Q: 18
You control network traffic for a folder in your Google Cloud environment. Your folder includes
multiple projects and Virtual Private Cloud (VPC) networks. You want to enforce, at the folder level,
that egress connections are limited only to IP range 10.58.5.0/24 and only from the VPC network
"dev-vpc". You want to minimize implementation and maintenance effort.
What should you do?
Options
Discussion
Option B. A similar question came up in official practice, and it points to using a hierarchical firewall policy for this scenario.
B. Hierarchical firewall policy at folder level targets everything under the folder, so you get consistent control over all projects and networks in scope. It does require attaching external IPs to the VMs, but that's called out in the scenario steps. I'd say it's the most direct way to enforce egress for that IP range with minimal ongoing effort, even if there's some setup. Pretty sure that's why B fits best here.
I don’t think it’s D, since NAT config doesn’t enforce on the folder, and C has extra appliances. B.
Saw something like this on some practice sets; it was B in those as well.
C or D? I like D here, since enabling Cloud NAT and restricting the target range feels lower maintenance, and you don't have to touch existing VM configs. Hierarchical firewall in B sounds good, but it needs external IPs on VMs, which isn't always minimal effort in real life. Thoughts if I'm missing something?
B here. C looks tempting but introduces extra overhead. Hierarchical firewall at folder level is less maintenance. Pretty sure about B, but open if someone sees a technical gap in the scenario.
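For readers who want to see what the folder-level hierarchical firewall policy from the discussion above looks like in practice, here is an added Terraform example (not part of the original question or any answer, and not Google's own sample). It assumes placeholder values for the folder number, the project that owns dev-vpc, and the resulting network self link; the only values taken from the question are the destination range 10.58.5.0/24 and the network name dev-vpc.

```hcl
# Added example: folder-level hierarchical firewall policy that allows egress
# only to 10.58.5.0/24 and only from dev-vpc, and denies all other egress from
# every VPC under the folder. Folder number, project ID and the network self
# link below are placeholders (assumptions), not values from the question.

locals {
  folder_id = "folders/123456789012"                         # placeholder folder number
  dev_vpc   = "projects/example-dev/global/networks/dev-vpc" # placeholder self link
}

resource "google_compute_firewall_policy" "egress_restrict" {
  parent      = local.folder_id
  short_name  = "restrict-egress"
  description = "Folder-level egress restriction: only 10.58.5.0/24, only from dev-vpc"
}

# Lower priority number wins. Allow the single permitted destination, and scope
# the rule to dev-vpc alone via target_resources.
resource "google_compute_firewall_policy_rule" "allow_dev_vpc_egress" {
  firewall_policy  = google_compute_firewall_policy.egress_restrict.id
  priority         = 1000
  action           = "allow"
  direction        = "EGRESS"
  description      = "Permit egress from dev-vpc to 10.58.5.0/24"
  target_resources = [local.dev_vpc]
  enable_logging   = true

  match {
    dest_ip_ranges = ["10.58.5.0/24"]
    layer4_configs {
      ip_protocol = "all"
    }
  }
}

# Catch-all deny. With no target_resources the rule applies to every VPC under
# the folder, which is what enforces "only from dev-vpc". Hierarchical policy
# rules are evaluated before VPC-level firewall rules, so a project-level allow
# rule cannot override this deny.
resource "google_compute_firewall_policy_rule" "deny_all_egress" {
  firewall_policy = google_compute_firewall_policy.egress_restrict.id
  priority        = 2000
  action          = "deny"
  direction       = "EGRESS"
  description     = "Deny all other egress under the folder"
  enable_logging  = true

  match {
    dest_ip_ranges = ["0.0.0.0/0"]
    layer4_configs {
      ip_protocol = "all"
    }
  }
}

# Attaching the policy to the folder makes it apply to all current and future
# projects and VPCs beneath it, which is the "minimal maintenance" part.
resource "google_compute_firewall_policy_association" "folder_assoc" {
  name              = "restrict-egress-assoc"
  firewall_policy   = google_compute_firewall_policy.egress_restrict.id
  attachment_target = local.folder_id
}
```

Two practical checks before applying this in a real folder: the deny rule blocks every other egress destination for every VPC under the folder, so stage it with logging enabled and review the denied flows first, and confirm that the placeholder network self link resolves to the actual dev-vpc resource in the owning project, since a mistyped target means the allow rule matches nothing and the deny rule wins.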