GCP Professional Cloud Security Engineer Practice Question
Your organization operates two VPC networks in us-west1 and europe-west1. All Compute Engine VMs have only internal IP addresses but must occasionally access public SaaS applications on the internet. Security policy states that every outbound HTTP and HTTPS request must be filtered against approved URL categories, decrypted and inspected with a corporate-issued root certificate, and exported to Cloud Logging. The solution must be highly available, fully managed, and require minimal ongoing maintenance. Which architecture best meets these requirements?
Deploy Secure Web Proxy in each region behind an internal load balancer, create a proxy policy with URL filtering and threat intelligence, enable TLS inspection using a subordinate CA from Certificate Authority Service, and route all egress traffic to the proxy.
Create an external global HTTPS load balancer with Google-managed SSL certificates, enable Cloud IDS and Cloud Armor, and update the VPC default route to point to the load balancer VIP for all outbound traffic.
Run Squid proxy instances in managed instance groups in both regions, configure URL filtering and TLS interception with the corporate CA, place them behind an internal TCP load balancer, and send logs to Cloud Logging.
Enable Cloud NAT in each region and attach a Cloud Armor security policy with custom rules so Cloud NAT can filter and decrypt outbound TLS traffic before it reaches the internet.
Secure Web Proxy is a fully managed, regional Google Cloud service for outbound web traffic. Access is governed by a gateway security policy whose rules are CEL session and application matchers (destination host, membership in a URL list, source identity), and TLS inspection is enabled per rule: the proxy terminates the client's TLS session, issues a server certificate on the fly from a subordinate CA held in a Certificate Authority Service CA pool, and opens a new TLS connection to the real destination, so clients only need to trust the corporate root that signed the subordinate. Each gateway is deployed in a region with a proxy-only subnet, scales automatically, and is reached through an internal load balancer address. VMs with only internal IP addresses use it either as an explicit proxy (pointing their proxy settings at that address) or, in next-hop routing mode, through a default 0.0.0.0/0 route whose next hop is the proxy. Every transaction is logged to Cloud Logging, which covers the export requirement.

The other options fail on inspection or on the operational requirement. Cloud NAT only translates addresses and does not filter, decrypt or log request content; Cloud Armor protects inbound traffic to load balancer backends; Cloud IDS is an out-of-band, detection-only service fed by Packet Mirroring and can neither decrypt nor block traffic; an external HTTPS load balancer handles inbound connections, not egress. A self-managed Squid fleet could meet the functional requirements, but patching, scaling, protecting the CA key material and shipping logs all fall on the team, contradicting the "fully managed, minimal maintenance" requirement. Deploying Secure Web Proxy in each region with a gateway security policy and a TLS inspection policy backed by CAS is therefore the correct approach.
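The following gcloud walk-through is an added example and is not part of the original question or of Google's documentation. It builds one region's worth of the correct answer: a proxy-only subnet, a CAS CA pool with a subordinate CA, a TLS inspection policy, a gateway security policy with an allow rule for an approved URL list and a catch-all deny, the gateway itself in next-hop mode, a default route to it, and a client-side check that the certificate seen by a VM was issued by the corporate subordinate CA. Project, network, address ranges, certificate names and the service-agent identity granted on the CA pool are assumptions to confirm against the current docs before running; the deploy function is only executed when RUN_DEPLOY=1.

```shell
#!/bin/sh
# Added example (not from the original page): Secure Web Proxy egress with TLS
# inspection in one region. All names and ranges below are assumptions.
set -eu

SWP_PROJECT="my-project"            # assumption
SWP_REGION="us-west1"               # repeat the whole procedure for europe-west1
SWP_NETWORK="corp-vpc"              # assumption: existing VPC
SWP_CLIENT_SUBNET="corp-vpc-${SWP_REGION}"
SWP_PROXY_SUBNET="swp-proxy-only-${SWP_REGION}"
SWP_PROXY_IP="10.128.0.99"          # assumption: free address in the client subnet
SWP_CA_POOL="corp-swp-pool"
SWP_TLS_POLICY="swp-tls-inspect"
SWP_GW_POLICY="swp-egress-policy"
SWP_GATEWAY="swp-${SWP_REGION}"
SWP_URL_LIST="approved-saas"

# CEL session matcher: allow only destinations on the approved URL list.
swp_session_matcher() {
  printf "inUrlList(host(), 'projects/%s/locations/%s/urlLists/%s')" \
    "$SWP_PROJECT" "$SWP_REGION" "$1"
}

# Gateway manifest. NEXT_HOP_ROUTING_MODE lets a 0.0.0.0/0 route deliver traffic
# to the proxy; EXPLICIT_ROUTING_MODE requires every client to set proxy settings.
swp_gateway_yaml() {
  cat <<EOF
name: projects/$SWP_PROJECT/locations/$SWP_REGION/gateways/$SWP_GATEWAY
type: SECURE_WEB_GATEWAY
routingMode: $1
addresses: ["$SWP_PROXY_IP"]
ports: [443]
certificateUrls: ["projects/$SWP_PROJECT/locations/$SWP_REGION/certificates/swp-cert"]  # assumption: existing Certificate Manager cert for the proxy itself
gatewaySecurityPolicy: projects/$SWP_PROJECT/locations/$SWP_REGION/gatewaySecurityPolicies/$SWP_GW_POLICY
network: projects/$SWP_PROJECT/global/networks/$SWP_NETWORK
subnetwork: projects/$SWP_PROJECT/regions/$SWP_REGION/subnetworks/$SWP_CLIENT_SUBNET
scope: ${SWP_GATEWAY}-scope
EOF
}

# TLS inspection policy: which CA pool the proxy mints server certificates from.
swp_tls_policy_yaml() {
  printf 'name: projects/%s/locations/%s/tlsInspectionPolicies/%s\ncaPool: projects/%s/locations/%s/caPools/%s\n' \
    "$SWP_PROJECT" "$SWP_REGION" "$SWP_TLS_POLICY" "$SWP_PROJECT" "$SWP_REGION" "$SWP_CA_POOL"
}

deploy_swp() {
  gcloud config set project "$SWP_PROJECT"
  gcloud services enable networksecurity.googleapis.com networkservices.googleapis.com \
    privateca.googleapis.com certificatemanager.googleapis.com
  # Proxy-only subnet the managed proxies live in (range is an assumption).
  gcloud compute networks subnets create "$SWP_PROXY_SUBNET" --purpose=REGIONAL_MANAGED_PROXY \
    --role=ACTIVE --region="$SWP_REGION" --network="$SWP_NETWORK" --range=10.129.0.0/23
  # Subordinate CA in CAS; its CSR is signed by the offline corporate root that VMs already trust.
  gcloud privateca pools create "$SWP_CA_POOL" --location="$SWP_REGION" --tier=devops
  gcloud privateca subordinates create corp-swp-sub-ca --pool="$SWP_CA_POOL" --location="$SWP_REGION" \
    --subject="CN=Corp SWP Sub CA,O=Example Corp" --create-csr --csr-output-file=swp-sub-ca.csr
  # ...sign swp-sub-ca.csr with the corporate root, then run:
  # gcloud privateca subordinates activate corp-swp-sub-ca --pool="$SWP_CA_POOL" --location="$SWP_REGION" \
  #   --pem-chain=swp-sub-ca-chain.pem
  # Let the Secure Web Proxy service agent issue certificates (agent identity: assumption, check docs).
  pn=$(gcloud projects describe "$SWP_PROJECT" --format='value(projectNumber)')
  gcloud privateca pools add-iam-policy-binding "$SWP_CA_POOL" --location="$SWP_REGION" \
    --member="serviceAccount:service-${pn}@gcp-sa-networksecurity.iam.gserviceaccount.com" \
    --role=roles/privateca.certificateManager
  swp_tls_policy_yaml > tls-policy.yaml
  gcloud network-security tls-inspection-policies import "$SWP_TLS_POLICY" --source=tls-policy.yaml --location="$SWP_REGION"
  gcloud network-security url-lists create "$SWP_URL_LIST" --location="$SWP_REGION" \
    --values="saas.example.com,*.vendor.example"              # constructed approved destinations
  gcloud network-security gateway-security-policies create "$SWP_GW_POLICY" --location="$SWP_REGION" \
    --tls-inspection-policy="$SWP_TLS_POLICY"
  # Lower priority number wins: inspected allow for approved hosts, then deny everything else.
  gcloud network-security gateway-security-policies rules create allow-approved \
    --gateway-security-policy="$SWP_GW_POLICY" --location="$SWP_REGION" --priority=100 \
    --session-matcher="$(swp_session_matcher "$SWP_URL_LIST")" --basic-profile=ALLOW --tls-inspection-enabled
  gcloud network-security gateway-security-policies rules create deny-rest \
    --gateway-security-policy="$SWP_GW_POLICY" --location="$SWP_REGION" --priority=1000 \
    --session-matcher="true" --basic-profile=DENY
  swp_gateway_yaml NEXT_HOP_ROUTING_MODE > gateway.yaml
  gcloud network-services gateways import "$SWP_GATEWAY" --source=gateway.yaml --location="$SWP_REGION"
  # Default route for internal-only VMs; address form of --next-hop-ilb is an assumption to confirm.
  gcloud compute routes create "swp-default-${SWP_REGION}" --network="$SWP_NETWORK" \
    --destination-range=0.0.0.0/0 --next-hop-ilb="$SWP_PROXY_IP" --priority=900
}

# Run from a VM: the issuer must be the corporate subordinate CA, proving inspection happened.
verify_inspection() {
  openssl s_client -connect saas.example.com:443 -servername saas.example.com </dev/null 2>/dev/null \
    | openssl x509 -noout -issuer
}

[ "${RUN_DEPLOY:-0}" = 1 ] && deploy_swp
```

Rule priorities are evaluated lowest number first, so the inspected allow rule must sit above the catch-all deny; if the deny is accidentally given a lower number, every request is blocked and the transaction logs in Cloud Logging will show the deny rule name, which is the first place to look when a VM suddenly loses egress.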