GCP Professional Cloud Security Engineer Practice Question
Your organization hosts dozens of VPC networks spread across many projects. Security leadership has mandated that:
1. Any egress traffic destined for IP addresses contained in Google's Threat Intelligence feed must be blocked everywhere.
2. Production VMs may initiate outbound connections only to a short allow-list of partner FQDNs; all other egress from production VMs must be denied.
3. Development VMs must keep their current ability to reach the public internet for testing purposes.
You have these constraints:
Administration of individual projects is delegated to separate teams.
You must minimize ongoing operational overhead for security teams and avoid forcing project admins to re-create rules.
Future projects added under the same folder structure must inherit the protections automatically.
Which design best meets all requirements while respecting the principle of least privilege?
A. In every project, replace existing VPC firewall rules with identical sets that deny egress to malicious IPs, then create additional egress rules in each production VPC to allow partner FQDNs and deny all other destinations.
B. Create an organization-level Cloud NGFW firewall policy with a high-priority deny rule that references the Threat Intelligence "malicious IP" list, attach it to the organization node, and attach a second folder-level firewall policy to the production folder with higher-priority allow rules for the partner FQDNs followed by a deny-all; leave development projects without the folder-level policy.
C. Deploy separate regional Cloud NAT gateways for production and development; configure the production NAT gateway with custom route advertisements limited to partner IP ranges and leave development NAT open. Use no Cloud NGFW policies.
D. Enable Identity-Aware Proxy (IAP) for all VMs, require tunnelling outbound traffic through IAP TCP forwarding, and attach a single VPC firewall rule that denies traffic to malicious IPs at each project.
Google Cloud hierarchical firewall policies let you create centrally managed rule sets that apply to all VPC networks inside an organization or folder. Attaching a single organization-level firewall policy that contains a high-priority (low number) deny rule using Threat Intelligence meets requirement 1 globally. Because this policy sits at the org node, every existing or future project inherits the rule automatically, and project owners cannot override it with lower-priority project VPC rules.
Requirement 2 is met by attaching a folder-level firewall policy (or project-level if production projects are grouped under one folder) that contains higher-priority egress rules: first, one or more allow rules matching the approved partner FQDNs, followed by a deny-all egress rule. These apply only to the production projects in that folder. Since hierarchical firewall policies are evaluated in order of attachment depth (org → folder → project) and by rule priority within each policy, the production-specific allow list is evaluated before the organization's deny-malicious-IP rule, ensuring legitimate partner traffic is permitted while malicious IPs are still blocked.
Development projects are outside the production folder, so they inherit only the org-wide Threat Intelligence deny rule. All other egress remains allowed because no additional restrictive rules are attached to their folders or projects, satisfying requirement 3.
Using traditional VPC firewall rules or Cloud NAT policies would force each project team to duplicate or maintain rules, violating the low-overhead goal, and would not guarantee future projects inherit the protections. Implementing Private Service Connect or IAP does not address generic egress control. Therefore, centrally managed hierarchical firewall policies with Threat Intelligence and FQDN-based rules provide the most effective and scalable solution.
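As an added illustration (not part of the original question page), the following Python simulation models the hierarchical design the explanation describes: the org-level policy is evaluated first, then the production folder's policy, then the VPC's implied allow-egress default. The threat-intel IPs and the partner FQDN are constructed placeholders, not real indicator data or a real Google-managed list.

```python
from dataclasses import dataclass, field

# Constructed stand-in for the Google-managed Threat Intelligence list.
THREAT_INTEL = {"203.0.113.7", "198.51.100.9"}
# Constructed partner FQDN allow-list for the production folder.
PARTNER_FQDNS = {"api.partner.example"}


@dataclass
class Rule:
    priority: int                 # lower number is evaluated first
    action: str                   # "allow" or "deny"
    dest_ips: set = field(default_factory=set)    # match on destination IP
    dest_fqdns: set = field(default_factory=set)  # match on destination FQDN
    match_all: bool = False       # a catch-all rule such as deny-all

    def matches(self, dst_ip, dst_fqdn):
        return (self.match_all or dst_ip in self.dest_ips
                or (dst_fqdn is not None and dst_fqdn in self.dest_fqdns))


def evaluate_policy(rules, dst_ip, dst_fqdn):
    """First matching rule in priority order wins; None means no match,
    so evaluation falls through to the next level of the hierarchy."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(dst_ip, dst_fqdn):
            return rule.action
    return None


# Org node: one high-priority deny referencing the threat-intel list.
ORG_POLICY = [Rule(1000, "deny", dest_ips=THREAT_INTEL)]
# Production folder: partner allows first, then deny every other egress.
PROD_FOLDER_POLICY = [
    Rule(100, "allow", dest_fqdns=PARTNER_FQDNS),
    Rule(200, "deny", match_all=True),
]
# Development projects sit outside the production folder: no folder policy.
DEV_FOLDER_POLICY = None


def egress_verdict(folder_policy, dst_ip, dst_fqdn=None):
    """Org policy is evaluated before the folder policy; if neither matches,
    the VPC's implied allow-egress default applies."""
    for policy in (ORG_POLICY, folder_policy or []):
        verdict = evaluate_policy(policy, dst_ip, dst_fqdn)
        if verdict is not None:
            return verdict
    return "allow"
```

Running the verdict function for a production VM and a development VM against a threat-intel IP, a partner FQDN, and an arbitrary public host reproduces the three mandated outcomes without any per-project rules.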
Securing communications and establishing boundary protection