GCP Professional Cloud Security Engineer Practice Question

Your organization is ordering a 10-Gbps Dedicated Interconnect connection to link its on-premises data center with a Google Cloud VPC. Due to regulatory requirements, every packet that traverses the interconnect must be cryptographically protected without sending traffic over the public internet, and you want to avoid adding parallel VPN tunnels that could become a bottleneck at 3 Gbps per tunnel. Which configuration best satisfies these requirements while preserving the full 10-Gbps throughput of the Dedicated Interconnect link?

Enable Private Google Access on all VPC subnets that will use the interconnect.
Attach the interconnect to a Cloud Router that uses Customer-managed encryption keys (CMEK) from Cloud KMS.
Enable MACsec on the Dedicated Interconnect VLAN attachments to provide AES-256 encryption at Layer 2.
Deploy HA VPN over the Dedicated Interconnect to encrypt traffic with IPsec.

Report Issue

Answer Description

Enabling MACsec on a Dedicated Interconnect encrypts all Layer-2 frames as they cross the fiber between your router and Google's edge, providing strong AES-256 encryption with no reduction of the circuit's line-rate throughput. HA VPN over Interconnect would meet the encryption requirement but uses IPsec tunnels limited to a few gigabits per tunnel and introduces additional encapsulation overhead. Enabling Cloud KMS on VLAN attachments or turning on Private Google Access do not encrypt all traffic over the interconnect; KMS secures data at rest, and Private Google Access only affects access to Google APIs. Therefore, enabling MACsec on the Dedicated Interconnect attachments is the only option that meets both the compliance mandate and the full-bandwidth objective.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.