GCP Professional Cloud Security Engineer Practice Question
Your company is building a PCI-DSS cardholder data environment (CDE) on Google Cloud. The CDE lives in a dedicated folder under the organization and spans multiple projects that share a host VPC. A control states: "Outbound traffic from any CDE subnet must be restricted to a short allow-list of compliance-scanner IPs. No other egress is permitted, and project admins must not bypass or remove the control." Which design meets this requirement while minimizing operational overhead?
Disable Private Google Access and Cloud NAT on the Shared VPC and expose the scanner IPs through external HTTP(S) load balancing so instances cannot send traffic elsewhere.
Create subnet-level egress deny rules in each CDE project with priority 1000 that block all destinations except the scanner IP range; instruct network admins in every project to keep the rules in place.
Configure a VPC Service Controls perimeter around the CDE projects and add the scanner IP range to the perimeter's access level; no additional firewall rules are required.
Attach a hierarchical firewall policy to the CDE folder that first allows egress to the scanner IPs, followed by a lower-priority rule that denies all other egress; ensure project owners lack firewall-policy admin rights.
A hierarchical firewall policy applied at the CDE folder is evaluated before any project-level VPC firewall rules. By creating a high-priority rule that explicitly allows egress only to the required scanner IP addresses and then a lower-priority rule that denies all remaining egress, the policy enforces the mandated segmentation. Because the policy is attached at the folder level, project owners inside the folder cannot modify or remove it unless they have the Organization or Folder Firewall Policy Admin role, so the control cannot be bypassed. VPC Service Controls do not filter arbitrary IP traffic, and relying on subnet-level rules or disabling Cloud NAT would either be labor-intensive or block legitimate traffic.
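The evaluation order the explanation above relies on (folder policy before project VPC rules, first match by priority), as an added Python model that is not from the page or from Google Cloud's own tooling; the scanner range, priorities and level names are constructed assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(order=True)
class Rule:
    """One egress rule: the lower priority number is evaluated first."""
    priority: int
    action: str = field(compare=False)   # "allow", "deny" or "goto_next"
    dest: str = field(compare=False)     # destination CIDR the rule matches


def first_match(rules, dst):
    """Return the highest-priority rule whose destination range contains dst, else None."""
    for rule in sorted(rules):
        if ip_address(dst) in ip_network(rule.dest):
            return rule
    return None


def evaluate_egress(levels, dst):
    """Evaluate egress to dst through the levels in order (org -> folder -> project VPC rules).

    Hierarchical policies are consulted before VPC firewall rules; a level with no match
    (or a goto_next rule) hands off to the next level. Past the last level the implied
    allow-all egress rule applies. Simplified model: network firewall policies are omitted.
    """
    for name, rules in levels:
        rule = first_match(rules, dst)
        if rule is None or rule.action == "goto_next":
            continue
        return rule.action, name
    return "allow", "implied-allow-egress"


# Constructed placeholder for the compliance-scanner allow-list (TEST-NET-3 range).
SCANNER_RANGE = "203.0.113.0/29"

# Folder-level policy from the correct option: allow the scanners, then deny everything else.
cde_folder_policy = [
    Rule(1000, "allow", SCANNER_RANGE),
    Rule(2000, "deny", "0.0.0.0/0"),
]

# A project admin later adds an allow-all egress VPC rule inside one CDE project.
project_vpc_rules = [Rule(100, "allow", "0.0.0.0/0")]

with_folder_policy = [("org", []), ("cde-folder", cde_folder_policy), ("project", project_vpc_rules)]
without_folder_policy = [("org", []), ("cde-folder", []), ("project", project_vpc_rules)]

if __name__ == "__main__":
    print(evaluate_egress(with_folder_policy, "203.0.113.5"))     # ('allow', 'cde-folder')
    print(evaluate_egress(with_folder_policy, "198.51.100.7"))    # ('deny', 'cde-folder')
    print(evaluate_egress(without_folder_policy, "198.51.100.7")) # ('allow', 'project')
```

The second call shows why the project-level allow rule never takes effect once the folder policy is attached, which is the property the control demands.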
GCP Professional Cloud Security Engineer
Supporting compliance requirements