GCP Professional Cloud Security Engineer Practice Question
Your company operates a production VPC with two private subnets in europe-west1. A Cloud Router peers with an HA VPN gateway that connects to the on-premises network, and a Cloud NAT gateway attached to that router was provisioned by using automatic subnet discovery. During testing, developers in subnet app-svc (10.50.2.0/24) can reach the public internet as expected, but database nodes in subnet db-svc (10.50.3.0/24) are also being NATed, violating a policy that forbids internet access from db-svc. Which configuration change best enforces the policy while continuing to use the same NAT IP addresses for app-svc only?
Disable Private Google Access on the db-svc subnet so its instances cannot reach external addresses.
Create a high-priority egress firewall rule on the db-svc subnet that denies traffic to 0.0.0.0/0.
Deploy a second Cloud NAT gateway dedicated to db-svc and configure it with no external IP addresses.
Reconfigure the existing Cloud NAT gateway to use manual (custom) subnetworks mode and include only the app-svc subnet's primary range.
With automatic subnet discovery (all subnets, all IP ranges), Cloud NAT translates traffic from the primary and secondary ranges of every current and future subnet in the region, which is why db-svc was picked up without anyone listing it. To restrict egress to a specific subnet, switch the gateway to manual (custom) subnet selection and list only the app-svc subnet's primary range (add its secondary ranges only if they also need egress). Changing the subnet selection does not touch the gateway's NAT IP allocation, so app-svc keeps the same external addresses. The other options fail for different reasons. A blanket egress-deny rule to 0.0.0.0/0 would also drop traffic from db-svc to on-premises over the HA VPN and to other VPC subnets unless higher-priority allow rules are layered on top, and it leaves the gateway still configured to translate db-svc. Disabling Private Google Access only affects reaching Google APIs and services from instances without external IPs; it has no effect on general internet egress through Cloud NAT. A Cloud NAT gateway cannot operate with no NAT IP addresses, and in any case each subnet IP range in a region can be served by only one Cloud NAT gateway, so a second gateway could not take over db-svc while the first is still in automatic mode. Therefore converting the existing NAT configuration to manual subnet selection is the correct solution. One caveat: subnet selection only controls what Cloud NAT translates. Instances in db-svc that are given their own external IP addresses bypass NAT entirely, so pair this change with the compute.vmExternalIpAccess organization policy constraint (and, as defence in depth, an egress deny rule scoped to db-svc workloads) to make the no-internet policy hold.
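The before/after gateway configurations, as an added example that is not part of the original question or explanation: the two dicts below are constructed to mirror the field names Cloud NAT exposes (sourceSubnetworkIpRangesToNat, subnetworks[].sourceIpRangesToNat, secondaryIpRangeNames) in `gcloud compute routers nats describe --format=json` output, and the check works out which subnet ranges each configuration would translate. The project id, router and gateway names, and the secondary range on app-svc are assumptions made for the example.

```python
"""Work out which subnet ranges a Cloud NAT gateway will translate.

Added example (not the page's own code). The NAT configurations below are
constructed to follow the shape of `gcloud compute routers nats describe
--format=json`; project, router, gateway and secondary-range names are assumed.
"""
from __future__ import annotations

PROJECT = "example-prod"   # assumed project id
REGION = "europe-west1"
_SUBNET_URL = "https://www.googleapis.com/compute/v1/projects/{p}/regions/{r}/subnetworks/{s}"


def subnet_url(name: str, project: str = PROJECT, region: str = REGION) -> str:
    """Full self-link, as the API stores it in subnetworks[].name."""
    return _SUBNET_URL.format(p=project, r=region, s=name)


# Subnets in the region: primary range plus named secondary ranges.
# The "pods" secondary range on app-svc is an assumption for the example.
SUBNETS = {
    "app-svc": {"primary": "10.50.2.0/24", "secondary": {"pods": "10.60.0.0/20"}},
    "db-svc": {"primary": "10.50.3.0/24", "secondary": {}},
}

# "Before": gateway provisioned with automatic subnet discovery.
NAT_AUTOMATIC = {
    "name": "prod-nat",
    "natIpAllocateOption": "AUTO_ONLY",
    "sourceSubnetworkIpRangesToNat": "ALL_SUBNETWORKS_ALL_IP_RANGES",
}

# "After": manual (custom) selection listing only app-svc's primary range.
# This is what the following command produces (names assumed):
#   gcloud compute routers nats update prod-nat --router=prod-router \
#       --region=europe-west1 --nat-custom-subnet-ip-ranges=app-svc
NAT_MANUAL = {
    "name": "prod-nat",
    "natIpAllocateOption": "AUTO_ONLY",  # NAT IPs are untouched by the change
    "sourceSubnetworkIpRangesToNat": "LIST_OF_SUBNETWORKS",
    "subnetworks": [
        {"name": subnet_url("app-svc"), "sourceIpRangesToNat": ["PRIMARY_IP_RANGE"]},
    ],
}


def natted_ranges(nat: dict, subnets: dict) -> dict[str, list[str]]:
    """Return {subnet_name: [cidr, ...]} of the ranges this gateway translates."""
    mode = nat["sourceSubnetworkIpRangesToNat"]
    result: dict[str, list[str]] = {}
    if mode == "ALL_SUBNETWORKS_ALL_IP_RANGES":
        # Automatic discovery: every subnet, primary and secondary ranges.
        for name, s in subnets.items():
            result[name] = [s["primary"], *s["secondary"].values()]
    elif mode == "ALL_SUBNETWORKS_ALL_PRIMARY_IP_RANGES":
        for name, s in subnets.items():
            result[name] = [s["primary"]]
    elif mode == "LIST_OF_SUBNETWORKS":
        # Manual selection: only the listed subnets, and only the listed ranges.
        for entry in nat.get("subnetworks", []):
            name = entry["name"].rsplit("/", 1)[-1]
            s = subnets[name]
            # A missing selector is treated conservatively as "all ranges".
            selectors = entry.get("sourceIpRangesToNat", ["ALL_IP_RANGES"])
            ranges: list[str] = []
            if "ALL_IP_RANGES" in selectors:
                ranges = [s["primary"], *s["secondary"].values()]
            else:
                if "PRIMARY_IP_RANGE" in selectors:
                    ranges.append(s["primary"])
                if "LIST_OF_SECONDARY_IP_RANGES" in selectors:
                    for rn in entry.get("secondaryIpRangeNames", []):
                        ranges.append(s["secondary"][rn])
            result[name] = ranges
    else:
        raise ValueError(f"unknown sourceSubnetworkIpRangesToNat: {mode}")
    return result


def violations(nat: dict, subnets: dict, forbidden: set[str]) -> list[str]:
    """Forbidden subnets that this gateway would still translate."""
    return sorted(n for n in natted_ranges(nat, subnets) if n in forbidden)


if __name__ == "__main__":
    policy = {"db-svc"}  # subnets that must never reach the internet
    for nat in (NAT_AUTOMATIC, NAT_MANUAL):
        print(nat["sourceSubnetworkIpRangesToNat"], natted_ranges(nat, SUBNETS),
              "violations:", violations(nat, SUBNETS, policy))
```

Running the script shows the automatic configuration translating both subnets (db-svc is a violation) and the manual one translating only 10.50.2.0/24. The same check can be pointed at real gateways by loading the JSON from `gcloud compute routers nats describe` and the subnet list from `gcloud compute networks subnets list`; a gateway in ALL_SUBNETWORKS_ALL_IP_RANGES mode in a region that contains a no-egress subnet is the condition to alert on.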
GCP Professional Cloud Security Engineer
Securing communications and establishing boundary protection