GCP Professional Cloud Architect Practice Question

Your company has hundreds of projects under one Google Cloud organization. Security requires that no VM may connect directly to the public internet; all outbound traffic must go through an on-prem proxy reachable over Cloud VPN using a specific CIDR. Application teams still need to manage their own VPC firewall rules for east-west traffic. How can you enforce the egress restriction organization-wide while letting teams self-service other rules and keeping ops overhead low?

  • Create an organization-level hierarchical firewall policy with a top-priority rule that denies all egress to 0.0.0.0/0 (except the on-prem proxy CIDR). Allow project owners to continue managing their own VPC firewall rules for other traffic.

  • Apply the "restrict-VpcEgress" Organization Policy constraint at the organization node so that all projects inherit an egress block, and let project owners manage exceptions with custom constraints.

  • Attach a Cloud Armor security policy to each project's default external HTTP(S) load balancer that blocks all outbound traffic except to the proxy address range.

  • In the shared VPC host project, create a DENY egress firewall rule with the lowest priority and require all service projects to attach their VPC networks to the host project.
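To make the mechanics behind the hierarchical firewall policy option concrete, here is a small added model of how Google Cloud evaluates an egress packet: organization-level hierarchical firewall policy rules first, in ascending priority number (0 is evaluated first), then the project's own VPC firewall rules, with the implied allow-egress rule (priority 65535) as the fallback. A hierarchical rule can `allow`, `deny`, or `goto_next`, which is what lets project owners keep managing east-west rules underneath an org-wide egress block. This is illustrative Python written for this page, not Google's API or the exam vendor's material; the proxy CIDR, RFC 1918 hand-off, rule priorities and the team's VPC rules are all constructed, and folder-level policies and network firewall policies are omitted.

```python
# Added illustration: toy model of how Google Cloud evaluates egress against
# hierarchical firewall policy rules and then VPC firewall rules.
# Constructed for this page; it is not the GCP API and omits folder-level
# policies and global/regional network firewall policies.
from dataclasses import dataclass
import ipaddress
from typing import List, Tuple

@dataclass(frozen=True)
class Rule:
    priority: int                 # lower number = evaluated first (0 is highest)
    action: str                   # "allow", "deny", or "goto_next" (hierarchical only)
    dest_ranges: Tuple[str, ...]  # destination CIDRs the rule matches

IMPLIED_EGRESS_ALLOW_PRIORITY = 65535    # GCP's implied allow-egress rule

PROXY_CIDR = "10.200.0.0/24"             # assumed on-prem proxy range (constructed)
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

def matches(rule: Rule, dst_ip: str) -> bool:
    ip = ipaddress.ip_address(dst_ip)
    return any(ip in ipaddress.ip_network(cidr) for cidr in rule.dest_ranges)

def evaluate(hier_rules: List[Rule], vpc_rules: List[Rule], dst_ip: str):
    """Return (action, level, priority) of the rule that decided dst_ip."""
    for rule in sorted(hier_rules, key=lambda r: r.priority):
        if not matches(rule, dst_ip):
            continue
        if rule.action == "goto_next":
            break                         # hand off to project-managed VPC rules
        return (rule.action, "hierarchical", rule.priority)
    for rule in sorted(vpc_rules, key=lambda r: r.priority):
        if matches(rule, dst_ip):
            return (rule.action, "vpc", rule.priority)
    return ("allow", "implied", IMPLIED_EGRESS_ALLOW_PRIORITY)

def org_policy() -> List[Rule]:
    # Order matters: the proxy exception and the east-west hand-off must sit
    # above (lower number than) the catch-all deny to 0.0.0.0/0.
    return [
        Rule(1000, "allow", (PROXY_CIDR,)),
        Rule(1100, "goto_next", RFC1918),
        Rule(2000, "deny", ("0.0.0.0/0",)),
    ]

def misordered_org_policy() -> List[Rule]:
    # Same rules, but the catch-all deny outranks the proxy exception,
    # so even traffic to the proxy is dropped at the organization level.
    return [
        Rule(100, "deny", ("0.0.0.0/0",)),
        Rule(1000, "allow", (PROXY_CIDR,)),
        Rule(1100, "goto_next", RFC1918),
    ]

def team_vpc_rules() -> List[Rule]:
    # Constructed project-level rules an application team manages itself.
    return [
        Rule(1000, "allow", ("10.10.0.0/16",)),
        Rule(2000, "deny", ("10.20.0.0/16",)),
    ]

if __name__ == "__main__":
    for dst in ("10.200.0.5", "8.8.8.8", "10.10.1.1", "10.20.1.1", "10.30.1.1"):
        print(dst, "->", evaluate(org_policy(), team_vpc_rules(), dst))
    print("misordered, proxy:", evaluate(misordered_org_policy(), team_vpc_rules(), "10.200.0.5"))
```

The `misordered_org_policy` case is the practical caveat: a deny to 0.0.0.0/0 placed at a higher priority than the proxy exception blocks the proxy itself, and without a `goto_next` (or a scoped allow) for internal ranges the org-level deny also swallows east-west traffic before any project-owned VPC rule is consulted. In the real product these rules are created with `gcloud compute firewall-policies rules create PRIORITY --firewall-policy=... --action=allow|deny|goto_next`.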

GCP Professional Cloud Architect
Designing for security and compliance