GCP Professional Cloud Architect Practice Question
A financial-services company hosts its trading platform on Compute Engine VMs in a production VPC. Security policy states that:
Only outbound HTTPS traffic to approved market-data and partner APIs is allowed.
Developers must not be able to tunnel traffic through arbitrary TCP ports or visit unapproved websites even if they attach an external IP during troubleshooting.
You are designing the egress path to satisfy the policy while keeping operations simple. Which solution best meets the requirements and follows Google-recommended architecture principles?
Force all egress traffic through an on-premises next-generation firewall over Cloud VPN, where URL filtering is applied, and return traffic to Google Cloud over the same tunnel.
Install host-based proxy agents on every VM, configure them to forward HTTPS requests to an external SaaS security proxy, and block direct internet egress with a DENY all-egress VPC firewall rule.
Deploy Cloud NAT for the subnet, add an egress firewall rule that allows tcp:443 only to the partner IP ranges, and rely on NAT's managed service to block all other destinations automatically.
Create a regional Secure Web Proxy forwarding rule in the VPC, publish the proxy's private IP as the default gateway for the VM subnet, and configure SWP URL policies that whitelist the required market-data and partner domains while blocking all other categories.
Secure Web Proxy (SWP) is a fully managed, scalable service that proxies egress web traffic (HTTP and HTTPS) directly from a VPC subnet. Instances send traffic to a regional SWP forwarding rule whose next hop is the service. SWP performs URL-based filtering against domain or category lists and allows administrators to enable CONNECT port restrictions so that only TCP 443 is permitted. Because traffic remains on Google's backbone until it exits through SWP, VMs do not need external IP addresses and firewall rules stay minimal.
Cloud NAT alone cannot filter by URL or restrict CONNECT destinations, so it cannot enforce the "approved websites only" control. Host-based agents or on-premises appliances add operational overhead and back-haul latency that conflict with the simplicity objective. VPC firewall rules operate at L3/L4 and cannot inspect URLs, so they cannot distinguish approved from unapproved HTTPS sites.
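The explanation above, expressed as Secure Web Proxy configuration. This is an added example, not part of the original question or Google's documentation; PROJECT_ID, REGION, the network, subnet, certificate and proxy address are placeholders, the partner domains are constructed, and the CEL attribute names used in the session matchers (host(), destination.port) are assumed to match the SWP session-matcher syntax.

```yaml
# Added example (not from the original page): SWP manifests that encode
# "HTTPS only, and only to approved domains". All names are placeholders.

# 1. gateway-security-policy.yaml: the policy container the gateway attaches to
name: projects/PROJECT_ID/locations/REGION/gatewaySecurityPolicies/trading-egress-policy
description: Allow HTTPS only to approved market-data and partner APIs
---
# 2. rule-allow-approved-apis.yaml: lower priority number is evaluated first.
#    ALLOW only the approved hosts, and only when the CONNECT target port
#    is 443, so a CONNECT to api.partner.example.net:22 is still refused.
name: projects/PROJECT_ID/locations/REGION/gatewaySecurityPolicies/trading-egress-policy/rules/allow-approved-apis
enabled: true
priority: 100
basicProfile: ALLOW
sessionMatcher: >-
  (host() == 'marketdata.example.com' || host() == 'api.partner.example.net')
  && destination.port == 443
---
# 3. rule-deny-all-other.yaml: explicit catch-all DENY. SWP refuses sessions
#    no rule allows; this rule makes the intent visible in audit and review.
name: projects/PROJECT_ID/locations/REGION/gatewaySecurityPolicies/trading-egress-policy/rules/deny-all-other
enabled: true
priority: 1000
basicProfile: DENY
sessionMatcher: "true"
---
# 4. gateway.yaml: the regional SWP instance the trading subnet sends to.
#    The proxy address is a private IP inside the VPC; no external IPs are
#    needed on the VMs.
name: projects/PROJECT_ID/locations/REGION/gateways/trading-egress-swp
type: SECURE_WEB_GATEWAY
addresses: ["10.10.0.250"]
ports: [443]
certificateUrls: ["projects/PROJECT_ID/locations/REGION/certificates/swp-cert"]
gatewaySecurityPolicy: projects/PROJECT_ID/locations/REGION/gatewaySecurityPolicies/trading-egress-policy
network: projects/PROJECT_ID/global/networks/prod-vpc
subnetwork: projects/PROJECT_ID/regions/REGION/subnetworks/trading-subnet
scope: trading-egress
```

Each document is saved as its own file and imported in order with `gcloud network-security gateway-security-policies import`, `gcloud network-security gateway-security-policies rules import`, and `gcloud network-services gateways import`, all with `--location=REGION`. The L7 rules only bind if nothing can bypass the proxy: pair them with a VPC egress firewall rule that permits tcp:443 to the proxy address and denies all other egress, so that a VM given an external IP during troubleshooting still cannot reach the internet directly, which is exactly the case the L3/L4-only options in the question fail to cover.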