Google Cloud Professional Cloud Security Engineer — Question 81
You need to set up two network segments: one with an untrusted subnet and the other with a trusted subnet. You want to configure a virtual appliance such as a next-generation firewall (NGFW) to inspect all traffic between the two network segments. How should you design the network to inspect the traffic?
Answer options
- A. 1. Set up one VPC with two subnets: one trusted and the other untrusted. 2. Configure a custom route for all traffic (0.0.0.0/0) pointed to the virtual appliance.
- B. 1. Set up one VPC with two subnets: one trusted and the other untrusted. 2. Configure a custom route for all RFC1918 subnets pointed to the virtual appliance.
- C. 1. Set up two VPC networks: one trusted and the other untrusted, and peer them together. 2. Configure a custom route on each network pointed to the virtual appliance.
- D. 1. Set up two VPC networks: one trusted and the other untrusted. 2. Configure a virtual appliance using multiple network interfaces, with each interface connected to one of the VPC networks.
Correct answer: D
Explanation
The correct answer is D because placing the virtual appliance between two separate VPC networks, with one network interface in each, forces every packet between the trusted and untrusted segments to enter the appliance on one interface and leave on the other, so it can inspect all of that traffic. Note that Google Cloud requires each network interface of a VM to be attached to a different VPC network, which is why the two-VPC design is needed for a multi-NIC appliance. Options A and B keep both subnets in a single VPC and rely on a custom route (for 0.0.0.0/0 or for the RFC 1918 ranges) to steer traffic to the appliance; however, the VPC's subnet routes take precedence over custom routes for destinations inside the VPC, so traffic between the two subnets is delivered directly and bypasses the appliance. Option C peers the two VPC networks, which exchanges their subnet routes and lets instances in the trusted and untrusted networks reach each other directly, again without passing through the firewall's interfaces.