GCP Professional Cloud Security Engineer Practice Question
Your organization runs a multi-region application on Google Cloud. Each VPC network contains subnets in us-central1, europe-west1, and asia-southeast1. Security mandates that a single set of egress rules must block known malicious IP ranges and allow outbound HTTPS to partner networks, no matter which region a VM is in. At the same time, network engineers need the flexibility to add region-specific deny rules for legacy systems being phased out only in europe-west1. You plan to use Cloud Next Generation Firewall (Cloud NGFW). Which combination of firewall policy attachments best meets the requirements while minimizing rule duplication and operational overhead?
Attach a hierarchical firewall policy at the organization level for the common rules and another hierarchical policy at the folder level targeting europe-west1 projects.
Attach a regional firewall policy in every region for the common rules and another regional policy in europe-west1 for the legacy deny rules.
Attach a global network firewall policy to each VPC for the common rules and a regional firewall policy only in europe-west1 for the legacy deny rules.
Attach a single global network firewall policy that contains both the common rules and the europe-specific legacy deny rules, using target tags to scope the deny rules to europe-west1.
A global network firewall policy attached to each VPC ensures that the base rules (block threat-intel IPs and allow outbound HTTPS) are evaluated first for every VM in every region. Because regional firewall policies are evaluated after a global network policy that belongs to the same network, attaching a regional firewall policy to the europe-west1 region lets engineers add europe-specific deny rules without affecting VMs in other regions. Using only regional policies would force you to duplicate the common rules in every region, while attaching the europe-west1 policy at the organization or folder level would incorrectly apply the legacy restrictions to all regions.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is Cloud Next Generation Firewall (Cloud NGFW)?
Open an interactive chat with Bash
What is the difference between global and regional firewall policies in Google Cloud?
Open an interactive chat with Bash
Why are hierarchical firewall policies unsuitable for this scenario?
Open an interactive chat with Bash
What is Cloud Next Generation Firewall (Cloud NGFW)?
Open an interactive chat with Bash
How do global and regional firewall policies differ in Google Cloud?
Open an interactive chat with Bash
Why is minimizing rule duplication important in firewall policy design?
Open an interactive chat with Bash
GCP Professional Cloud Security Engineer
Securing communications and establishing boundary protection
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .