GCP Professional Cloud Security Engineer Practice Question
Your company has several Google Cloud projects grouped under a Dev folder. A new compliance control states that every VPC in that folder must deny all egress traffic by default, permit only HTTPS access to *.gcr.io and metadata.googleapis.com for image pulls and OS updates, and automatically block any connection whose destination IP appears on Google-maintained threat-intelligence lists. What is the most efficient way to meet these requirements with minimal ongoing operational effort?
Enable Identity-Aware Proxy for all workloads and create a VPC Service Controls perimeter that only allows access to gcr.io; rely on these services to satisfy the new egress restrictions.
Deploy a shared VPC with a Cloud NAT gateway restricted to port 443 and use Cloud DNS policies to block unwanted domains while relying on default VPC firewall rules for egress control.
Create a global Cloud NGFW policy and attach it to the Dev folder; set the default egress action to deny, add FQDN allow rules for *.gcr.io and metadata.googleapis.com, and enable Threat Intelligence blocking in the same policy.
Configure identical VPC firewall rules in every project: one egress deny rule for 0.0.0.0/0, two allow rules for the required domains, and apply Cloud Armor security policies to each VM to block malicious IPs.
A global Cloud Next Generation Firewall (Cloud NGFW) policy attached at the folder level is enforced on every VPC in child projects, so you can manage rules centrally. Setting the policy's default egress action to deny satisfies the blanket block. Adding FQDN-based allow rules for *.gcr.io and metadata.googleapis.com meets the specific-destination exception. Enabling Threat Intelligence in the same policy causes automatic deny or logging of traffic to IPs on Google's known malicious lists. The alternative approaches either require per-project rule management, rely on services (Cloud Armor, IAP, VPC Service Controls) that do not enforce egress firewall filtering, or cannot implement FQDN and threat-intel blocking, so they fail to satisfy both the technical and operational requirements.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is Cloud NGFW and how does it work in Google Cloud?
Open an interactive chat with Bash
What is Threat Intelligence and how does it help in firewall policies?
Open an interactive chat with Bash
What does FQDN-based firewall rules mean, and why are they used?
Open an interactive chat with Bash
What is a Cloud Next Generation Firewall (Cloud NGFW)?
Open an interactive chat with Bash
How do FQDN-based rules work in Cloud NGFW policies?
Open an interactive chat with Bash
What is Threat Intelligence in Cloud NGFW policies?
Open an interactive chat with Bash
GCP Professional Cloud Security Engineer
Securing communications and establishing boundary protection
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .