GCP Professional Cloud Security Engineer Practice Question
Your company runs several internal microservices in multiple GCP regions on a Shared VPC. Security policy requires that every outbound TLS connection those services initiate to the public internet be decrypted and inspected so malware uploads can be blocked based on application-layer signatures. The team does not want to deploy or manage host-based or explicit web proxies, and the solution must scale automatically in every current and future region. TLS decryption keys should be generated and rotated automatically by Google Cloud, without any customer-hosted key infrastructure. Which approach best meets these requirements?
Create an organization-level global network firewall policy, add an egress rule that uses a Cloud NGFW TLS inspection policy with Google-managed keys, enable the built-in intrusion-prevention service in blocking mode, and attach the policy to all Shared VPC networks.
Reroute all outbound traffic through an external HTTP(S) load balancer that terminates TLS with Google-managed certificates and apply a Cloud Armor web-application-firewall policy to block malicious uploads.
Enable Private Google Access and Cloud NAT, then add VPC firewall egress rules that deny connections to known malicious IP addresses based on threat-intelligence lists while allowing other destinations.
Deploy Secure Web Proxy in explicit mode, distribute a PAC file to every VM so egress traffic is forwarded through the proxy, and configure TLS interception using certificates issued by Certificate Authority Service.
A global Cloud NGFW network firewall policy can be attached to the Shared VPC so that enforcement happens directly on every VM's virtual NIC in all regions, eliminating the need for per-host proxies. An egress rule in the policy can reference a TLS inspection policy that uses the Google-managed subordinate CA automatically generated and rotated by Cloud NGFW to decrypt, inspect, and then re-encrypt outbound TLS traffic. Enabling the integrated intrusion-prevention service in blocking mode allows the firewall to drop malicious payloads detected at layer 7. Other options either require host-level proxy configuration (Secure Web Proxy), provide inspection only for traffic routed through a load balancer, or operate only at layers 3/4 without payload inspection (VPC firewall with Cloud NAT).
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a Shared VPC, and why is it useful in GCP?
Open an interactive chat with Bash
What is Cloud NGFW, and how does it handle TLS inspection?
Open an interactive chat with Bash
What is meant by intrusion-prevention service and layer 7 inspection?
Open an interactive chat with Bash
What is Cloud NGFW and how does it help with TLS inspection?
Open an interactive chat with Bash
How does automatic key rotation work in Google-managed CAs for Cloud NGFW?
Open an interactive chat with Bash
What is the difference between layer 7 inspection and layer 3/4 rules in firewall policies?
Open an interactive chat with Bash
GCP Professional Cloud Security Engineer
Securing communications and establishing boundary protection
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .