GCP Professional Cloud Security Engineer Practice Question
Your organization runs an e-commerce front-end in project "web-prod." To achieve PCI DSS compliance, the payment-processor microservice must reside in a Cardholder Data Environment (CDE) that is strictly isolated from all other workloads. The front-end still needs a private, low-latency way to invoke the payment service, and a centralized logging project must aggregate logs from both environments without creating any additional network path between them. Which design best satisfies these requirements?
Run the payment service in the web-prod project but in a different Kubernetes namespace, enforce Kubernetes Network Policies for segmentation, and forward logs to the centralized logging project.
Place the payment service in a separate subnet of the Shared VPC used by web-prod, restrict access with firewall tags, and export logs to the centralized logging project.
Host the payment service in a dedicated VPC and peer it with the web-prod VPC, limiting traffic by exchanging only required custom routes, and send logs to the centralized logging project.
Deploy the payment service in a separate project with its own VPC network, publish it through Private Service Connect, grant the web-prod project consumer access to the PSC endpoint, and export logs from both projects to the centralized logging project via log sinks.
Putting the CDE in its own project with its own VPC network gives the payment service a separate routing domain, a separate IAM boundary and a separate audit scope, which is what PCI DSS network segmentation is meant to achieve. Publishing the service through Private Service Connect (PSC) works by creating a service attachment on the internal load balancer that fronts the payment service; web-prod then creates a PSC endpoint (a forwarding rule with an internal IP address from one of its own subnets) that targets that attachment. No routes are exchanged between the two VPCs, consumer traffic is SNATed to a dedicated PSC NAT subnet on the producer side, and the producer's consumer accept list decides which projects may connect at all, so web-prod can reach exactly the published service and nothing else in the CDE. The path stays on Google's network, so latency remains low. Cloud Logging sinks route entries through the Logging API to a destination in the logging project (for example a log bucket); they do not traverse your VPC networks. The only wiring required is granting each sink's writer identity write access on that destination, so both projects can export centrally without opening any traffic path between the VPCs.
A separate subnet in the same VPC, or in a Shared VPC, does not isolate the CDE: every subnet in a VPC is reachable from every other subnet through the VPC's automatically created subnet routes, so separation would rest entirely on firewall rules and network tags, which any principal allowed to set tags on an instance can change, and the whole VPC (and every service project attached to a Shared VPC) would fall into PCI DSS scope. VPC Network Peering always exchanges subnet routes for private IPv4 ranges; the custom-route import and export settings only govern static and dynamic routes, so "exchanging only required custom routes" still leaves every CDE subnet reachable from web-prod in both directions, creating an unnecessary attack surface and violating strict CDE isolation. Running the payment service in a different Kubernetes namespace in web-prod limits pod-to-pod traffic with Network Policies, but the pods still share the cluster, its node VMs and the underlying VPC, so the boundary is enforced by the very cluster it is supposed to protect and the rest of the cluster stays in scope; that is insufficient for PCI DSS network segmentation.
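The Terraform below is added here to show what the correct answer looks like as configuration; it is an illustration, not part of the original question and not a Google sample. Project IDs "cde-prod" and "central-logging", the region, the NAT subnet range, the backend tag and port, and the three variables for resources assumed to already exist (the internal passthrough load balancer forwarding rule in front of the payment service, and web-prod's VPC and subnet) are all assumptions.

```hcl
# Added illustration, not from the page. Assumed: projects "cde-prod" and
# "central-logging", region us-central1, an existing internal passthrough load
# balancer forwarding rule for the payment service, and web-prod's VPC/subnet.
locals {
  region  = "us-central1"
  cde     = "cde-prod"
  web     = "web-prod"
  logging = "central-logging"
}
variable "payment_ilb_fr" { description = "Existing ILB forwarding rule for the payment service (assumed)" }
variable "web_vpc"        { description = "Existing web-prod VPC self link (assumed)" }
variable "web_subnet"     { description = "Existing web-prod subnet self link (assumed)" }

# Producer side: the CDE gets its own VPC; nothing is ever peered to it.
resource "google_compute_network" "cde" {
  project                 = local.cde
  name                    = "cde-vpc"
  auto_create_subnetworks = false
}

# PSC NAT subnet: consumer traffic arrives SNATed to addresses from this range.
resource "google_compute_subnetwork" "psc_nat" {
  project       = local.cde
  name          = "cde-psc-nat"
  region        = local.region
  network       = google_compute_network.cde.id
  ip_cidr_range = "10.50.255.0/24"
  purpose       = "PRIVATE_SERVICE_CONNECT"
}

# So the payment backends admit only the NAT range, never web-prod's own CIDRs.
resource "google_compute_firewall" "allow_psc_to_payment" {
  project       = local.cde
  name          = "allow-psc-nat-to-payment"
  network       = google_compute_network.cde.id
  direction     = "INGRESS"
  source_ranges = [google_compute_subnetwork.psc_nat.ip_cidr_range]
  target_tags   = ["payment"]   # tag on the payment backend VMs (assumed)
  allow {
    protocol = "tcp"
    ports    = ["8443"]
  }
}

# Publish the ILB. ACCEPT_MANUAL plus the accept list is the "grant web-prod access" step.
resource "google_compute_service_attachment" "payment" {
  project               = local.cde
  name                  = "payment-psc"
  region                = local.region
  connection_preference = "ACCEPT_MANUAL"
  nat_subnets           = [google_compute_subnetwork.psc_nat.id]
  target_service        = var.payment_ilb_fr
  enable_proxy_protocol = false
  consumer_accept_lists {
    project_id_or_num = local.web
    connection_limit  = 10
  }
}

# Consumer side: an endpoint with an internal IP inside web-prod's own VPC.
resource "google_compute_address" "payment_endpoint" {
  project      = local.web
  name         = "payment-endpoint-ip"
  region       = local.region
  subnetwork   = var.web_subnet
  address_type = "INTERNAL"
}

resource "google_compute_forwarding_rule" "payment_endpoint" {
  project               = local.web
  name                  = "payment-endpoint"
  region                = local.region
  network               = var.web_vpc
  ip_address            = google_compute_address.payment_endpoint.id
  target                = google_compute_service_attachment.payment.id
  load_balancing_scheme = ""   # must be empty for a PSC consumer endpoint
}

# Logging: one sink per source project into the logging project's _Default bucket.
# The sink writes through the Logging API, so no VPC path is created.
resource "google_logging_project_sink" "to_central" {
  for_each               = toset([local.cde, local.web])
  project                = each.key
  name                   = "to-central-logging"
  destination            = "logging.googleapis.com/projects/${local.logging}/locations/global/buckets/_Default"
  unique_writer_identity = true   # dedicated service account per sink
}

resource "google_project_iam_member" "sink_writers" {
  for_each = google_logging_project_sink.to_central
  project  = local.logging
  role     = "roles/logging.bucketWriter"
  member   = each.value.writer_identity
}
```

Two things to check before treating this as PCI-ready: the sinks above carry no filter, so they export every log entry, and a real deployment would narrow or extend that to the audit log scope the assessor expects; and the `_Default` bucket retains entries for 30 days by default, which is well short of the twelve months of audit-log history PCI DSS requires, so the destination should be a dedicated log bucket with retention set accordingly and read access limited to the security team.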
GCP Professional Cloud Security Engineer
Supporting compliance requirements