GCP Professional Cloud Security Engineer Practice Question
Your security team found that on-premises servers connected to your Google Cloud VPC over HA VPN can reach public Google services such as YouTube, even though the only business requirement is to download build artifacts from Cloud Storage. The subnet used by the Cloud VPN tunnel already has Private Google Access for on-premises hosts enabled, and a custom route (199.36.153.4/30) plus a private DNS zone mapping *.googleapis.com to private.googleapis.com is in place. You must block access to Google services that are not protected by VPC Service Controls, while still allowing private access to Cloud Storage, with minimal configuration changes. What should you do?
Change the private DNS record to resolve *.googleapis.com to restricted.googleapis.com and update the Cloud VPN custom route to advertise 199.36.153.8/30 instead of 199.36.153.4/30.
Attach a global external HTTP(S) load balancer with Cloud Armor to the subnet and block requests to unwanted Google services with WAF rules.
Create a Private Service Connect endpoint for Cloud Storage in the VPC, then disable Private Google Access on the subnet.
Replace Private Google Access with a Cloud NAT gateway and restrict egress to Cloud Storage's public IP ranges by firewall rules.
The VIP 199.36.153.4/30 that backs private.googleapis.com exposes the full set of Google APIs, including consumer services like YouTube. Switching to restricted.googleapis.com (199.36.153.8/30) limits reachable endpoints to the subset of Google APIs that are supported by VPC Service Controls, such as Cloud Storage, and automatically blocks access to consumer services outside that list. Because the subnet already has Private Google Access for on-premises hosts enabled, only the DNS and route need to be updated-no additional infrastructure (such as Private Service Connect or Cloud NAT) is required. Private Service Connect could also provide per-service access control but introduces extra configuration and cost. Firewall rules or Cloud NAT cannot filter traffic once it is inside Google's network and therefore cannot guarantee blocking other Google APIs.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is the difference between private.googleapis.com and restricted.googleapis.com?
Open an interactive chat with Bash
How does VPC Service Controls enhance security for Google APIs?
Open an interactive chat with Bash
Why can't Cloud NAT or firewall rules block access to unwanted Google APIs?
Open an interactive chat with Bash
What is Private Google Access and how does it work?
Open an interactive chat with Bash
What is the difference between private.googleapis.com and restricted.googleapis.com?
Open an interactive chat with Bash
How do VPC Service Controls improve security for Google Cloud services?
Open an interactive chat with Bash
GCP Professional Cloud Security Engineer
Securing communications and establishing boundary protection
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .