Question 304 of 500
Configuring network security · medium · Multiple Select · Objective-mapped

Quick Answer

The correct steps are to delete the default-allow-ssh rule and create a firewall rule with priority 1000 allowing ingress from instances tagged 'web-servers' on TCP port 80. This works because VPC firewall rules are evaluated from lowest to highest priority number, so a rule with priority 1000 will be checked before the default lower-priority rules (typically 65535), and deleting the default SSH rule removes the blanket permission from 0.0.0.0/0 that would otherwise allow unwanted SSH traffic. On the Google Professional Cloud Security Engineer exam, this scenario tests your understanding of implicit deny, rule priority ordering, and tag-based source filtering—a common trap is forgetting that default rules remain in effect unless explicitly deleted or overridden by a lower-numbered rule. Remember that in GCP, lower priority numbers mean higher precedence, so a rule at priority 1000 will always beat a default rule at priority 65535. Memory tip: "Low number wins, high number loses—delete the default to close the doors."

PCSE Configuring network security Practice Question

This PCSE practice question tests your understanding of configuring network security. Match the stated requirement to the specific cloud service, access model, or configuration option — many options are valid in isolation but not for this scenario. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

Your VPC has a default firewall rule that allows SSH (TCP port 22) from all sources. You need to allow HTTP traffic (TCP port 80) only from instances tagged 'web-servers' to the target instances, and block all other inbound traffic including SSH. Which TWO steps should you take?


Correct answer & explanation

Delete the default-allow-ssh rule, and create a firewall rule with priority 1000 allowing ingress from instances tagged 'web-servers' on TCP port 80.

Option C is correct because deleting the default-allow-ssh rule removes the rule that permits SSH from all sources (0.0.0.0/0), which is necessary to block all inbound SSH traffic as required. Option D is correct because creating a firewall rule with priority 1000 that allows ingress on TCP port 80 from instances tagged 'web-servers' explicitly permits HTTP traffic only from the desired source, and since lower priority numbers are evaluated first, this rule will be applied before any higher-numbered (lower priority) default rules.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Modify the default-allow-ssh rule to set its source filter to an empty range.

    Why it's wrong here

    VPC firewall rules are allow-only; you cannot modify a rule to deny. You should delete the rule instead.

  • Create a firewall rule with priority 65535 allowing all traffic from 0.0.0.0/0.

    Why it's wrong here

    This would allow all inbound traffic, violating the requirement to block other traffic.

  • Delete the default-allow-ssh rule.

    Why this is correct

    This removes the default allow for SSH, which is necessary to block SSH traffic.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Create a firewall rule with priority 1000 allowing ingress from instances with tag 'web-servers' on TCP port 80.

    Why this is correct

    This allows HTTP from the specified source tag.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Create a firewall rule with priority 1000 allowing ingress from instances with tag 'web-servers' on TCP port 443.

    Why it's wrong here

    HTTPS on port 443 is not required; only HTTP is needed.

Common exam traps

Common exam trap: answer the scenario, not the keyword

Google Cloud often tests the misconception that you can simply modify or override a default rule by adding a higher-priority deny rule, but in Google Cloud VPC, firewall rules are allow-only (no explicit deny rules), so the only way to block traffic allowed by a default rule is to delete that rule or change its source filter to a non-matching range.

Detailed technical explanation

How to think about this question

In Google Cloud VPC firewall rules, each rule has a priority from 0 (highest) to 65535 (lowest); rules with lower numerical priority are evaluated first, and the first matching rule determines whether traffic is allowed or denied. The default-allow-ssh rule has a priority of 65534, so deleting it removes the implicit SSH allowance; if left in place, even with a higher-priority rule allowing HTTP, the SSH rule would still permit SSH from all sources because it matches before any deny-all implicit rule (since implicit deny is only applied after all rules are evaluated). In real-world scenarios, you must carefully manage default rules to avoid leaving unintended open ports, especially when migrating from default configurations to a least-privilege model.
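The evaluation order described above can be checked with a small model. The following Python is an added illustration, not code from this page or from Google: it models ingress rules as the explanation describes them (lowest priority number checked first, first match decides, implied deny only when nothing matched, source matched by CIDR range or by network tag) and runs the scenario's traffic against the rule set before and after the two correct steps. The rule names, tags and IP addresses are constructed sample data, and real VPC firewall behaviour (direction, target filtering, source tags only matching traffic from instances in the same VPC network) is simplified.

```python
"""Toy model of Google Cloud VPC ingress firewall evaluation.

Added illustration, not code from the page or from Google. Rules are
evaluated from the lowest priority number upward, the first matching rule
decides, and a packet that matches no rule falls through to the implied
deny. All names, tags and addresses are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    name: str
    priority: int                # 0 = highest precedence, 65535 = lowest
    protocol: str                # e.g. "tcp"
    ports: frozenset             # destination ports the rule covers
    source_ranges: tuple = ()    # CIDR strings, e.g. ("0.0.0.0/0",)
    source_tags: tuple = ()      # network tags on the sending instance
    action: str = "allow"


@dataclass
class Packet:
    src_ip: str
    src_tags: frozenset          # network tags of the sending instance
    protocol: str
    dst_port: int


def matches(rule, pkt):
    """A rule matches when protocol and port match and the source matches
    either one of the rule's CIDR ranges or one of its source tags."""
    if rule.protocol != pkt.protocol or pkt.dst_port not in rule.ports:
        return False
    in_range = any(ip_address(pkt.src_ip) in ip_network(r)
                   for r in rule.source_ranges)
    has_tag = bool(set(rule.source_tags) & pkt.src_tags)
    return in_range or has_tag


def evaluate(rules, pkt):
    """Return (decision, rule_name). Lowest priority number is checked
    first; the implied deny applies only after no rule matched."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule, pkt):
            return rule.action, rule.name
    return "deny", "implied-deny"


# Constructed rule set for the scenario (priority 65534 for the default
# SSH rule follows the explanation above).
DEFAULT_ALLOW_SSH = Rule("default-allow-ssh", 65534, "tcp", frozenset({22}),
                         source_ranges=("0.0.0.0/0",))
ALLOW_HTTP_FROM_WEB = Rule("allow-http-from-web-servers", 1000, "tcp",
                           frozenset({80}), source_tags=("web-servers",))


def before_fix():
    """Default rule still present, new HTTP rule added: SSH stays open."""
    return [DEFAULT_ALLOW_SSH, ALLOW_HTTP_FROM_WEB]


def after_fix():
    """Step 1 (delete default-allow-ssh) and step 2 (priority-1000 rule)."""
    return [ALLOW_HTTP_FROM_WEB]


# Constructed sample traffic.
SSH_FROM_INTERNET = Packet("203.0.113.10", frozenset(), "tcp", 22)
HTTP_FROM_WEB = Packet("10.0.1.5", frozenset({"web-servers"}), "tcp", 80)
HTTP_FROM_OTHER = Packet("10.0.2.7", frozenset({"batch"}), "tcp", 80)


if __name__ == "__main__":
    for label, rules in (("before", before_fix()), ("after", after_fix())):
        for name, pkt in (("ssh from internet", SSH_FROM_INTERNET),
                          ("http from web-servers", HTTP_FROM_WEB),
                          ("http from other tag", HTTP_FROM_OTHER)):
            print(f"{label:6} {name:22} -> {evaluate(rules, pkt)}")
```

Running the model shows the trap the explanation warns about: with default-allow-ssh still present, the priority-1000 HTTP rule is checked first but does not match port 22, so evaluation continues and the default rule allows SSH from anywhere. Only after the default rule is deleted does SSH fall through to the implied deny, while HTTP from a 'web-servers' instance is still allowed and HTTP from an untagged instance is not. The equivalent real commands are `gcloud compute firewall-rules delete default-allow-ssh` and `gcloud compute firewall-rules create allow-http-from-web-servers --network=default --direction=INGRESS --priority=1000 --allow=tcp:80 --source-tags=web-servers` (rule name chosen here as an example).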

Key Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A healthcare organisation deploys an application with a public-facing web tier and a private database tier. The database subnet has no public IP and only accepts connections from the web tier's security group. Questions like this test whether you can design cloud network isolation using VNets/VPCs, subnets, and security group rules.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.


FAQ

Questions learners often ask

What does this PCSE question test?

This question tests Configuring network security. Key concept: read the scenario before looking for a memorised answer.

What is the correct answer to this question?

The correct answers are: delete the default-allow-ssh rule, and create a firewall rule with priority 1000 allowing ingress from instances tagged 'web-servers' on TCP port 80. Option C is correct because deleting the default-allow-ssh rule removes the rule that permits SSH from all sources (0.0.0.0/0), which is necessary to block all inbound SSH traffic as required. Option D is correct because creating a firewall rule with priority 1000 that allows ingress on TCP port 80 from instances tagged 'web-servers' explicitly permits HTTP traffic only from the desired source, and since lower priority numbers are evaluated first, this rule will be applied before any higher-numbered (lower priority) default rules.

What should I do if I get this PCSE question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Last reviewed: Jun 30, 2026


This PCSE practice question is part of Courseiva's free Google Cloud certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the PCSE exam.