
Exam Professional Cloud Security Engineer topic 1 question 81 discussion

Actual exam question from Google's Professional Cloud Security Engineer
Question #: 81
Topic #: 1

A customer is running an analytics workload on Google Cloud Platform (GCP) where Compute Engine instances are accessing data stored on Cloud Storage.
Your team wants to make sure that this workload will not be able to access, or be accessed from, the internet.
Which two strategies should your team use to meet these requirements? (Choose two.)

  • A. Configure Private Google Access on the Compute Engine subnet
  • B. Avoid assigning public IP addresses to the Compute Engine cluster.
  • C. Make sure that the Compute Engine cluster is running on a separate subnet.
  • D. Turn off IP forwarding on the Compute Engine instances in the cluster.
  • E. Configure a Cloud NAT gateway.
Suggested Answer: AB
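
One way to check an existing deployment against options A and B, and to spot the Cloud NAT egress path that option E would create, is to audit the resource inventory. This is an added example, not part of the original question or discussion; the inventory below is constructed, all names in it are hypothetical, and its fields follow the Compute Engine resources that `gcloud compute instances|networks subnets|routers list --format=json` prints.

```python
# Constructed sample inventory; names and addresses are made up. Field names
# follow the Compute Engine API (accessConfigs, privateIpGoogleAccess, nats).
P = "https://www.googleapis.com/compute/v1/projects/example-project"
NET, REGION = P + "/global/networks/analytics-vpc", P + "/regions/us-central1"
SUBNETS = [
    {"selfLink": REGION + "/subnetworks/private", "network": NET,
     "region": REGION, "privateIpGoogleAccess": True},
    {"selfLink": REGION + "/subnetworks/legacy", "network": NET,
     "region": REGION, "privateIpGoogleAccess": False},
]
INSTANCES = [
    {"name": "worker-1", "networkInterfaces": [
        {"subnetwork": REGION + "/subnetworks/private"}]},
    {"name": "worker-2", "networkInterfaces": [
        {"subnetwork": REGION + "/subnetworks/private",
         "accessConfigs": [{"type": "ONE_TO_ONE_NAT", "natIP": "203.0.113.10"}]}]},
    {"name": "worker-3", "networkInterfaces": [
        {"subnetwork": REGION + "/subnetworks/legacy"}]},
]
ROUTERS = [{"name": "legacy-router", "network": NET, "region": REGION,
            "nats": [{"name": "legacy-nat"}]}]


def audit(instances, subnets, routers):
    """Return {instance name: [findings]}; an empty list means no finding."""
    by_link = {s["selfLink"]: s for s in subnets}
    # Simplification: a NAT on any router is assumed to cover every subnet
    # in that router's (network, region) pair.
    nat_scopes = {(r["network"], r["region"]) for r in routers if r.get("nats")}
    report = {}
    for inst in instances:
        findings = []
        for nic in inst.get("networkInterfaces", []):
            if nic.get("accessConfigs") or nic.get("ipv6AccessConfigs"):
                findings.append("external IP assigned (violates B)")
            subnet = by_link.get(nic["subnetwork"])
            if subnet is None:
                findings.append("subnet not in inventory")
                continue
            if not subnet.get("privateIpGoogleAccess", False):
                findings.append("Private Google Access off (A not applied)")
            if (subnet["network"], subnet["region"]) in nat_scopes:
                findings.append("Cloud NAT present (internet egress, option E)")
        report[inst["name"]] = findings
    return report


if __name__ == "__main__":
    for name, found in audit(INSTANCES, SUBNETS, ROUTERS).items():
        print(name, found or "ok")
```

An instance with no findings has only internal addresses, reaches Cloud Storage through Private Google Access, and has no NAT path to the internet.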

Comments

MohitA
Highly Voted 3 years, 7 months ago
AB suits well
upvoted 20 times
...
DebasishLowes
Highly Voted 3 years, 1 month ago
Ans : AB
upvoted 7 times
...
Mauratay
Most Recent 2 months, 3 weeks ago
Selected Answer: AE
AE

A. Configuring Private Google Access on the Compute Engine subnet: This feature enables instances without public IP addresses to connect to Google APIs and services over internal IP addresses, ensuring that the instances cannot be accessed from the internet.

E. Configuring a Cloud NAT gateway: This ensures that instances within the VPC can connect to the internet, but only to specific IP ranges and ports and it also ensures that the instances cannot initiate connection to the internet.

By configuring both options, you are providing your Compute Engine instances with a way to access Google services while also being isolated from the internet and that is the best way to ensure that this workload will not be able to access, or be accessed from, the internet.
upvoted 1 times
...
[Removed]
9 months ago
Selected Answer: AB
A, B. It has to be A and B together. A (Private Google Access) has minimal effect on instances with a public IP, so we also need to avoid assigning a public IP to get the desired (internal only) effect. https://cloud.google.com/vpc/docs/private-google-access
upvoted 2 times
...
gcpengineer
11 months, 1 week ago
Selected Answer: AB
AB, A to access the cloud storage privately
upvoted 2 times
...
gcpengineer
11 months, 2 weeks ago
Selected Answer: BE
BE. No public IP on the VM, and NAT to access Cloud Storage.
upvoted 1 times
gcpengineer
11 months, 1 week ago
AB, A to access the cloud storage privately
upvoted 1 times
...
...
therealsohail
1 year, 3 months ago
AE

A. Configuring Private Google Access on the Compute Engine subnet: This feature enables instances without public IP addresses to connect to Google APIs and services over internal IP addresses, ensuring that the instances cannot be accessed from the internet.

E. Configuring a Cloud NAT gateway: This ensures that instances within the VPC can connect to the internet, but only to specific IP ranges and ports and it also ensures that the instances cannot initiate connection to the internet.

By configuring both options, you are providing your Compute Engine instances with a way to access Google services while also being isolated from the internet and that is the best way to ensure that this workload will not be able to access, or be accessed from, the internet.
upvoted 2 times
diasporabro
1 year, 3 months ago
NAT Gateway allows an instance to access the public internet (while not being accessible from the public internet), so it is incorrect
upvoted 3 times
...
...
AzureDP900
1 year, 5 months ago
AB is correct A. Configure Private Google Access on the Compute Engine subnet B. Avoid assigning public IP addresses to the Compute Engine cluster.
upvoted 1 times
...
AwesomeGCP
1 year, 6 months ago
Selected Answer: AB
A. Configure Private Google Access on the Compute Engine subnet B. Avoid assigning public IP addresses to the Compute Engine cluster.
upvoted 2 times
...
cloudprincipal
1 year, 10 months ago
Selected Answer: AB
agree with all the others
upvoted 2 times
...
pfilourenco
2 years, 11 months ago
B and E: "make sure that this workload will not be able to access, or be accessed from, the internet." If we have cloud NAT we are able to access the internet! Also with public IP.
upvoted 2 times
Rupo7
2 years, 2 months ago
The question says "not be able to access, or be accessed from, the internet." A NAT gateway enables access to the internet, just behind a static IP. A. Private access for the subnet is required to enable access to GCS. B is a good measure, as then the instance cannot access the internet at all (without a NAT gateway, that is).
upvoted 1 times
gcpengineer
11 months, 2 weeks ago
Private access of storage is required, not of the VMs.
upvoted 1 times
...
...
...
[Removed]
3 years ago
Not A https://cloud.google.com/vpc/docs/private-google-access
upvoted 1 times
tanfromvn
2 years, 10 months ago
A_B, why not A? Private access just accepts traffic in GCP and to GG API
upvoted 2 times
...
[Removed]
3 years ago
Not D, because by default IP forwarding is disabled. You do not need to turn it off.
upvoted 1 times
[Removed]
3 years ago
So B and E is the right answer.
upvoted 3 times
...
...
...
ffdd1234
3 years, 3 months ago
If you avoid assigning public IP addresses to the Compute Engine cluster, the instance could access the internet if it has a NAT gateway; maybe the answer is A and D.
upvoted 1 times
ffdd1234
2 years, 5 months ago
+1 A-D
upvoted 1 times
ffdd1234
2 years, 5 months ago
But not sure: "Ensure that IP Forwarding feature is not enabled at the Google Compute Engine instance level for security and compliance reasons, as instances with IP Forwarding enabled act as routers/packet forwarders." IP forwarding is for routing packets, so it could not be D.
upvoted 1 times
...
...
...
Topsy
3 years, 4 months ago
A and B is correct
upvoted 4 times
...
[Removed]
3 years, 6 months ago
Ans - AB
upvoted 2 times
...
genesis3k
3 years, 6 months ago
AB is the correct answer.
upvoted 1 times
...
Wooky
3 years, 7 months ago
B, D, not A. Private Google Access provides public Google API access without a public IP.
upvoted 1 times
Wooky
3 years, 7 months ago
My mistake, ans is AB.
upvoted 2 times
...
...