Exam Professional Cloud Security Engineer topic 1 question 239 discussion

Cloud NAT is primarily for providing internet access to instances in private subnets. It doesn't offer the granular control needed to restrict egress traffic based on source VPC networks

Applying a hierarchical firewall policy at the folder level ensures centralized control of egress traffic across all networks and projects within the folder, minimizing implementation and maintenance efforts while enforcing the required network traffic constraints.

But I'm not agree 100% with any of them. B & C are the less worst but not the good ones. C is not complain with: on the folder level B is not complain with: minimize implementation and maintenance effort because of the add external ip addresses to the VMs step

-Folder-Level Policy: A hierarchical firewall policy applied at the folder level ensures consistent enforcement across all VPC networks within that folder. This simplifies management compared to individual project or VPC configurations. -Deny All Egress with Allow Rule: Setting a "deny all egress" rule as the default policy at the folder level strengthens security by explicitly blocking outbound traffic. A separate rule specifically allows egress to the desired IP range (10.58.5.0/24) from the "dev-vpc" network, meeting your requirements. -No VM Configuration Changes: This approach avoids modifying individual VM network configurations, reducing complexity and potential errors.

allowing egress to the entire 10.58.5.0/24 network does not make any sense, enabling Cloud NAT for "dev-vpc" with the target range restricted to 10.58.5.0/24 provides a straightforward and efficient way to enforce egress connections on the folder level, meeting your criteria of minimal implementation and maintenance effort.

In my opinion the less worth option is C. A is wrong because use an other VPC in other Network cannot help to filter egress access B is wrong for me because NAT doesn't allow us to limit access even NAT is could be make between VPC. D by default all egress connections are allow add a rule make no change for me. in C you make a rule applie on all folder that deny egress by default and allow the source network as expected. I don't understand the fact of add a public ip adress that don't help for me but it is not blocking.

Why not B ?

Selected Answer: C https://cloud.google.com/firewall/docs/firewall-policies-examples

The correct answer is C. 1. Attach external IP addresses to the VMs in scope. 2. Define and apply a hierarchical firewall policy on folder level to deny all egress connections and to allow egress to IP range 10.58.5.0/24 from network dev-vpc. This approach allows you to control network traffic at the folder level. By attaching external IP addresses to the VMs in scope, you can ensure that the VMs have a unique, routable IP address for outbound connections. Then, by defining and applying a hierarchical firewall policy at the folder level, you can enforce that egress connections are limited to the specified IP range and only from the specified VPC network.