Google Cloud Professional Cloud Security Engineer — Question 155
You control network traffic for a folder in your Google Cloud environment. Your folder includes multiple projects and Virtual Private Cloud (VPC) networks. You want to enforce on the folder level that egress connections are limited only to IP range 10.58.5.0/24 and only from the VPC network “dev-vpc”. You want to minimize implementation and maintenance effort.
What should you do?
Answer options
- A. 1. Leave the network configuration of the VMs in scope unchanged. 2. Create a new project including a new VPC network “new-vpc”. 3. Deploy a network appliance in “new-vpc” to filter access requests and only allow egress connections from “dev-vpc” to 10.58.5.0/24.
- B. 1. Leave the network configuration of the VMs in scope unchanged. 2. Enable Cloud NAT for “dev-vpc” and restrict the target range in Cloud NAT to 10.58.5.0/24.
- C. 1. Attach external IP addresses to the VMs in scope. 2. Define and apply a hierarchical firewall policy on folder level to deny all egress connections and to allow egress to IP range 10.58.5.0/24 from network dev-vpc.
- D. 1. Attach external IP addresses to the VMs in scope. 2. Configure a VPC Firewall rule in “dev-vpc” that allows egress connectivity to IP range 10.58.5.0/24 for all source addresses in this network.
Correct answer: C
Explanation
Option C is correct because a hierarchical firewall policy applied at the folder level enforces the egress restriction for every project and VPC network under that folder, so egress is strictly controlled according to the stated requirements with a single policy to maintain. Options A and B introduce unnecessary complexity and do not meet the requirement of limiting egress connections effectively. Option D allows egress from all source addresses in “dev-vpc”, which does not enforce the desired restriction.
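The following Terraform configuration is an added illustration of the folder-level hierarchical firewall policy described in option C; it is not part of the original question or Google's documentation. The folder ID, project ID and policy names are placeholders (assumed values), and the existing “dev-vpc” network is looked up rather than created. The policy denies all egress at a low-priority rule and allows egress to 10.58.5.0/24 only from “dev-vpc” at a higher-priority rule, then associates the policy with the folder so every project beneath it inherits the restriction.

```hcl
# Added example (not from the original page). Placeholder values:
#   FOLDER_ID_PLACEHOLDER  - numeric ID of the folder being controlled
#   PROJECT_ID_PLACEHOLDER - project that hosts the existing "dev-vpc" network

# Existing network from the question; looked up, not created here.
data "google_compute_network" "dev_vpc" {
  name    = "dev-vpc"
  project = "PROJECT_ID_PLACEHOLDER"
}

# Hierarchical firewall policy owned by the folder.
resource "google_compute_firewall_policy" "folder_egress" {
  parent      = "folders/FOLDER_ID_PLACEHOLDER"
  short_name  = "folder-egress-policy"
  description = "Restrict egress to 10.58.5.0/24 from dev-vpc only"
}

# Higher priority (lower number) wins: allow egress from dev-vpc to the
# permitted range. target_resources scopes the rule to that one network.
resource "google_compute_firewall_policy_rule" "allow_dev_vpc_egress" {
  firewall_policy = google_compute_firewall_policy.folder_egress.name
  priority        = 100
  direction       = "EGRESS"
  action          = "allow"
  description     = "Allow egress from dev-vpc to 10.58.5.0/24"
  enable_logging  = true

  match {
    dest_ip_ranges = ["10.58.5.0/24"]
    layer4_configs {
      ip_protocol = "all"
    }
  }

  target_resources = [data.google_compute_network.dev_vpc.self_link]
}

# Catch-all deny for every other egress flow in every VPC under the folder.
# This overrides the implied allow-egress rule of each VPC network.
resource "google_compute_firewall_policy_rule" "deny_all_egress" {
  firewall_policy = google_compute_firewall_policy.folder_egress.name
  priority        = 1000
  direction       = "EGRESS"
  action          = "deny"
  description     = "Deny all other egress from networks in this folder"
  enable_logging  = true

  match {
    dest_ip_ranges = ["0.0.0.0/0"]
    layer4_configs {
      ip_protocol = "all"
    }
  }
}

# Attach the policy to the folder so all child projects inherit it.
resource "google_compute_firewall_policy_association" "folder_assoc" {
  firewall_policy   = google_compute_firewall_policy.folder_egress.id
  attachment_target = "folders/FOLDER_ID_PLACEHOLDER"
  name              = "folder-egress-association"
}
```

Because hierarchical firewall policies are evaluated before project-level VPC firewall rules, a project owner cannot loosen this restriction by adding their own allow rule, which is what makes the folder-level approach both low-maintenance and hard to bypass. Logging is enabled on both rules so denied egress attempts from other networks, or from “dev-vpc” to unexpected destinations, surface in Cloud Logging for review.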