Google Cloud Professional Cloud Network Engineer — Question 195

Your company deployed Cloud Next Generation Firewall Enterprise (Cloud NGFW Enterprise). You have already created a CA pool and a CA in Certificate Authority Service. You need to enable TLS inspection. What should you do?

Answer options

• A. Grant the network security service agent service account the privateca.certificateRequester role. Create a TLS inspection policy linking to the CA pool. Configure your VPC endpoint associations to use the TLS inspection policy. Flip the TLS inspection flag in your firewall policy rules to true.
• B. Grant the network security service agent service account the privateca.poolReader role. Create a TLS inspection policy linking to the CA pool. Configure your VPC endpoint associations to use the TLS inspection policy. Flip the TLS inspection flag in your firewall policy rules to true.
• C. Grant the network security service agent service account the privateca.certificateRequester role. Create a trust config in Certificate Manager Flip the TLS inspection flag in your firewall policy rules to true.
• D. Grant the network security service agent service account the privateca.certificateRequester role. Create a trust config in Certificate Manager. Flip the TLS inspection flag in your firewall policy rules to true.

Correct answer: A

Explanation

The correct answer is A because it includes granting the necessary privateca.certificateRequester role and creating a TLS inspection policy linked to the CA pool, which is essential for enabling TLS inspection. Options B, C, and D do not include the correct role or the necessary TLS inspection policy setup, which are critical steps for this configuration.