Free Professional Cloud Security Engineer Exam Braindumps (page: 8)

Page 8 of 60

Your team needs to configure their Google Cloud Platform (GCP) environment so they can centralize the control over networking resources like firewall rules, subnets, and routes. They also have an on- premises environment where resources need access back to the GCP resources through a private VPN connection. The networking resources will need to be controlled by the network security team.

Which type of networking design should your team use to meet these requirements?

  1. Shared VPC Network with a host project and service projects
  2. Grant Compute Admin role to the networking team for each engineering project
  3. VPC peering between all engineering projects using a hub and spoke model
  4. Cloud VPN Gateway between all engineering projects using a hub and spoke model

Answer(s): A


Reference:

https://cloud.google.com/docs/enterprise/best-practices-for-enterprise- organizations#centralize_network_control

Use Shared VPC to connect to a common VPC network. Resources in those projects can communicate with each other securely and efficiently across project boundaries using internal IPs. You can manage shared network resources, such as subnets, routes, and firewalls, from a central host project, enabling you to apply and enforce consistent network policies across the projects.



An organization is migrating from their current on-premises productivity software systems to G Suite. Some network security controls were in place that were mandated by a regulatory body in their region for their previous on-premises system. The organization's risk team wants to ensure that network security controls are maintained and effective in G Suite. A security architect supporting this migration has been asked to ensure that network security controls are in place as part of the new shared responsibility model between the organization and Google Cloud.

What solution would help meet the requirements?

  1. Ensure that firewall rules are in place to meet the required controls.
  2. Set up Cloud Armor to ensure that network security controls can be managed for G Suite.
  3. Network security is a built-in solution and Google's Cloud responsibility for SaaS products like G Suite.
  4. Set up an array of Virtual Private Cloud (VPC) networks to control network security as mandated by the relevant regulation.

Answer(s): C

Explanation:

https://gsuite.google.com/learn-more/security/security-whitepaper/page-1.html

Shared responsibility "Security of the Cloud" - GCP is responsible for protecting the infrastructure that runs all of the services offered in the GCP Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run GCP Cloud services.



A customer's company has multiple business units. Each business unit operates independently, and each has their own engineering group. Your team wants visibility into all projects created within the company and wants to organize their Google Cloud Platform (GCP) projects based on different business units. Each business unit also requires separate sets of IAM permissions.

Which strategy should you use to meet these needs?

  1. Create an organization node, and assign folders for each business unit.
  2. Establish standalone projects for each business unit, using gmail.com accounts.
  3. Assign GCP resources in a project, with a label identifying which business unit owns the resource.
  4. Assign GCP resources in a VPC for each business unit to separate network access.

Answer(s): A


Reference:

https://cloud.google.com/resource-manager/docs/listing-all-resources Also: https://wideops.com/mapping-your-organization-with-the-google-cloud-platform-resource- hierarchy/



A company has redundant mail servers in different Google Cloud Platform regions and wants to route customers to the nearest mail server based on location.

How should the company accomplish this?

  1. Configure TCP Proxy Load Balancing as a global load balancing service listening on port 995.
  2. Create a Network Load Balancer to listen on TCP port 995 with a forwarding rule to forward traffic based on location.
  3. Use Cross-Region Load Balancing with an HTTP(S) load balancer to route traffic to the nearest region.
  4. Use Cloud CDN to route the mail traffic to the closest origin mail server based on client IP address.

Answer(s): A

Explanation:

https://cloud.google.com/load-balancing/docs/tcp

TCP Proxy Load Balancing is implemented on GFEs that are distributed globally. If you choose the

Premium Tier of Network Service Tiers, a TCP proxy load balancer is global. In Premium Tier, you can deploy backends in multiple regions, and the load balancer automatically directs user traffic to the closest region that has capacity. If you choose the Standard Tier, a TCP proxy load balancer can only direct traffic among backends in a single region. https://cloud.google.com/load-balancing/docs/load- balancing-overview#tcp-proxy-load-balancing






Post your Comments and Discuss Google Professional Cloud Security Engineer exam with other Community members:

Professional Cloud Security Engineer Exam Discussions & Posts