GCP Professional Cloud Security Engineer Practice Question
Your company is building a Vertex AI custom-training workflow that processes sensitive financial data stored in Cloud Storage. Compliance mandates that (1) the training VMs must not have external IP addresses, (2) all traffic between the training service, Cloud Storage, and Vertex AI APIs must stay on Google's private network, and (3) any egress to Google-managed services outside an approved boundary must be blocked. The training image still needs to pull Python packages from an Artifact Registry repository in the same project. Which network design satisfies these requirements while keeping operational overhead low?
Configure Private Service Connect endpoints for Vertex AI and Cloud Storage but allow training VMs to keep their external IPs; rely on Cloud Armor policies to block traffic to unauthorized Google APIs.
Create a VPC Service Controls perimeter that includes Vertex AI, Cloud Storage, and Artifact Registry; configure Private Service Connect endpoints for Vertex AI APIs; run training jobs in a private subnet that has Private Google Access enabled and no external IP addresses.
Enable Private Google Access on the default VPC and apply an organization policy that denies external IPs for Compute Engine; do not configure VPC Service Controls or Private Service Connect.
Disable external IPs on the training VMs and use a Cloud NAT gateway; restrict egress with firewall rules so only Cloud Storage and Artifact Registry IP ranges are allowed.
Placing the project's Google-managed services in a VPC Service Controls perimeter prevents data exfiltration to other Google APIs. Adding Artifact Registry to the same perimeter still allows the training container to download its dependencies. Private Service Connect creates private endpoints for Vertex AI so control-plane calls never traverse the public internet. Running the job on a subnet that has no external IPs but is enabled for Private Google Access lets the training VMs reach Google APIs over Google's private backbone without requiring Cloud NAT or public IPs. The other choices either rely only on firewall rules, still expose public IPs, or do not stop calls to other Google services, so they do not fully meet the exfiltration and public-internet avoidance requirements.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is VPC Service Controls in Google Cloud?
Open an interactive chat with Bash
How does Private Service Connect enhance security?
Open an interactive chat with Bash
Why enable Private Google Access for private subnets?
Open an interactive chat with Bash
What is VPC Service Controls in GCP?
Open an interactive chat with Bash
What is Private Google Access?
Open an interactive chat with Bash
What is Private Service Connect in GCP?
Open an interactive chat with Bash
GCP Professional Cloud Security Engineer
Ensuring data protection
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .