GCP Professional Cloud Security Engineer Practice Question
Your security team must prevent any Compute Engine VM in any Google Cloud project from initiating outbound connections to IP addresses that Google's threat-intelligence service classifies as botnet command-and-control. At the same time, development teams occasionally need temporary, tightly scoped exceptions for a few VMs, which they identify with a dedicated secure tag (a Resource Manager tag value bound to those VMs). You want a solution that applies automatically to every current and future VPC network in the organization and minimizes ongoing operational work. Which implementation best meets these requirements?
Configure a Cloud Armor security policy that blocks traffic from botnet-classified source IPs and attach it to a shared external HTTP(S) load balancer that all outbound traffic must traverse; allow exceptions by letting teams bypass the load balancer.
Manually add a black-hole static route for every botnet command-and-control subnet to each VPC. Instruct teams to delete the route when they need an exception for specific VMs.
Create an organization-level hierarchical firewall policy with a single egress deny rule for threatIntelligence:botnet-cnc at priority 100, and let project administrators create higher-priority allow rules in their own project-level firewall policies when they need exceptions.
Create a hierarchical firewall policy at the organization node. Add an egress allow rule with high precedence (a low priority number) that targets only VMs carrying the secure tag c2c-exempt, followed by a lower-precedence deny rule whose destination match condition is threatIntelligence:botnet-cnc. Associate the policy with the organization node so that it is inherited by every VPC network in current and future projects.
A hierarchical firewall policy associated with the organization node is evaluated before folder-level policies, network firewall policies and VPC firewall rules, which gives you a single, centrally managed control point for all projects and VPCs. Firewall policy rules target VMs by secure tag or service account (network tags are only understood by VPC firewall rules), so the exception tag must be a secure tag. In that policy you create two egress rules:
An allow rule with high precedence (a low priority number) that targets only VMs bearing the designated exception secure tag (for example, c2c-exempt). Scoping its destination to the same threatIntelligence:botnet-cnc list keeps the exemption limited to exactly the traffic the deny rule would otherwise block.
A second rule with lower precedence (a higher priority number) whose destination match condition is threatIntelligence:botnet-cnc and whose action is deny.
Because rules within a policy are evaluated in ascending priority number and the first matching allow or deny is final, traffic from tagged VMs hits the allow rule first and is permitted, while traffic from every other VM to a known botnet C2 address matches the subsequent deny rule and is dropped. Associating the policy with the organization node rather than with a folder or an individual VPC network makes it effective for every existing and future VPC, because hierarchical policies are inherited down the resource hierarchy; nothing has to be replicated per project, and Google maintains the threat-intelligence list for you.
Placing only the deny rule in the organization-level policy and expecting project administrators to add higher-priority allow rules in their own policies does not work: the organization policy is evaluated before any project-level policy or VPC firewall rule, and a matching deny is terminal, so a lower-level allow is never reached (only a goto_next rule at the organization level would delegate the decision downward). Per-VPC static routes would require continual manual updates, cannot consume Google's managed threat-intelligence list, and would have to be repeated in every network. Cloud Armor protects only traffic that arrives through supported load balancers and cannot enforce egress controls on arbitrary VM traffic.
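To make the evaluation order concrete, the following Python model is an added example written for this page; it is not Google's code and not part of the original question. It simulates the order described above (organization policy first, then project-level policy, then the VPC's implied allow-egress rule), with rules inside a policy tried in ascending priority number and the first allow or deny being final. The threat-intelligence addresses, the tag value c2c-exempt, the priorities and the level names are constructed assumptions; the real threatIntelligence list is resolved by Google and is not a fixed set of addresses. It also goes slightly beyond the page by modelling a goto_next rule, which is the one organization-level action that does hand the decision to a lower level.

```python
"""Model of Google Cloud firewall policy evaluation order (added example,
not Google's code). Levels are evaluated top-down: organization-level
hierarchical policy, then project-level policy, then the VPC implied
allow-egress rule. Within a policy, rules are tried in ascending priority
number; the first matching allow or deny is final, and a matching goto_next
defers to the next level.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for Google's managed threat-intelligence list.
THREAT_INTEL = {
    "threatIntelligence:botnet-cnc": (
        ipaddress.ip_network("198.51.100.0/24"),
        ipaddress.ip_network("203.0.113.7/32"),
    ),
}
TI = "threatIntelligence:botnet-cnc"
EXEMPT_TAG = "c2c-exempt"  # assumed secure tag value bound to exempted VMs


@dataclass(frozen=True)
class Rule:
    priority: int                            # lower number = higher precedence
    action: str                              # "allow", "deny" or "goto_next"
    target_tags: frozenset = frozenset()     # empty = rule targets all VMs
    dest_threat_intel: Optional[str] = None  # e.g. "threatIntelligence:botnet-cnc"

    def matches(self, vm_tags: frozenset, dest: ipaddress._BaseAddress) -> bool:
        if self.target_tags and not (self.target_tags & vm_tags):
            return False
        if self.dest_threat_intel is None:
            return True  # no destination constraint: any destination matches
        return any(dest in net for net in THREAT_INTEL[self.dest_threat_intel])


def evaluate_policy(rules, vm_tags, dest) -> Optional[str]:
    """First match in ascending priority wins; None means fall through."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(vm_tags, dest):
            return None if rule.action == "goto_next" else rule.action
    return None


def evaluate_egress(levels, vm_tags, dest_ip):
    """levels: ordered (name, rules) pairs from the org node downward.
    Returns (verdict, name of the level that decided it)."""
    dest = ipaddress.ip_address(dest_ip)
    tags = frozenset(vm_tags)
    for name, rules in levels:
        verdict = evaluate_policy(rules, tags, dest)
        if verdict is not None:
            return verdict, name
    return "allow", "implied-allow-egress"  # VPC implied rule, priority 65535


# Correct design: exception and deny both live in the org-level policy, and
# the exception is scoped to the same list so it widens only what deny narrows.
ORG_POLICY_WITH_EXCEPTION = [
    Rule(100, "allow", target_tags=frozenset({EXEMPT_TAG}), dest_threat_intel=TI),
    Rule(200, "deny", dest_threat_intel=TI),
]
# Distractor: org policy denies only; the project's allow at priority 50 is
# never reached because the org policy is evaluated first and deny is final.
ORG_POLICY_DENY_ONLY = [Rule(100, "deny", dest_threat_intel=TI)]
PROJECT_ALLOW = [Rule(50, "allow", target_tags=frozenset({EXEMPT_TAG}), dest_threat_intel=TI)]
# Delegation that does work: a goto_next rule at the org level.
ORG_POLICY_GOTO_NEXT = [Rule(100, "goto_next", dest_threat_intel=TI)]

CORRECT = [("org", ORG_POLICY_WITH_EXCEPTION), ("project", [])]
DISTRACTOR = [("org", ORG_POLICY_DENY_ONLY), ("project", PROJECT_ALLOW)]
DELEGATED = [("org", ORG_POLICY_GOTO_NEXT), ("project", PROJECT_ALLOW)]

if __name__ == "__main__":
    c2 = "198.51.100.5"  # constructed address inside the stand-in C2 list
    print(evaluate_egress(CORRECT, {EXEMPT_TAG}, c2))     # ('allow', 'org')
    print(evaluate_egress(CORRECT, set(), c2))            # ('deny', 'org')
    print(evaluate_egress(CORRECT, set(), "8.8.8.8"))     # ('allow', 'implied-allow-egress')
    print(evaluate_egress(DISTRACTOR, {EXEMPT_TAG}, c2))  # ('deny', 'org')
    print(evaluate_egress(DELEGATED, {EXEMPT_TAG}, c2))   # ('allow', 'project')
```

The DISTRACTOR case is the one to internalise: the project-level rule has the "better" priority number, yet it never runs, because precedence across levels is decided by the resource hierarchy, not by the priority number. Priority only orders rules inside a single policy.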
GCP Professional Cloud Security Engineer
Securing communications and establishing boundary protection