GCP Professional Cloud Security Engineer Practice Question

A security-sensitive workload runs on a Compute Engine VM in a Shared VPC service project. The VM is placed in a private subnet that has no external IP address, and the organization must meet these requirements:

  • The VM needs programmatic access to Cloud Storage and BigQuery APIs.
  • No other outbound internet traffic must be possible from the subnet.
  • The design must minimize operational overhead and avoid adding new gateways outside the VPC.

You are asked to provide the networking configuration that satisfies all requirements. What should you do?

  • Enable Private Google Access on the subnet and add an egress firewall rule that denies 0.0.0.0/0 except 199.36.153.8/30.

  • Create a Cloud NAT gateway for the subnet and restrict egress with a custom static route to 199.36.153.8/30.

  • Assign a temporary external IP address to the VM, enable Cloud Armor WAF, and rely on IAM to protect the APIs.

  • Configure Private Service Connect endpoints for the required APIs and advertise a default-route-reject community on the Cloud Router.

GCP Professional Cloud Security Engineer
Securing communications and establishing boundary protection