbound to that IP.
C.Enable IAP TCP forwarding on the cluster.
D.Apply a VPC Service Controls perimeter to the GKE cluster.
AnswerB

The metadata server IP is 169.254.169.254; firewall rules can restrict outbound access to this IP.

Why this answer

The metadata server for GKE nodes is accessible at the link-local IP 169.254.169.254. To restrict access to this server to traffic originating only from the internal VPC range (10.0.0.0/8), you must create a firewall rule that allows outbound traffic from the nodes to 169.254.169.254 only from that range, and then deny all other outbound traffic to that IP. This ensures that only workloads within the internal VPC can query instance metadata, preventing external or unauthorized pods from accessing sensitive metadata.

Exam trap

Google Cloud often tests the misconception that Private Google Access or VPC Service Controls can restrict metadata server access, but the metadata server is a link-local service that must be controlled via egress firewall rules targeting the specific IP 169.254.169.254.

How to eliminate wrong answers

Option A is wrong because Private Google Access enables on-premises or VM instances without external IPs to reach Google APIs and services, but it does not restrict access to the metadata server (169.254.169.254), which is a link-local address and not subject to Private Google Access. Option C is wrong because IAP TCP forwarding allows authorized users to establish TCP connections to VM instances without public IPs, but it does not control traffic to the metadata server from within the VPC. Option D is wrong because VPC Service Controls perimeters restrict data exfiltration from Google Cloud services like BigQuery or Cloud Storage, but they do not apply to the instance metadata server, which is a link-local service outside the VPC perimeter.

68
MCQhard

You are designing network security for a multi-region GKE cluster with Pods that need to communicate across regions over a private network. The cluster uses VPC-native mode. Which Google Cloud networking feature should you use to ensure low-latency and secure inter-region Pod-to-Pod communication without traversing the public internet?

A.Cloud VPN with dynamic routing
B.Private Service Connect
C.VPC Flow Logs
D.Cloud Interconnect
AnswerD

Provides dedicated, low-latency, private connectivity between VPC networks across regions.

Why this answer

Cloud Interconnect provides a dedicated, high-bandwidth, low-latency connection between your on-premises network and Google Cloud, or between Google Cloud regions, bypassing the public internet. For multi-region GKE clusters using VPC-native mode, Cloud Interconnect enables secure, private inter-region Pod-to-Pod communication by routing traffic through Google's internal backbone, ensuring minimal latency and no exposure to the public internet.

Exam trap

Google Cloud often tests the misconception that Cloud VPN is sufficient for inter-region communication, but the key differentiator here is the requirement for 'low-latency' and 'private network' without traversing the public internet, which only Cloud Interconnect (or Direct Peering) can guarantee.

How to eliminate wrong answers

Option A is wrong because Cloud VPN with dynamic routing encrypts traffic over the public internet, which introduces latency and is not designed for low-latency inter-region Pod-to-Pod communication within the same Google Cloud environment. Option B is wrong because Private Service Connect is used to privately access managed services (e.g., Google APIs or third-party services) from a VPC, not for inter-region Pod-to-Pod communication within GKE clusters. Option C is wrong because VPC Flow Logs is a logging feature that captures network flow metadata for monitoring and troubleshooting, not a connectivity solution for routing traffic between regions.

69
MCQhard

A company has a Shared VPC environment with multiple service projects. The security team wants to ensure that all Compute Engine VMs in service projects are only accessible via IAP TCP forwarding for SSH management, and direct external access is completely blocked. They have already applied an organization policy constraint that denies the attachment of external IP addresses to new VMs. However, there are several existing VMs that still have public IP addresses assigned. The team wants to remove the public IPs from these existing VMs without causing downtime for any ongoing SSH sessions or disrupting the applications running on them, but they must ensure the VMs can still reach the internet if needed (for example, to download updates). What should the team do?

A.Delete each VM and recreate it without a public IP address.
B.First, deploy a Cloud NAT gateway for the VPC and subnet, then remove the public IP from each VM; the VMs will use Cloud NAT for outbound internet access.
C.Detach the public IP from each VM in the console, and then create a new private IP for the VM.
D.For each VM, use the gcloud command to delete the public IP and assign a new private IP from the same subnet.
AnswerB

Cloud NAT provides outbound internet for internal-only VMs and is set up without touching the VMs; once it covers their region and subnet, the public IPs can be removed from the running instances.

Why this answer

Option B is correct because Cloud NAT gives VMs that have only internal IP addresses a path to the internet for outbound connections (for example, package updates) without exposing them to inbound traffic. Cloud NAT is a regional resource attached to a Cloud Router, so a gateway is needed in every region that hosts the affected VMs, and it must cover the subnets those VMs use (for Shared VPC, the router and gateway are created in the host project). Once the gateway exists, the external IP is removed from each running VM by deleting its access config (gcloud compute instances delete-access-config); the VM keeps running on its internal IP and the applications are not restarted. SSH sessions established through IAP TCP forwarding connect to the internal IP and are unaffected; only sessions opened directly to the external IP would drop, and those are exactly the connections the security team wants to eliminate. This ordering blocks direct external access while preserving outbound connectivity and avoiding downtime.

Exam trap

Google Cloud often tests the misconception behind options C and D: removing the public IP and then "assigning a new private IP" misunderstands the model, because every VM already has an internal IP, and removing the external address does not give it an outbound path. Without Cloud NAT (or another egress gateway, such as a NAT instance on a custom route) a VM with only an internal IP cannot reach the internet, so the NAT gateway must exist before the external addresses are removed.

How to eliminate wrong answers

Option A is wrong because deleting and recreating VMs would cause downtime for applications and terminate any ongoing SSH sessions, which violates the no-downtime requirement. Option C is wrong because simply detaching the public IP in the console without first setting up Cloud NAT would leave the VM without any outbound internet access, breaking the requirement that VMs can still reach the internet for updates. Option D is wrong because using gcloud to delete the public IP and assign a new private IP does not provide outbound internet access; the VM would lose connectivity to the internet unless Cloud NAT or another outbound mechanism is configured first.
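As an added example (not from the page, and not Google's tooling), the ordering the answer depends on can be encoded in a small planner: it takes a constructed VM inventory and the NAT gateways that already exist, creates a Cloud Router and NAT gateway only for regions that lack coverage, and only then emits the command that strips each external address. The project, VM, subnet and gateway names are hypothetical; nothing is executed, the function just returns the gcloud command lines so they can be reviewed before running them in the host project.

```python
# Added example (not from the page or Google): plan the move from external IPs
# to Cloud NAT for a constructed inventory. Emits gcloud commands in the order
# the answer requires (NAT gateway first, then strip addresses) and refuses to
# strip a VM whose region/subnet has no NAT coverage. Nothing is executed here.
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Vm:
    name: str
    zone: str
    network: str
    subnet: str
    external_ip: Optional[str]                # None = already internal-only
    access_config_name: str = "External NAT"  # take the real name from
                                              # `gcloud compute instances describe`


@dataclass(frozen=True)
class NatGateway:
    name: str
    router: str
    region: str
    network: str
    subnets: Tuple[str, ...] = ()   # empty = created with --nat-all-subnet-ip-ranges


def region_of(zone: str) -> str:
    """us-central1-a -> us-central1 (Cloud NAT is regional)."""
    return zone.rsplit("-", 1)[0]


def nat_covers(nats: Sequence[NatGateway], vm: Vm) -> bool:
    return any(
        n.region == region_of(vm.zone) and n.network == vm.network
        and (not n.subnets or vm.subnet in n.subnets)
        for n in nats
    )


def plan_external_ip_removal(vms: Sequence[Vm], existing_nats: Sequence[NatGateway],
                             project: str, create_missing_nat: bool = True
                             ) -> Tuple[List[str], List[str]]:
    """Return (ordered gcloud commands, names of VMs left untouched)."""
    nats = list(existing_nats)
    commands: List[str] = []
    skipped: List[str] = []
    # Step 1: NAT first, one router + gateway per uncovered (network, region).
    if create_missing_nat:
        for vm in vms:
            if vm.external_ip is None or nat_covers(nats, vm):
                continue
            region = region_of(vm.zone)
            router, gateway = f"nat-router-{region}", f"nat-{region}"
            commands.append(
                f"gcloud compute routers create {router} --project={project} "
                f"--network={vm.network} --region={region}")
            commands.append(
                f"gcloud compute routers nats create {gateway} --project={project} "
                f"--router={router} --region={region} --nat-all-subnet-ip-ranges "
                f"--auto-allocate-nat-external-ips --enable-logging")
            nats.append(NatGateway(gateway, router, region, vm.network))
    # Step 2: only now strip addresses; this runs against a live VM, no stop/start.
    for vm in vms:
        if vm.external_ip is None:
            continue
        if not nat_covers(nats, vm):
            skipped.append(vm.name)   # would lose all outbound access: refuse
            continue
        commands.append(
            f"gcloud compute instances delete-access-config {vm.name} "
            f"--project={project} --zone={vm.zone} "
            f"--access-config-name='{vm.access_config_name}'")
    return commands, skipped


# Constructed inventory: europe-west1 already has a NAT gateway, us-central1 does not.
VMS = [
    Vm("web-1", "us-central1-a", "shared-vpc", "svc-a-subnet", "203.0.113.10"),
    Vm("web-2", "us-central1-b", "shared-vpc", "svc-a-subnet", None),
    Vm("api-1", "europe-west1-b", "shared-vpc", "svc-b-subnet", "203.0.113.20",
       access_config_name="external-nat"),
]
EXISTING_NATS = [NatGateway("nat-europe-west1", "nat-router-europe-west1",
                            "europe-west1", "shared-vpc")]

if __name__ == "__main__":
    cmds, left = plan_external_ip_removal(VMS, EXISTING_NATS, "host-project")
    print("\n".join(cmds))
    print("skipped:", left)
```

The access config name matters in practice: instances created through the console usually carry "External NAT", while gcloud's own default is "external-nat", so read it from the instance before deleting. Running the planner with create_missing_nat=False gives the conservative variant that strips only VMs already behind a gateway and reports the rest.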

70
MCQmedium

A user is unable to SSH into an instance that has the tag 'ssh-access' and an internal IP 10.0.0.2. The user's IP is 198.51.100.1. What is the most likely reason?

A.The instance is not using the correct service account
B.The instance does not have an external IP
C.The user's IP is not in the allowed source range
D.The firewall rule is disabled
AnswerC

The rule's sourceRanges includes only 203.0.113.0/24, which does not contain the user's IP.

Why this answer

The firewall rule referenced by the question allows SSH (TCP 22) to instances tagged 'ssh-access' only from the source range 203.0.113.0/24. Firewall rules are matched against the source IP as Google Cloud sees it, and 198.51.100.1 is outside 203.0.113.0/24, so no allow rule matches and the implied deny-ingress rule (priority 65535) drops the connection. The target tag and the internal IP in the question are distractors: they determine which instances the rule applies to, not which sources may connect.

71
MCQmedium

You are designing a network for a multi-tier application. The web tier must be accessible from the internet, while the application tier should only be accessible from the web tier. The database tier should only be accessible from the application tier. All tiers are in the same VPC. Which combination of firewall rules meets these requirements?

A.Create an ingress rule allowing traffic from the web tier subnet to the application tier subnet, and an ingress rule allowing traffic from the application tier subnet to database tier subnet.
B.Assign each tier a unique service account and create ingress rules allowing traffic from the appropriate service accounts.
C.Create an ingress rule allowing traffic from 0.0.0.0/0 to instances with tag 'web', an ingress rule allowing traffic from instances with tag 'web' to instances with tag 'app', and an ingress rule allowing traffic from instances with tag 'app' to instances with tag 'db'.
D.Create a single ingress rule that allows all traffic within the VPC network and a separate rule to allow internet traffic to web tier.
AnswerC

Tags provide simple group-based access control.

Why this answer

Option C is correct because it uses network tags to enforce least-privilege segmentation: the web tier is exposed to the internet (0.0.0.0/0), the app tier only accepts traffic whose source is a web-tagged instance, and the database tier only accepts traffic from app-tagged instances. Source tags match only traffic originating from instances in the same VPC, so nothing outside the network can reach the app or db tiers. This meets the multi-tier requirements without exposing internal tiers to the internet or to each other. One caveat for real deployments: tags are a weaker control than service accounts, because any principal with compute.instances.setTags on a VM can attach the 'app' or 'db' tag and inherit its access.

Exam trap

Google Cloud often tests whether candidates can express tier-to-tier segmentation with firewall rules, and the trap here is option B: service accounts are a valid source and target for VPC firewall rules (Google in fact recommends them over tags because they are harder to change), so B looks attractive, but as written it never opens the web tier to the internet and therefore fails the first requirement.

How to eliminate wrong answers

Option A is wrong because its subnet-to-subnet ingress rules would let any instance in the web subnet reach any instance in the app subnet, and any instance in the app subnet reach any instance in the db subnet, and it includes no rule admitting internet traffic (0.0.0.0/0) to the web tier, leaving the web tier unreachable. Option B is wrong, but not because service accounts cannot be used in firewall rules: VPC firewall rules do accept service accounts as sources and targets (--source-service-accounts and --target-service-accounts), and one service account per tier is a sound way to segment tiers. It fails this question because it only creates the inter-tier rules and omits any rule allowing internet traffic to the web tier. Note also that a single rule cannot mix service accounts and network tags in its source or target. Option D is wrong because a single ingress rule allowing all traffic within the VPC would make the database tier reachable from the web tier and from every other instance in the VPC, violating the requirement that the database tier be accessible only from the application tier.

72
Multi-Selecthard

A company uses Shared VPC with a host project and multiple service projects. The security team wants to enforce that only specific VMs in service project A (using IP range 10.0.1.0/24) can communicate with specific VMs in service project B (tagged as 'app-b') on TCP port 443, and all other inter-service-project traffic should be blocked. Additionally, VMs should still be accessible via IAP TCP forwarding (SSH) on TCP port 22. Which three firewall rules should be created in the host project? (Choose three.)

Select 3 answers
A.Priority 1000: Allow ingress from 10.0.1.0/24 to VMs with tag 'app-b' on TCP 443.
B.Priority 2000: Deny ingress from 0.0.0.0/0 to all VMs on all protocols.
C.Priority 1000: Allow ingress from IAP forwarding ranges to all VMs on all protocols.
D.Priority 1000: Allow egress from VMs in service project A to service project B's VMs on TCP 443.
E.Priority 900: Allow ingress from IAP forwarding ranges (35.235.240.0/20) to all VMs on TCP 22.
AnswersA, B, E

Option A allows the required TCP 443 flow, option E keeps IAP SSH working at a higher priority, and option B denies everything else.

Why this answer

Option A is correct because it is an ingress rule, created in the host project, that admits traffic from 10.0.1.0/24 (the VMs in service project A) to instances tagged 'app-b' in service project B on TCP 443; in Shared VPC every firewall rule lives in the host project and applies to instances in all service projects that use the shared network. Option B is the catch-all: at priority 2000 it is evaluated after the allow rules (a lower number is evaluated first) and denies every ingress flow that nothing above it allowed, which also overrides any broad pre-existing allows such as the default network's allow-internal rule at priority 65534. Option E is the IAP rule, at priority 900 so it is evaluated before the deny; it admits only the IAP TCP forwarding range 35.235.240.0/20 on TCP 22, which is all IAP needs for SSH. Be aware that the blanket deny also blocks anything else not explicitly allowed at a lower number, such as Google's health-check ranges (35.191.0.0/16 and 130.211.0.0/22) for load-balanced backends, so in practice those allows would be added alongside.

Exam trap

Two traps. Option D is an egress rule, which is unnecessary: the implied allow-egress rule already lets the VMs in project A send traffic, and the restriction is enforced by ingress rules on the destination VMs. Option C admits the IAP range on all protocols, which is broader than the stated requirement (SSH on TCP 22) and would let anyone with IAP permissions forward to any port on any VM; scope IAP rules to the ports that are actually tunnelled. Also remember the priority direction: a lower number is evaluated first, so the deny at 2000 only catches what the rules at 900 and 1000 did not already allow.
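The three firewall questions above (70, 71 and 72) all come down to the same evaluation order: lower priority number first, first match wins, deny beats allow at equal priority, and an unmatched ingress packet hits the implied deny. The following added example (not from the page, and not Google's implementation) is a small model of that evaluation, with the three rule sets replayed against constructed packets. The ports for the three-tier design in question 71 (443, 8080, 5432) and all IP addresses are assumptions, since the questions do not state them.

```python
# Added example (not from the page or Google): a toy model of how VPC firewall
# ingress rules are evaluated, used to replay questions 70, 71 and 72.
# Modelled semantics: lower priority number is evaluated first; the first
# matching rule decides; at equal priority deny beats allow; unmatched ingress
# hits the implied deny. Source tags only match traffic from instances in the
# same VPC, so a packet carries src_tags only when it originates inside the VPC.
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int                         # 0..65535, lower wins
    action: str                           # "allow" | "deny"
    protocol: str                         # "tcp" | "udp" | "icmp" | "all"
    ports: FrozenSet[int] = frozenset()   # empty = every port of that protocol
    source_ranges: Tuple[str, ...] = ()   # CIDRs; union with source_tags
    source_tags: Tuple[str, ...] = ()
    target_tags: Tuple[str, ...] = ()     # empty = all instances in the network


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_tags: FrozenSet[str]
    protocol: str
    port: Optional[int] = None
    src_tags: FrozenSet[str] = frozenset()  # only set for in-VPC sources


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.target_tags and not set(rule.target_tags) & pkt.dst_tags:
        return False
    if rule.protocol != "all" and rule.protocol != pkt.protocol:
        return False
    if rule.ports and pkt.port not in rule.ports:
        return False
    src = ipaddress.ip_address(pkt.src_ip)
    in_range = any(src in ipaddress.ip_network(c) for c in rule.source_ranges)
    has_tag = bool(set(rule.source_tags) & pkt.src_tags)
    return in_range or has_tag


def evaluate_ingress(rules: Sequence[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, rule_name) for an ingress packet."""
    ordered = sorted(rules, key=lambda r: (r.priority, r.action != "deny"))
    for rule in ordered:
        if rule_matches(rule, pkt):
            return rule.action, rule.name
    return "deny", "implied-deny-ingress"


# Question 70: SSH allowed only from 203.0.113.0/24 to 'ssh-access' instances.
Q70_RULES = [Rule("allow-ssh-office", 1000, "allow", "tcp", frozenset({22}),
                  source_ranges=("203.0.113.0/24",), target_tags=("ssh-access",))]

# Question 71: three-tier design with network tags (ports are assumptions).
Q71_RULES = [
    Rule("web-from-internet", 1000, "allow", "tcp", frozenset({443}),
         source_ranges=("0.0.0.0/0",), target_tags=("web",)),
    Rule("app-from-web", 1000, "allow", "tcp", frozenset({8080}),
         source_tags=("web",), target_tags=("app",)),
    Rule("db-from-app", 1000, "allow", "tcp", frozenset({5432}),
         source_tags=("app",), target_tags=("db",)),
]

# Question 72: options A, B and E as the host-project rule set.
IAP_RANGE = "35.235.240.0/20"
Q72_RULES = [
    Rule("iap-ssh", 900, "allow", "tcp", frozenset({22}), source_ranges=(IAP_RANGE,)),
    Rule("a-to-app-b-https", 1000, "allow", "tcp", frozenset({443}),
         source_ranges=("10.0.1.0/24",), target_tags=("app-b",)),
    Rule("deny-everything-else", 2000, "deny", "all", source_ranges=("0.0.0.0/0",)),
]


def check(rules, src_ip, dst_tags, protocol, port=None, src_tags=()):
    pkt = Packet(src_ip, frozenset(dst_tags), protocol, port, frozenset(src_tags))
    return evaluate_ingress(rules, pkt)


if __name__ == "__main__":
    print(check(Q70_RULES, "198.51.100.1", {"ssh-access"}, "tcp", 22))  # implied deny
    print(check(Q70_RULES, "203.0.113.7", {"ssh-access"}, "tcp", 22))   # allow
    print(check(Q71_RULES, "10.0.0.10", {"db"}, "tcp", 5432, src_tags={"web"}))  # web->db denied
    print(check(Q72_RULES, "10.0.2.5", {"app-b"}, "tcp", 443))          # other range: deny at 2000
    print(check(Q72_RULES, "35.235.240.9", {"app-b"}, "tcp", 22))       # IAP wins at 900
```

The last question-72 case is the one to compare with option C: with the IAP rule scoped to TCP 22, an IAP-sourced connection to port 80 falls through to the deny at 2000, whereas an all-protocols IAP rule would admit it.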

73
Drag & Dropmedium

Drag and drop the steps to respond to a data breach involving a Cloud Storage bucket in the correct order.


Why this order

Incident response steps are: contain, investigate, notify, remediate, and review.

74
MCQmedium

An organization uses Shared VPC with a host project and several service projects. A network administrator in a service project wants to create a firewall rule that allows traffic from a specific source CIDR to a Compute Engine instance in the service project. What is the correct way to achieve this?

A.Create the firewall rule in the service project targeting the instance's tags.
B.Create a firewall rule in the service project using the instance's service account.
C.Use VPC Flow Logs to generate a recommendation and apply it in the service project.
D.Request the host project administrator to create the firewall rule in the host project.
AnswerD

In Shared VPC, the host project owns the firewall rules for the shared VPC network.

Why this answer

In a Shared VPC, the VPC network and its firewall rules live in the host project. A service project administrator can create instances that use the shared subnets, but cannot create or modify firewall rules on the shared network; that requires a role such as Compute Security Admin (roles/compute.securityAdmin) on the host project. To allow traffic from a specific source CIDR to an instance in a service project, the rule is created in the host project and scoped to the instance with a target tag or a target service account; because the instance is attached to the shared network, the host-project rule applies to it.

Exam trap

Google Cloud often tests the misconception that service project administrators have full control over networking resources in a Shared VPC, when in fact firewall rules and other network-level configurations are exclusively managed in the host project.

How to eliminate wrong answers

Option A is wrong because firewall rules for a Shared VPC network must be created in the host project, not the service project; the service project has no authority over rules on the shared network, regardless of how the rule is targeted. Option B is wrong for the same reason: service accounts are a valid firewall target, but the rule itself must still be created in the host project. Option C is wrong because VPC Flow Logs only record flow metadata for monitoring and troubleshooting; they do not create firewall rules. Firewall Insights in Network Intelligence Center can derive recommendations from that data, but any rule it suggests still has to be created in the host project.

75
Drag & Dropmedium

Drag and drop the steps to configure a VPC Service Controls perimeter in the correct order.


Why this order

VPC Service Controls perimeters are configured by first creating an access policy for the organization, then defining access levels (the conditions, such as source IP ranges or device state, that requests must meet), then creating the perimeter with its projects and restricted services, then adding ingress and egress rules for the cross-perimeter flows that must keep working, and finally enforcing and testing. In practice the perimeter is created in dry-run mode first, which logs would-be violations without blocking them, so the ingress and egress rules can be tuned before enforcement.
