GCP Professional Cloud Architect Practice Question
Your company has hundreds of projects under one Google Cloud organization. Security requires that no VM may connect directly to the public internet; all outbound traffic must go through an on-prem proxy reachable over Cloud VPN using a specific CIDR. Application teams still need to manage their own VPC firewall rules for east-west traffic. How can you enforce the egress restriction organization-wide while letting teams self-service other rules and keeping ops overhead low?
Apply the "restrict-VpcEgress" Organization Policy constraint at the organization node so that all projects inherit an egress block, and let project owners manage exceptions with custom constraints.
Attach a Cloud Armor security policy to each project's default external HTTP(S) load balancer that blocks all outbound traffic except to the proxy address range.
In the shared VPC host project, create a DENY egress firewall rule with the lowest priority and require all service projects to attach their VPC networks to the host project.
Create an organization-level hierarchical firewall policy with a top-priority rule that denies all egress to 0.0.0.0/0 (except the on-prem proxy CIDR). Allow project owners to continue managing their own VPC firewall rules for other traffic.
A hierarchical firewall policy attached at the organization node is evaluated before any VPC-level firewall rule. A high-priority egress deny rule for destination 0.0.0.0/0, preceded by an allow rule for the on-prem proxy CIDR, creates an organization-wide control that lower-level policies and per-project rules cannot override. Project teams keep the ability to define VPC firewall rules for intra- and inter-project traffic, because those rules are evaluated only after the hierarchical policy. Organization Policy constraints, VPC Service Controls, shared VPC host-project rules, and Cloud Armor either cannot enforce the same network-layer egress deny across all VMs or do not affect direct VM egress at all.
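The following is an added example, not part of the original question page or Google's implementation: a small Python model of the precedence the explanation relies on. The organization-level hierarchical policy is consulted first and its allow or deny verdict is final; only a goto_next (used here for the RFC 1918 ranges, so east-west traffic stays under the teams' control) falls through to the project's own VPC rules. All CIDRs, priorities and project names are constructed.

```python
import ipaddress

# Constructed values: the on-prem proxy range reachable over Cloud VPN and the
# private ranges used for east-west traffic between projects.
ON_PREM_PROXY_CIDR = "10.200.0.0/24"
EAST_WEST_CIDRS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# Organization-level hierarchical firewall policy (constructed). The lowest
# priority number is evaluated first; 'goto_next' hands the decision to the
# next level (folder policies, then the project's VPC firewall rules).
ORG_POLICY = [
    {"priority": 100, "dest": ON_PREM_PROXY_CIDR, "action": "allow"},
    *[{"priority": 200 + i, "dest": c, "action": "goto_next"}
      for i, c in enumerate(EAST_WEST_CIDRS)],
    {"priority": 300, "dest": "0.0.0.0/0", "action": "deny"},
]

# VPC firewall rules owned by application teams (constructed). team-a tries to
# allow all egress, which the org policy makes irrelevant, and also blocks one
# internal range, which still takes effect because the org policy delegated it.
PROJECT_RULES = {
    "team-a": [
        {"priority": 500, "dest": "10.20.0.0/16", "action": "deny"},
        {"priority": 1000, "dest": "0.0.0.0/0", "action": "allow"},
    ],
}


def _first_match(rules, dst_ip):
    """Return the action of the highest-priority egress rule matching dst_ip."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if dst_ip in ipaddress.ip_network(rule["dest"]):
            return rule["action"]
    return None


def evaluate_egress(project, dst):
    """Decide 'allow' or 'deny' for a VM in `project` sending to IP `dst`."""
    dst_ip = ipaddress.ip_address(dst)
    verdict = _first_match(ORG_POLICY, dst_ip)
    if verdict in ("allow", "deny"):
        return verdict  # the hierarchical verdict is final; project rules never run
    # 'goto_next' or no org match: the project's own VPC rules decide, with the
    # implied allow-egress rule as the fallback.
    return _first_match(PROJECT_RULES.get(project, []), dst_ip) or "allow"


if __name__ == "__main__":
    for project, dst in [("team-a", "8.8.8.8"), ("team-a", "10.200.0.5"),
                         ("team-a", "10.20.3.4"), ("team-b", "10.30.1.1")]:
        print(f"{project} -> {dst}: {evaluate_egress(project, dst)}")
```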