GCP Professional Cloud Security Engineer Practice Question

Your security team wants to replace a set of regional VM-based firewalls that currently hairpin all traffic through a few "choke point" instances. The new solution must keep filtering close to each workload, automatically scale to tens of Tbps without creating additional hops, and provide one place to apply advanced threat intelligence rules across all VPC networks. Which Google Cloud capability best meets these requirements?

Deploy Cloud IDS sensors and use Packet Mirroring for threat detection
Cloud Armor web application firewall in front of the existing firewalls
Cloud Next Generation Firewall with hierarchical or network firewall policies
VPC firewall rules with manual instance tags in each subnet

Report Issue

Answer Description

Cloud Next Generation Firewall is implemented inside Google's virtual networking data plane, so every packet that enters or leaves a VPC subnet is inspected at the point of ingress or egress-there is no need to route traffic through separate firewall appliances or gateways. Because enforcement is fully distributed, capacity scales automatically with Google's infrastructure and applies consistently across regions. Hierarchical and network firewall policies let administrators define a single set of rules, including threat-intelligence controls, that protect all selected VPCs. Traditional VPC firewall rules lack advanced threat intelligence, Cloud Armor protects only load-balanced (north-south) HTTP(S) traffic, and Cloud IDS relies on mirrored copies of traffic rather than in-path enforcement, so none of those options satisfy all stated requirements.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.