GCP Professional Cloud Security Engineer Practice Question
A security engineer needs to feed Compute Engine VM traffic into Cloud IDS for threat detection. The VMs run in the prod-vpc network in europe-west1. To centralize inspection, the engineer created a Packet Mirroring policy that lists the VMs as sources and chooses an existing Cloud IDS endpoint deployed in us-central1 as the collector. No mirrored packets arrive at Cloud IDS and no firewall drops are observed. What change will allow the mirrored traffic to be delivered?
Replace the Cloud IDS collector with an internal TCP/UDP load balancer, because Cloud IDS endpoints cannot be used as Packet Mirroring collectors.
Create or select a Cloud IDS endpoint in europe-west1 and update the Packet Mirroring policy so the collector is in the same region as the mirrored VMs.
Enable VPC Flow Logs on prod-vpc, because Packet Mirroring forwards only traffic from subnets that have flow logs turned on.
Assign only internal IP addresses to the VMs; Packet Mirroring ignores interfaces that also have external IPs.
Packet Mirroring is a regional feature. Both the mirrored sources and the collector destination must reside in the same region as the Packet Mirroring policy. Because the engineer chose a Cloud IDS endpoint in us-central1 while the VMs are in europe-west1, the platform silently discards the mirrored packets. Selecting or deploying a Cloud IDS endpoint (or another supported collector such as an internal load balancer) in europe-west1 and updating the policy resolves the issue. Enabling VPC Flow Logs, removing external IPs, or replacing Cloud IDS with a load balancer would not address the regional mismatch, and Cloud IDS is fully supported as a collector when located in the correct region.
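The regional rule in the explanation above can be checked before a policy goes live. This is an added example, not part of the original question: it compares the policy's region with the regions of its collector and mirrored resources, using the field names of the Compute Engine PacketMirroring resource, with a constructed sample policy and made-up project and resource names.

```python
import re

# Constructed sample in the shape of
# `gcloud compute packet-mirrorings describe --format=json`; all names are made up.
BASE = "https://www.googleapis.com/compute/v1/projects/example-proj"
SAMPLE_POLICY = {
    "name": "prod-mirror",
    "region": f"{BASE}/regions/europe-west1",
    # A Cloud IDS endpoint is referenced through its forwarding rule.
    "collectorIlb": {"url": f"{BASE}/regions/us-central1/forwardingRules/ids-endpoint-fr"},
    "mirroredResources": {
        "instances": [{"url": f"{BASE}/zones/europe-west1-b/instances/web-1"}],
        "subnetworks": [{"url": f"{BASE}/regions/europe-west1/subnetworks/prod-subnet"}],
    },
}


def region_of(url):
    """Return the region named in a Compute resource URL; zonal URLs map to their region."""
    m = re.search(r"/regions/([a-z0-9-]+)", url)
    if m:
        return m.group(1)
    # A zone name is the region name plus a one-letter suffix, e.g. europe-west1-b.
    m = re.search(r"/zones/([a-z0-9-]+)-[a-z](?:/|$)", url)
    return m.group(1) if m else None


def region_mismatches(policy):
    """List (kind, url, region) for every resource outside the policy's own region."""
    policy_region = region_of(policy["region"]) or policy["region"]
    resources = [("collector", policy["collectorIlb"]["url"])]
    mirrored = policy.get("mirroredResources", {})
    for kind in ("instances", "subnetworks"):
        resources += [(kind, r["url"]) for r in mirrored.get(kind, [])]
    return [(k, u, region_of(u)) for k, u in resources if region_of(u) != policy_region]


if __name__ == "__main__":
    for kind, url, region in region_mismatches(SAMPLE_POLICY):
        print(f"{SAMPLE_POLICY['name']}: {kind} is in {region}, outside the policy region: {url}")
```

Run against the sample, the check flags only the collector in us-central1; pointing the collector at a forwarding rule in europe-west1 clears it.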
GCP Professional Cloud Security Engineer
Managing operations