GCP Professional Cloud Security Engineer Practice Question

Your team is creating a Google Cloud Armor security policy to protect an external HTTP(S) Load Balancer that fronts your company's public website. The policy must meet all of the following requirements:

  • Corporate allow-list - Always allow traffic coming from the Shanghai office IP range 203.0.113.0/24 (these addresses geolocate to country code CN).
  • Geo-block - Block every other request whose source country code is CN.
  • Admin endpoint hardening - For any request whose path starts with /admin, allow it only when the request header X-Admin-Token equals "prod-console"; otherwise block it.
  • Default posture - Permit all other traffic.

Cloud Armor evaluates rules in ascending order of priority (0 is highest) and stops at the first match. You want to satisfy the requirements with the fewest explicit rules (the implicit default rule may remain unchanged).

Which rule sequence accomplishes the goal?

  • priority 100 - ALLOW if inIpRange(origin.ip, '203.0.113.0/24')
    priority 200 - DENY (403) if origin.region_code == 'CN'
    priority 300 - ALLOW if request.path.startsWith('/admin') && request.headers['X-Admin-Token']=='prod-console'
    priority 310 - DENY (403) if request.path.startsWith('/admin')
    (default rule: ALLOW)

  • priority 100 - DENY (403) if origin.region_code == 'CN'
    priority 200 - ALLOW if inIpRange(origin.ip, '203.0.113.0/24')
    priority 300 - ALLOW if request.path.startsWith('/admin') && request.headers['X-Admin-Token']=='prod-console'
    priority 310 - DENY (403) if request.path.startsWith('/admin')
    (default rule: ALLOW)

  • priority 100 - ALLOW if request.path.startsWith('/admin') && request.headers['X-Admin-Token']=='prod-console'
    priority 110 - DENY (403) if request.path.startsWith('/admin')
    priority 200 - ALLOW if inIpRange(origin.ip, '203.0.113.0/24')
    priority 300 - DENY (403) if origin.region_code == 'CN'
    (default rule: ALLOW)

  • priority 100 - ALLOW if inIpRange(origin.ip, '203.0.113.0/24')
    priority 200 - DENY (403) if origin.region_code == 'CN'
    priority 300 - DENY (403) if request.path.startsWith('/admin') && request.headers['X-Admin-Token']!='prod-console'
    (default rule: ALLOW)

GCP Professional Cloud Security Engineer
Securing communications and establishing boundary protection