CCNA Pcse Network Security Questions

75 of 110 questions · Page 1/2 · Pcse Network Security topic · Answers revealed

1
MCQ · easy

An organization wants to restrict access to a Cloud Storage bucket so that only resources in a specific VPC network can reach it, without using public IP addresses. Which solution should they implement?

A. VPC Service Controls
B. Cloud NAT
C. Cloud VPN
D. Private Google Access
Answer: D

Private Google Access enables VMs with internal IPs to reach Google APIs and services without internet, using the VPC network.

Why this answer

Private Google Access allows on-premises hosts or VM instances using internal IPs to reach Google APIs and services (like Cloud Storage) by routing traffic through the VPC network, without requiring public IPs.

2
Multi-Select · medium

A company is deploying a web application behind an external HTTPS load balancer. They want to protect against common web attacks such as XSS, SQLi, and LFI using preconfigured rules. They also need to allowlist specific IP addresses that belong to partners. Which three Cloud Armor features should they use? (Choose three.)

Select 3 answers
A. Attach the Cloud Armor security policy to the backend service or load balancer.
B. Enable the OWASP ModSecurity CRS preconfigured rule set.
C. Configure IAP to restrict access to the application.
D. Use Cloud CDN to cache static content.
E. Create custom rules with IP allowlists for partner IPs.
Answers: A, B, E

Required for the policy to take effect.

Why this answer

Cloud Armor provides preconfigured WAF rules (OWASP ModSecurity CRS) for XSS, SQLi, LFI, etc. It also supports custom rules for allowlisting IPs. The correct features are: using preconfigured rule sets for OWASP CRS, creating custom rules with IP allowlisting, and then applying the policy to the load balancer.

The question asks for three, so the answers are the OWASP CRS rule set, custom rules, and security policy attachment.

3
MCQ · hard

A company's security policy requires that all traffic to a Google Cloud load balancer use TLS 1.2 or higher and only accept strong ciphers. They want to enforce this using a Google Cloud resource. Which resource should they configure?

A. Cloud Armor security policy
B. Network firewall rule
C. SSL certificate
D. SSL policy
Answer: D

SSL policies define allowed TLS versions and cipher suites for load balancers.

Why this answer

SSL policies on HTTPS load balancers allow you to specify the minimum TLS version and cipher profile (e.g., RESTRICTED for strong ciphers). This enforces encryption requirements at the load balancer level.

4
MCQ · medium

A company wants to enforce that all VPC firewall rules in an organization must be centrally managed and cannot be overridden by lower-level projects. Which approach should they use?

A. Create network firewall rules at the organization level
B. Configure VPC Service Controls with a perimeter
C. Enable Organizational Policy constraints
D. Use a hierarchical firewall policy at the organization node
Answer: D

Hierarchical firewall policies can be applied at the org level and are inherited by all folders and projects; they can be set to not be overridden.

Why this answer

Hierarchical firewall policies are applied at the organization, folder, or project level and are inherited downward. They can be set to have higher priority than network firewall rules, and lower-level rules cannot override them if the policy is set accordingly.

5
MCQ · hard

A company uses Cloud Armor security policies to protect their HTTP load balancer. They need to block requests from a specific geographic region (country X) and also limit requests from any IP to 1000 requests per second. They also want to use preconfigured rules for SQL injection prevention. What is the correct way to combine these requirements in a single security policy?

A. Create a single custom rule with both geo-blocking and rate limiting conditions using CEL expressions, and enable preconfigured SQLi rules.
B. Create separate rules: one for geo-blocking with priority 500, one for rate limiting with priority 600, and enable preconfigured SQLi rules at priority 1000. Order them appropriately.
C. Use Cloud Armor Managed Protection Plus, which automatically includes geo-blocking and rate limiting.
D. Enable SQLi preconfigured rules only; geo-blocking and rate limiting are not supported in Cloud Armor.
Answer: B

This is the correct approach: separate rules for different actions, with priorities ensuring evaluation order.

Why this answer

Cloud Armor rules are evaluated in order of priority (lowest number first). Preconfigured rules (like SQLi) have a priority of 1000 by default. Geographic and rate limiting rules can be added with custom priorities.

The rule order matters: typically, you want to block/rate-limit before applying WAF rules to reduce processing. However, the question is about combining them correctly: all rule types can coexist in a single policy. The key is that each rule type has its own configuration; you can't set rate limiting in the same rule as geo-blocking; they must be separate rules.

6
MCQ · medium

An organization wants to enforce a security policy that denies all egress traffic to the internet from all projects in the organization, except for traffic from a specific set of VMs tagged with 'allow-egress'. Which approach should be used?

A. Create a VPC firewall rule at the organization level to deny all egress, then allow egress for the specific tag.
B. Use a hierarchical firewall policy at the organization level with a deny-all egress rule and a higher priority allow rule for the tag.
C. Use VPC Service Controls to block egress traffic.
D. Configure Cloud Armor with a deny-all egress rule and an exception for the tag.
Answer: B

Hierarchical firewall policies apply across projects and cannot be overridden, ensuring baseline enforcement.

Why this answer

Hierarchical firewall policies are inherited down the resource hierarchy and can be enforced at the organization or folder level. They cannot be overridden at lower levels, making them suitable for organization-wide baseline rules.

7
Multi-Select · medium

A security engineer needs to restrict access to a Cloud Storage bucket so that only a specific set of Compute Engine instances can read objects. The instances are in the same project and VPC network. The engineer wants to use VPC firewall rules for this purpose. Which two configurations are REQUIRED? (Choose two.)

Select 2 answers
A. Create an egress allow rule for the IP ranges of Cloud Storage (Google API IPs) and apply it to the target instances.
B. Enable Private Google Access on the subnet where the instances reside.
C. Assign a Cloud IAM role to the instances' service account to allow read access to the bucket.
D. Create a deny all egress rule with a lower priority (higher number) than the allow rule.
E. Create an ingress allow rule from Cloud Storage IP ranges to the instances.
Answers: A, D

Allows the instances to reach Cloud Storage.

Why this answer

VPC firewall rules control network traffic to and from instances; they cannot directly restrict access to the Cloud Storage API, but they can restrict which instances are able to reach the external IP ranges of Cloud Storage. To achieve the goal with firewall rules, the engineer must allow egress traffic from the instances to the Cloud Storage IP ranges and deny all other egress.

Access to Cloud Storage itself is controlled by IAM, not by firewall rules. The question, however, asks specifically about VPC firewall rules, where the typical approach is to combine Private Google Access with firewall rules that restrict egress to the Google API IP ranges.

Firewall rules can target service accounts or tags, so the egress allow rule can be scoped to the instances that should have access, although that still does not restrict access to Cloud Storage itself. The two required configurations are therefore: (1) an egress allow rule for the Cloud Storage IP ranges (which are part of the published Google API ranges) with a target tag or service account matching the instances, and (2) a deny-all egress rule with lower priority. That corresponds to A and D.

8
MCQ · medium

A security engineer needs to detect and alert on network-based threats such as malware and command-and-control traffic within their Google Cloud VPC. They want a managed service that provides deep packet inspection and integrates with their existing security operations. Which service should they use?

A. Cloud Armor
B. VPC Service Controls
C. Cloud NGFW
D. Cloud IDS
Answer: D

Cloud IDS provides managed threat detection using deep packet inspection.

Why this answer

Cloud IDS (Intrusion Detection System) is a managed service that uses Palo Alto Networks threat detection to inspect network traffic for threats. It integrates with VPC packet mirroring and provides threat severity levels. Cloud Armor protects web applications at the edge.

VPC Service Controls restrict data access. Cloud NGFW (next-generation firewall) is not a Google Cloud managed service; Google offers Cloud Firewall (which is not NGFW).

9
MCQ · medium

A company uses VPC Service Controls in dry-run mode to test a new service perimeter that includes BigQuery. They want to monitor any violations without actually blocking access. Where can they view the logs of these dry-run violations?

A. Cloud Monitoring dashboards
B. VPC Flow Logs
C. Access Transparency logs
D. Cloud Logging with the filter `policy_violations`
Answer: D

Correct: VPC Service Controls violations in dry-run mode are logged to Cloud Logging and can be viewed using the appropriate filter.

Why this answer

When VPC Service Controls is in dry-run mode, violations are logged to Cloud Logging but access is not blocked. The logs can be viewed in the Logs Explorer using the filter for VPC Service Controls policy violations.

10
Multi-Select · medium

A company is deploying a new internal application on Google Cloud. They want to ensure that VM instances in a specific subnet can only communicate with each other and with a load balancer that fronts the application. They also want to allow SSH access from a bastion host. Which TWO firewall rules should they create? (Choose two.)

Select 2 answers
A. An ingress rule that allows all traffic from the subnet to the instances (target tags or service account)
B. An egress rule that blocks all traffic except to the load balancer and subnet
C. An ingress rule that allows SSH (tcp:22) from the bastion host (using its service account or tags)
D. An egress rule that allows all traffic to the load balancer's frontend IP
E. An ingress rule that allows HTTP traffic from the load balancer to the instances
Answers: A, C

This allows internal communication within the subnet.

Why this answer

To restrict communication to only internal subnet traffic and the load balancer, you need an ingress rule that allows traffic from the subnet (source) to all instances (target). To allow SSH from the bastion, you need an ingress rule allowing TCP port 22 from the bastion host (using its service account or tags). Egress rules are not needed here because the default allow-egress rule is not restrictive; blocking other egress would require a deny egress rule, but the question asks for rules that allow traffic, not rules that block it.

11
Multi-Select · easy

A company wants to use Private Service Connect to publish a managed service (e.g., a custom application) so that consumers can access it privately within Google Cloud. Which THREE resources are involved in this setup?

Select 3 answers
A. PSC endpoint (forwarding rule)
B. Cloud NAT gateway
C. Service attachment
D. VPC peering
E. DNS configuration (e.g., private DNS zone)
Answers: A, C, E

The consumer creates a PSC endpoint to connect to the service.

Why this answer

Private Service Connect involves creating a service attachment on the producer side (the managed service), which is then accessible via a PSC endpoint in the consumer's VPC. DNS configuration is needed to resolve the endpoint's IP address. IAM roles control who can create endpoints.

12
MCQ · medium

An engineer needs to allow HTTP traffic from instances tagged 'web-server' to instances tagged 'app-server' on port 8080 within the same VPC. Which firewall rule should be created?

A. Egress rule from 'web-server' to 'app-server' allowing tcp:8080
B. Ingress rule for 'web-server' with source tag 'app-server' allowing tcp:8080
C. Egress rule for 'app-server' with destination tag 'web-server' allowing tcp:8080
D. Ingress rule for 'app-server' with source tag 'web-server' allowing tcp:8080
Answer: D

This rule allows inbound traffic to 'app-server' instances from 'web-server' instances on port 8080.

Why this answer

Create an ingress rule targeting 'app-server' that allows tcp:8080 from source tag 'web-server'. Tags are used for both source and target to control traffic between instance groups.

13
MCQ · hard

An organization has a hierarchical firewall policy at the organization level that denies all ingress traffic from the internet. A project team needs to allow HTTP traffic from the internet to a specific VM. How should they achieve this?

A. Add a VPC firewall rule allowing HTTP from 0.0.0.0/0
B. Remove the VM from the organization hierarchy
C. Create a project-level hierarchical firewall policy with a rule allowing HTTP from 0.0.0.0/0 and a lower priority number than the org-level deny
D. Use Cloud Armor to allow the traffic
Answer: C

A lower-level hierarchical policy with higher priority (lower number) can override a higher-level policy rule.

Why this answer

Hierarchical firewall policies cannot be overridden at lower levels; they are always evaluated first. Since the org-level policy denies all internet ingress, the only way to allow HTTP is to create a hierarchical policy at a lower level (folder or project) that allows it, but those policies are also part of the hierarchy and are evaluated after the org level. Hierarchical policies can, however, be overridden by a lower-level policy with a higher priority, which raises the question of whether the org-level policy does not already hold the higher priority. In GCP, hierarchical firewall policies are evaluated in order of precedence: organization > folder > project.

A policy at a lower level can override a higher-level policy if it has a higher priority (lower number) and is an allow rule. So the project team can create a project-level hierarchical policy with a higher priority (e.g., 100) allowing HTTP from 0.0.0.0/0, which overrides the org-level deny (priority 1000).

14
Multi-Select · medium

A company wants to detect and block SQL injection attacks targeting their web application hosted on Compute Engine behind a Cloud Load Balancer. Which TWO steps should they take? (Choose TWO.)

Select 2 answers
A. Enable Cloud Armor adaptive protection to detect and block suspicious patterns.
B. Deploy Cloud IDS in the VPC to inspect packets for SQLi patterns.
C. Enable Cloud Armor on the load balancer with the OWASP ModSecurity CRS rule set.
D. Configure VPC firewall rules to deny traffic on port 443.
E. Use VPC Service Controls to restrict access to the backend instances.
Answers: A, C

Adaptive Protection uses ML to detect attacks including SQLi.

Why this answer

Cloud Armor preconfigured rules (like OWASP ModSecurity CRS) can detect SQLi, and enabling adaptive protection provides ML-based anomaly detection. Cloud IDS is for network-level threats, not WAF; VPC firewall rules don't inspect application payloads.

15
Multi-Select · hard

An organization wants to enforce that all egress traffic from a VPC to the internet must go through a Cloud NAT gateway for logging and IP management. They also need to block all other direct outbound traffic. Which THREE steps should they take? (Choose THREE.)

Select 3 answers
A. Enable Private Google Access on the subnet
B. Delete the default route (0.0.0.0/0) from the VPC
C. Add a firewall rule to allow egress to 0.0.0.0/0
D. Add a firewall rule to deny egress to 0.0.0.0/0 (except NAT's IP range)
E. Create a Cloud NAT gateway and assign it to the subnet
Answers: B, D, E

Removing the default route prevents direct internet egress.

Why this answer

To force traffic through Cloud NAT, you need to remove the default route (0.0.0.0/0), create a route that only allows traffic to the NAT gateway's IP range (or use a more specific route), and then add a deny egress rule for all other internet traffic.

16
MCQ · easy

A web application behind an HTTPS load balancer is experiencing a high volume of malicious requests with SQL injection patterns. The security team wants to block these requests with minimal latency impact. Which Cloud Armor feature should they use?

A. Rate limiting per IP
B. Custom rules with CEL expressions
C. Preconfigured WAF rules (OWASP ModSecurity CRS)
D. Adaptive Protection
Answer: C

The CRS includes rules to detect and block SQL injection, XSS, and other web attacks.

Why this answer

Cloud Armor provides preconfigured WAF rules, including the OWASP ModSecurity Core Rule Set (CRS), which includes SQL injection detection rules. Enabling this set blocks SQL injection attempts.

17
Multi-Select · hard

A security team is configuring Cloud Armor to protect a web application. They need to block requests that contain SQL injection patterns, block requests from a known malicious IP list, and limit requests from any single IP to 2000 requests per minute. Which THREE actions must they take? (Choose three.)

Select 3 answers
A. Create a custom rule with a deny action for the malicious IP list using a CEL expression
B. Create a single rule that combines SQLi detection, IP blocking, and rate limiting using CEL
C. Enable the preconfigured rule set for SQL injection (OWASP ModSecurity CRS)
D. Enable Cloud Armor Managed Protection Plus for automatic IP reputation
E. Create a rate limiting rule with a threshold of 2000 requests per minute per IP
Answers: A, C, E

You can use a deny list rule to block specific IP addresses.

Why this answer

To implement these requirements, you need to enable the preconfigured SQL injection rule set, create a custom rule with an IP allow/deny list for the malicious IPs, and create a rate limiting rule. Cloud Armor does not have a built-in list of malicious IPs; you must provide the list. The rate limiting is configured as a separate rule with action 'rateBasedThrottle'.

18
Multi-Select · hard

A security team needs to inspect all egress traffic from Compute Engine instances for malware using a third-party security appliance. They want to deploy the appliance in a separate VPC and route all egress traffic through it. Which THREE components are required? (Choose 3)

Select 3 answers
A. VPC peering between the application VPC and the appliance VPC
B. Custom route for 0.0.0.0/0 with next hop to an internal load balancer
C. Cloud VPN tunnel between VPCs
D. Internal load balancer in the appliance VPC
E. Cloud NAT gateway
Answers: A, B, D

Required for traffic to cross VPCs if appliance is in a separate VPC.

Why this answer

Use a custom route that directs default egress traffic to an internal load balancer (ILB), which forwards to the appliance instances. The appliance must be deployed in a different VPC, so VPC peering or Network Connectivity Center connects the VPCs. The simplest design would place the ILB in the same VPC as the instances, but the requirement states a separate VPC.

So VPC peering is used. The three required components are: a custom route for the default route (0.0.0.0/0) with next hop to the ILB, an internal load balancer forwarding traffic to the appliance, and VPC peering (or VPN) to connect the VPCs. If the appliance were in the same VPC, peering would not be needed; given the separate VPC, peering is required.

19
MCQ · medium

An engineer needs to allow a specific service account from another project to access a Cloud Storage bucket in the current project. The engineer wants to use the principle of least privilege. Which IAM role should be granted directly on the bucket to the service account?

A. roles/storage.objectViewer on the bucket
B. roles/storage.legacyBucketReader on the bucket
C. roles/storage.objectAdmin on the bucket
D. roles/storage.admin on the project
Answer: A

Provides read-only access to objects, which is least privilege for reading.

Why this answer

Grant the predefined role `roles/storage.objectViewer` to the service account. This role provides read-only access to objects in the bucket.

20
MCQ · easy

An engineer needs to block a specific IP address from accessing an HTTPS load balancer. Which Cloud Armor rule should be used?

A. A VPC firewall rule with a deny ingress for that IP
B. A custom rule with a 'deny' action and the IP address in the 'src_ip_ranges' field
C. A Cloud Armor rate limiting rule
D. A preconfigured rule from the OWASP ModSecurity CRS
Answer: B

Custom rules can block specific IPs using 'src_ip_ranges'.

Why this answer

Cloud Armor custom rules allow IP allow/deny lists. A deny rule with the specific IP address will block traffic.

21
MCQ · medium

A security engineer needs to allow HTTP (port 80) traffic from all VMs in the production environment to a specific set of VMs running a web server. The web server VMs are identified by a service account 'web-sa@...'. Which firewall rule configuration should the engineer create?

A. Egress rule: destination = 0.0.0.0/0, targetServiceAccounts = ['web-sa@...'], allow tcp:80
B. Ingress rule: source = 0.0.0.0/0, targetTags = ['web-server'], deny tcp:80
C. Ingress rule: source = 0.0.0.0/0, targetTags = ['web-server'], allow tcp:80
D. Ingress rule: source = 0.0.0.0/0, targetServiceAccounts = ['web-sa@...'], allow tcp:80
Answer: D

This rule allows HTTP traffic to VMs with the specified service account, which is the recommended approach.

Why this answer

Using a service account as the target (serviceAccount = web-sa@...) is the recommended approach for security, as it is more dynamic and less error-prone than using network tags. The rule allows ingress traffic from any source (0.0.0.0/0) on TCP port 80 to VMs with that service account.

22
MCQ · easy

A security engineer needs to restrict access to Cloud Storage buckets so that only resources in a specific VPC can reach the Google APIs. Which Google Cloud service should be used?

A. Firewall Rules
B. VPC Service Controls
C. Identity-Aware Proxy
D. Cloud Armor
Answer: B

VPC Service Controls enforces perimeters around Google Cloud APIs to control data access.

Why this answer

VPC Service Controls allows you to define a service perimeter that restricts access to Google Cloud APIs (like Cloud Storage) to only resources from authorized VPCs, preventing data exfiltration.

23
MCQ · easy

A company wants to detect and alert on potential network threats, such as malware and command-and-control traffic, within their VPC. They need a managed service that integrates with packet mirroring. Which Google Cloud service should they use?

A. Cloud IDS
B. Security Command Center
C. VPC Flow Logs
D. Cloud Armor
Answer: A

Cloud IDS provides managed threat detection using packet mirroring.

Why this answer

Cloud IDS (Intrusion Detection System) is a managed network threat detection service that uses packet mirroring to inspect traffic for threats. It is powered by Palo Alto Networks.

24
Multi-Select · hard

A security engineer is designing a VPC Service Controls perimeter to protect sensitive BigQuery data. They need to allow a specific on-premises application (source IP range 203.0.113.0/24) to query BigQuery, and also allow a managed instance group in another project (project 'analytics') to export data from BigQuery to Cloud Storage. Which THREE configurations are required? (Choose three.)

Select 3 answers
A. Add the analytics project to the service perimeter
B. Configure Cloud Armor to allow the on-premises IP
C. Create an egress rule to allow Cloud Storage access from the perimeter
D. Create an ingress rule to allow the service account of the managed instance group
E. Add the on-premises IP range to an access level and create an ingress rule
Answers: A, C, E

The managed instance group's project must be within the perimeter to access BigQuery.

Why this answer

To allow on-premises access, an ingress rule with the source IP range is needed. To allow the managed instance group in another project, that project must be added to the perimeter (as a project within the perimeter) and an ingress rule for the service account or VPC of that project must be created. Also, the managed instance group will need an egress rule to allow access to Cloud Storage from within the perimeter.

So ingress rule for on-premises, adding the analytics project to the perimeter, and an egress rule for Cloud Storage are required.

25
MCQ · medium

A company is using Cloud Armor with adaptive protection enabled. They notice that adaptive protection has generated a rule that is blocking some legitimate traffic. What should they do to minimize false positives while still benefiting from adaptive protection?

A. Disable adaptive protection immediately
B. Add a higher-priority allow rule for the legitimate traffic
C. Increase the sensitivity threshold of adaptive protection
D. Change the adaptive protection rule action to 'throttle'
Answer: B

A higher-priority allow rule can override the adaptive protection rule for specific traffic.

Why this answer

Adaptive protection works by learning traffic patterns and generating rules. The best practice is to initially set the adaptive protection rule to 'throttle' or 'log' mode (or use a low priority) to monitor its impact. Alternatively, you can override the rule with a higher-priority allow rule for known good traffic.

The recommended approach is to use the rule in preview or monitoring mode before enforcing.

26
MCQ · hard

A company uses VPC Service Controls to protect a project containing BigQuery datasets. They have an ingress rule that allows traffic from an on-premises network via a Cloud VPN tunnel. The on-premises IP range is 10.0.0.0/8. However, users on-premises are still getting access denied errors when querying BigQuery. The VPC Service Controls perimeter is in dry-run mode. What is the most likely cause?

A. The perimeter is in dry-run mode, which blocks all traffic until the rule is finalized.
B. The ingress rule does not include the on-premises user identities or service accounts.
C. The dry-run mode only applies to egress rules, not ingress.
D. Cloud VPN is not a supported access method for VPC Service Controls.
Answer: B

The ingress rule must specify both the source network (on-prem IP range) and the identities (users or service accounts) to allow access. If identities are missing, access is denied by IAM, not VPC SC.

Why this answer

In dry-run mode, VPC Service Controls logs violations but does not enforce them. The access denied errors are likely caused by something else, such as IAM permissions or a missing identity in the ingress rule. Dry-run mode only logs, it does not block or allow access.

If the ingress rule is correctly configured, access should be allowed in dry-run mode. But the error persists, so the issue is not VPC Service Controls enforcement.

27
MCQ · medium

An engineer wants to allow egress traffic from a group of VM instances with a specific service account to a set of IP addresses. They need to choose between using tags or service accounts as targets in a VPC firewall rule. Which approach is recommended for better security and why?

A. Use tags because they are easier to manage and provide the same level of security as service accounts.
B. Use target tags with a network tag that is automatically assigned by a management tool.
C. Either is acceptable; Google recommends using tags for simplicity.
D. Use service accounts because they are managed by IAM and provide a stronger identity-based security model.
Answer: D

Service accounts are IAM-controlled and tied to VM identity, making them more secure.

Why this answer

Service account targets are preferred because they are more secure. Tags can be added or removed by anyone with compute.instances.setTags permission, while service accounts are managed centrally with IAM. Using service accounts ensures that the firewall rule applies based on the identity of the VM, which is harder to spoof.

28
Multi-Select · hard

A company is designing a secure multi-tenant environment in Google Cloud. Each tenant has its own VPC network and resources. The security team wants to centrally enforce a rule that denies all egress traffic to the internet from tenant VPCs, except for traffic to specific trusted IP ranges for software updates. They also want to ensure that tenant admins cannot override this rule. Which two actions should they take? (Choose two.)

Select 2 answers
A. Create a hierarchical firewall policy at the folder level that denies egress to 0.0.0.0/0 except for the trusted IP ranges.
B. Restrict tenant admins from modifying hierarchical firewall policies by not granting the compute.firewallPolicies.create/update/delete permissions at the organization or folder level.
C. Grant tenant admins the compute.securityAdmin role to manage firewall rules.
D. Use VPC Service Controls to block egress traffic.
E. Create a VPC firewall rule in each tenant project to deny egress traffic.
Answers: A, B

Hierarchical policies apply to all projects below and cannot be overridden by VPC firewall rules.

Why this answer

Hierarchical firewall policies are inherited and cannot be overridden at lower levels. They can be used to enforce mandatory rules. The organization can create a hierarchical firewall policy at the organization or folder level that denies all egress to 0.0.0.0/0 except for the trusted IP ranges.

Additionally, to prevent tenant admins from overriding, they should not grant them the compute.firewallPolicies.update permission or similar. The correct choices are: create a hierarchical firewall policy and restrict permissions to modify firewall policies.

29
Multi-Select · medium

A company wants to protect a web application hosted on Google Cloud from common web attacks like SQL injection and cross-site scripting (XSS). They have deployed a global external HTTPS load balancer. Which TWO services or configurations should they use?

Select 2 answers
A. Cloud Armor security policy with OWASP ModSecurity CRS rule set
B. HTTPS load balancer (already in place)
C. SSL policy with RESTRICTED profile
D. VPC Service Controls
E. Cloud IDS
Answers: A, B

Cloud Armor includes preconfigured rules for SQLi, XSS, etc.

Why this answer

Cloud Armor provides WAF capabilities with preconfigured rules for OWASP Top 10 threats, including SQLi and XSS. Additionally, using an HTTPS load balancer ensures encrypted traffic. For this question, the correct answers are Cloud Armor and enabling HTTPS (which is already done).

But since the load balancer is already HTTPS, the focus is on Cloud Armor. The other options: Cloud IDS is for network threat detection, not WAF; VPC Service Controls is for API access control; SSL policy is for TLS settings.

30
MCQ · easy

A security engineer wants to restrict access to a Cloud Storage bucket so that only requests originating from within a specific VPC network can access the bucket. Which Google Cloud service should they use?

A. Identity-Aware Proxy (IAP)
B. VPC Service Controls
C. Firewall rules
D. Cloud Armor
Answer: B

VPC Service Controls use service perimeters to restrict access to Google Cloud services based on context like VPC network.

Why this answer

VPC Service Controls allow you to define a service perimeter that restricts access to Google Cloud services (including Cloud Storage) based on the originating VPC network and identity.

31
Multi-Select · medium

A security engineer is configuring a VPC Service Controls perimeter to protect a Cloud Storage bucket. They want to allow a specific on-premises network (IP range 203.0.113.0/24) to access the bucket, while still blocking other external networks. Which TWO components must they configure? (Choose TWO.)

Select 2 answers
A. Cloud Armor security policy
B. Service perimeter in enforced mode
C. Ingress rule that permits the access level
D. Access level with IP-based condition
E. Egress rule to allow traffic to the on-premises network
Answers: C, D

Ingress rules allow specified access levels to cross the perimeter.

Why this answer

The access level (D) turns the on-premises range into a named condition, and the ingress rule (C) is what lets requests satisfying that condition cross into the perimeter; one without the other admits nothing. Enforced mode (B) is the perimeter's normal state rather than a component of the exception, an egress rule (E) governs requests leaving the perimeter, and Cloud Armor (A) protects HTTP(S) load balancers, not API access.

32
Multi-Selectmedium

A company wants to enable private connectivity from its on-premises network to Google APIs (e.g., Cloud Storage, BigQuery) without using public IPs. They have a Cloud VPN connection to a VPC. Which TWO services or configurations are required? (Choose two.)

Select 2 answers
A.Cloud Armor
B.Cloud NAT
C.Private Google Access
D.Private Service Connect
E.VPC Service Controls
AnswersC, D

Both keep on-premises API traffic on the VPN and inside Google's network instead of the public internet.

Why this answer

Private Service Connect creates an endpoint for Google APIs with an internal IP address taken from one of your VPC subnets. Private Google Access for on-premises hosts instead uses the private.googleapis.com (199.36.153.8/30) or restricted.googleapis.com (199.36.153.4/30) virtual IP ranges, which are reachable only from within Google's network, so traffic to them stays on the tunnel. In either case the on-premises side needs two things that Cloud VPN alone does not provide: a route for the endpoint or VIP range advertised through Cloud Router over the tunnel, and DNS that resolves *.googleapis.com to that address.

Cloud NAT and Cloud Armor play no part in API reachability, and VPC Service Controls restricts who may call an API rather than how the traffic gets there. The two answers are therefore Private Service Connect and Private Google Access.

33
MCQhard

You are designing a VPC Service Controls perimeter to protect a project containing BigQuery datasets accessible from a data analytics VPC. You need to allow a specific set of on-premises users (identified by IP range 203.0.113.0/24) to query BigQuery from outside the perimeter, but block all other external access. What is the correct configuration?

A.Remove the on-premises IP range from the project's allowed external IPs list in the VPC Service Controls configuration
B.Create a service perimeter in dry-run mode, then configure a firewall rule in the on-premises VPC to allow egress to BigQuery
C.Create a service perimeter with restricted services including BigQuery. Add an ingress rule that allows access from the identity group containing the on-premises users, with source IP range 203.0.113.0/24 in the access level
D.Create a service perimeter with restricted services, create an access level with IP condition 203.0.113.0/24, and add an ingress rule that allows access from the access level to all identities
AnswerD

This correctly uses an access level for IP restriction and an ingress rule to allow that access level into the perimeter.

Why this answer

VPC Service Controls uses access levels for IP-based restrictions. To allow external access from a specific IP range, you create an access level that includes that IP range, then define an ingress rule in the service perimeter that grants access to that access level. Dry-run mode is for testing, not production enforcement.

34
MCQhard

A company has a global HTTPS load balancer and wants to use a self-managed SSL certificate. They have uploaded the PEM-encoded certificate and private key to the load balancer. However, the certificate is about to expire. What is the correct way to renew it without downtime?

A.Create a new SSL certificate resource with the new certificate and key, then update the target HTTPS proxy to use it
B.Use gcloud compute ssl-certificates update to replace the certificate
C.Update the existing SSL certificate resource with the new certificate and key
D.Delete the existing certificate and upload the new one with the same name
AnswerA

Creating a new certificate and updating the proxy is the correct procedure and avoids downtime.

Why this answer

Compute Engine SSL certificate resources are immutable, so there is no command that swaps the key material in place (B, C), and deleting a certificate that a proxy still references either fails or leaves clients without a certificate (D). The zero-downtime path is: create a new SSL certificate resource from the renewed PEM files, point the target HTTPS proxy at it with gcloud compute target-https-proxies update --ssl-certificates, verify with a TLS client that the new chain is being served, and only then delete the old resource.

35
MCQhard

An organization uses SSL policies for their HTTPS load balancer. They need to allow TLS 1.2 and 1.3 only, and use the most secure cipher profile available. Which SSL policy configuration should they choose?

A.minTlsVersion: 1.2, profile: RESTRICTED
B.minTlsVersion: 1.2, profile: MODERN
C.minTlsVersion: 1.2, profile: COMPATIBLE
D.minTlsVersion: 1.3, profile: CUSTOM
AnswerA

RESTRICTED enforces the strongest ciphers with TLS 1.2+.

Why this answer

Of the preconfigured profiles (COMPATIBLE, MODERN, RESTRICTED), RESTRICTED keeps the smallest set of strong cipher suites; its suites only exist in TLS 1.2 and later, so legacy clients cannot negotiate a connection at all. Setting minTlsVersion to 1.2 admits both TLS 1.2 and TLS 1.3. MODERN (B) admits a wider cipher list, COMPATIBLE (C) the widest, and option D's minimum of 1.3 would exclude the TLS 1.2 clients the requirement wants to keep; CUSTOM would only be needed to hand-pick suites.

36
MCQmedium

An organization wants to provide private, on-premises access to Google Cloud APIs (e.g., Cloud Storage, BigQuery) without traversing the public internet. They have a Cloud Interconnect link to Google Cloud. Which solution should they implement?

A.VPC Service Controls
B.Cloud NAT
C.Private Service Connect
D.Private Google Access
AnswerC

Private Service Connect enables private endpoints to Google APIs using internal IP addresses.

Why this answer

Private Service Connect lets you create an endpoint for Google APIs with an internal IP address in your VPC. Advertise that address over Cloud Interconnect (or Cloud VPN) with Cloud Router and point on-premises DNS for *.googleapis.com at it, and API calls never leave the private path. VPC Service Controls restricts who may call an API but provides no connectivity.

Cloud NAT only translates outbound traffic to the internet. Private Google Access for on-premises hosts is the older pattern: on-premises DNS resolves googleapis.com to the private.googleapis.com or restricted.googleapis.com VIP ranges, Google-owned addresses that are routable only from inside Google's network and that must likewise be advertised over the Interconnect. It works, but the expected answer is the Private Service Connect endpoint, which uses an address from your own subnet.

37
MCQeasy

A security engineer wants to allow egress traffic from Compute Engine instances to the internet only for updates to a specific set of packages. All other egress must be denied. Which VPC firewall rule configuration should the engineer use?

A.Create an egress allow rule for the specific package sources and a deny all egress rule with lower priority (higher number).
B.Create an egress deny rule for all traffic and then a higher-priority allow rule for the package sources.
C.Create an ingress allow rule for the package sources and a deny all egress rule with higher priority.
D.Use Cloud NAT to force all egress through a single IP and then restrict with a firewall rule.
AnswerA

Correct: The allow rule matches the specific destinations, and the deny all rule with lower priority (higher number) catches everything else. Because VPC firewall rules are evaluated from highest to lowest priority, the allow rule first permits the desired traffic, then the deny rule blocks the rest.

Why this answer

Every VPC carries an implied allow-all egress rule at the lowest priority (65535), so without an explicit deny the non-repository traffic would still leave; the deny rule has to be added, and it has to carry a higher number than the allow so that the allow is evaluated first. VPC firewall rules are stateful, so the egress allow for the repository also admits the return packets of the update connection. Option C is an ingress rule and does not govern outbound traffic, and Cloud NAT (D) changes the source address of egress, not which destinations are permitted.

38
MCQhard

A company uses VPC Service Controls to protect a BigQuery dataset. They need to allow an external on-premises application to query the dataset without being inside the service perimeter. The external application has a static IP address. Which configuration is required?

A.Add the external IP to an access level and configure an ingress rule in the service perimeter.
B.Whitelist the external IP in the BigQuery dataset's IAM policy.
C.Create a Cloud VPN tunnel between the on-premises network and the VPC, and add the tunnel to the service perimeter.
D.Use Private Google Access on the VPC to allow on-premises traffic.
AnswerA

An ingress rule with an IP-based access level allows traffic from that IP to cross the perimeter.

Why this answer

VPC Service Controls access levels can define IP-based conditions. By creating an ingress rule that allows traffic from the specified IP address to access the BigQuery API, the external application can be authorized.

39
MCQhard

A company has a VPC Service Controls perimeter that includes BigQuery and Cloud Storage. They need to allow a specific on-premises application (with a static IP) to access a BigQuery dataset within the perimeter. Which configuration should they use?

A.Create a VPC firewall rule allowing ingress from the on-premises IP to the BigQuery API.
B.Exempt the on-premises service account from the perimeter.
C.Use Private Google Access from the on-premises network.
D.Add the on-premises IP to an access level and create an ingress rule in the service perimeter.
AnswerD

Correct: An access level can be defined using the IP address, and an ingress rule allows that access level to cross the perimeter.

Why this answer

VPC Service Controls allows ingress rules to permit traffic from specific identities or IP ranges into the perimeter. They need to create an ingress rule that allows the on-premises IP to access BigQuery.

40
MCQhard

An organization has a security policy that requires TLS 1.2 or higher for all HTTPS traffic to their external HTTP(S) load balancer. They also need to disable weak cipher suites. Which configuration should be applied?

A.Configure the SSL policy on the load balancer's backend bucket.
B.Use Cloud Armor WAF rules to block TLS 1.0/1.1 traffic.
C.Set the SSL policy on the target HTTPS proxy with minimum TLS version 1.2 and a compatible profile.
D.Set the SSL policy on the target HTTPS proxy with minimum TLS version 1.2 and a MODERN or RESTRICTED cipher profile.
AnswerD

This ensures only strong ciphers are allowed with TLS 1.2+.

Why this answer

SSL policies on the target HTTPS proxy allow setting minimum TLS version and cipher profile. Set the minimum TLS version to 1.2 and choose the MODERN or RESTRICTED profile to disable weak ciphers.

41
MCQeasy

An organization wants to restrict access to Google Cloud APIs such as BigQuery and Cloud Storage so that only requests originating from a specific VPC network are allowed. Which Google Cloud service should they use?

A.Private Service Connect
B.VPC firewall rules
C.VPC Service Controls
D.Cloud Armor
AnswerC

VPC Service Controls create a perimeter around Google Cloud APIs, restricting access based on network and identity.

Why this answer

VPC Service Controls allow you to define a service perimeter around a set of Google Cloud APIs, restricting access to only those identities and networks you specify. This is the correct service for this requirement. Firewall rules control network traffic to VM instances, not API access.

Cloud Armor protects against web attacks. Private Service Connect provides private connectivity to Google APIs but does not restrict access.

42
MCQhard

An organization has a hub-and-spoke VPC setup with Shared VPC. The security team wants to enforce a rule that all egress traffic from any project in the organization must pass through a central inspection appliance in the hub VPC. Which firewall configuration approach meets this requirement?

A.Use VPC firewall rules with a deny-all egress rule, then allow egress only from instances running in the hub VPC.
B.Configure private Google Access and VPC Service Controls to restrict egress.
C.Create a hierarchical firewall policy that denies all egress traffic unless it has a specific tag.
D.Set up a default route in each spoke VPC that sends egress traffic to the inspection appliance in the hub, and use firewall rules to allow only that traffic.
AnswerD

Correct: By configuring a default route (0.0.0.0/0) with the inspection appliance as next hop, all egress traffic is forced through it. Firewall rules can then allow only traffic that matches this path.

Why this answer

Hierarchical firewall policies apply to an organization, folder or project subtree and, unless a rule delegates with goto_next, take precedence over VPC firewall rules, so they are the right tool for mandatory allow/deny decisions. They cannot steer traffic, though: a firewall rule has no next hop.

Forcing traffic through an inspection appliance is a routing decision. Install a default route (0.0.0.0/0) whose next hop is the appliance (or an internal passthrough load balancer in front of a set of appliances), then use firewall rules, hierarchical ones if the control must not be editable by project teams, to deny any egress that does not take that path, for example by allowing direct egress only from the appliance's service account.

43
MCQmedium

A company wants to provide private connectivity from its VPC to Google APIs (e.g., Cloud Storage, BigQuery) without using public IPs or NAT. The solution must also support on-premises connectivity via Cloud VPN. Which service should they use?

A.Private Google Access
B.Cloud NAT
C.Private Service Connect
D.Cloud VPN
AnswerC

Private Service Connect endpoints in a VPC provide private IP access to Google APIs, and can be reached from on-premises via Cloud VPN or Interconnect.

Why this answer

Private Service Connect enables private connectivity to Google APIs via internal IPs. It supports both VPC and on-premises (via Cloud VPN or Interconnect) access to Google APIs without traversing the internet.

44
MCQhard

A security team needs to apply a security policy that blocks requests to their HTTP load balancer from a specific geographic region (e.g., Country A). Which Cloud Armor feature should they use?

A.Preconfigured WAF rules
B.Custom rules with CEL expressions
C.Adaptive Protection
D.Rate limiting
AnswerB

Custom rules using CEL can match on geographic attributes like origin.region_code.

Why this answer

Cloud Armor supports geolocation-based blocking using custom rules with geographic origin matching (e.g., origin.region_code).

45
MCQhard

An organization uses a global HTTPS load balancer with a Google-managed SSL certificate. The certificate was automatically provisioned and renewed. Recently, the certificate renewal failed and the site shows a warning. The load balancer's frontend uses the certificate. What is the most likely cause?

A.The load balancer's frontend IP address has changed
B.The certificate has reached its maximum validity period
C.The DNS CNAME record for domain validation is misconfigured or missing
D.The load balancer's SSL policy requires a minimum TLS version that the managed certificate does not support
AnswerC

Managed certificates require DNS records to prove domain ownership; incorrect records prevent renewal.

Why this answer

Renewal depends on a proof of control that lives in DNS. A Compute Engine Google-managed certificate uses load balancer authorization: the domain's A/AAAA records must resolve to the load balancer's frontend IP at renewal time. A Certificate Manager certificate can instead use DNS authorization, a CNAME for _acme-challenge.<domain> pointing at the record Google issues for that domain. If the relevant record is missing or wrong, the automatic renewal fails and the old certificate eventually expires. Managed certificates have no maximum lifetime after which renewal stops (B), and the SSL policy (D) only governs the handshake, not issuance.

46
MCQeasy

A company wants to enforce that traffic between two projects in the same organization must go through a central inspection VPC. They need a firewall rule that denies all traffic between the projects except through the inspection VPC. Which type of firewall rule should they use?

A.Cloud IDS
B.VPC Service Controls
C.Network firewall rules in each project
D.Hierarchical firewall policy at the folder level
AnswerD

Hierarchical policies can enforce rules across projects and cannot be overridden, ensuring central inspection.

Why this answer

Hierarchical firewall policies are applied at the folder or organization level and can enforce rules across projects. They are inherited and cannot be overridden by lower-level rules, making them suitable for central enforcement.

47
Multi-Selectmedium

A security engineer is designing a network security architecture for a multi-project environment. They need to enforce a baseline set of firewall rules across all projects in the organization, but allow individual project teams to add their own specific rules. Which TWO components should they use?

Select 2 answers
A.Project-level VPC firewall rules
B.Network firewall policy
C.Shared VPC
D.Cloud Armor security policy
E.Organization-level hierarchical firewall policy
AnswersA, E

Project teams can add their own rules using VPC firewall rules (or project-level hierarchical policies).

Why this answer

Hierarchical firewall policies can be applied at the organization level to enforce baseline rules. These policies are inherited by all projects. Individual project teams can then create their own VPC firewall rules (or project-level hierarchical policies) that are evaluated after the org-level policies, allowing them to add specific rules without overriding the baseline.

48
MCQeasy

An organization wants to allow only specific trusted IP ranges to access a web application behind a Cloud Load Balancer. Which Cloud Armor feature should be used?

A.Preconfigured rules for OWASP ModSecurity CRS
B.Geolocation-based access control
C.Custom rules with source IP allow/deny lists
D.Adaptive protection
AnswerC

Cloud Armor custom rules can match on source IP ranges and allow or deny traffic accordingly.

Why this answer

Cloud Armor allows IP allow/deny lists using custom rules. Use a security policy with a rule that allows traffic from specified IP ranges and denies all other traffic.

49
MCQmedium

An organization has multiple VPC networks in different projects. They need to centrally manage firewall rules that apply to all VPCs in the organization and ensure that project owners cannot override them. Which solution should they use?

A.Create a hierarchical firewall policy at the organization level
B.Create a network firewall policy and attach it to each VPC network
C.Use Cloud Armor security policies with the load balancers
D.Use VPC firewall rules with tags applied to all VMs across projects
AnswerA

Hierarchical policies are inherited and cannot be overridden by lower-level rules.

Why this answer

Hierarchical firewall policies can be applied at the organization or folder level and are inherited by all VPC networks. They cannot be overridden by lower-level firewall rules. This is the correct solution for centralized, unoverrideable rules.

Network firewall policies are associated with VPC networks within a single project and enforce nothing on other projects, which is why they cannot serve as an organization-wide baseline.

50
Multi-Selectmedium

A security team wants to enforce SSL/TLS best practices for their HTTPS load balancer. They need to require TLS 1.2 or higher and restrict ciphers to strong ones only. Which TWO actions should they take? (Choose two.)

Select 2 answers
A.Enable Cloud Armor WAF rules
B.Attach the SSL policy to the target HTTPS proxy
C.Create an SSL policy with minTlsVersion = TLS_1_2 and profile = RESTRICTED
D.Set the SSL policy to COMPATIBLE profile
E.Use a Google-managed SSL certificate
AnswersB, C

The policy takes effect when attached to the proxy.

Why this answer

To enforce TLS version and cipher strength, you create an SSL policy. The policy can set the minimum TLS version to 1.2 and the profile to RESTRICTED (which only allows strong ciphers). Then you attach the policy to the load balancer's target HTTPS proxy.

51
MCQeasy

Which VPC firewall rule target type is recommended for security because it can be dynamically applied to instances based on their service account?

A.Instance names
B.Subnets
C.Tags
D.Service accounts
AnswerD

Service accounts are dynamic and align with identity-based security.

Why this answer

Service-account targets bind the rule to the identity the VM runs as, so the rule follows the workload rather than a label. They are also harder to widen by accident: adding a network tag only needs instance-level permission, whereas attaching a different service account to a VM requires the actAs permission on that service account.

52
MCQeasy

A company wants to automatically provision and renew SSL certificates for their HTTPS load balancer. They do not want to manually manage certificate files. Which approach should they use?

A.Upload a self-managed certificate in PEM format.
B.Configure SSL policies to enforce TLS version.
C.Create a Google-managed SSL certificate resource.
D.Use Certificate Manager with a DNS-authorized certificate.
AnswerC

Google-managed certificates handle provisioning and renewal automatically.

Why this answer

Google-managed SSL certificates attached to the load balancer are issued, renewed and rotated by Google; there are no key files to handle. Certificate Manager (D) automates the same lifecycle and adds DNS authorization, which is needed for wildcard certificates or for issuing before the domain points at the load balancer; the classic Google-managed certificate resource is the expected answer here.

53
MCQmedium

A security engineer needs to monitor network traffic for potential threats in a VPC. They want to inspect all traffic for malware signatures and alert on high-severity threats. The solution should be natively integrated with GCP. Which service should they use?

A.VPC Flow Logs
B.Security Command Center
C.Cloud Armor
D.Cloud IDS
AnswerD

Cloud IDS provides network threat detection built on Palo Alto Networks technologies and inspects whatever VPC traffic is mirrored to it.

Why this answer

Cloud IDS (Intrusion Detection System) is a managed service that uses Palo Alto Networks threat detection to inspect traffic for malware and other threats. It integrates with packet mirroring in GCP.

54
Multi-Selecthard

An organization wants to use VPC Service Controls to protect BigQuery data. They need to allow a group of data analysts to access BigQuery from outside the perimeter (e.g., from their laptops) while maintaining the perimeter for all other users. Which TWO configurations are necessary?

Select 2 answers
A.Define an access level that includes the analysts' identities or IPs
B.Create an egress rule in the service perimeter that allows the analysts to leave the perimeter
C.Assign the analysts the roles/bigquery.user role
D.Enable dry-run mode on the perimeter
E.Create an ingress rule in the service perimeter that allows the analysts' identities or IPs to access BigQuery
AnswersA, E

Access levels are used in ingress rules to specify who is allowed to cross the perimeter.

Why this answer

To allow specific users to access a service from outside the perimeter, you must create an access level that identifies those users (e.g., by IP range or device) and then create an ingress rule that permits traffic from that access level to BigQuery. The access level can be based on user identity (e.g., via BeyondCorp) or IP ranges.

55
MCQmedium

A security team wants to block all incoming traffic from a specific country to their web application behind a global HTTPS load balancer. They also need to allow traffic from all other countries. Which Cloud Armor feature should be used?

A.Rate limiting
B.Preconfigured WAF rules
C.Adaptive Protection
D.Custom rule with geo-based condition
AnswerD

Cloud Armor custom rules can use the origin.region_code field to match the source country.

Why this answer

Cloud Armor supports geo-based access control through the origin.region_code attribute. A custom rule with the match expression origin.region_code == 'XX' (the country's ISO 3166-1 alpha-2 code) and action deny(403), placed at a priority ahead of the default rule, blocks that country; the policy's default rule at priority 2147483647 then allows everything else.
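The rule order is what decides whether a partner whose traffic happens to originate in the blocked country gets in, which ties this question to the IP allowlist of question 48 and the geo rule of question 44. The following Python model of a Cloud Armor security policy is an added example, not code from this page or from Google: each rule carries the CEL text you would pass to gcloud alongside a Python predicate that reproduces it, the partner prefixes are documentation ranges chosen here, and XX is a placeholder region code.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# A request as the Cloud Armor CEL attributes see it. Only the attributes matched on
# below are modelled; every request value used here is a constructed sample.
Request = Dict[str, str]          # keys: "origin.ip", "origin.region_code", "request.path"

# Constructed partner ranges (documentation prefixes) and a placeholder region code;
# substitute the real ISO 3166-1 alpha-2 code for "Country A".
PARTNER_RANGES = ["203.0.113.0/24", "198.51.100.0/24"]
BLOCKED_REGION = "XX"


def in_ip_range(ip: str, cidr: str) -> bool:
    """Python stand-in for the CEL function inIpRange(origin.ip, 'cidr')."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


@dataclass
class Rule:
    priority: int                       # 0..2147483646; lower number is evaluated first
    action: str                         # "allow", "deny(403)", "deny(404)", "deny(502)"
    expression: str                     # the CEL text you would pass to --expression
    match: Callable[[Request], bool]    # Python predicate equivalent to `expression`
    description: str = ""
    preview: bool = False               # preview rules are logged, not enforced


@dataclass
class SecurityPolicy:
    name: str
    rules: List[Rule] = field(default_factory=list)

    def evaluate(self, req: Request) -> Tuple[str, int]:
        """The first matching non-preview rule in ascending priority order decides.
        Returns (action, priority) of that rule."""
        for rule in sorted(self.rules, key=lambda r: r.priority):
            if rule.match(req):
                if rule.preview:
                    continue            # Cloud Logging would record a "preview" hit here
                return rule.action, rule.priority
        raise RuntimeError("no default rule; every policy has one at priority 2147483647")


def build_policy(allowlist_priority: int = 100, geo_priority: int = 200,
                 geo_preview: bool = False) -> SecurityPolicy:
    """Allowlist (question 48), geo block (questions 44 and 55) and a path restriction.
    Priorities and the preview flag are parameters so their effect can be tested."""
    return SecurityPolicy("web-policy", [
        Rule(allowlist_priority, "allow",
             "inIpRange(origin.ip, '203.0.113.0/24') || inIpRange(origin.ip, '198.51.100.0/24')",
             lambda r: any(in_ip_range(r["origin.ip"], c) for c in PARTNER_RANGES),
             "partner allowlist"),
        Rule(geo_priority, "deny(403)",
             f"origin.region_code == '{BLOCKED_REGION}'",
             lambda r: r["origin.region_code"] == BLOCKED_REGION,
             "block Country A", preview=geo_preview),
        Rule(300, "deny(403)",
             "request.path.matches('^/admin')",
             lambda r: r["request.path"].startswith("/admin"),
             "admin UI reachable only via the partner allow rule above"),
        Rule(2147483647, "allow", "true", lambda r: True, "default rule"),
    ])


def decide(policy: SecurityPolicy, ip: str, region: str, path: str = "/") -> str:
    """Return just the action Cloud Armor would take for one request."""
    return policy.evaluate({"origin.ip": ip, "origin.region_code": region,
                            "request.path": path})[0]


if __name__ == "__main__":
    policy = build_policy()
    for ip, region, path in [("203.0.113.7", "XX", "/admin"), ("192.0.2.9", "XX", "/"),
                             ("192.0.2.9", "US", "/admin"), ("192.0.2.9", "US", "/")]:
        print(f"{ip:<14} {region} {path:<8} -> {decide(policy, ip, region, path)}")
```

Swapping the two priorities (build_policy(allowlist_priority=250, geo_priority=200)) makes the geo rule fire first and locks partners in that country out, which is the mistake the real policy must avoid; marking the geo rule as preview is the usual way to check its hit rate in logs before enforcing it.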

56
Multi-Selectmedium

A company wants to use Cloud IDS to detect threats in their VPC. They have created a Cloud IDS endpoint and need to configure packet mirroring. Which TWO resources must be in place for packet mirroring to work? (Choose TWO.)

Select 2 answers
A.A Collector VPC network with the IDS endpoint
B.Public IP addresses on the source VMs
C.A mirrored VPC network with the VMs to be monitored
D.Cloud NAT on the mirrored VPC
E.A VPN tunnel between the collector and mirrored VPCs
AnswersA, C

The IDS endpoint's forwarding rule is the packet mirroring collector; the VMs whose traffic is copied are the mirrored sources.

Why this answer

Packet mirroring needs a collector destination, which for Cloud IDS is the forwarding rule of the IDS endpoint (the endpoint is created for the VPC you monitor and Google attaches it through a peered producer network), and mirrored sources in that VPC, selected by subnet, network tag or instance name. No external IPs, Cloud NAT or VPN tunnel is involved; the copies travel inside Google's network.

57
MCQmedium

A company wants to restrict access to Cloud Storage buckets so that only resources in a specific VPC network can reach them, and data cannot be exfiltrated to other networks. Which Google Cloud service should they use?

A.Identity-Aware Proxy (IAP)
B.Cloud Armor
C.VPC Firewall Rules
D.VPC Service Controls
AnswerD

Correct: VPC Service Controls create a service perimeter that isolates Google Cloud services and prevents data exfiltration.

Why this answer

VPC Service Controls allows creating service perimeters that protect Google Cloud services (including Cloud Storage) by restricting access from outside the perimeter. Resources inside the perimeter can access the protected services, but data cannot be exfiltrated to external networks.

58
MCQmedium

A security team needs to apply a set of firewall rules that enforce baseline security for all VPC networks across multiple projects in an organization. These rules must be inherited and cannot be overridden by project-level rules. What should they use?

A.VPC firewall rules
B.Network firewall policies
C.Cloud Armor security policies
D.Hierarchical firewall policies
AnswerD

Hierarchical firewall policies are applied at the organization or folder level, inherited, and cannot be overridden.

Why this answer

Hierarchical firewall policies are attached at the organization or folder level and are inherited by every VPC network beneath that node. They are evaluated before network firewall policies and VPC firewall rules, so a project-level rule cannot reverse a decision they make unless the policy explicitly hands off with goto_next. Network firewall policies (B) are associated with VPC networks within one project.

VPC firewall rules (A) are defined per VPC network and can be edited by anyone holding the project's compute permissions, so they cannot serve as a baseline that project owners are unable to change.

59
MCQmedium

A company uses Cloud Armor Managed Protection Plus to protect their applications. They want to automatically block IP addresses that are identified as malicious by adaptive protection. How should they configure this?

A.Manually review adaptive protection alerts and create deny rules.
B.Use the 'rate limiting' rule to block high-traffic IPs.
C.Set up a Cloud Function to parse logs and create rules via API.
D.Enable 'auto-deploy' in the adaptive protection configuration.
AnswerD

Correct: Adaptive protection has an auto-deploy option that automatically creates deny rules for identified malicious IPs.

Why this answer

Adaptive Protection (part of Managed Protection Plus, now sold as Cloud Armor Enterprise) uses machine learning to detect volumetric Layer 7 DDoS attacks and proposes a signature with a mitigating rule. With automatic rule deployment enabled in the security policy's adaptive protection configuration, together with a rule in that policy whose match expression is evaluateAdaptiveProtectionAutoDeploy(), the proposed deny rule is installed without an operator; the load, confidence and impacted-baseline thresholds and the deployed rule's expiry are set on the same configuration. Manual review (A) and a log-parsing function (C) work but are slower and bespoke, and rate limiting (B) keys on request rate, not on the learned attack signature.

60
MCQhard

An organization uses VPC Service Controls with a service perimeter that includes Cloud Storage and BigQuery. They need to allow a specific on-premises service account to write data to a Cloud Storage bucket inside the perimeter. The on-premises network connects via Cloud VPN. What must be configured in the perimeter?

A.An ingress rule that specifies the on-premises service account and the Cloud VPN network as sources
B.A VPC firewall rule allowing traffic from the VPN to the Cloud Storage bucket
C.An egress rule that allows the service account to exit the perimeter
D.An access level that includes the on-premises IP range
AnswerA

Ingress rules allow external identities and networks to access resources inside the perimeter.

Why this answer

To allow an on-premises service account to access resources inside a service perimeter, you need an ingress rule that specifies the source (the on-premises identities and network) and the target resources (the Cloud Storage bucket). The source must include both the identity (service account) and the network (VPC or IP range).

61
MCQhard

An organization uses VPC Service Controls in dry-run mode for a project containing Google Cloud Storage. They notice that BigQuery jobs are being logged as violations. How should they interpret this?

A.The perimeters are logging potential violations; no action has been taken yet.
B.The dry-run mode is not supported for Cloud Storage projects.
C.The perimeters are not configured correctly because BigQuery should not be affected.
D.The perimeters are working correctly and BigQuery access is blocked.
AnswerA

Dry-run logs violations without enforcement.

Why this answer

In dry-run mode, VPC Service Controls logs violations without enforcement, allowing administrators to review and adjust perimeters before enabling enforcement.

62
MCQeasy

A security team wants to detect and block network-based threats such as malware and command-and-control traffic within their VPC. They need a managed service that provides deep packet inspection. Which Google Cloud service should they use?

A.Cloud IDS
B.Security Command Center
C.VPC Flow Logs
D.Cloud Armor
AnswerA

Correct: Cloud IDS is a managed, Palo Alto Networks-based intrusion detection service that performs deep packet inspection on mirrored traffic. It detects and alerts; because it sits out of band, blocking is done by acting on its findings (firewall rules, Cloud Armor, incident response), not by Cloud IDS inline.

Why this answer

Cloud IDS (Intrusion Detection System) is a managed service that uses Palo Alto Networks threat detection to inspect network traffic for threats. It integrates with packet mirroring to analyze traffic.

63
MCQmedium

A company uses hierarchical firewall policies at the organization level to enforce a baseline deny-all rule. A project administrator wants to create a firewall rule that allows HTTP traffic to a specific VM. Which statement is correct?

A.The project administrator can modify the hierarchical policy to allow HTTP.
B.The project administrator can create a VPC firewall rule to allow HTTP, and it will work if the policy is not enforced.
C.The project administrator cannot allow HTTP because the hierarchical policy denies all traffic.
D.The project administrator can create a VPC firewall rule with higher priority to override the policy.
AnswerC

Hierarchical policies are mandatory and override lower-level rules.

Why this answer

Hierarchical firewall policies are evaluated before VPC firewall rules. A deny-all rule at the organization level therefore matches first and ends evaluation; the project's allow rule is never consulted, whatever priority number it carries. Only someone with rights on the organization policy can change that, either by adding an allow rule or by inserting a goto_next rule that delegates HTTP to the project level.
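The evaluation chain behind this question, and behind the egress allowlist of question 37 and the delegated baseline of question 47, is easier to reason about when it is written down. The following Python model is an added example, not code from this page or from Google: it walks hierarchical policies before the VPC's own rules, honours goto_next, and finishes with the implied rules. The repository range, policy names and rule names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class FwRule:
    priority: int                 # 0..65535; lower number is evaluated first
    direction: str                # "INGRESS" or "EGRESS"
    action: str                   # "allow", "deny", or "goto_next" (policies only)
    ranges: List[str]             # source ranges for INGRESS, destination ranges for EGRESS
    ports: Optional[List[int]] = None   # None means any port (protocol detail elided)
    name: str = ""

    def matches(self, direction: str, ip: str, port: int) -> bool:
        if self.direction != direction:
            return False
        if self.ports is not None and port not in self.ports:
            return False
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(r) for r in self.ranges)


@dataclass
class Policy:
    name: str                     # e.g. "org/baseline", "vpc/prod-net"
    rules: List[FwRule] = field(default_factory=list)


# Implied rules every VPC has at priority 65535: allow all egress, deny all ingress.
IMPLIED = Policy("implied", [
    FwRule(65535, "EGRESS", "allow", ["0.0.0.0/0"], name="allow-all-egress"),
    FwRule(65535, "INGRESS", "deny", ["0.0.0.0/0"], name="deny-all-ingress"),
])


def evaluate(chain: List[Policy], direction: str, ip: str, port: int) -> Tuple[str, str]:
    """Evaluate a packet against hierarchical policies (org, then folder) followed by the
    VPC's own rules. Within each policy the lowest priority number wins; allow/deny stop
    evaluation, goto_next (or no match at all) hands off to the next level. Returns the
    verdict and the rule that produced it."""
    for policy in chain + [IMPLIED]:
        for rule in sorted(policy.rules, key=lambda r: r.priority):
            if rule.matches(direction, ip, port):
                if rule.action == "goto_next":
                    break
                return rule.action, f"{policy.name}:{rule.name}"
    raise AssertionError("unreachable: the implied rules match everything")


REPO_RANGE = "192.0.2.0/24"   # constructed: the package mirror's block (TEST-NET-1)


def egress_allowlist_vpc(deny_priority: Optional[int] = 65534) -> Policy:
    """Question 37's VPC rules: allow egress to the repository, deny everything else at a
    lower priority (higher number). deny_priority=None omits the deny to show the trap."""
    rules = [FwRule(1000, "EGRESS", "allow", [REPO_RANGE], [443], "allow-repo-https")]
    if deny_priority is not None:
        rules.append(FwRule(deny_priority, "EGRESS", "deny", ["0.0.0.0/0"], None,
                            "deny-other-egress"))
    return Policy("vpc/build-net", rules)


def org_baseline(delegate_http: bool) -> Policy:
    """Question 63's organization policy: deny everything. With delegate_http=True it
    first delegates tcp/80 with goto_next so the project's own rule gets a say (question 47)."""
    rules = [FwRule(1000, "INGRESS", "deny", ["0.0.0.0/0"], None, "deny-all-ingress"),
             FwRule(1000, "EGRESS", "deny", ["0.0.0.0/0"], None, "deny-all-egress")]
    if delegate_http:
        rules.insert(0, FwRule(500, "INGRESS", "goto_next", ["0.0.0.0/0"], [80],
                               "delegate-http"))
    return Policy("org/baseline", rules)


# The project administrator's rule from question 63.
PROJECT_VPC = Policy("vpc/web-net",
                     [FwRule(100, "INGRESS", "allow", ["0.0.0.0/0"], [80], "allow-http")])


if __name__ == "__main__":
    print(evaluate([egress_allowlist_vpc()], "EGRESS", "203.0.113.9", 443))
    print(evaluate([egress_allowlist_vpc(None)], "EGRESS", "203.0.113.9", 443))
    print(evaluate([org_baseline(False), PROJECT_VPC], "INGRESS", "198.51.100.7", 80))
    print(evaluate([org_baseline(True), PROJECT_VPC], "INGRESS", "198.51.100.7", 80))
```

Two results are worth checking against intuition: without the explicit deny, non-repository egress is allowed by the implied rule, and with the organization's deny-all in place the project's priority-100 allow never runs. Giving the deny a lower number than the allow (deny_priority=900) blocks the repository as well.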

64
MCQeasy

Which Cloud Armor feature uses machine learning to detect and mitigate DDoS attacks?

A.Preconfigured WAF rules
B.Rate limiting
C.Adaptive Protection
D.Custom rules
AnswerC

Adaptive Protection uses ML to detect anomalies.

Why this answer

Cloud Armor Adaptive Protection uses ML-based DDoS detection to automatically learn normal traffic patterns and alert or mitigate attacks.

65
Multi-Selectmedium

A company is implementing VPC Service Controls to protect a project that contains Cloud Storage and BigQuery. They want to allow a specific on-premises service account to read data from Cloud Storage and write to BigQuery. The on-premises network connects via Cloud VPN. Which TWO components must be configured in the service perimeter? (Choose two.)

Select 2 answers
A.Add Cloud Storage and BigQuery to the list of restricted services in the perimeter (they already are)
B.An ingress rule that allows the on-premises service account to access Cloud Storage and BigQuery
C.An access level based on the on-premises IP range (10.0.0.0/8)
D.A VPC firewall rule allowing traffic from the VPN to the Cloud Storage and BigQuery APIs
E.An egress rule that allows the on-premises service account to leave the perimeter
AnswersB, C

Ingress rules allow external identities to access resources inside the perimeter.

Why this answer

Inbound access from outside the perimeter is granted by an ingress rule, and an ingress rule needs a source; for on-premises hosts that source is an access level built from their IP range. Both pieces are therefore required: the access level describes where the request may come from, and the ingress rule says which identity (the service account) may use it and for which services and operations (read Cloud Storage objects, write to BigQuery). The services are already restricted by the perimeter, and a VPC firewall rule has no effect on API authorization.

An egress rule is not needed for inbound access.

66
Multi-Selectmedium

A company wants to prevent data exfiltration by restricting access to Google APIs from only authorized VPC networks. They also need to allow a specific on-premises IP range to access BigQuery. Which TWO services should be used together? (Choose 2)

Select 2 answers
A.Cloud Armor
B.Access levels (IP-based)
C.Hierarchical firewall policy
D.Private Service Connect
E.VPC Service Controls
AnswersB, E

Access levels define conditions (like IP ranges) to allow access into the perimeter.

Why this answer

VPC Service Controls create a service perimeter around Google APIs, and an access level (IP-based) can be used to allow the on-premises IP range into the perimeter.
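The questions in this set that combine an access level with an ingress rule (31, 33, 38, 39, 54, 60, 65 and this one), plus the dry-run behaviour of question 61, all come down to one decision procedure. The following Python model of a perimeter is an added example, not code from this page or from Google, and it simplifies the real product: access levels have a single condition, ingress sources are access levels only, and method names are illustrative. The project name, the on-premises range (a documentation prefix) and the service account are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class AccessLevel:
    """One basic access level with a single condition; every populated attribute of the
    condition (ipSubnetworks, members) must hold for the level to admit a request."""
    name: str
    ip_subnetworks: List[str] = field(default_factory=list)
    members: Set[str] = field(default_factory=set)

    def admits(self, ip: str, identity: str) -> bool:
        ip_ok = not self.ip_subnetworks or any(
            ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in self.ip_subnetworks)
        member_ok = not self.members or identity in self.members
        return ip_ok and member_ok


@dataclass
class IngressRule:
    """ingressFrom.sources (access levels), ingressFrom.identities, ingressTo.operations."""
    access_levels: Set[str]
    identities: Optional[Set[str]]                 # None models identityType: ANY_IDENTITY
    operations: Dict[str, Optional[Set[str]]]      # service -> allowed methods, None = all

    def permits(self, levels: Dict[str, AccessLevel], ip: str, identity: str,
                service: str, method: str) -> bool:
        source_ok = any(levels[n].admits(ip, identity) for n in self.access_levels)
        identity_ok = self.identities is None or identity in self.identities
        if service not in self.operations:
            operation_ok = False
        else:
            methods = self.operations[service]
            operation_ok = methods is None or method in methods
        return source_ok and identity_ok and operation_ok


@dataclass
class Perimeter:
    name: str
    projects: Set[str]
    restricted_services: Set[str]
    access_levels: Dict[str, AccessLevel]
    ingress_rules: List[IngressRule]
    dry_run: bool = False

    def check(self, caller_project: Optional[str], ip: str, identity: str,
              target_project: str, service: str, method: str) -> Tuple[str, str]:
        """Decide one API call. caller_project is None for requests from outside Google
        Cloud (laptops, on-premises). Returns (verdict, reason)."""
        if target_project not in self.projects or service not in self.restricted_services:
            return "ALLOW", "target not protected by this perimeter"
        if caller_project in self.projects:
            return "ALLOW", "caller is inside the perimeter"
        for i, rule in enumerate(self.ingress_rules):
            if rule.permits(self.access_levels, ip, identity, service, method):
                return "ALLOW", f"ingress rule {i} matched"
        if self.dry_run:
            return "DRY_RUN_VIOLATION", "logged only; dry-run perimeters do not block"
        return "DENY", "no ingress rule matched"


# Constructed identity for the on-premises ETL job of questions 60 and 65.
ETL_SA = "serviceAccount:etl@example.iam.gserviceaccount.com"


def build_perimeter(dry_run: bool = False) -> Perimeter:
    return Perimeter(
        name="analytics-perimeter",
        projects={"projects/analytics-prod"},                     # constructed project
        restricted_services={"bigquery.googleapis.com", "storage.googleapis.com"},
        access_levels={"onprem_ips": AccessLevel("onprem_ips", ["203.0.113.0/24"])},
        ingress_rules=[
            # Any identity arriving from the on-premises range may use BigQuery.
            IngressRule({"onprem_ips"}, None, {"bigquery.googleapis.com": None}),
            # Only the ETL service account, and only from on-premises, may read objects.
            IngressRule({"onprem_ips"}, {ETL_SA},
                        {"storage.googleapis.com": {"google.storage.objects.get"}}),
        ],
        dry_run=dry_run,
    )


if __name__ == "__main__":
    p = build_perimeter()
    target = "projects/analytics-prod"
    print(p.check(None, "203.0.113.5", "user:analyst@example.com", target,
                  "bigquery.googleapis.com", "jobs.create"))
    print(p.check(None, "198.51.100.7", "user:analyst@example.com", target,
                  "bigquery.googleapis.com", "jobs.create"))
    print(p.check(None, "203.0.113.5", ETL_SA, target,
                  "storage.googleapis.com", "google.storage.objects.get"))
```

The second ingress rule shows why question 65 needs both an access level and an ingress rule: the service account is admitted only when the identity and the source condition hold together, and only for the operations listed. Flipping dry_run turns every deny into a logged violation, which is what question 61's BigQuery entries are.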

67
MCQmedium

A company is deploying an internal service on GKE that needs to be accessible privately from on-premises data centers over a VPN connection. The service should not be exposed to the internet. Which connectivity solution is MOST appropriate?

A.Expose the service via an external load balancer with Cloud Armor IP allowlisting
B.Cloud NAT with firewall rules to allow on-premises IPs
C.VPC peering between the GKE VPC and on-premises
D.Private Service Connect with an internal load balancer
AnswerD

PSC enables private connectivity; internal load balancer keeps traffic within the VPC and on-premises via VPN.

Why this answer

Private Service Connect publishes a service that sits behind an internal load balancer as a service attachment; consumers create an endpoint with an internal IP address in their own VPC, and on-premises hosts reach that endpoint over the VPN tunnel with nothing exposed on a public address. An external load balancer (A) is internet-facing even with an allowlist, Cloud NAT (B) handles outbound source translation only, and VPC Network Peering (C) connects VPC networks to each other, not to an on-premises site.

68
MCQ · medium

An organization wants to use Cloud IDS to detect network threats within their VPC. They have enabled the Cloud IDS endpoint and configured packet mirroring. Which of the following is required for the packet mirroring policy to work?

A. The IDS endpoint must be in the same zone as the VMs.
B. VPC firewall rules must allow traffic to the IDS endpoint.
C. VMs must be tagged with 'cloud-ids-packet-mirroring'.
D. All VMs must have an external IP address.
Answer: C

This tag is used to select which VMs have their traffic mirrored.

Why this answer

Packet mirroring requires that the source VMs have the cloud-ids-packet-mirroring tag. The mirrored traffic is sent to the IDS endpoint via an internal load balancer.

69
MCQ · medium

A company uses Cloud Armor to protect a web application. They want to block requests that contain SQL injection patterns based on the OWASP ModSecurity Core Rule Set. Which preconfigured rule set should they enable?

A. Custom rules using CEL expression
B. OWASP ModSecurity CRS
C. Google Cloud Armor Managed Rules (SQL Injection)
D. Rate limiting rules
Answer: B

Correct: The OWASP CRS includes rules for SQL injection, XSS, etc.

Why this answer

Cloud Armor provides preconfigured WAF rules based on the OWASP ModSecurity CRS. To block SQL injection, the rule set 'owasp-crs' with the specific paranoia level can be used, or the 'sqli' rule set if available. The correct answer is the OWASP ModSecurity CRS rule set that includes SQL injection detection.

70
Multi-Select · medium

A company wants to deploy a web application with a global load balancer and needs to configure SSL/TLS termination. They want to use a certificate from their own CA and have the ability to manage multiple certificates for different domains. Which THREE steps should they take?

Select 3 answers
A. Ensure the certificate chain includes intermediate CA certificates
B. Set up a Cloud DNS zone with DNSSEC
C. Create a Certificate Manager certificate resource and map it to the load balancer
D. Upload the PEM certificate to the load balancer as a self-managed certificate
E. Use a Google-managed certificate for automatic renewal
Answers: A, C, D

For self-managed certificates, the full chain (leaf, intermediates) must be uploaded for the load balancer to trust the certificate.

Why this answer

To use self-managed certificates with a load balancer, you can upload the PEM file directly to the load balancer, or use Certificate Manager to manage multiple certificates. The steps are: create a Certificate Manager certificate resource from your PEM certificate and private key, map it to the load balancer's target proxy, and make sure the full certificate chain (leaf plus intermediates) is uploaded. Self-managed certificates require manual renewal, so you need to monitor their expiration.

71
MCQ · medium

A company wants to enforce that no Compute Engine firewall rule in any project under an organization can have a source range of 0.0.0.0/0 for RDP (port 3389). Which approach should be used?

A. Apply a hierarchical firewall policy at the organization level that denies ingress on port 3389 from 0.0.0.0/0.
B. Create a Cloud IDS rule to block RDP traffic.
C. Create a VPC firewall rule with priority 0 to deny RDP from 0.0.0.0/0 in each project.
D. Use organization policy with constraint `compute.skipDefaultNetworkCreation` set to true.
Answer: A

Hierarchical firewall policies are enforced across all VPCs under the organization and cannot be overridden.

Why this answer

Use a hierarchical firewall policy at the organization level that denies ingress traffic on port 3389 from any source (0.0.0.0/0). Hierarchical policies are inherited and cannot be overridden by lower-level firewall rules.

72
MCQ · easy

Which feature of Cloud Armor uses machine learning to detect and block distributed denial-of-service (DDoS) attacks?

A. Security policies
B. Rate limiting
C. Preconfigured WAF rules
D. Adaptive Protection
Answer: D

Adaptive Protection uses ML for DDoS detection.

Why this answer

Cloud Armor Adaptive Protection uses ML to model normal traffic and detect anomalous patterns indicative of DDoS attacks.

73
MCQ · medium

An organization uses VPC Service Controls to protect BigQuery. They want to test a new access level that allows access only from a specific IP range before enforcing it. Which mode should they use?

A. Dry-run mode
B. Audit mode
C. Enforced mode
D. Preview mode
Answer: A

Dry-run mode logs violations but does not block them.

Why this answer

Dry-run mode allows testing perimeters without enforcement, logging violations for review.

74
MCQ · medium

An organization needs to enforce a TLS minimum version of 1.2 for all traffic to their HTTPS load balancers. They have multiple load balancers serving different domains. Which Google Cloud feature should they use?

A. Use a global network endpoint group (NEG) with an SSL policy.
B. Create an SSL policy with TLS 1.2 as the minimum version and attach it to the target HTTPS proxy.
C. Create a Cloud Armor security policy with a rule to block TLS 1.0 and 1.1.
D. Configure the backend instances to reject TLS 1.0 and 1.1 connections.
Answer: B

Correct: SSL policies define TLS profiles and can enforce minimum TLS version.

Why this answer

SSL policies allow you to configure the minimum TLS version and cipher suites for HTTPS load balancers. You can create an SSL policy with TLS 1.2 as the minimum and attach it to the target HTTPS proxy of each load balancer.

75
MCQ · medium

A service provider wants to expose an internal service to external consumers in a controlled manner, without giving them direct access to the VPC. Which Google Cloud service should be used?

A. Private Service Connect
B. Cloud VPN
C. Cloud NAT
D. VPC Peering
Answer: A

PSC enables publishing services with private connectivity.

Why this answer

Private Service Connect allows service providers to publish their services via PSC endpoints, which consumers can access privately from their own VPCs without traversing the internet.

