You need to restrict access to your Google Cloud load-balanced application so that only specific IP addresses can connect.
What should you do?
ACreate a secure perimeter using the Access Context Manager feature of VPC Service Controls and restrict access to the source IP range of the allowed clients and Google health check IP ranges.
BCreate a secure perimeter using VPC Service Controls, and mark the load balancer as a service restricted to the source IP range of the allowed clients and Google health check IP ranges.
CTag the backend instances "application," and create a firewall rule with target tag "application" and the source IP range of the allowed clients and Google health check IP ranges.
DLabel the backend instances "application," and create a firewall rule with the target label "application" and the source IP range of the allowed clients and Google health check IP ranges.
You created a new VPC network named Dev with a single subnet. You added a firewall rule for the network Dev to allow HTTP traffic only and enabled logging.
When you try to log in to an instance in the subnet via Remote Desktop Protocol, the login fails. You look for the Firewall rules logs in Stackdriver Logging, but you do not see any entries for blocked traffic. You want to see the logs for blocked traffic.
What should you do?
ACheck the VPC flow logs for the instance.
BTry connecting to the instance via SSH, and check the logs.
CCreate a new firewall rule to allow traffic from port 22, and enable logs.
DCreate a new firewall rule with priority 65500 to deny all traffic, and enable logs.
You are designing the network architecture for your organization. Your organization has three developer teams: Web, App, and Database. All of the developer teams require access to Compute Engine instances to perform their critical tasks. You are part of a small network and security team that needs to provide network access to the developers. You need to maintain centralized control over network resources, including subnets, routes, and firewalls. You want to minimize operational overhead. How should you design this topology?
AConfigure a host project with a Shared VPC. Create service projects for Web, App, and Database.
BConfigure one VPC for Web, one VPC for App, and one VPC for Database. Configure HA VPN between each VPC.
CConfigure three Shared VPC host projects, each with a service project: one for Web, one for App, and one for Database.
DConfigure one VPC for Web, one VPC for App, and one VPC for Database. Use VPC Network Peering to connect all VPCs in a full mesh.
Your company has 10 separate Virtual Private Cloud (VPC) networks, with one VPC per project in a single region in Google Cloud. Your security team requires each VPC network to have private connectivity to the main on-premises location via a Partner Interconnect connection in the same region. To optimize cost and operations, the same connectivity must be shared with all projects. You must ensure that all traffic between different projects, on-premises locations, and the internet can be inspected using the same third-party appliances. What should you do?
AConfigure the third-party appliances with multiple interfaces and specific Partner Interconnect VLAN attachments per project. Create the relevant routes on the third-party appliances and VPC networks.
BConfigure the third-party appliances with multiple interfaces, with each interface connected to a separate VPC network. Create separate VPC networks for on-premises and internet connectivity. Create the relevant routes on the third-party appliances and VPC networks.
CConsolidate all existing projects’ subnetworks into a single VPCreate separate VPC networks for on-premises and internet connectivity. Configure the third-party appliances with multiple interfaces, with each interface connected to a separate VPC network. Create the relevant routes on the third-party appliances and VPC networks.
DConfigure the third-party appliances with multiple interfaces. Create a hub VPC network for all projects, and create separate VPC networks for on-premises and internet connectivity. Create the relevant routes on the third-party appliances and VPC networks. Use VPC Network Peering to connect all projects’ VPC networks to the hub VPC. Export custom routes from the hub VPC and import on all projects’ VPC networks.
You have just deployed your infrastructure on Google Cloud. You now need to configure the DNS to meet the following requirements:
• Your on-premises resources should resolve your Google Cloud zones.
• Your Google Cloud resources should resolve your on-premises zones.
• You need the ability to resolve “.internal” zones provisioned by Google Cloud.
What should you do?
AConfigure an outbound server policy, and set your alternative name server to be your on-premises DNS resolver. Configure your on-premises DNS resolver to forward Google Cloud zone queries to Google's public DNS 8.8.8.8.
BConfigure both an inbound server policy and outbound DNS forwarding zones with the target as the on-premises DNS resolver. Configure your on-premises DNS resolver to forward Google Cloud zone queries to Google Cloud's DNS resolver.
CConfigure an outbound DNS server policy, and set your alternative name server to be your on-premises DNS resolver. Configure your on-premises DNS resolver to forward Google Cloud zone queries to Google Cloud's DNS resolver.
DConfigure Cloud DNS to DNS peer with your on-premises DNS resolver. Configure your on-premises DNS resolver to forward Google Cloud zone queries to Google's public DNS 8.8.8.8.
Your organization uses a hub-and-spoke architecture with critical Compute Engine instances in your Virtual Private Clouds (VPCs). You are responsible for the design of Cloud DNS in Google Cloud. You need to be able to resolve Cloud DNS private zones from your on-premises data center and enable on-premises name resolution from your hub-and-spoke VPC design. What should you do?
A
Configure a private DNS zone in the hub VPC, and configure DNS forwarding to the on-premises server.
Configure DNS peering from the spoke VPCs to the hub VPC.
B
Configure a DNS policy in the hub VPC to allow inbound query forwarding from the spoke VPCs.
Configure the spoke VPCs with a private zone, and set up DNS peering to the hub VPC.
C
Configure a DNS policy in the spoke VPCs, and configure your on-premises DNS as an alternate DNS server.
Configure the hub VPC with a private zone, and set up DNS peering to each of the spoke VPCs.
D
Configure a DNS policy in the hub VPC, and configure the on-premises DNS as an alternate DNS server.
Configure the spoke VPCs with a private zone, and set up DNS peering to the hub VPC.
You have a Cloud Storage bucket in Google Cloud project XYZ. The bucket contains sensitive data. You need to design a solution to ensure that only instances belonging to VPCs under project XYZ can access the data stored in this Cloud Storage bucket. What should you do?
AConfigure Private Google Access to privately access the Cloud Storage service using private IP addresses.
BConfigure a VPC Service Controls perimeter around project XYZ, and include storage.googleapis.com as a restricted service in the service perimeter.
CConfigure Cloud Storage with projectPrivate Access Control List (ACL) that gives permission to the project team based on their roles.
DConfigure Private Service Connect to privately access Cloud Storage from all VPCs under project XYZ.
You are maintaining a Shared VPC in a host project. Several departments within your company have infrastructure in different service projects attached to the Shared VPC and use Identity and Access Management (IAM) permissions to manage the cloud resources in those projects. VPC Network Peering is also set up between the Shared VPC and a common services VPC that is not in a service project. Several users are experiencing failed connectivity between certain instances in different Shared VPC service projects and between certain instances and the internet. You need to validate the network configuration to identify whether a misconfiguration is the root cause of the problem. What should you do?
AReview the VPC audit logs in Cloud Logging for the affected instances.
BUse Secure Shell (SSH) to connect to the affected Compute Engine instances, and run a series of PING tests to the other affected endpoints and the 8.8.8.8 IPv4 address.
CRun Connectivity Tests from Network Intelligence Center to check connectivity between the affected endpoints in your network and the internet.
DEnable VPC Flow Logs for all VPCs, and review the logs in Cloud Logging for the affected instances.
Your organization has Compute Engine instances in us-east1, us-west2, and us-central1. Your organization also has an existing Cloud Interconnect physical connection in the East Coast of the United States with a single VLAN attachment and Cloud Router in us-east1. You need to provide a design with high availability and ensure that if a region goes down, you still have access to all your other Virtual Private Cloud (VPC) subnets. You need to accomplish this in the most cost-effective manner possible. What should you do?
A
Configure your VPC routing in regional mode.
Add an additional Cloud Interconnect VLAN attachment in the us-east1 region, and configure a Cloud Router in us-east1.
B
Configure your VPC routing in global mode.
Add an additional Cloud Interconnect VLAN attachment in the us-east1 region, and configure a Cloud Router in us-east1.
C
Configure your VPC routing in global mode.
Add an additional Cloud Interconnect VLAN attachment in the us-west2 region, and configure a Cloud Router in us-west2.
D
Configure your VPC routing in regional mode.
Add additional Cloud Interconnect VLAN attachments in the us-west2 and us-central1 regions, and configure Cloud Routers in us-west2 and us-central1.
You recently configured Google Cloud Armor security policies to manage traffic to your application. You discover that Google Cloud Armor is incorrectly blocking some traffic to your application. You need to identity the web application firewall (WAF) rule that is incorrectly blocking traffic. What should you do?
AEnable firewall logs, and view the logs in Firewall Insights.
BEnable HTTP(S) Load Balancing logging with sampling rate equal to 1, and view the logs in Cloud Logging.
CEnable VPC Flow Logs, and view the logs in Cloud Logging.
DEnable Google Cloud Armor audit logs, and view the logs on the Activity page in the Google Cloud Console.
You are the Organization Admin for your company. One of your engineers is responsible for setting up multiple host projects across multiple folders and sharing subnets with service projects. You need to enable the engineer's Identity and Access Management (IAM) configuration to complete their task in the fewest number of steps. What should you do?
ASet up the engineer with Compute Shared VPC Admin IAM role at the folder level.
BSet up the engineer with Compute Shared VPC Admin IAM role at the organization level.
CSet up the engineer with Compute Shared VPC Admin IAM role and Project IAM Admin role at the folder level.
DSet up the engineer with Compute Shared VPC Admin IAM role and Project IAM Admin role at the organization level.
You recently deployed Compute Engine instances in regions us-west1 and us-east1 in a Virtual Private Cloud (VPC) with default routing configurations. Your company security policy mandates that virtual machines (VMs) must not have public IP addresses attached to them. You need to allow your instances to fetch updates from the internet while preventing external access. What should you do?
ACreate a Cloud NAT gateway and Cloud Router in both us-west1 and us-east1.
BCreate a single global Cloud NAT gateway and global Cloud Router in the VPC.
CChange the instances’ network interface external IP address from None to Ephemeral.
DCreate a firewall rule that allows egress to destination 0.0.0.0/0.
You are trying to update firewall rules in a shared VPC for which you have been assigned only Network Admin permissions. You cannot modify the firewall rules.
Your organization requires using the least privilege necessary.
Which level of permissions should you request?
ASecurity Admin privileges from the Shared VPC Admin.
BService Project Admin privileges from the Shared VPC Admin.
CShared VPC Admin privileges from the Organization Admin.
DOrganization Admin privileges from the Organization Admin.
You are designing a new global application using Compute Engine instances that will be exposed by a global HTTP(S) load balancer. You need to secure your application from distributed denial-of-service and application layer (layer 7) attacks. What should you do?
AConfigure VPC Service Controls and create a secure perimeter. Define fine-grained perimeter controls and enforce that security posture across your Google Cloud services and projects.
BConfigure a Google Cloud Armor security policy in your project, and attach it to the backend service to secure the application.
CConfigure VPC firewall rules to protect the Compute Engine instances against distributed denial-of-service attacks.
DConfigure hierarchical firewall rules for the global HTTP(S) load balancer public IP address at the organization level.
Your organization's security policy requires that all internet-bound traffic return to your on-premises data center through HA VPN tunnels before egressing to the internet, while allowing virtual machines (VMs) to leverage private Google APIs using private virtual IP addresses 199.36.153.4/30. You need to configure the routes to enable these traffic flows. What should you do?
AConfigure a custom route 0.0.0.0/0 with a priority of 500 whose next hop is the default internet gateway. Configure another custom route 199.36.153.4/30 with priority of 1000 whose next hop is the VPN tunnel back to the on-premises data center.
BConfigure a custom route 0.0.0.0/0 with a priority of 1000 whose next hop is the internet gateway. Configure another custom route 199.36.153.4/30 with a priority of 500 whose next hop is the VPN tunnel back to the on-premises data center.
CAnnounce a 0.0.0.0/0 route from your on-premises router with a MED of 1000. Configure a custom route 199.36.153.4/30 with a priority of 1000 whose next hop is the default internet gateway.
DAnnounce a 0.0.0.0/0 route from your on-premises router with a MED of 500. Configure another custom route 199.36.153.4/30 with a priority of 1000 whose next hop is the VPN tunnel back to the on-premises data center.
Your company has defined a resource hierarchy that includes a parent folder with subfolders for each department. Each department defines their respective project and VPC in the assigned folder and has the appropriate permissions to create Google Cloud firewall rules. The VPCs should not allow traffic to flow between them. You need to block all traffic from any source, including other VPCs, and delegate only the intra-VPC firewall rules to the respective departments. What should you do?
ACreate a VPC firewall rule in each VPC to block traffic from any source, with priority 0.
BCreate a VPC firewall rule in each VPC to block traffic from any source, with priority 1000.
CCreate two hierarchical firewall policies per department's folder with two rules in each: a high-priority rule that matches traffic from the private CIDRs assigned to the respective VPC and sets the action to allow, and another lower-priority rule that blocks traffic from any other source.
DCreate two hierarchical firewall policies per department's folder with two rules in each: a high-priority rule that matches traffic from the private CIDRs assigned to the respective VPC and sets the action to goto_next, and another lower-priority rule that blocks traffic from any other source.
You have two Google Cloud projects in a perimeter to prevent data exfiltration. You need to move a third project inside the perimeter; however, the move could negatively impact the existing environment. You need to validate the impact of the change. What should you do?
AEnable Firewall Rules Logging inside the third project.
BModify the existing VPC Service Controls policy to include the new project in dry run mode.
CMonitor the Resource Manager audit logs inside the perimeter.
DEnable VPC Flow Logs inside the third project, and monitor the logs for negative impact.
You are configuring an HA VPN connection between your Virtual Private Cloud (VPC) and on-premises network. The VPN gateway is named VPN_GATEWAY_1. You need to restrict VPN tunnels created in the project to only connect to your on-premises VPN public IP address: 203.0.113.1/32. What should you do?
AConfigure a firewall rule accepting 203.0.113.1/32, and set a target tag equal to VPN_GATEWAY_1.
BConfigure the Resource Manager constraint constraints/compute.restrictVpnPeerIPs to use an allowList consisting of only the 203.0.113.1/32 address.
CConfigure a Google Cloud Armor security policy, and create a policy rule to allow 203.0.113.1/32.
DConfigure an access control list on the peer VPN gateway to deny all traffic except 203.0.113.1/32, and attach it to the primary external interface.
Your company has recently installed a Cloud VPN tunnel between your on-premises data center and your Google Cloud Virtual Private Cloud (VPC). You need to configure access to the Cloud Functions API for your on-premises servers. The configuration must meet the following requirements:
• Certain data must stay in the project where it is stored and not be exfiltrated to other projects.
• Traffic from servers in your data center with RFC 1918 addresses do not use the internet to access Google Cloud APIs.
• All DNS resolution must be done on-premises.
• The solution should only provide access to APIs that are compatible with VPC Service Controls.
What should you do?
A
Create an A record for private.googleapis.com using the 199.36.153.8/30 address range.
Create a CNAME record for *.googleapis.com that points to the A record.
Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the addresses you used in the A record.
Remove the default internet gateway from the VPC where your Cloud VPN tunnel terminates.
B
Create an A record for restricted.googleapis.com using the 199.36.153.4/30 address range.
Create a CNAME record for *.googleapis.com that points to the A record.
Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the addresses you used in the A record.
Configure your on-premises firewalls to allow traffic to the restricted.googleapis.com addresses.
C
Create an A record for restricted.googleapis.com using the 199.36.153.4/30 address range.
Create a CNAME record for *.googleapis.com that points to the A record.
Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the addresses you used in the A record.
Remove the default internet gateway from the VPC where your Cloud VPN tunnel terminates.
D
Create an A record for private.googleapis.com using the 199.36.153.8/30 address range.
Create a CNAME record for *.googleapis.com that points to the A record.
Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the addresses you used in the A record.
Configure your on-premises firewalls to allow traffic to the private.googleapis.com addresses.
You need to configure a Google Kubernetes Engine (GKE) cluster. The initial deployment should have 5 nodes with the potential to scale to 10 nodes. The maximum number of Pods per node is 8. The number of services could grow from 100 to up to 1024. How should you design the IP schema to optimally meet this requirement?
AConfigure a /28 primary IP address range for the node IP addresses. Configure a /25 secondary IP range for the Pods. Configure a /22 secondary IP range for the Services.
BConfigure a /28 primary IP address range for the node IP addresses. Configure a /25 secondary IP range for the Pods. Configure a /21 secondary IP range for the Services.
CConfigure a /28 primary IP address range for the node IP addresses. Configure a /28 secondary IP range for the Pods. Configure a /21 secondary IP range for the Services.
DConfigure a /28 primary IP address range for the node IP addresses. Configure a /24 secondary IP range for the Pads. Configure a /22 secondary IP range for the Services.
You are migrating a three-tier application architecture from on-premises to Google Cloud. As a first step in the migration, you want to create a new Virtual Private Cloud (VPC) with an external HTTP(S) load balancer. This load balancer will forward traffic back to the on-premises compute resources that run the presentation tier. You need to stop malicious traffic from entering your VPC and consuming resources at the edge, so you must configure this policy to filter IP addresses and stop cross-site scripting (XSS) attacks. What should you do?
ACreate a Google Cloud Armor policy, and apply it to a backend service that uses an unmanaged instance group backend.
BCreate a hierarchical firewall ruleset, and apply it to the VPC's parent organization resource node.
CCreate a Google Cloud Armor policy, and apply it to a backend service that uses an internet network endpoint group (NEG) backend.
DCreate a VPC firewall ruleset, and apply it to all instances in unmanaged instance groups.
You just finished your company’s migration to Google Cloud and configured an architecture with 3 Virtual Private Cloud (VPC) networks: one for Sales, one for Finance, and one for Engineering. Every VPC contains over 100 Compute Engine instances, and now developers using instances in the Sales VPC and the Finance VPC require private connectivity between each other. You need to allow communication between Sales and Finance without compromising performance or security. What should you do?
AConfigure an HA VPN gateway between the Finance VPC and the Sales VPC.
BConfigure the instances that require communication between each other with an external IP address.
CCreate a VPC Network Peering connection between the Finance VPC and the Sales VPC.
DConfigure Cloud NAT and a Cloud Router in the Sales and Finance VPCs.
You have provisioned a Partner Interconnect connection to extend connectivity from your on-premises data center to Google Cloud. You need to configure a Cloud Router and create a VLAN attachment to connect to resources inside your VPC. You need to configure an Autonomous System number (ASN) to use with the associated Cloud Router and create the VLAN attachment.
What should you do?
AUse a 4-byte private ASN 4200000000-4294967294.
BUse a 2-byte private ASN 64512-65535.
CUse a public Google ASN 15169.
DUse a public Google ASN 16550.
You want to create a service in GCP using IPv6.
What should you do?
ACreate the instance with the designated IPv6 address.
BConfigure a TCP Proxy with the designated IPv6 address.
CConfigure a global load balancer with the designated IPv6 address.
DConfigure an internal load balancer with the designated IPv6 address.
You are configuring a new application that will be exposed behind an external load balancer with both IPv4 and IPv6 addresses and support TCP pass-through on port 443. You will have backends in two regions: us-west1 and us-east1. You want to serve the content with the lowest possible latency while ensuring high availability and autoscaling. Which configuration should you use?
AUse global SSL Proxy Load Balancing with backends in both regions.
BUse global TCP Proxy Load Balancing with backends in both regions.
CUse global external HTTP(S) Load Balancing with backends in both regions.
DUse Network Load Balancing in both regions, and use DNS-based load balancing to direct traffic to the closest region.
Preview
