Securing communications and establishing boundary protection
Drill 20 practice questions focused entirely on Securing communications and establishing boundary protection for the Google Cloud PCSE exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.
A media company serves static video thumbnails through a global external Application Load Balancer with Cloud CDN enabled. Their security team wants to filter requests based on source IP address and geographic region BEFORE any content is served from the CDN cache, so that malicious or out-of-region requests never reach cached or backend content. Which Cloud Armor configuration meets this requirement?
A retail company exposes a public web application through an external HTTP(S) load balancer. Recently, the application was targeted by SQL injection attempts and a volumetric flood of malicious requests from a handful of specific IP ranges. The security team wants to block the known bad IP ranges, mitigate common OWASP Top 10 attacks like SQL injection, and rate-limit abusive clients — all without modifying application code. Which approach should they implement?
A retail company exposes a public web application behind a global external Application Load Balancer. The security team must ensure that only traffic originating from the corporate offices' well-known egress IP ranges can reach the application, while all other public traffic is blocked at the network edge before hitting the backends. The list of corporate IP ranges is large and changes periodically as new offices open. Which approach best meets these requirements while minimizing maintenance overhead?
A retail company runs a public API behind a global external Application Load Balancer. During flash sales, a small number of client IPs generate a massive volume of legitimate-looking requests that overwhelm backends, but the company does not want to fully block these clients — only slow them down when they exceed a fair usage threshold. Which Cloud Armor configuration meets this requirement?
A security operations team at a financial services company needs to investigate a suspected data exfiltration incident. Several private VMs in a subnet use Cloud NAT for outbound internet access to reach a partner API. The team needs to determine exactly which destination IP addresses and ports the VMs connected to during a specific time window, and whether any connections were dropped due to NAT port exhaustion. Currently no NAT observability is configured. What should the team enable to obtain this evidence with the least operational overhead?
A financial services company runs a fleet of 200 backend VMs (no external IPs) in a single subnet. These VMs make a very high volume of outbound API calls to a small number of external partner endpoints. Operations reports intermittent connection failures, and Cloud NAT logs show numerous 'OUT_OF_RESOURCES' drop entries for allocation, even though CPU and network throughput are well within limits. The team needs to resolve the failures without adding public IPs to the VMs. What is the most effective action?
A financial services company runs a fleet of backend processing VMs in a private subnet within a Shared VPC. Organization policy prohibits assigning external IP addresses to these VMs. However, the VMs must periodically download OS security patches and pull dependencies from public package repositories on the internet. Inbound connections from the internet to these VMs must remain impossible. What should the security engineer configure to meet these requirements?
A financial services company runs a fleet of backend processing VMs in a private subnet with no external IP addresses. These VMs must call a third-party payment partner's REST API over the public internet. The partner requires that all inbound traffic originate from a small, fixed set of source IP addresses that the company must register on the partner's allowlist. The security team also needs to guarantee the egress source addresses do not change over time. How should you configure egress connectivity?
A financial services company exposes a partner-facing API through a global external Application Load Balancer. Regulatory requirements mandate that only clients presenting a valid X.509 certificate issued by the company's internal certificate authority may establish a connection to the load balancer. The security team must reject any client that does not present a trusted certificate at the TLS layer, before the request reaches the backend. Which approach meets this requirement?
A financial services company exposes a public web application through a global external Application Load Balancer. A compliance audit requires that the load balancer reject any client connections negotiating TLS versions below 1.2 and disable known-weak cipher suites, while still allowing modern browsers to connect. The security engineer must enforce this at the load balancer's frontend without modifying backend servers. What should the engineer do?
A financial services company runs workloads across 40 projects in three folders (prod, staging, dev) under a single organization. The security team must enforce a non-overridable rule that blocks all inbound RDP (TCP 3389) from the public internet across every current and future project, while still allowing individual project owners to define their own application-specific firewall rules for other ports. What is the most effective way to implement this?
A financial services company is migrating to Google Cloud and needs a dedicated, high-bandwidth (10 Gbps) connection between their on-premises data center and their VPC. A compliance requirement mandates that all traffic traversing the connection between on-premises and Google Cloud must be encrypted in transit. The company wants the lowest-latency dedicated option while still meeting the encryption requirement. Which approach should they implement?
A financial services company runs an internal HTTP(S) API on Compute Engine instances in a producer VPC. Multiple consumer teams in separate VPCs, plus an on-premises data center connected via Cloud Interconnect, need to reach this API. Security requires that all traffic stay on Google's private network with no exposure to the internet, and that the producer team explicitly control which consumer projects can connect. Which approach best meets these requirements?
A financial services company runs several internal microservices in a Shared VPC. They want internal clients within the VPC to reach these microservices through a single internal IP address, with requests routed to different backend service groups based on the URL path (e.g., /payments, /accounts). Traffic must never traverse the public internet, and the solution must support HTTP-based Layer 7 path matching. Which load balancing configuration should the security engineer recommend?
A security engineer deploys an internal Application Load Balancer in front of a managed instance group of backend VMs in a custom-mode VPC. The backends have no external IPs. After deployment, all backends show as UNHEALTHY in the load balancer, and internal clients cannot reach the service. The default 'deny all ingress' behavior applies because no ingress allow rules exist for these VMs. Which action correctly restores health checks and traffic flow while following least-privilege principles?
A financial services company runs on-premises servers connected to a Google Cloud VPC through a Dedicated Interconnect. These servers must call Cloud Storage and BigQuery APIs, but corporate security policy forbids any traffic to Google APIs from traversing the public internet, and the on-premises hosts have no external IPs. DNS resolution for googleapis.com currently returns public IP addresses. What should the security engineer configure to meet these requirements?
A financial services company runs Compute Engine instances in a VPC with no external IP addresses and an organization policy that blocks external IPs. The instances must reach Google APIs such as Cloud Storage and BigQuery, but the security team requires that traffic use a private internal IP endpoint that they fully control and can reference in firewall rules and DNS, rather than the default public API domains. They also want to avoid routing this traffic over the internet or through Cloud NAT. Which approach meets these requirements?
A SaaS provider hosts a multi-tenant analytics application behind an internal load balancer in their own VPC. Your company wants to consume this service from your VPC without exposing traffic to the public internet, without overlapping RFC 1918 ranges between the two VPCs, and without requiring VPC peering that would expose your entire network to the provider. Which solution should you implement?
A SaaS provider (the producer) runs a managed data-processing service in their own VPC. For certain workloads, the producer's service instances must initiate outbound connections into a customer's (consumer's) VPC to reach an on-prem database exposed through the consumer network — while keeping the traffic on Google's backbone and avoiding VPC Peering, which would create IP overlap and full route exchange. The producer wants a network interface that lets their instances originate traffic into the consumer VPC with controlled, one-directional reachability. Which Private Service Connect construct should the producer use?
Your company operates a SaaS analytics platform in a producer VPC. A regulated banking customer wants private, one-way connectivity from their consumer VPC to your service without traversing the public internet, and they must not be able to initiate connections to any other resources in your VPC. You need to publish the service so that only this specific customer's project can create a connection endpoint, and connection requests from any other project must be rejected. Which configuration should you implement on the producer side?
More PCSE practice
Keep going with the other Professional Cloud Security Engineer domains, or take a full timed mock exam.
← Back to PCSE overview