Google Cloud Professional Cloud Network Engineer — Question 230
Your organization's security team recently discovered that there is a high risk of malicious activities originating from some of your VMs connected to the internet. These malicious activities are currently undetected when TLS communication is used. You must ensure that encrypted traffic to the internet is inspected. What should you do?
Answer options
- A. Enable Cloud Armor TLS inspection policy, and associate the policy with the backend VMs.
- B. Use Cloud NGFW Essentials. Create a firewall rule for egress traffic, and enable VPC Flow Logs with the TLS inspect option. Analyze the output logs content and block the outputs that have malicious activities.
- C. Configure a TLS agent on every VM to intercept TLS traffic before it reaches the internet. Configure Sensitive Data Protection to analyze and allow/deny the content.
- D. Use Cloud NGFW Enterprise. Create a firewall rule for egress traffic with the --tls-inspect flag, and associate the firewall rules with the VMs.
Correct answer: D
Explanation
D is correct. TLS inspection of VM egress is a Cloud NGFW Enterprise capability: a zonal firewall endpoint is associated with the VPC together with a TLS inspection policy (backed by a CA pool in Certificate Authority Service), and an egress rule in a network firewall policy uses --action=apply_security_profile_group with the --tls-inspect flag, so matching connections are decrypted, run through the threat-prevention profile, and re-encrypted toward the destination. The rule is targeted at the VMs through secure tags or service accounts; it is not attached to individual VMs. One practical caveat: the VMs must trust the root CA of that pool, otherwise their TLS clients reject the certificates the firewall presents during interception.

The other options do not inspect encrypted traffic. Cloud Armor (A) is a WAF and DDoS service in front of Google Cloud load balancers; it protects ingress to backends and has no TLS inspection policy for VM egress. Cloud NGFW Essentials (B) is the stateful L3/L4 tier without intrusion prevention or TLS interception, and VPC Flow Logs record flow metadata (5-tuple, bytes, packets), not decrypted payload; there is no TLS inspect option for flow logs. A per-VM agent with Sensitive Data Protection (C) is not a network threat-inspection control: it has to be installed and maintained on every VM, an attacker who already controls a VM can disable it, and Sensitive Data Protection classifies sensitive data rather than detecting malicious traffic.
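The following script is an added example of the gcloud steps that implement option D; it is not part of the original question and not code from Google's documentation. The project, organization, region, zone, VPC, service account and all resource names are assumed placeholders, and the script defaults to a dry run that prints each command (set DRY_RUN=0 to execute it against a real project).

```shell
#!/bin/sh
# Added example: Cloud NGFW Enterprise TLS inspection for VM egress.
# Every identifier below is an assumed placeholder; override via the environment.
# Defaults to a dry run that prints each gcloud command; DRY_RUN=0 runs them.
set -eu

: "${DRY_RUN:=1}"
: "${PROJECT_ID:=example-project}"      # assumed
: "${PROJECT_NUMBER:=123456789012}"     # assumed (gcloud projects describe --format='value(projectNumber)')
: "${ORG_ID:=987654321098}"             # assumed
: "${REGION:=us-central1}"              # assumed; CA pool and TLS policy are regional
: "${ZONE:=us-central1-a}"              # assumed; firewall endpoints are zonal
: "${VPC:=prod-vpc}"                    # assumed
: "${VM_SA:=web-vms@example-project.iam.gserviceaccount.com}"  # assumed; SA of the VMs to inspect
CA_POOL=ngfw-tls-pool; TLS_POLICY=ngfw-tls-policy
SEC_PROFILE=egress-threats; SPG=egress-threats-group
FW_ENDPOINT=ngfw-endpoint; FW_POLICY=egress-inspect-policy

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# 1. A CA pool in Certificate Authority Service issues the per-destination
#    certificates the firewall presents to the VMs while intercepting TLS.
create_ca() {
  run gcloud privateca pools create "$CA_POOL" --location="$REGION" --tier=devops --project="$PROJECT_ID"
  run gcloud privateca roots create "${CA_POOL}-root" --pool="$CA_POOL" --location="$REGION" \
      --subject="CN=NGFW TLS Inspection Root, O=Example" --auto-enable --project="$PROJECT_ID"
  # The Cloud NGFW service agent must be allowed to issue certificates from the pool.
  run gcloud privateca pools add-iam-policy-binding "$CA_POOL" --location="$REGION" --project="$PROJECT_ID" \
      --member="serviceAccount:service-${PROJECT_NUMBER}@gcp-sa-networksecurity.iam.gserviceaccount.com" \
      --role=roles/privateca.certificateManager
}

# 2. TLS inspection policy that references the pool.
create_tls_policy() {
  run gcloud network-security tls-inspection-policies create "$TLS_POLICY" --location="$REGION" \
      --ca-pool="projects/${PROJECT_ID}/locations/${REGION}/caPools/${CA_POOL}" --project="$PROJECT_ID"
}

# 3. Threat-prevention profile plus the group a firewall rule can reference.
create_security_profile_group() {
  run gcloud network-security security-profiles threat-prevention create "$SEC_PROFILE" \
      --organization="$ORG_ID" --location=global --project="$PROJECT_ID"
  run gcloud network-security security-profiles threat-prevention add-override "$SEC_PROFILE" \
      --organization="$ORG_ID" --location=global --project="$PROJECT_ID" \
      --severities=CRITICAL,HIGH --action=DENY
  run gcloud network-security security-profile-groups create "$SPG" \
      --organization="$ORG_ID" --location=global --project="$PROJECT_ID" \
      --threat-prevention-profile="organizations/${ORG_ID}/locations/global/securityProfiles/${SEC_PROFILE}"
}

# 4. Zonal firewall endpoint (an organization resource billed to the project),
#    then its association with the VPC carrying the TLS inspection policy.
create_endpoint() {
  run gcloud network-security firewall-endpoints create "$FW_ENDPOINT" --zone="$ZONE" \
      --organization="$ORG_ID" --billing-project="$PROJECT_ID"
  # Wait for the endpoint to reach state ACTIVE before creating the association.
}
associate_endpoint() {
  run gcloud network-security firewall-endpoint-associations create "${FW_ENDPOINT}-${VPC}" --zone="$ZONE" \
      --project="$PROJECT_ID" --network="$VPC" \
      --endpoint="organizations/${ORG_ID}/locations/${ZONE}/firewallEndpoints/${FW_ENDPOINT}" \
      --tls-inspection-policy="projects/${PROJECT_ID}/locations/${REGION}/tlsInspectionPolicies/${TLS_POLICY}"
}

# 5. Egress rule: --tls-inspect is only valid with --action=apply_security_profile_group,
#    and the rule selects the VMs by service account rather than being attached to them.
create_egress_rule() {
  run gcloud compute network-firewall-policies create "$FW_POLICY" --global --project="$PROJECT_ID"
  run gcloud compute network-firewall-policies rules create 1000 --firewall-policy="$FW_POLICY" \
      --global-firewall-policy --project="$PROJECT_ID" \
      --direction=EGRESS --dest-ip-ranges=0.0.0.0/0 --layer4-configs=tcp:443 \
      --target-service-accounts="$VM_SA" \
      --action=apply_security_profile_group \
      --security-profile-group="organizations/${ORG_ID}/locations/global/securityProfileGroups/${SPG}" \
      --tls-inspect --enable-logging
  run gcloud compute network-firewall-policies associations create --name="${FW_POLICY}-${VPC}" \
      --firewall-policy="$FW_POLICY" --global-firewall-policy --network="$VPC" --project="$PROJECT_ID"
}

main() {
  create_ca; create_tls_policy; create_security_profile_group
  create_endpoint; associate_endpoint; create_egress_rule
}
main
```

After the rule is in place, export the root certificate of the CA pool and install it in the trust store of every targeted VM; clients that pin certificates will still fail, since the firewall presents its own certificate for inspected connections. Only connections matched by a rule carrying --tls-inspect are decrypted, so a rule without the flag still passes encrypted traffic uninspected.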