Google Cloud Professional Cloud Network Engineer — Question 79

Your organization has a new security policy that requires you to monitor all egress traffic payloads from your virtual machines in region us-west2. You deployed an intrusion detection system (IDS) virtual appliance in the same region to meet the new policy. You now need to integrate the IDS into the environment to monitor all egress traffic payloads from us-west2. What should you do?

Answer options

• A. Enable firewall logging, and forward all filtered egress firewall logs to the IDS.
• B. Enable VPC Flow Logs. Create a sink in Cloud Logging to send filtered egress VPC Flow Logs to the IDS.
• C. Create an internal TCP/UDP load balancer for Packet Mirroring, and add a packet mirroring policy filter for egress traffic.
• D. Create an internal HTTP(S) load balancer for Packet Mirroring, and add a packet mirroring policy filter for egress traffic.

Correct answer: C

Explanation

The correct answer is C because creating an internal TCP/UDP load balancer for Packet Mirroring allows you to capture and analyze egress traffic effectively. Options A and B do not provide direct monitoring of traffic payloads, as they focus on logging rather than payload analysis. Option D, while similar to C, specifies an HTTP(S) load balancer which is not suitable for general egress traffic monitoring.