You are troubleshooting access denied errors between Compute Engine instances connected to a Shared VPC and BigQuery datasets. The datasets reside in a project protected by a VPC Service Controls perimeter. What should you do?
A. Add the host project containing the Shared VPC to the service perimeter.
B. Add the service project where the Compute Engine instances reside to the service perimeter.
C. Create a service perimeter between the service project where the Compute Engine instances reside and the host project that contains the Shared VPC.
D. Create a perimeter bridge between the service project where the Compute Engine instances reside and the perimeter that contains the protected BigQuery datasets.
(A)
For VMs inside a Shared VPC, the host project needs to be added to the perimeter as well. I had real-life experience with this. However, this creates new security issues, as all other VMs in other projects which are attached to shared subnets in the same host project are then also able to access the perimeter. Google recommends setting up Private Service Connect endpoints to achieve subnet segregation for VPC-SC usage with host projects.
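As an added example (not from the thread or from Google's documentation), a small Python triage script that takes a perimeter's `describe` JSON and the Shared VPC host and service project numbers (all values below are constructed) and reports whether the host project is missing from the perimeter, which is the situation the question describes, plus which service projects attached to that host sit outside the perimeter:

```python
import json

# Constructed sample: a trimmed `gcloud access-context-manager perimeters describe --format=json`
# output. Project numbers are made up. The BigQuery project and one service project are inside;
# the Shared VPC host project is not.
PERIMETER_JSON = """
{
  "name": "accessPolicies/111/servicePerimeters/bq_perimeter",
  "status": {
    "resources": ["projects/100000000001", "projects/100000000002"],
    "restrictedServices": ["bigquery.googleapis.com"]
  }
}
"""

# Constructed Shared VPC topology: the host project number and the service projects attached to it.
HOST_PROJECT = "projects/200000000001"
SERVICE_PROJECTS = ["projects/100000000002", "projects/300000000003"]


def perimeter_resources(describe_json: str) -> set[str]:
    """Extract the enforced resource set from a perimeter describe document."""
    doc = json.loads(describe_json)
    return set(doc.get("status", {}).get("resources", []))


def check_shared_vpc_membership(describe_json: str, host: str, services: list[str]) -> dict:
    """Report the Shared VPC membership gaps relevant to VPC-SC access denials.

    host_missing: the host project is not in the perimeter, so VMs on its shared subnets are
    denied the perimeter's restricted services (the symptom in the question).
    services_missing: service projects that use the host's subnets but are outside the perimeter;
    they are worth reviewing once the host is added, because they share the host's network.
    """
    inside = perimeter_resources(describe_json)
    return {
        "host_missing": host not in inside,
        "services_missing": sorted(p for p in services if p not in inside),
        "services_inside": sorted(p for p in services if p in inside),
    }


if __name__ == "__main__":
    report = check_shared_vpc_membership(PERIMETER_JSON, HOST_PROJECT, SERVICE_PROJECTS)
    print(json.dumps(report, indent=2))
```

With the sample data the report flags the host project as missing and lists `projects/300000000003` as an attached service project outside the perimeter.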
VPC Service Controls are designed to protect Google Cloud resources (such as BigQuery) from unauthorized access by restricting access to those resources based on service perimeters.
• In this scenario, the Compute Engine instances are trying to access BigQuery datasets, which are within a VPC Service Controls perimeter.
• Compute Engine instances are in a service project, and to allow them to access resources (BigQuery) within the service perimeter, that service project must be added to the service perimeter.
Answer A:
Select the projects that you want to secure within the perimeter.
Click Projects.
In the Add Projects window, select the projects you want to add.
If you are using Shared VPC, make sure to add the host project and service projects.
https://cloud.google.com/run/docs/securing/using-vpc-service-controls
B. Add the service project where the Compute Engine instances reside to the service perimeter.
Explanation:
The VPC Service Controls perimeter restricts data access to a set of resources within a VPC network. To allow Compute Engine instances in the service project to access BigQuery datasets in the protected project, the service project needs to be added to the service perimeter.
It's A and here's why. The question establishes there's already a VPC Service Controls perimeter and a Shared VPC. Since the dataset resides in a project protected by a VPC SC perimeter, you wouldn't create a NEW service perimeter. Further, since we know per the question there's a SHARED VPC established and you're TROUBLESHOOTING, per the doc below, it makes sense that they're both not in the same VPC SC perimeter and that is why access is failing.
https://cloud.google.com/vpc-service-controls/docs/troubleshooting#shared_vpc
The question isn't clear where the Compute Engine instances or the dataset live with respect to the VPC SC perimeter. But it's clear they are both NOT in the same VPC SC perimeter, and the question states the BQ dataset is already protected. So B, C and D are wrong, and only A ensures BOTH are in the same VPC SC perimeter regardless of which ones live in the host or service project.
As the scenario is for troubleshooting, I'll choose A as the answer, since it's more likely people would forget to include the host project in the service perimeter.
A is the answer.
https://cloud.google.com/vpc-service-controls/docs/service-perimeters#secure-google-managed-resources
If you're using Shared VPC, you must include the host project in a service perimeter along with any projects that belong to the Shared VPC.
"If you're using Shared VPC, you must include the host project in a service perimeter along with any projects that belong to the Shared VPC" => https://cloud.google.com/vpc-service-controls/docs/service-perimeters
"If you're using Shared VPC, you must include the host project in a service perimeter along with any projects that belong to the Shared VPC."
https://cloud.google.com/vpc-service-controls/docs/service-perimeters
B
https://cloud.google.com/vpc-service-controls/docs/service-perimeters
If you're using Shared VPC, you must include the host project in a service perimeter along with any projects that belong to the Shared VPC.
I think that the question is not formulated correctly. A does not answer the question completely. I think that the actual answer is B, and it should be assumed that both the VMs and BigQuery reside in the same "Service Project", and that would be the reason for adding the host project of the Shared VPC to the perimeter.