GCP Professional Cloud Security Engineer Practice Question
A multinational enterprise has hundreds of projects in a Google Cloud organization. Security architects must enforce these requirements:

1. Block all direct internet traffic to any VM except traffic that first terminates on the production external HTTP(S) load balancer.
2. Allow outbound connections from all VMs only to a small set of approved external domains (for example, github.com and security-updates.example.com), and perform TLS decryption and inspection on that egress traffic.
3. Enable individual project teams to create additional egress allow rules, but never to override organization-wide denies.

Which design satisfies all requirements with the least operational overhead?

A. Attach a Cloud Armor security policy to the external HTTP(S) load balancer for ingress filtering, and use Cloud NAT gateways with subnet-level firewall rules that allow only the IP address ranges of the approved SaaS providers for egress.
B. Enable Identity-Aware Proxy for the application and deploy Secure Web Proxy in each project to filter egress traffic; manage per-project proxy rules to restrict destinations.
C. Place all projects inside a VPC Service Controls perimeter that blocks egress to the internet and create perimeter-level ingress rules allowing only the load balancer; rely on perimeter egress exceptions for the approved external domains.
D. Create a global hierarchical Cloud Next Generation Firewall policy at the organization node that (1) denies all ingress traffic to VM targets except an allow rule for the external HTTP(S) load balancer's backend service, and (2) adds a TLS-inspection egress rule that permits only the approved FQDN list followed by a default deny; allow projects to add lower-priority egress allow rules as needed.
Explanation (correct answer: the organization-level hierarchical Cloud NGFW policy). A hierarchical Cloud NGFW policy attached to the organization node enforces deny-by-default ingress to VM NICs while allowing only the traffic that arrives through the external HTTP(S) load balancer's backend service. In the same policy, an egress rule that allows only the approved FQDNs and applies TLS inspection, followed by a lower-precedence (higher priority number) deny, blocks every other destination. Hierarchical policies are evaluated from the organization node downward through folder policies to the VPC's own network firewall policy and VPC firewall rules, and the first matching allow or deny ends evaluation; a deny at the organization level therefore cannot be overridden by any allow a project team adds below it, and project rules are only reached for traffic the organization-level rules leave undecided. One design caveat follows from that ordering: a deny that matches all remaining egress at the organization node also swallows the project teams' own allow rules, so the organization policy should keep explicit denies for destinations that must never be reachable and end with a goto_next rule for the traffic it delegates; otherwise the teams' allow rules never take effect. TLS inspection in firewall policy rules requires Cloud NGFW Enterprise (firewall endpoints and a TLS inspection policy backed by Certificate Authority Service), and the VMs must trust the CA that issues the intercept certificates. The other options fall short: Cloud Armor filters only ingress at the load balancer, Cloud NAT offers no FQDN filtering or TLS inspection, and VPC Service Controls govern access to Google APIs and services rather than general internet egress. Secure Web Proxy can filter by FQDN and inspect TLS, but deploying and managing it separately in every project is more operational overhead and gives no hierarchical, non-overridable enforcement.
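The evaluation order the explanation relies on is easy to get wrong, so here is a small model of it as an added example (it is not Google's code and not part of the original question). It models only the rule that matters here: policies are evaluated organization, then folder, then VPC; within a policy rules run in ascending priority number; the first matching allow or deny ends evaluation, and a goto_next rule delegates to the next level. The Rule and Policy types, the rule names, the approved list and the destinations are all constructed for illustration, and FQDN matching is a plain hostname comparison rather than the IP resolution real Cloud NGFW performs. Running it shows both halves of the point: the project's attempt to re-allow an org-denied domain is ignored, and an organization policy that ends in deny rather than goto_next also makes the project's legitimate allow rule unreachable.

```python
"""Toy model of hierarchical firewall policy evaluation in Google Cloud.

Added example, not Google's code. Evaluation goes org -> folder -> vpc,
within a policy in ascending priority number; the first matching allow
or deny decides, so a lower-level allow can never override a higher-level
deny. A 'goto_next' rule hands the decision to the next level. FQDN
matching is a hostname comparison; real Cloud NGFW resolves FQDN objects
to IP addresses. All rule sets and destinations below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    priority: int                 # lower number = evaluated first in its policy
    action: str                   # "allow", "deny" or "goto_next"
    name: str
    dest_fqdns: Optional[List[str]] = None  # None = any destination
    tls_inspect: bool = False     # decrypt and inspect matching TLS egress


@dataclass
class Policy:
    level: str                    # "org", "folder" or "vpc"
    rules: List[Rule] = field(default_factory=list)


def evaluate(policies: List[Policy], dest_fqdn: str) -> Tuple[str, str, bool]:
    """Evaluate one egress connection to dest_fqdn.

    policies must be ordered from the organization downward. Returns
    (verdict, deciding rule, tls_inspect). If nothing decides, the VPC's
    implied egress-allow rule applies.
    """
    for policy in policies:
        for rule in sorted(policy.rules, key=lambda r: r.priority):
            if rule.dest_fqdns is not None and dest_fqdn not in rule.dest_fqdns:
                continue
            if rule.action == "goto_next":
                break                           # delegate to the next level
            return rule.action, f"{policy.level}:{rule.name}", rule.tls_inspect
    return "allow", "implied-egress-allow", False


APPROVED = ["github.com", "security-updates.example.com"]

# Organization policy as worded in the answer: approved FQDNs with TLS
# inspection, then a default deny. Nothing below the org is ever reached.
ORG_STRICT = Policy("org", [
    Rule(1000, "allow", "allow-approved-fqdns", APPROVED, tls_inspect=True),
    Rule(65000, "deny", "default-deny-egress"),
])

# Organization policy that keeps non-overridable denies but delegates the
# rest, so project teams can add their own allow rules underneath.
ORG_DELEGATING = Policy("org", [
    Rule(1000, "allow", "allow-approved-fqdns", APPROVED, tls_inspect=True),
    Rule(2000, "deny", "deny-blocked-domain", ["blocked.example"]),
    Rule(65000, "goto_next", "delegate-remaining"),
])

# A project team's VPC network firewall policy: an attempt to re-allow an
# org-denied domain, a legitimate extra allow, and its own default deny.
PROJECT = Policy("vpc", [
    Rule(50, "allow", "allow-blocked-domain", ["blocked.example"]),
    Rule(100, "allow", "allow-pypi", ["pypi.org"]),
    Rule(65000, "deny", "project-default-deny"),
])


def verdicts(org: Policy, project: Policy,
             fqdns: List[str]) -> Dict[str, Tuple[str, str, bool]]:
    """Evaluate several destinations under org -> project ordering."""
    return {f: evaluate([org, project], f) for f in fqdns}


if __name__ == "__main__":
    targets = ["github.com", "blocked.example", "pypi.org", "other.example"]
    for label, org in (("strict org", ORG_STRICT), ("delegating org", ORG_DELEGATING)):
        print(label)
        for fqdn, verdict in verdicts(org, PROJECT, targets).items():
            print(f"  {fqdn:20} {verdict}")
```

Under ORG_STRICT every non-approved destination, including the project's own pypi.org allow, is decided by the organization's default deny. Under ORG_DELEGATING the org still wins for blocked.example despite the project's higher-precedence allow, pypi.org is allowed by the project rule, and anything else falls to the project's default deny.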
Exam: GCP Professional Cloud Security Engineer
Domain: Securing communications and establishing boundary protection