GCP Professional Cloud Security Engineer Practice Question
A life-sciences company trains sensitive genomic models on Vertex AI. Security policy requires that every API request made by Vertex AI training jobs, batch predictions, or pipeline components must remain confined to a list of approved Google Cloud projects; any attempt to move data or models to resources outside those projects must be blocked, even if someone later grants broad IAM permissions by mistake. What is the most effective network-layer control that satisfies these requirements while letting data scientists continue to use the fully managed Vertex AI service with minimal ongoing maintenance effort?
Configure Private Service Connect endpoints for Vertex AI and require data scientists to use the private.googleapis.com domain for API access.
Create a VPC Service Controls perimeter that includes aiplatform.googleapis.com and storage.googleapis.com and limits access to only the sanctioned projects.
Remove all external IP addresses from training VMs and force any remaining egress through Cloud NAT governed by an egress-deny firewall rule.
Protect every dataset and model with CMEK and plan to destroy the keys immediately if data exfiltration is suspected.
Creating a VPC Service Controls (VPC SC) service perimeter around the approved projects and adding both aiplatform.googleapis.com (Vertex AI) and storage.googleapis.com (Cloud Storage) to the protected services list prevents data exfiltration at Google's network edge. API calls that try to read from or write to resources outside the perimeter are denied before IAM is evaluated, so even an overly permissive IAM role cannot bypass the restriction. Removing external IPs or relying only on Cloud NAT or Private Service Connect controls traffic that traverses customer VPCs but does not block Google-managed service-to-service APIs. CMEK governs encryption, not network egress, and cannot stop exfiltration.
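The perimeter the explanation describes, expressed as Terraform (an added example, not code from the exam page or from Google); the organization id, policy title and project numbers are placeholders to be replaced with the sanctioned projects:

```hcl
# Added example: a VPC Service Controls perimeter that confines Vertex AI and
# Cloud Storage API calls to the approved projects. ORG_ID_PLACEHOLDER and the
# project numbers below are placeholders, not values from the page.

resource "google_access_context_manager_access_policy" "org_policy" {
  parent = "organizations/ORG_ID_PLACEHOLDER"
  title  = "genomics-vpc-sc-policy"
}

resource "google_access_context_manager_service_perimeter" "vertex_genomics" {
  parent         = "accessPolicies/${google_access_context_manager_access_policy.org_policy.name}"
  name           = "accessPolicies/${google_access_context_manager_access_policy.org_policy.name}/servicePerimeters/vertex_genomics"
  title          = "vertex_genomics"
  perimeter_type = "PERIMETER_TYPE_REGULAR"

  status {
    # Only these projects are inside the boundary; a Vertex AI job in one of
    # them cannot read or write a bucket or model in any project not listed
    # here, regardless of how permissive the caller's IAM bindings are.
    resources = [
      "projects/111111111111", # placeholder: training project number
      "projects/222222222222", # placeholder: data project number
    ]

    # The two APIs named in the explanation. Calls to these services that cross
    # the perimeter boundary are rejected at Google's edge before IAM runs.
    restricted_services = [
      "aiplatform.googleapis.com",
      "storage.googleapis.com",
    ]

    # Hosts on VPC networks inside the perimeter may reach only the restricted
    # services, so training VMs cannot call an unrestricted API to exfiltrate.
    vpc_accessible_services {
      enable_restriction = true
      allowed_services   = ["RESTRICTED-SERVICES"]
    }
  }
}
```

Before enforcing, a dry-run of the same perimeter (the resource's explicit dry-run spec, or `gcloud access-context-manager perimeters dry-run`) logs the calls that would be denied, which is how to confirm that legitimate pipeline traffic between the sanctioned projects is not affected.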
GCP Professional Cloud Security Engineer
Ensuring data protection