GCP Professional Cloud Security Engineer Practice Question
Your company uses a Shared VPC in the prod-host project; three service projects attach their VM workloads to the shared "prod-vpc" network. Web-tier instances that must receive HTTPS traffic from partner IP range 203.0.113.0/24 all run as the IAM service account [email protected] and share subnets with other internal services that must remain inaccessible from the partner network. You need to create a single VPC firewall rule in the host project to meet the requirement while following least-privilege and minimizing future operational overhead. Which configuration will satisfy the goal?
Attach a network firewall policy to the shared subnet with a rule that allows 0.0.0.0/0 to tcp:443 for any target because stateful inspection will protect other workloads.
Create an ingress firewall rule in prod-host that allows tcp:443 from 203.0.113.0/24, sets target service accounts to [email protected], and assigns a priority that takes precedence over the default deny (a lower priority number than the deny rule's).
Create matching ingress and egress rules that allow tcp:443 between 203.0.113.0/24 and all instances tagged "web", then tag the required VMs.
Create an ingress firewall rule that allows tcp:443 from 203.0.113.0/24 and targets the subnet IP range; rely on the default priority.
A single ingress firewall rule in the prod-host project that targets the web-tier service account and allows TCP port 443 only from 203.0.113.0/24 limits exposure to the web-tier VMs, even though they share subnets with other instances. Firewall rules for a Shared VPC network are defined in the host project and apply to every instance attached to that network, and a target service account may belong to any attached service project, so one rule covers all three service projects without per-project duplication. A service account is also a stronger selector than a network tag: attaching a VM to a service account requires the iam.serviceAccountUser role on that account, whereas a tag is a free-form label that any instance administrator can add, so tag-based rules depend on consistent manual tagging and can be applied to non-web instances by mistake. VPC firewall priority is a number from 0 to 65535 and the lowest number is evaluated first, so the allow rule must carry a lower number than any broad deny-all ingress rule (the implied deny-all ingress rule sits at 65535) for the partner traffic to be accepted. No egress rule is needed: VPC firewall rules are stateful, so replies to an allowed inbound connection are permitted automatically. The other options either expose additional instances (any source with no target selector, or every instance in the subnet range), depend on fragile tag management, or add an unnecessary egress rule.
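The following is an added example, not part of the exam page and not Google's code: a small model of how Google Cloud evaluates VPC firewall rules for ingress (numeric priority with the lowest number first, deny beating allow on ties, the implied deny-all ingress rule at 65535, target selection by service account or tag, stateful replies), run over two constructed VMs from different service projects that share a subnet. It shows that only the service-account-targeted rule exposes the web tier, that a priority number larger than the deny rule's silently blocks the partner traffic, and it renders the equivalent gcloud command. The project, network and instance names and the web-tier service-account address are assumptions; the page's real service-account address is not recoverable from it. Hierarchical and network firewall policies, which are evaluated before VPC rules, are not modelled.

```python
"""Model of Google Cloud VPC firewall ingress evaluation (added example, not
Google's code). Semantics reproduced from the VPC firewall documentation:
  * priority is an integer 0-65535; the LOWEST number is evaluated first
  * at equal priority a deny rule beats an allow rule
  * an implied "deny all ingress" rule sits behind every user rule at 65535
  * a rule with no target applies to every instance on the network; a rule
    with target service accounts or target tags applies only to matching VMs
  * rules belong to the host project's network and apply to service-project VMs
  * rules are stateful, so an allowed inbound flow needs no egress rule
Project, network, instance and service-account names are assumptions.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

HOST_PROJECT = "prod-host"
NETWORK = "prod-vpc"
PARTNER_RANGE = "203.0.113.0/24"
WEB_SA = "web-tier@svc-web.iam.gserviceaccount.com"  # assumed placeholder name


@dataclass(frozen=True)
class Instance:
    name: str
    project: str            # service project that owns the VM
    service_account: str
    tags: frozenset = frozenset()


@dataclass(frozen=True)
class Rule:
    name: str
    action: str             # "allow" | "deny"
    priority: int           # 0..65535, lower number wins
    source_ranges: tuple    # CIDR strings
    protocol: str           # "tcp", "udp", "icmp" or "all"
    ports: tuple = ()       # () means every port of the protocol
    target_sas: frozenset = frozenset()
    target_tags: frozenset = frozenset()

    def targets(self, inst: Instance) -> bool:
        if not self.target_sas and not self.target_tags:
            return True     # no target selector: every instance on the network
        return inst.service_account in self.target_sas or bool(inst.tags & self.target_tags)

    def matches(self, inst: Instance, src_ip: str, proto: str, port: int) -> bool:
        src = ip_address(src_ip)
        return (self.targets(inst)
                and any(src in ip_network(r) for r in self.source_ranges)
                and self.protocol in ("all", proto)
                and (not self.ports or port in self.ports))


def evaluate_ingress(rules, inst, src_ip, proto, port) -> str:
    """First matching user rule wins (lowest priority number, deny before allow
    on ties); the implied deny-all ingress rule answers when nothing matched."""
    for rule in sorted(rules, key=lambda r: (r.priority, r.action != "deny")):
        if rule.matches(inst, src_ip, proto, port):
            return rule.action
    return "deny"


def exposed_to(rules, instances, src_ip, proto="tcp", port=443):
    """Names of instances that would accept a new flow from src_ip on proto/port."""
    return sorted(i.name for i in instances
                  if evaluate_ingress(rules, i, src_ip, proto, port) == "allow")


def gcloud_create_command(rule: Rule) -> str:
    """Equivalent gcloud command, run against the host project that owns the VPC."""
    rules_flag = ("--rules=" + ",".join(f"{rule.protocol}:{p}" for p in rule.ports)
                  if rule.ports else f"--rules={rule.protocol}")
    parts = [f"gcloud compute firewall-rules create {rule.name}",
             f"--project={HOST_PROJECT}", f"--network={NETWORK}",
             "--direction=INGRESS", f"--action={rule.action.upper()}",
             f"--priority={rule.priority}", rules_flag,
             "--source-ranges=" + ",".join(rule.source_ranges)]
    if rule.target_sas:
        parts.append("--target-service-accounts=" + ",".join(sorted(rule.target_sas)))
    if rule.target_tags:
        parts.append("--target-tags=" + ",".join(sorted(rule.target_tags)))
    return " \\\n  ".join(parts)


# Constructed scenario: two VMs from different service projects on one subnet of prod-vpc.
WEB_1 = Instance("web-1", "svc-web", WEB_SA, frozenset({"web"}))
BILLING_1 = Instance("billing-1", "svc-billing", "billing@svc-billing.iam.gserviceaccount.com")
FLEET = (WEB_1, BILLING_1)

# Broad explicit deny kept at the bottom of the rule set (65535 is the implied one).
DENY_ALL_INGRESS = Rule("deny-all-ingress", "deny", 65000, ("0.0.0.0/0",), "all")
# The chosen answer: partner range -> tcp:443, targeted by service account, and a
# priority number LOWER than the deny rule so it is evaluated first.
ALLOW_PARTNER_HTTPS = Rule("allow-partner-https", "allow", 1000, (PARTNER_RANGE,),
                           "tcp", (443,), target_sas=frozenset({WEB_SA}))
# The first distractor: tcp:443 from anywhere with no target selector.
ALLOW_ANY_HTTPS = Rule("allow-any-https", "allow", 1000, ("0.0.0.0/0",), "tcp", (443,))

if __name__ == "__main__":
    good = [ALLOW_PARTNER_HTTPS, DENY_ALL_INGRESS]
    print(exposed_to(good, FLEET, "203.0.113.10"))   # ['web-1']
    print(exposed_to(good, FLEET, "198.51.100.7"))   # []
    print(exposed_to([ALLOW_ANY_HTTPS, DENY_ALL_INGRESS], FLEET, "198.51.100.7"))  # ['billing-1', 'web-1']
    print(exposed_to([replace(ALLOW_PARTNER_HTTPS, priority=65100), DENY_ALL_INGRESS],
                     FLEET, "203.0.113.10"))         # [] : deny now evaluated first
    print(gcloud_create_command(ALLOW_PARTNER_HTTPS))
```

The `priority=65100` case is the trap behind the wording "a priority higher than the default deny": in Google Cloud a higher-precedence rule has a numerically lower priority, so an allow rule created with the default priority of 1000 beats a deny at 65000, but one created at 65100 never fires. The generated command is what the rule in the chosen answer looks like when created in the host project; the service account is referenced by e-mail address and does not need to live in prod-host.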
GCP Professional Cloud Security Engineer
Securing communications and establishing boundary protection