Exam Professional Cloud Security Engineer topic 1 question 111 discussion

I think the answer is (C). VPC Flow Logs samples each VM's TCP, UDP, ICMP, ESP, and GRE flows. Both inbound and outbound flows are sampled. These flows can be between the VM and another VM, a host in your on-premises data center, a Google service, or a host on the internet. https://cloud.google.com/vpc/docs/flow-logs

B should be the answer. For detecting network anomalies, you need to have payload and header data as well to be effective. Besides C is saying to enable VPC flow logs on a subnet which won't serve our purpose either.

Backet mirroring policies allow you to mirror all traffic passing through a specific network interface or VPC route to a designated destination (e.g., another VM, a Cloud Storage bucket). This captured traffic can then be analyzed by security and network engineers using tools like Suricata or Security Command Center for advanced anomaly detection. This approach provides the necessary level of detail and flexibility for identifying anomalies across all the mentioned traffic types

C is only for subnet, and we need control in many VPCs, so I prefer B

C - we need more than just the VMs here.

The answer is C. The needs is identify all network anomalies within and across VPCs, internal traffic from VMs to VMs ... B- Does not meet all needs. It is limited to the VM and don't cover the needs : across VPCs https://cloud.google.com/vpc/docs/packet-mirroring?hl=en C- Cover all needs https://cloud.google.com/vpc/docs/flow-logs?hl=en

"B" When there's a need for broad and deep network analysis, only packet mirroring can achieve this. Here's the specific use case that matches the quest. https://cloud.google.com/vpc/docs/packet-mirroring#enterprise_security

https://cloud.google.com/vpc/docs/packet-mirroring#enterprise_security Security and network engineering teams must ensure that they are catching all anomalies and threats that might indicate security breaches and intrusions. They mirror all traffic so that they can complete a comprehensive inspection of suspicious flows. Because attacks can span multiple packets, security teams must be able to get all packets for each flow.

As it is a close tie and ambiguity between B&C, I would say it is C - VPC Flow Logs in this instance, as Question 121 is focusing more on Packet Mirroring with the IDS Use Case.

Should be B

C is the answer as B has the limitation against question The mirroring happens on the virtual machine (VM) instances, not on the network. Consequently, Packet Mirroring consumes additional bandwidth on the VMs.

B. Configure packet mirroring policies.

B is the answer. https://cloud.google.com/vpc/docs/packet-mirroring#enterprise_security Security and network engineering teams must ensure that they are catching all anomalies and threats that might indicate security breaches and intrusions. They mirror all traffic so that they can complete a comprehensive inspection of suspicious flows.

100% Answer B: Anomalies means packet miroiring https://cloud.google.com/vpc/docs/packet-mirroring#enterprise_security "Packet Mirroring is useful when you need to monitor and analyze your security status. It exports all traffic, not only the traffic between sampling periods. For example, you can use security software that analyzes mirrored traffic to detect all threats or anomalies. Additionally, you can inspect the full traffic flow to detect application performance issues. For more information, see the example use cases." https://cloud.google.com/vpc/docs/packet-mirroring

First you can use VPC flow log at a subnet level : https://cloud.google.com/vpc/docs/using-flow-logs Then VPC Flow Log main feature is to collect logs that can be used for network monitoring, forensics, real-time security analysis, and expense optimization.

Anomalies -> Packet Mirroring

VPC Flow Logs also helps you perform network forensics when investigating suspicious behavior such as traffic from access from abnormal sources or unexpected volumes of data migration