GCP Professional Cloud Security Engineer Practice Question
Your company enforces VPC Service Controls to protect sensitive data in Cloud Storage and BigQuery. Linux virtual machines in the prod-vpc subnet have only internal IP addresses but need to call those two services. All other Google APIs must be blocked to reduce the data-exfiltration surface, and no application code changes are allowed. Which network configuration change will meet the security goal with the least operational overhead?
Add an egress VPC firewall rule that denies TCP 443 to 0.0.0.0/0 except for the private.googleapis.com VIP range (199.36.153.4/30).
Create a private Cloud DNS zone that resolves *.googleapis.com to the restricted.googleapis.com VIP (199.36.153.8/30) and keep Private Google Access enabled on the subnet.
Deploy a Cloud NAT gateway and configure destination filters so that only the public IP ranges of Cloud Storage and BigQuery can be reached.
Insert an external HTTP(S) load balancer with custom URL maps in front of the VMs and allow only paths that match storage.googleapis.com and bigquery.googleapis.com.
With Private Google Access enabled, VM traffic to *.googleapis.com is still resolved to the default private.googleapis.com virtual IP range 199.36.153.4/30, which allows connectivity to every Google API and therefore does not satisfy the restriction requirement. Creating a private Cloud DNS zone that maps *.googleapis.com to the restricted VIP 199.36.153.8/30 transparently redirects all API calls to restricted.googleapis.com. This limits access to only those services supported by VPC Service Controls (including Cloud Storage and BigQuery) while blocking other Google APIs, and it requires no changes to application code. Alternatives such as Cloud NAT with IP allow-lists, external load balancers, or selective firewall rules either leave gaps, are complex to maintain, or still expose unrestricted API endpoints.
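The configuration the correct answer describes, written here as an added Terraform fragment for illustration (it is not part of the question page); it assumes an existing network resource named google_compute_network.prod_vpc and uses constructed zone and route names.

```hcl
# Private Cloud DNS zone for googleapis.com, visible only to prod-vpc.
resource "google_dns_managed_zone" "restricted_googleapis" {
  name       = "restricted-googleapis"   # constructed name
  dns_name   = "googleapis.com."
  visibility = "private"

  private_visibility_config {
    networks {
      network_url = google_compute_network.prod_vpc.id   # assumed resource
    }
  }
}

# restricted.googleapis.com resolves to the restricted VIP range 199.36.153.8/30,
# which only serves APIs that support VPC Service Controls.
resource "google_dns_record_set" "restricted_vip" {
  name         = "restricted.googleapis.com."
  managed_zone = google_dns_managed_zone.restricted_googleapis.name
  type         = "A"
  ttl          = 300
  rrdatas      = ["199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"]
}

# Every other *.googleapis.com name (storage, bigquery, ...) is aliased to the
# restricted endpoint, so no application code or endpoint override is needed.
resource "google_dns_record_set" "wildcard_googleapis" {
  name         = "*.googleapis.com."
  managed_zone = google_dns_managed_zone.restricted_googleapis.name
  type         = "CNAME"
  ttl          = 300
  rrdatas      = ["restricted.googleapis.com."]
}

# Route the restricted VIP range via the default internet gateway. Required if
# the VPC has no default 0.0.0.0/0 route; Private Google Access stays enabled
# on the subnet so internal-only VMs can reach the VIP.
resource "google_compute_route" "restricted_googleapis" {
  name             = "restricted-googleapis-route"   # constructed name
  network          = google_compute_network.prod_vpc.name
  dest_range       = "199.36.153.8/30"
  next_hop_gateway = "default-internet-gateway"
  priority         = 1000
}
```

After applying, a VM in prod-vpc should resolve storage.googleapis.com to an address in 199.36.153.8/30; a resolution to any other address means the private zone is not attached to the network.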
GCP Professional Cloud Security Engineer
Securing communications and establishing boundary protection