This correctly denies inbound SSH to VMs with the specified tag.
35 of 110 questions · Page 2/2 · Pcse Network Security topic · Answers revealed
A company needs to enforce that all incoming traffic to their HTTPS load balancer must use TLS 1.2 or higher. Which SSL policy setting should they configure on the target HTTPS proxy?
This ensures that only TLS 1.2 or higher is accepted. MODERN profile supports TLS 1.2 and 1.3.
Why this answer
SSL policies allow you to set the minimum TLS version. To require TLS 1.2 or higher, set the minimum TLS version to 1.2. The cipher profile can be set to MODERN or RESTRICTED, but the key is the minimum TLS version.
A security engineer needs to configure firewall rules to allow traffic from a set of compute instances to a set of backend instances. The engineer wants to use a method that is more secure and scalable than using network tags. Which approach should they use?
Service accounts provide identity-based security that is immutable and more scalable than tags.
Why this answer
Service accounts as firewall rule targets are preferred over network tags because they are immutable, tied to the identity of the instance, and reduce dependency on tag management. This approach is more secure and scalable.
An organization wants to enforce that all Compute Engine instances in a project have a specific tag (e.g., 'env=prod') before they can be created. Which approach should be used?
Organization policy constraints such as `compute.requireTags` (or custom constraint) can enforce that resources have specific tags.
Why this answer
Use Organization Policy with a constraint that requires tags on resources. The constraint `compute.requireOsLogin` is not related. Resource Manager tags can be enforced via Organization Policy using the `constraints/tags` constraint.
An organization wants to restrict access to Google Cloud APIs such as BigQuery and Cloud Storage so that only resources within a specific VPC network can call these APIs, and no traffic from other VPCs or on-premises networks is allowed. Which Google Cloud service should they use?
VPC Service Controls use service perimeters to restrict API access to resources within a VPC, preventing unauthorized access from other networks.
Why this answer
VPC Service Controls create service perimeters that restrict access to Google Cloud APIs based on the requesting network's context. This prevents data exfiltration and ensures only resources in the specified VPC can access the APIs.
A security engineer needs to block traffic from all IP addresses in a specific geographic region from reaching an HTTPS load-balanced application. The application uses Cloud Load Balancing with an external HTTPS load balancer. Which approach should the engineer use?
Correct: Cloud Armor can inspect client IPs even behind a load balancer and apply geo-blocking rules.
Why this answer
Cloud Armor security policies can be attached to external HTTPS load balancers to filter traffic based on geolocation. The engineer can create a Cloud Armor security policy with a rule that uses the geo-tag to deny traffic from the specified region.
Your organization wants to enforce that all VMs in a project can only communicate with a specific Cloud Storage bucket, and no other external IP addresses. You need to configure firewall rules to achieve this. Which approach should you take?
This correctly allows only Cloud Storage traffic using service account targets for VMs, with a deny-all catch-all.
Why this answer
To restrict VMs to communicating only with a specific Cloud Storage bucket, use a firewall rule with service account targets (for the VMs) and deny all egress traffic except to the Private Google Access IP ranges used by Cloud Storage. Service account targets are preferred for security because they follow the principle of least privilege and are independent of changes to individual VM instances.
A security engineer needs to block traffic to a set of VMs from specific IP addresses and also apply rate limiting for HTTP traffic. The VMs are behind a global external HTTPS load balancer. Which service should they use?
Cloud Armor provides IP blocking and rate limiting for HTTP(S) load balancers.
Why this answer
Cloud Armor security policies can be attached to load balancers to provide WAF capabilities, including IP allow/deny lists and rate limiting. This is the appropriate service for this scenario.
A company uses VPC Service Controls to protect a service perimeter around BigQuery. They need to allow a specific on-premises application (with static IP 203.0.113.10) to query BigQuery tables within the perimeter, while still blocking other internet traffic. Which configuration should be used?
This allows the specific IP to access BigQuery while respecting the perimeter.
Why this answer
Create an ingress rule in the service perimeter that allows access from the on-premises IP (using access level) to BigQuery. Access levels can be IP-based, so create an access level that includes 203.0.113.10, and use that in the ingress rule.
A company has multiple VPCs in different projects that need to privately connect to a common internal service (e.g., a managed database) running in a central project. They want to expose this service via Private Service Connect. Which type of PSC endpoint should the consumer VPCs create?
Consumers create PSC endpoints to connect to the published service.
Why this answer
Consumers create Private Service Connect endpoints (forwarding rules with PSC backends) to connect to a published service. The producer publishes the service via a service attachment.
A company wants to use a Google Cloud load balancer with an SSL certificate that is automatically provisioned and renewed. Which type of certificate should they use?
Google-managed certificates are automatically provisioned and renewed.
Why this answer
Google-managed SSL certificates are automatically provisioned, renewed, and managed by Google for use with load balancers. This is the simplest option for automatic management.
A company wants to provide private connectivity from its on-premises network to Google Cloud APIs (e.g., BigQuery, Cloud Storage) without traversing the public internet. They have an existing Dedicated Interconnect connection. Which solution should they use?
PSC provides private endpoints for Google APIs, accessible via interconnect.
Why this answer
Private Service Connect (PSC) allows private access to Google APIs via private endpoints using internal IP addresses. With Dedicated Interconnect, on-premises traffic can reach these endpoints without going over the internet.
A security engineer wants to restrict access to Cloud Storage buckets such that only workloads running on Compute Engine VMs in a specific VPC can read data. The VMs are managed by multiple GKE clusters and autoscaling instance groups. Which approach BEST enforces this restriction?
This approach restricts access to Cloud Storage from outside the perimeter and allows only requests originating from the specified VPC.
Why this answer
Use VPC Service Controls to create a service perimeter around the Cloud Storage API, with an ingress rule allowing requests from the specific VPC (using VPC network source) and VMs using the appropriate service accounts. VPC Service Controls prevent data exfiltration by restricting access to Google-managed services from outside the perimeter.
An engineer needs to ensure that only VMs with a specific service account (sa-prod@project.iam.gserviceaccount.com) can access a Cloud Spanner instance. They want to control this at the network level, not using IAM. Which VPC firewall rule configuration should they use?
Egress rules can be applied to VMs using a specific service account as the target.
Why this answer
Firewall rules can target service accounts for egress rules. Since the VMs initiate connections to Spanner, an egress rule with target service account is appropriate.
Access levels in VPC Service Controls can be IP-based, and a service perimeter enforces that only requests from those IPs are allowed.
Why this answer
VPC Service Controls create a service perimeter that, combined with an access level based on IP addresses, can restrict access to Google Cloud services such as Cloud Storage to only those IPs. The access level defines the allowed IP ranges.
An organization uses VPC Service Controls to protect BigQuery datasets. They need to allow a specific on-premises application, which uses a static IP address, to query a BigQuery dataset inside the service perimeter. Which configuration is required?
An ingress rule with the source IP allows traffic from that IP into the perimeter for specified services.
Why this answer
VPC Service Controls allow ingress rules to permit traffic from specific IP ranges into a perimeter. By creating an ingress rule that allows the on-premises IP and specifies the BigQuery API, the on-premises application can access the dataset.
A DevOps team wants to automatically provision and renew SSL certificates for a global HTTPS load balancer. Which certificate management option should be used?
Certificate Manager can create Google-managed certificates that auto-renew.
Why this answer
Google-managed SSL certificates automatically provision and renew certificates for domains hosted on Google Cloud, ideal for load balancers without manual intervention.
Which GCP service provides managed intrusion detection by analyzing mirrored network traffic and using threat signatures from Palo Alto Networks?
Cloud IDS provides managed network threat detection using Palo Alto Networks.
Why this answer
Cloud IDS is a managed intrusion detection service that uses packet mirroring to inspect traffic and applies Palo Alto Networks threat signatures.
Your organization uses Cloud Armor to protect HTTP Load Balancers. You need to block all incoming requests from a specific geographic region (country code 'XY') while allowing all other traffic. What is the correct configuration?
This is the correct way to block traffic from a specific country using Cloud Armor's custom rules.
Why this answer
Cloud Armor supports geolocation blocking using custom rules with expressions. The correct approach is to create a security policy rule that matches on the origin country code and sets the action to deny. The precedence (priority) ensures the deny rule is evaluated before the default allow rule.
A DevOps engineer wants to use Cloud Armor to block common web application attacks like SQL injection and cross-site scripting. Which feature should they enable?
The OWASP CRS includes rules for SQLi, XSS, etc.
Why this answer
Cloud Armor's preconfigured WAF rules include the OWASP ModSecurity Core Rule Set, which detects SQLi, XSS, and other attacks.
An organization wants to enforce that all Compute Engine instances have Confidential Computing enabled for sensitive workloads. Which TWO steps should be taken? (Choose 2)
Confidential Computing requires SEV-capable machine types.
Why this answer
To enforce Confidential Computing, use an organization policy constraint that requires the feature. Instance templates can also be configured with Confidential Computing, but enforcement comes from the policy, and the VM images must support SEV.
The two key steps are therefore: 1) set an organization policy constraint such as `compute.requireConfidentialComputing` (or similar) to require Confidential Computing, and 2) use a machine series that supports Confidential Computing (e.g., N2D). The two matching options are creating the constraint and using appropriate machine types.
You are designing a private connectivity solution for a Google Cloud project that needs to access Google APIs (e.g., Cloud Storage) without traversing the public internet. The VPC has on-premises connectivity via Cloud VPN. Which THREE steps are required to achieve private, on-premises to Google API access? (Choose 3)
PSC endpoints provide private IP addresses for Google APIs that can be accessed from VMs and on-premises via VPN.
Why this answer
To access Google APIs privately from on-premises via VPN, you need to enable Private Google Access in the VPC subnet, and use Private Service Connect (PSC) endpoints for Google APIs. Route advertisements via Cloud Router ensure on-premises traffic to Google API IP ranges goes to the PSC endpoints. Simply enabling Private Google Access on the subnet allows VMs in that subnet to access Google APIs via the default internet gateway, but on-premises traffic needs to be routed to the VPC and then to the PSC endpoint.
A company wants to allow users from a specific on-premises IP range to access a service deployed on Google Cloud, but only if the user's device is compliant with corporate security policies (e.g., has antivirus enabled). Which combination of services can achieve this?
Access levels can be defined with IP ranges and device policy requirements using Context-Aware Access.
Why this answer
VPC Service Controls access levels can combine IP-based conditions with device-based conditions (e.g., using BeyondCorp Enterprise). This allows restricting access to a service perimeter based on both the user's IP and device compliance.
A company wants to expose an internal web service running on a private GKE cluster to other services within the same VPC network using a private IP address. They do not want to use a public load balancer. Which Google Cloud service should they use?
Correct: Private Service Connect enables private connectivity to managed services or custom internal services via endpoints.
Why this answer
Private Service Connect allows publishing services using internal IP addresses. It can be used to create a private endpoint for GKE services, accessible only within the VPC network via a Private Service Connect endpoint.
An organization wants to implement a zero-trust network security model for their Google Cloud environment. Which TWO practices should they adopt? (Choose TWO.)
Restricts API access based on identity and context.
Why this answer
Using service account targets for firewall rules aligns with identity-based security (zero-trust). VPC Service Controls restrict access to APIs based on identity and context, reducing reliance on network perimeter.
A company wants to use Cloud Armor Managed Protection Plus to protect their HTTP(S) load balancer from DDoS attacks. They need to automatically block traffic from IP addresses that exhibit anomalous behavior based on machine learning. Which Cloud Armor feature should they enable?
Adaptive Protection uses ML models to detect anomalous traffic and generate rules.
Why this answer
Adaptive Protection uses ML to detect anomalous traffic and suggests rules to block it. Managed Protection Plus includes adaptive protection.
A company wants to automatically provision and renew SSL certificates for their HTTPS load balancer. They want Google to manage the certificate lifecycle. Which certificate type should they use?
Google-managed certificates are automatically provisioned and renewed.
Why this answer
Google-managed SSL certificates are automatically provisioned, renewed, and managed by Google. They are the correct choice for automatic lifecycle management. Self-managed certificates require the user to upload the certificate and renew it manually.
Certificate Manager is a service for managing certificates but does not automate renewal unless using Google-managed certificates.
A security engineer wants to apply a baseline set of firewall rules that apply to all new and existing VMs in an organization, and these rules must not be overridden by project-level rules. Which approach should be used?
Hierarchical policies cannot be overridden, enforcing baseline rules.
Why this answer
Hierarchical firewall policies are enforced at the organization or folder level and cannot be overridden at lower levels, ensuring baseline rules are always applied.
A company has set up a VPC Service Controls perimeter that includes Cloud Storage. They want to allow a specific on-premises server to copy data to a Cloud Storage bucket inside the perimeter. The on-premises server uses an external IP address. Which configuration is required?
Ingress rules permit traffic from outside the perimeter to access allowed services and resources.
Why this answer
In VPC Service Controls, ingress rules allow traffic from outside the perimeter to access resources inside. To allow an on-premises server with an external IP, an ingress rule from all identities (or the specific identity) using the source IP range of the on-premises server must be configured. This allows the server to cross the perimeter.
A financial services company must ensure that all data in Cloud Storage remains within a specific region and that no data can be accessed from outside the corporate network. They also need to allow a partner organization to access a specific bucket. Which THREE Google Cloud services or features should be combined to meet these requirements? (Choose THREE.)
Enables private connectivity for the partner.
Why this answer
VPC Service Controls restricts data access to authorized VPCs/environments. Access levels can enforce IP-based restrictions (corporate network). Private Service Connect can allow the partner to access the bucket privately via PSC endpoints without traversing the internet.
You manage a Google Cloud environment using shared VPC with multiple service projects. You need to enforce consistent firewall rules across all projects in the organization, ensuring that certain security rules cannot be overridden by project administrators. Which TWO steps should you take? (Choose 2)
This ensures the policy applies to all projects under that node and cannot be overridden.
Why this answer
Hierarchical firewall policies are inherited down the resource hierarchy and cannot be overridden by lower-level policies. Global network firewall policies can be applied at the VPC level but can be overridden by lower priority rules. The correct approach is to use a hierarchical firewall policy at the organization level, which enforces rules that cannot be overridden.
A financial services company must ensure that all data egress from a VPC to BigQuery goes through a Private Service Connect endpoint for private access. They have set up the PSC endpoint and configured DNS. However, connections from VMs are still using the public internet. What is the most likely cause?
Private Google Access must be enabled for VMs to use the PSC endpoint for Google APIs.
Why this answer
For private access to Google APIs via PSC, the VPC must have Private Google Access enabled on the subnet. Without it, VMs will use the default public route.
A company wants to use a Google-managed SSL certificate for their external HTTPS load balancer. Which step is required to provision the certificate?
Correct: Google uses DNS records to verify domain ownership and automate certificate issuance.
Why this answer
Google-managed SSL certificates require domain ownership verification. You must create a DNS record (a CNAME or A record) that points the domain to the load balancer's IP address, or a specific verification record, so that Google can confirm ownership. The certificate is then automatically provisioned and renewed.
An organization uses Certificate Manager to provision SSL certificates for multiple domains across several load balancers. They want to automate certificate renewal. Which type of certificate should be used?
Google-managed certificates are automatically renewed when DNS authorization is configured.
Why this answer
Google-managed certificates automatically provision and renew certificates for domains that are DNS-authorized. Certificate Manager can manage these certificates and map them to load balancer targets.
A company wants internal VMs to access Google APIs (e.g., Cloud Storage, BigQuery) without traversing the internet. What is the simplest configuration?
Private Google Access allows internal-only VMs to reach Google APIs privately.
Why this answer
Private Google Access enables VMs with only internal IPs to reach Google APIs via the Google Cloud private network, without needing external IPs or internet access.