CCNA Pcse Network Security Questions

35 of 110 questions · Page 2/2 · Pcse Network Security topic · Answers revealed

Question 76 · MCQ (easy)

An organization needs to block all inbound SSH traffic (port 22) to a set of VM instances that have a common tag 'ssh-restricted'. They want to deny this traffic at the VPC firewall level. Which firewall rule configuration should they use?

A. Allow rule: direction EGRESS, protocol tcp, port 22, target tag 'ssh-restricted'
B. Deny rule: direction INGRESS, protocol tcp, port 22, target service account 'ssh-restricted'
C. Deny rule: direction INGRESS, protocol tcp, port 22, target tag 'ssh-restricted'
D. Allow rule: direction INGRESS, protocol tcp, port 22, source tag 'ssh-restricted'

Answer: C

This correctly denies inbound SSH to VMs with the specified tag.

Why this answer

To block SSH, a deny rule with direction INGRESS, protocol tcp, port 22, and target tag 'ssh-restricted' is needed.

Question 77 · MCQ (easy)

A company needs to enforce that all incoming traffic to their HTTPS load balancer must use TLS 1.2 or higher. Which SSL policy setting should they configure on the target HTTPS proxy?

A. Set the minimum TLS version to 1.3 only
B. Set the minimum TLS version to 1.2 and cipher profile to MODERN
C. Set the minimum TLS version to 1.0 and cipher profile to RESTRICTED
D. Use a self-managed certificate with TLS 1.2 enforcement

Answer: B

This ensures that only TLS 1.2 or higher is accepted. MODERN profile supports TLS 1.2 and 1.3.

Why this answer

SSL policies allow you to set the minimum TLS version. To require TLS 1.2 or higher, set the minimum TLS version to 1.2. The cipher profile can be set to MODERN or RESTRICTED, but the key is the minimum TLS version.

Question 78 · MCQ (medium)

A security engineer needs to configure firewall rules to allow traffic from a set of compute instances to a set of backend instances. The engineer wants to use a method that is more secure and scalable than using network tags. Which approach should they use?

A. Use firewall rules with source service accounts and target service accounts
B. Use hierarchical firewall policies
C. Use firewall rules with source tags and target tags
D. Use network firewall policies

Answer: A

Service accounts provide identity-based security that is immutable and more scalable than tags.

Why this answer

Service accounts as firewall rule targets are preferred over network tags because they are immutable, tied to the identity of the instance, and reduce dependency on tag management. This approach is more secure and scalable.

Question 79 · MCQ (hard)

An organization wants to enforce that all Compute Engine instances in a project have a specific tag (e.g., 'env=prod') before they can be created. Which approach should be used?

A. Use an organization policy with a list constraint to require a specific tag on Compute Engine instances.
B. Create a Cloud Audit Logs sink and trigger a Cloud Function to delete instances without the tag.
C. Use a hierarchical firewall policy with a tag condition.
D. Create an organization policy with constraint `compute.requireOsLogin` set to true.

Answer: A

Organization policy constraints such as `compute.requireTags` (or custom constraint) can enforce that resources have specific tags.

Why this answer

Use Organization Policy with a constraint that requires tags on resources. The constraint `compute.requireOsLogin` is not related. Resource Manager tags can be enforced via Organization Policy using the `constraints/tags` constraint.

Question 80 · MCQ (easy)

An organization wants to restrict access to Google Cloud APIs such as BigQuery and Cloud Storage so that only resources within a specific VPC network can call these APIs, and no traffic from other VPCs or on-premises networks is allowed. Which Google Cloud service should they use?

A. Firewall Rules
B. Identity-Aware Proxy
C. Cloud Armor
D. VPC Service Controls

Answer: D

VPC Service Controls use service perimeters to restrict API access to resources within a VPC, preventing unauthorized access from other networks.

Why this answer

VPC Service Controls create service perimeters that restrict access to Google Cloud APIs based on the requesting network's context. This prevents data exfiltration and ensures only resources in the specified VPC can access the APIs.

Question 81 · MCQ (hard)

A security engineer needs to block traffic from all IP addresses in a specific geographic region from reaching an HTTPS load-balanced application. The application uses Cloud Load Balancing with an external HTTPS load balancer. Which approach should the engineer use?

A. Create a VPC firewall rule that denies ingress from the region's IP ranges.
B. Use Identity-Aware Proxy (IAP) to block access based on the user's location.
C. Configure a Cloud CDN policy to block traffic from certain regions.
D. Create a Cloud Armor security policy with a geo-based deny rule and attach it to the load balancer.

Answer: D

Correct: Cloud Armor can inspect client IPs even behind a load balancer and apply geo-blocking rules.

Why this answer

Cloud Armor security policies can be attached to external HTTPS load balancers to filter traffic based on geolocation. The engineer can create a Cloud Armor security policy with a rule that uses the geo-tag to deny traffic from the specified region.

Question 82 · MCQ (medium)

Your organization wants to enforce that all VMs in a project can only communicate with a specific Cloud Storage bucket, and no other external IP addresses. You need to configure firewall rules to achieve this. Which approach should you take?

A. Use VPC Service Controls to create a service perimeter that restricts access to Cloud Storage, and configure the VMs to use Private Google Access
B. Create a deny-all egress firewall rule with priority 65535 and target tags 'storage-only', then create a higher-priority allow rule for traffic to 0.0.0.0/0 with destination tags 'storage-only'
C. Create a firewall rule that allows egress to the private IP ranges used by Cloud Storage (e.g., 199.36.153.4/30) and target the VMs using service accounts, then add a lower-priority deny-all egress rule
D. Create a network firewall policy that allows egress to the Cloud Storage API endpoint (storage.googleapis.com) and attach it to the VPC

Answer: C

This correctly allows only Cloud Storage traffic using service account targets for VMs, with a deny-all catch-all.

Why this answer

To restrict VMs to only communicate with a specific Cloud Storage bucket, you should use a firewall rule with service account targets (for the VMs) and deny all egress traffic except to the private Google Access IP ranges for Cloud Storage. Using service account targets is preferred for security as it follows the principle of least privilege and is independent of VM instance changes.

Question 83 · MCQ (medium)

A security engineer needs to block traffic to a set of VMs from specific IP addresses and also apply rate limiting for HTTP traffic. The VMs are behind a global external HTTPS load balancer. Which service should they use?

A. Cloud IDS
B. Cloud Armor
C. VPC firewall rules
D. Network firewall policies

Answer: B

Cloud Armor provides IP blocking and rate limiting for HTTP(S) load balancers.

Why this answer

Cloud Armor security policies can be attached to load balancers to provide WAF capabilities, including IP allow/deny lists and rate limiting. This is the appropriate service for this scenario.

Question 84 · MCQ (hard)

A company uses VPC Service Controls to protect a service perimeter around BigQuery. They need to allow a specific on-premises application (with static IP 203.0.113.10) to query BigQuery tables within the perimeter, while still blocking other internet traffic. Which configuration should be used?

A. Use Cloud Armor to allow the IP.
B. Create an ingress rule in the service perimeter with an access level that includes the on-premises IP.
C. Add the on-premises IP to the list of allowed IPs in the VPC firewall rules.
D. Set up a VPN connection and include the on-premises VPC in the perimeter.

Answer: B

This allows the specific IP to access BigQuery while respecting the perimeter.

Why this answer

Create an ingress rule in the service perimeter that allows access from the on-premises IP (using access level) to BigQuery. Access levels can be IP-based, so create an access level that includes 203.0.113.10, and use that in the ingress rule.

Question 85 · MCQ (hard)

A company has multiple VPCs in different projects that need to privately connect to a common internal service (e.g., a managed database) running in a central project. They want to expose this service via Private Service Connect. Which type of PSC endpoint should the consumer VPCs create?

A. Cloud NAT gateway
B. VPN tunnel
C. Producer endpoint (service attachment)
D. Consumer endpoint (forwarding rule with PSC backend)

Answer: D

Consumers create PSC endpoints to connect to the published service.

Why this answer

Consumers create Private Service Connect endpoints (forwarding rules with PSC backends) to connect to a published service. The producer publishes the service via a service attachment.

Question 86 · MCQ (easy)

A company wants to use a Google Cloud load balancer with an SSL certificate that is automatically provisioned and renewed. Which type of certificate should they use?

A. Google-managed certificate
B. Certificate Manager with a self-managed certificate
C. Certificate Authority Service
D. Self-managed certificate

Answer: A

Google-managed certificates are automatically provisioned and renewed.

Why this answer

Google-managed SSL certificates are automatically provisioned, renewed, and managed by Google for use with load balancers. This is the simplest option for automatic management.

Question 87 · MCQ (medium)

A company wants to provide private connectivity from its on-premises network to Google Cloud APIs (e.g., BigQuery, Cloud Storage) without traversing the public internet. They have an existing Dedicated Interconnect connection. Which solution should they use?

A. Cloud NAT
B. Cloud VPN with VPC peering
C. Private Service Connect
D. VPC Service Controls

Answer: C

PSC provides private endpoints for Google APIs, accessible via interconnect.

Why this answer

Private Service Connect (PSC) allows private access to Google APIs via private endpoints using internal IP addresses. With Dedicated Interconnect, on-premises traffic can reach these endpoints without going over the internet.

Question 88 · MCQ (medium)

A security engineer wants to restrict access to Cloud Storage buckets such that only workloads running on Compute Engine VMs in a specific VPC can read data. The VMs are managed by multiple GKE clusters and autoscaling instance groups. Which approach BEST enforces this restriction?

A. Configure a Cloud Armor security policy to block requests to Cloud Storage from non-VPC IPs.
B. Create a firewall rule that denies all egress traffic from the VPC to Cloud Storage IP ranges except through a proxy VM.
C. Create a VPC Service Controls service perimeter with an ingress rule that allows access from the VPC network.
D. Use IAM conditions on the Cloud Storage bucket to restrict access based on VPC network tags.

Answer: C

This approach restricts access to Cloud Storage from outside the perimeter and allows only requests originating from the specified VPC.

Why this answer

Use VPC Service Controls to create a service perimeter around the Cloud Storage API, with an ingress rule allowing requests from the specific VPC (using VPC network source) and VMs using the appropriate service accounts. VPC Service Controls prevent data exfiltration by restricting access to Google-managed services from outside the perimeter.

Question 89 · MCQ (medium)

An engineer needs to ensure that only VMs with a specific service account (sa-prod@project.iam.gserviceaccount.com) can access a Cloud Spanner instance. They want to control this at the network level, not using IAM. Which VPC firewall rule configuration should they use?

A. Egress rule with source service account 'sa-prod'
B. Ingress rule with target service account 'sa-prod'
C. Egress rule with target service account 'sa-prod'
D. Ingress rule with source tag 'sa-prod'

Answer: C

Egress rules can be applied to VMs using a specific service account as the target.

Why this answer

Firewall rules can target service accounts for egress rules. Since the VMs initiate connections to Spanner, an egress rule with target service account is appropriate.

Question 90 · MCQ (medium)

An organization needs to restrict access to Cloud Storage buckets so that only requests from a specific range of IP addresses (e.g., corporate VPN) are allowed. They also want to block all other IPs. Which combination of services should they use?

A. IAM conditions with source IP
B. Firewall rules with source IP
C. VPC Service Controls with an IP-based access level
D. Cloud Armor with IP allow list

Answer: C

Access levels in VPC Service Controls can be IP-based, and a service perimeter enforces that only requests from those IPs are allowed.

Why this answer

VPC Service Controls create a service perimeter that, combined with an access level based on IP addresses, can restrict access to Google Cloud services such as Cloud Storage to only those IPs. The access level defines the allowed IP ranges.

Question 91 · MCQ (hard)

An organization uses VPC Service Controls to protect BigQuery datasets. They need to allow a specific on-premises application, which uses a static IP address, to query a BigQuery dataset inside the service perimeter. Which configuration is required?

A. Create a Cloud Armor rule to allow the on-premises IP
B. Use Private Google Access for the on-premises network
C. Create an ingress rule in the service perimeter with the on-premises IP as the source
D. Add the on-premises IP to an access level and create an egress rule

Answer: C

An ingress rule with the source IP allows traffic from that IP into the perimeter for specified services.

Why this answer

VPC Service Controls allow ingress rules to permit traffic from specific IP ranges into a perimeter. By creating an ingress rule that allows the on-premises IP and specifies the BigQuery API, the on-premises application can access the dataset.

Question 92 · MCQ (medium)

A DevOps team wants to automatically provision and renew SSL certificates for a global HTTPS load balancer. Which certificate management option should be used?

A. Create a Google-managed certificate directly on the load balancer and configure a cron job to check renewal.
B. Use Certificate Manager with a DNS authorization to create a Google-managed certificate.
C. Use a third-party CA and upload the certificate with a longer validity.
D. Upload a self-managed certificate and configure a cron job to renew it.

Answer: B

Certificate Manager can create Google-managed certificates that auto-renew.

Why this answer

Google-managed SSL certificates automatically provision and renew certificates for domains hosted on Google Cloud, ideal for load balancers without manual intervention.

Question 93 · MCQ (easy)

Which GCP service provides managed intrusion detection by analyzing mirrored network traffic and using threat signatures from Palo Alto Networks?

A. Security Command Center
B. Chronicle
C. Cloud IDS
D. Cloud Armor

Answer: C

Cloud IDS provides managed network threat detection using Palo Alto Networks.

Why this answer

Cloud IDS is a managed intrusion detection service that uses packet mirroring to inspect traffic and applies Palo Alto Networks threat signatures.

Question 94 · MCQ (easy)

Your organization uses Cloud Armor to protect HTTP Load Balancers. You need to block all incoming requests from a specific geographic region (country code 'XY') while allowing all other traffic. What is the correct configuration?

A. Create a custom rule with expression 'origin.region_code == "XY"' and set action to deny(403)
B. Use Cloud IDS to detect and block requests from country XY
C. Configure a firewall rule in the VPC to deny ingress from IP ranges associated with country XY
D. Add a preconfigured OWASP rule set for geolocation blocking and enable it for country XY

Answer: A

This is the correct way to block traffic from a specific country using Cloud Armor's custom rules.

Why this answer

Cloud Armor supports geolocation blocking using custom rules with expressions. The correct approach is to create a security policy rule that matches on the origin country code and sets the action to deny. The precedence (priority) ensures the deny rule is evaluated before the default allow rule.

Question 95 · MCQ (easy)

A DevOps engineer wants to use Cloud Armor to block common web application attacks like SQL injection and cross-site scripting. Which feature should they enable?

A. Preconfigured rules (OWASP CRS)
B. Rate limiting
C. Custom rules with IP allow/deny
D. Adaptive Protection

Answer: A

The OWASP CRS includes rules for SQLi, XSS, etc.

Why this answer

Cloud Armor's preconfigured WAF rules include the OWASP ModSecurity Core Rule Set, which detects SQLi, XSS, and other attacks.

Question 96 · Multi-Select (medium)

An organization wants to enforce that all Compute Engine instances have Confidential Computing enabled for sensitive workloads. Which TWO steps should be taken? (Choose 2)

Select 2 answers
A. Select machine series that support AMD Secure Encrypted Virtualization (SEV).
B. Create an organization policy constraint that requires Confidential Computing for Compute Engine instances.
C. Enable VPC Flow Logs for all subnets.
D. Use Cloud IDS to detect non-confidential instances.
E. Use a hierarchical firewall policy to block non-confidential instances.

Answers: A, B

Confidential Computing requires SEV-capable machine types.

Why this answer

To enforce Confidential Computing, use an organization policy constraint that requires the feature. Instance templates can also be configured with Confidential Computing enabled, but enforcement comes from the policy. Making sure the VM images support SEV is also important.

The two key steps are therefore: 1) set an organization policy that requires Confidential Computing (a constraint such as `compute.requireConfidentialComputing` or similar), and 2) use a machine series that supports Confidential Computing (e.g., N2D). These correspond to the two selected options: creating the constraint and using appropriate machine types.

Question 97 · Multi-Select (hard)

You are designing a private connectivity solution for a Google Cloud project that needs to access Google APIs (e.g., Cloud Storage) without traversing the public internet. The VPC has on-premises connectivity via Cloud VPN. Which THREE steps are required to achieve private, on-premises to Google API access? (Choose 3)

Select 3 answers
A. Set up a NAT gateway in the VPC for on-premises traffic
B. Create a Private Service Connect endpoint for Google APIs (e.g., storage.googleapis.com) in the VPC
C. Configure firewall rules to allow egress from the VPN gateway to the PSC endpoint's IP
D. Enable Private Google Access on the subnet that hosts the VPN gateway
E. Configure Cloud Router to advertise the PSC endpoint's IP address range to on-premises via BGP

Answers: B, D, E

PSC endpoints provide private IP addresses for Google APIs that can be accessed from VMs and on-premises via VPN.

Why this answer

To access Google APIs privately from on-premises via VPN, you need to enable Private Google Access in the VPC subnet, and use Private Service Connect (PSC) endpoints for Google APIs. Route advertisements via Cloud Router ensure on-premises traffic to Google API IP ranges goes to the PSC endpoints. Simply enabling Private Google Access on the subnet allows VMs in that subnet to access Google APIs via the default internet gateway, but on-premises traffic needs to be routed to the VPC and then to the PSC endpoint.

Question 98 · MCQ (medium)

A company wants to allow users from a specific on-premises IP range to access a service deployed on Google Cloud, but only if the user's device is compliant with corporate security policies (e.g., has antivirus enabled). Which combination of services can achieve this?

A. VPC Service Controls with an access level that includes IP and device conditions
B. Firewall rules with source ranges and service accounts
C. Cloud Armor with geo-based access control
D. Cloud IDS with threat detection

Answer: A

Access levels can be defined with IP ranges and device policy requirements using Context-Aware Access.

Why this answer

VPC Service Controls access levels can combine IP-based conditions with device-based conditions (e.g., using BeyondCorp Enterprise). This allows restricting access to a service perimeter based on both the user's IP and device compliance.

Question 99 · MCQ (medium)

A company wants to expose an internal web service running on a private GKE cluster to other services within the same VPC network using a private IP address. They do not want to use a public load balancer. Which Google Cloud service should they use?

A. Cloud NAT
B. Private Service Connect
C. Cloud VPN
D. Internal load balancer

Answer: B

Correct: Private Service Connect enables private connectivity to managed services or custom internal services via endpoints.

Why this answer

Private Service Connect allows publishing services using internal IP addresses. It can be used to create a private endpoint for GKE services, accessible only within the VPC network via a Private Service Connect endpoint.

Question 100 · Multi-Select (medium)

An organization wants to implement a zero-trust network security model for their Google Cloud environment. Which TWO practices should they adopt? (Choose TWO.)

Select 2 answers
A. Implement VPC Service Controls to create perimeters around sensitive APIs.
B. Use service account targets for firewall rules instead of tags.
C. Enable Private Google Access for all subnets.
D. Use network tags to group VMs for firewall rules.
E. Allow all outbound traffic and rely on intrusion detection.

Answers: A, B

Restricts API access based on identity and context.

Why this answer

Using service account targets for firewall rules aligns with identity-based security (zero-trust). VPC Service Controls restrict access to APIs based on identity and context, reducing reliance on network perimeter.

Question 101 · MCQ (medium)

A company wants to use Cloud Armor Managed Protection Plus to protect their HTTP(S) load balancer from DDoS attacks. They need to automatically block traffic from IP addresses that exhibit anomalous behavior based on machine learning. Which Cloud Armor feature should they enable?

A. Custom rules with CEL
B. Pre-configured WAF rules
C. Rate limiting
D. Adaptive Protection

Answer: D

Adaptive Protection uses ML models to detect anomalous traffic and generate rules.

Why this answer

Adaptive Protection uses ML to detect anomalous traffic and suggests rules to block it. Managed Protection Plus includes adaptive protection.

Question 102 · MCQ (easy)

A company wants to automatically provision and renew SSL certificates for their HTTPS load balancer. They want Google to manage the certificate lifecycle. Which certificate type should they use?

A. Self-managed certificate
B. Upload a certificate via the Cloud Load Balancing UI
C. Certificate Manager with a self-managed certificate
D. Google-managed certificate

Answer: D

Google-managed certificates are automatically provisioned and renewed.

Why this answer

Google-managed SSL certificates are automatically provisioned, renewed, and managed by Google. They are the correct choice for automatic lifecycle management. Self-managed certificates require the user to upload the certificate and renew it manually.

Certificate Manager is a service for managing certificates but does not automate renewal unless using Google-managed certificates.

Question 103 · MCQ (medium)

A security engineer wants to apply a baseline set of firewall rules that apply to all new and existing VMs in an organization, and these rules must not be overridden by project-level rules. Which approach should be used?

A. Create a VPC firewall rule with priority 0.
B. Use Cloud IDS to monitor and block traffic.
C. Create a firewall rule in each project and enforce via policy library.
D. Use a hierarchical firewall policy at the organization level.

Answer: D

Hierarchical policies cannot be overridden, enforcing baseline rules.

Why this answer

Hierarchical firewall policies are enforced at the organization or folder level and cannot be overridden at lower levels, ensuring baseline rules are always applied.

Question 104 · MCQ (hard)

A company has set up a VPC Service Controls perimeter that includes Cloud Storage. They want to allow a specific on-premises server to copy data to a Cloud Storage bucket inside the perimeter. The on-premises server uses an external IP address. Which configuration is required?

A. Create an ingress rule in the service perimeter that allows the on-premises IP range
B. Configure a firewall rule allowing traffic from the on-premises IP to Cloud Storage
C. Add the on-premises server's IP to the access level of the perimeter
D. Create an egress rule in the service perimeter that allows the on-premises IP range

Answer: A

Ingress rules permit traffic from outside the perimeter to access allowed services and resources.

Why this answer

In VPC Service Controls, ingress rules allow traffic from outside the perimeter to access resources inside. To allow an on-premises server with an external IP, an ingress rule from all identities (or the specific identity) using the source IP range of the on-premises server must be configured. This allows the server to cross the perimeter.

Question 105 · Multi-Select (hard)

A financial services company must ensure that all data in Cloud Storage remains within a specific region and that no data can be accessed from outside the corporate network. They also need to allow a partner organization to access a specific bucket. Which THREE Google Cloud services or features should be combined to meet these requirements? (Choose THREE.)

Select 3 answers
A. Cloud IDS
B. Private Service Connect
C. Access levels (IP-based)
D. Cloud Armor security policies
E. VPC Service Controls

Answers: B, C, E

Enables private connectivity for the partner.

Why this answer

VPC Service Controls restricts data access to authorized VPCs/environments. Access levels can enforce IP-based restrictions (corporate network). Private Service Connect can allow the partner to access the bucket privately via PSC endpoints without traversing the internet.

Question 106 · Multi-Select (medium)

You manage a Google Cloud environment using shared VPC with multiple service projects. You need to enforce consistent firewall rules across all projects in the organization, ensuring that certain security rules cannot be overridden by project administrators. Which TWO steps should you take? (Choose 2)

Select 2 answers
A. Attach the hierarchical firewall policy to the organization node or to the folder containing all projects
B. Create a global network firewall policy and attach it to each service project's VPC
C. Create a hierarchical firewall policy at the organization level with the required rules
D. Use VPC Service Controls to enforce firewall rules across projects
E. Attach the hierarchical firewall policy to the shared VPC host project

Answers: A, C

This ensures the policy applies to all projects under that node and cannot be overridden.

Why this answer

Hierarchical firewall policies are inherited down the resource hierarchy and cannot be overridden by lower-level policies. Global network firewall policies can be applied at the VPC level but can be overridden by lower priority rules. The correct approach is to use a hierarchical firewall policy at the organization level, which enforces rules that cannot be overridden.

Question 107 · MCQ (hard)

A financial services company must ensure that all data egress from a VPC to BigQuery goes through a Private Service Connect endpoint for private access. They have set up the PSC endpoint and configured DNS. However, connections from VMs are still using the public internet. What is the most likely cause?

A. The VPC has a default route to the internet via NAT.
B. The DNS record for bigquery.googleapis.com points to the public IP.
C. Private Google Access is disabled on the subnet.
D. The PSC endpoint is not associated with a forwarding rule.

Answer: C

Private Google Access must be enabled for VMs to use the PSC endpoint for Google APIs.

Why this answer

For private access to Google APIs via PSC, the VPC must have Private Google Access enabled on the subnet. Without it, VMs will use the default public route.

Question 108 · MCQ (easy)

A company wants to use a Google-managed SSL certificate for their external HTTPS load balancer. Which step is required to provision the certificate?

A. Install the certificate on each backend instance.
B. Submit a Certificate Signing Request (CSR) to Google.
C. Upload the private key and certificate in PEM format.
D. Create a DNS record for the domain that resolves to the load balancer's IP address.

Answer: D

Correct: Google uses DNS records to verify domain ownership and automate certificate issuance.

Why this answer

Google-managed SSL certificates require domain ownership verification. You must create a DNS record (CNAME or A record) that points to the load balancer's IP address or a specific verification record. The certificate is automatically provisioned and renewed.

Question 109 · MCQ (medium)

An organization uses Certificate Manager to provision SSL certificates for multiple domains across several load balancers. They want to automate certificate renewal. Which type of certificate should be used?

A. Wildcard certificates purchased from a third-party CA
B. Self-managed certificates uploaded as PEM files
C. Google-managed certificates with DNS authorization
D. Certificates from a private CA

Answer: C

Google-managed certificates are automatically renewed when DNS authorization is configured.

Why this answer

Google-managed certificates automatically provision and renew certificates for domains that are DNS-authorized. Certificate Manager can manage these certificates and map them to load balancer targets.

Question 110 · MCQ (medium)

A company wants internal VMs to access Google APIs (e.g., Cloud Storage, BigQuery) without traversing the internet. What is the simplest configuration?

A. Assign external IPs to all VMs and use VPC firewall rules to restrict egress.
B. Use Cloud NAT to route traffic to Google APIs.
C. Enable Private Google Access on the subnet where the VMs reside.
D. Set up Private Service Connect to googleapis.com.

Answer: C

Private Google Access allows internal-only VMs to reach Google APIs privately.

Why this answer

Private Google Access enables VMs with only internal IPs to reach Google APIs via the Google Cloud private network, without needing external IPs or internet access.
