GCP Professional Cloud Security Engineer Practice Question
A healthcare analytics company plans to spin up Vertex AI Workbench user-managed notebook instances for model training. Security architects mandate that notebook VMs must never expose external IP addresses, all traffic must remain inside the existing VPC Service Controls perimeter, and corporate policy bans use of the default network. Which network configuration satisfies these constraints while requiring the least ongoing network administration?
Use user-managed notebooks with public IP addresses but apply an organization policy that blocks all outbound internet traffic from the project.
Deploy each notebook in the default network, delete the default internet gateway route, and rely on firewall egress rules to block external traffic.
Launch notebooks in a shared host project that already uses Cloud NAT for egress and enable Private Google Access on that subnet.
Create the notebooks in a new custom VPC subnet that has Private Service Connect enabled, disable external IP assignment for the instances, and add the project to the existing VPC Service Controls perimeter.
Vertex AI Workbench notebooks can be created in any VPC network, not just the default. By choosing a new or existing custom VPC subnet that already belongs to the organization's VPC Service Controls perimeter, disabling the assignment of public IP addresses at creation time, and enabling Private Service Connect (or Private Google Access) for Google APIs on that subnet, notebook traffic remains on Google's private network. No external IPs are provisioned, and the deployment avoids the default network entirely. Firewall-only approaches (removing default routes) still leave the instances in the disallowed default network, and Cloud NAT or public IPs breach the no-external-IP requirement. Project-level egress restrictions on public IPs do not prevent the assignment of the public interface itself, so they violate the mandate.
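The three constraints in the explanation above can be checked against an exported inventory. The following is an added example, not part of the original question: the project, network, subnet and instance names and the perimeter contents are constructed, and only the field names follow the Compute Engine and Access Context Manager JSON output. It checks the subnet's Private Google Access flag only; a Private Service Connect endpoint for Google APIs would need a separate check.

```python
# Added example: audit notebook VMs against the question's three constraints.
# All data is constructed; it mirrors the JSON fields returned by
# `gcloud compute instances list`, `gcloud compute networks subnets list` and
# `gcloud access-context-manager perimeters describe` with --format=json.
BASE = "https://www.googleapis.com/compute/v1/projects/demo-proj"  # hypothetical project
ML_NET = BASE + "/global/networks/ml-vpc"
ML_SUB = BASE + "/regions/us-central1/subnetworks/ml-subnet"
DEF_NET = BASE + "/global/networks/default"
DEF_SUB = BASE + "/regions/us-central1/subnetworks/default"

INSTANCES = [
    {"name": "nb-train-1",
     "networkInterfaces": [{"network": ML_NET, "subnetwork": ML_SUB}]},
    {"name": "nb-legacy",
     "networkInterfaces": [{"network": DEF_NET, "subnetwork": DEF_SUB,
                            "accessConfigs": [{"type": "ONE_TO_ONE_NAT",
                                               "natIP": "203.0.113.10"}]}]},
]
SUBNETS = [
    {"selfLink": ML_SUB, "privateIpGoogleAccess": True},
    {"selfLink": DEF_SUB, "privateIpGoogleAccess": False},
]
PERIMETER = {"status": {"resources": ["projects/111111111111"]}}


def audit(instances, subnets, perimeter, project_number):
    """Return sorted (instance, violation) pairs for the given inventory."""
    pga = {s["selfLink"]: s.get("privateIpGoogleAccess", False) for s in subnets}
    protected = perimeter.get("status", {}).get("resources", [])
    in_perimeter = f"projects/{project_number}" in protected
    findings = set()
    for vm in instances:
        if not in_perimeter:
            findings.add((vm["name"], "project-outside-perimeter"))
        for nic in vm.get("networkInterfaces", []):
            # An accessConfigs entry is what gives a NIC an external IPv4 address.
            if nic.get("accessConfigs") or nic.get("ipv6AccessConfigs"):
                findings.add((vm["name"], "external-ip"))
            if nic.get("network", "").rsplit("/", 1)[-1] == "default":
                findings.add((vm["name"], "default-network"))
            if not pga.get(nic.get("subnetwork"), False):
                findings.add((vm["name"], "no-private-google-access"))
    return sorted(findings)


if __name__ == "__main__":
    for name, violation in audit(INSTANCES, SUBNETS, PERIMETER, "111111111111"):
        print(f"{name}: {violation}")
```
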
GCP Professional Cloud Security Engineer
Ensuring data protection