Google Cloud Professional Cloud Network Engineer — Question 203
Your organization has a subset of applications in multiple regions that require internet access. You need to control internet access from applications to URLs, including hostnames and paths. The compute instances that run these applications have an associated secure tag. What should you do?
Answer options
- A. Deploy a Cloud NAT gateway. Use fully qualified domain name (FQDN) objects in the firewall policy rules to filter outgoing traffic to specific domains from machines that match a service account.
- B. Deploy a Cloud NAT gateway. Use fully qualified domain name (FQDN) objects in the firewall policy rules to filter outgoing traffic to specific domains from machines that match the secure tag.
- C. Deploy a single Secure Web Proxy instance with global access enabled. Apply a Secure Web Proxy policy to allow access from machines that match the secure tag to the URLs defined in a URL list.
- D. Deploy a Secure Web Proxy instance in each region. Apply a Secure Web Proxy policy to allow access from machines that match the secure tag to the URLs defined in a URL list.
Correct answer: D
Explanation
The correct answer is D: deploying a Secure Web Proxy instance in each region gives localized control of URL access, with the policy matching source machines by their secure tag. Options A and B rely on a Cloud NAT gateway, which does not provide URL filtering; the FQDN objects in their firewall policy rules filter traffic by domain, not by URL path, so they cannot meet the hostname-and-path requirement. Option C uses a single global proxy, which may not meet the requirements for applications that run in multiple regions.