GCP Professional Cloud Security Engineer Practice Question
Your company's compliance team requires that all VM instances inside the prod-vpc are allowed to initiate outbound connections only to a short list of corporate SaaS providers whose hostnames may resolve to changing public IP addresses. You are using regional Cloud Next Generation Firewall because classic VPC firewall rules cannot express domain objects. Which configuration will most effectively enforce this requirement while minimizing operational effort when the SaaS providers rotate their IP ranges?
Publish the list of approved SaaS domains in an Organization-level hierarchical firewall policy so that all VPC networks inherit the same egress restriction.
Configure a Cloud NAT gateway for prod-vpc and restrict its allocated external IP addresses to the SaaS providers' address ranges.
Add egress VPC firewall rules in prod-vpc that specify the current public IP ranges of each SaaS provider and update them whenever the providers change their addresses.
Create a regional network firewall policy with egress rules that use FQDN objects for the approved SaaS hostnames, then attach the policy to the prod-vpc network.
Cloud Next Generation Firewall allows Fully Qualified Domain Name (FQDN) objects to be used in egress firewall policy rules. By creating a regional network firewall policy whose egress rules reference the approved domains (for example, *.workday.com and api.service-now.com) and attaching that policy to the prod-vpc network, you let Google Cloud resolve the domains and refresh the matching address list automatically. You do not need to maintain IP allow-lists by hand, and you avoid the wide blast radius of a hierarchical policy, which would affect other VPC networks as well. Standard VPC firewall rules and Cloud NAT do not understand FQDN objects and therefore cannot meet the requirement.
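The correct configuration expressed as gcloud commands, added here as an example and not part of the original question; the policy name, region, rule priorities and the placeholder SaaS hostnames are assumptions, and the catch-all deny rule is included because the requirement is that only the listed destinations are reachable.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): build the regional Cloud NGFW
# policy described in the answer. Policy name, region, hostnames and
# priorities are assumptions chosen for illustration.
set -euo pipefail

REGION="${REGION:-us-central1}"
NETWORK="${NETWORK:-prod-vpc}"
POLICY="${POLICY:-prod-egress-fqdn-policy}"
# Approved SaaS hostnames (constructed placeholders; replace with the real list).
APPROVED_FQDNS="api.saas-provider-a.example,sso.saas-provider-b.example"

# Emit the gcloud commands one per line so the plan can be reviewed before it runs.
ngfw_cmds() {
  # 1. Regional network firewall policy that holds the egress rules.
  echo "gcloud compute network-firewall-policies create ${POLICY} --region=${REGION} --description='Egress allow-list by FQDN for ${NETWORK}'"
  # 2. Allow HTTPS egress to the approved FQDN objects. Google Cloud resolves
  #    the names and refreshes the matching addresses; no manual IP lists.
  echo "gcloud compute network-firewall-policies rules create 1000 --firewall-policy=${POLICY} --firewall-policy-region=${REGION} --direction=EGRESS --action=allow --dest-fqdns=${APPROVED_FQDNS} --layer4-configs=tcp:443 --enable-logging"
  # 3. Lower-priority (higher number) catch-all deny: every other egress
  #    destination is blocked, and the denies are logged for detection.
  echo "gcloud compute network-firewall-policies rules create 65000 --firewall-policy=${POLICY} --firewall-policy-region=${REGION} --direction=EGRESS --action=deny --dest-ip-ranges=0.0.0.0/0 --layer4-configs=all --enable-logging"
  # 4. Associate the policy with prod-vpc only, not org-wide, to limit blast radius.
  echo "gcloud compute network-firewall-policies associations create --firewall-policy=${POLICY} --firewall-policy-region=${REGION} --network=${NETWORK} --name=${POLICY}-${NETWORK}"
}

# Quick self-check: number of rules that allow by FQDN object (expected: 1).
fqdn_allow_rule_count() {
  ngfw_cmds | grep -c -- '--action=allow --dest-fqdns='
}

# Apply only when gcloud is installed and APPLY=1; otherwise print the plan.
if [ "${APPLY:-0}" = "1" ] && command -v gcloud >/dev/null 2>&1; then
  ngfw_cmds | while IFS= read -r cmd; do eval "$cmd"; done
else
  ngfw_cmds
fi
```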
GCP Professional Cloud Security Engineer
Securing communications and establishing boundary protection