Module 3: Securing Communications and Establishing Boundary Protection
Looking for ‘Preparing for Your Professional Cloud Security Engineer Journey Module 3 Answers’?
In this post, I provide complete, accurate, and detailed explanations for the answers to Module 3: Securing Communications and Establishing Boundary Protection of Course 1: Preparing for Your Professional Cloud Security Engineer Journey – Preparing for Google Cloud Certification: Cloud Security Engineer Professional Certificate.
Whether you’re preparing for quizzes or brushing up on your knowledge, these insights will help you master the concepts effectively. Let’s dive into the correct answers and detailed explanations for each question!
Diagnostic questions
Practice Assignment
1. Cymbal Bank has published an API that internal teams will use through the Application Load Balancer. You need to limit the API usage to 200 calls every hour. Any exceeding usage should inform the users that servers are busy. Which gcloud command would you run to throttle the load balancing for the given specification?
- gcloud compute security-policies rules create priority --security-policy sec-policy --src-ip-ranges=source-range --action=throttle --rate-limit-threshold-count=200 --rate-limit-threshold-interval-sec=3600 --conform-action=allow --exceed-action=deny-429 --enforce-on-key=HTTP-HEADER ✅
- gcloud compute security-policies rules create priority --security-policy sec-policy --src-ip-ranges="<source range>" --action=rate-based-ban --rate-limit-threshold-count=200 --rate-limit-threshold-interval-sec=3600 --conform-action=allow --exceed-action=deny-500 --enforce-on-key=IP
- gcloud compute security-policies rules create priority --security-policy sec-policy --src-ip-ranges=source-range --action=rate-based-ban --rate-limit-threshold-count=200 --rate-limit-threshold-interval-sec=3600 --conform-action=deny --exceed-action=deny-403 --enforce-on-key=HTTP-HEADER
- gcloud compute security-policies rules create priority --security-policy sec-policy --src-ip-ranges=source-range --action=throttle --rate-limit-threshold-count=200 --rate-limit-threshold-interval-sec=60 --conform-action=deny --exceed-action=deny-404 --enforce-on-key=HTTP-HEADER
Explanation:
This command creates a Google Cloud Armor security policy rule that throttles a client once it exceeds 200 requests in a 3600-second (one hour) window; requests within the limit are allowed, and excess requests receive HTTP 429 (Too Many Requests), which tells users the servers are busy.
2. Cymbal Bank is releasing a new loan management application using a Compute Engine managed instance group. External users will connect to the application using a domain name or IP address protected with TLS 1.2. A load balancer already hosts this application and preserves the source IP address. You are tasked with setting up the SSL certificate for this load balancer. What should you do?
- Import a self-managed SSL certificate. Attach a global static external IP address to the external proxy Network Load Balancer. Validate that an existing URL map will route the incoming service to your managed instance group backend. Load your certificate and create a TCP proxy routing to your URL map. Create a global forwarding rule that routes incoming requests to the proxy.
- Import a self-managed SSL certificate. Attach a global static external IP address to the external proxy Network Load Balancer. Validate that an existing URL map will route the incoming service to your managed instance group backend. Load your certificate and create an SSL proxy routing to your URL map.
- Create a global forwarding rule that routes incoming requests to the proxy. Create a Google-managed SSL certificate. Attach a global dynamic external IP address to the internal Application Load Balancer. Validate that an existing URL map will route the incoming service to your managed instance group backend. Load your certificate and create an HTTPS proxy routing to your URL map. Create a global forwarding rule that routes incoming requests to the proxy.
- Create a Google-managed SSL certificate. Attach a global static external IP address to the global external Application Load Balancer. Validate that an existing URL map will route the incoming service to your managed instance group backend. Load your certificate and create an HTTPS proxy routing to your URL map. Create a global forwarding rule that routes incoming requests to the proxy. ✅
Explanation:
Use a Google-managed SSL certificate with a global external Application Load Balancer: attach a global static external IP address, confirm the URL map routes to the managed instance group backend, create an HTTPS target proxy that uses the certificate and URL map, and add a global forwarding rule that sends incoming requests to that proxy.
3. Your organization has a website running on Compute Engine. This instance only has a private IP address. You need to provide SSH access to an on-premises developer who will debug the website from the authorized on-premises location only. How do you enable this?
- Set up Cloud VPN. Set up an unencrypted tunnel to one of the hosts in the network. Create outbound or egress firewall rules.
- Use the private IP address to log in using a gcloud ssh command. Use SOCKS proxy over SSH. Set up an SSH tunnel to one of the hosts in the network. Create the SOCKS proxy on the client side.
- Use Identity-Aware Proxy (IAP). Set up IAP TCP forwarding by creating ingress firewall rules on port 22 for TCP using the gcloud command. ✅
- Use the default VPC’s firewall. Open port 22 for TCP protocol using the Google Cloud Console.
Explanation:
IAP TCP forwarding allows you to connect to VMs with only private IPs securely from authorized locations.
4. You have recently joined Cymbal Bank as a cloud engineer. You created a custom VPC network, selecting to use the automatic subnet creation mode and nothing else. The default network still exists in your project. You create a new Linux VM instance and select the custom VPC as the network interface. You try to SSH into your instance, but you are getting a “connection failed” error. What answer best explains why you cannot SSH into the instance?
- You should have deleted the default network. When you have multiple VPCs in your project, Compute Engine can’t allow you to connect because overlapping IP ranges prevent the API from establishing a root connection.
- You did not set up any firewall rules on your custom VPC network. While the default VPC comes with a predefined firewall rule that allows SSH traffic, these need to be added to any custom VPCs. ✅
- You should have used the default network when setting up your instance. While custom networks support instance creation, they should only be used for internal communication.
- You should have used custom subnet creation mode. Since the default VPC still exists, automatic mode created subnets in the same regions, which led to overlapping IP addresses.
Explanation:
A custom VPC network is created without the pre-populated firewall rules that the default network has (such as default-allow-ssh), so ingress on TCP port 22 is blocked until you add a rule yourself.
5. Cymbal Bank needs to connect its employee MongoDB database to a new human resources web application on the same network. Both the database and the application are autoscaled with the help of Instance templates. As the Security Administrator and Project Editor, you have been tasked with allowing the application to read port 27017 on the database. What should you do?
- Create service accounts for the application and database. Create a firewall rule using: gcloud compute firewall-rules create ALLOW_MONGO_DB --network network-name --allow ICMP:27017 --source-service-accounts web-application-service-account --target-service-accounts database-service-account
- Create service accounts for the application and database. Create a firewall rule using: gcloud compute firewall-rules create ALLOW_MONGO_DB --network network-name --allow TCP:27017 --source-service-accounts web-application-service-account --target-service-accounts database-service-account
- Create a user account for the database admin and a service account for the application. Create a firewall rule using: gcloud compute firewall-rules create ALLOW_MONGO_DB --network network-name --allow TCP:27017 --source-service-accounts web-application-service-account --target-service-accounts database-admin-user-account
- Create user accounts for the application and database. Create a firewall rule using: gcloud compute firewall-rules create ALLOW_MONGO_DB --network network-name --deny UDP:27017 --source-service-accounts web-application-user-account --target-service-accounts database-admin-user-account
6. Cymbal Bank has designed an application to detect credit card fraud that will analyze sensitive information. The application that’s running on a Compute Engine instance is hosted in a new subnet on an existing VPC. Multiple teams who have access to other VMs in the same VPC must access the VM. You want to configure the access so that unauthorized VMs or users from the internet can’t access the fraud detection VM. What should you do?
- Use target filtering. Create a tag called ‘app’, and assign the tag to both the source and the target. Create a firewall rule to allow all ingress communication on this tag.
- Use target filtering. Create two tags called ‘app’ and ‘data’. Assign the ‘app’ tag to the Compute Engine instance hosting the Fraud Detection App (source), and assign the ‘data’ tag to the other Compute Engine instances (target). Create a firewall rule to allow all ingress communication on this tag.
- Use subnet isolation. Create a service account for the fraud detection VM. Create one service account for all the teams’ Compute Engine instances that will access the fraud detection VM. Create a new firewall rule using: gcloud compute firewall-rules create ACCESS_FRAUD_ENGINE --network <network name> --allow TCP:80 --source-service-accounts <one service account for all teams> --target-service-accounts <fraud detection engine’s service account>
- Use subnet isolation. Create a service account for the fraud detection engine. Create service accounts for each of the teams’ Compute Engine instances that will access the engine. Add a firewall rule using: gcloud compute firewall-rules create ACCESS_FRAUD_ENGINE --network <network name> --allow TCP:80 --source-service-accounts <list of service accounts> --target-service-accounts <fraud detection engine’s service account> ✅
Explanation:
Filtering on service accounts gives precise, identity-based control: only instances running as one of the listed team service accounts can reach TCP port 80 on the fraud detection VM, and instances from the internet or other VMs in the VPC that lack those identities are denied.
7. The data from Cymbal Bank’s loan applicants resides in a shared VPC. A credit analysis team uses a CRM tool hosted in the App Engine standard environment. You need to provide credit analysts with access to this data. You want the charges to be incurred by the credit analysis team. What should you do?
- Add egress firewall rules to allow SSH and/or RDP ports for the App Engine standard environment in the Shared VPC network. Create a client-side connector in the Service Project using the IP range of the target VPC. Verify that the connector is in a READY state. Create an egress rule on the Shared VPC network to allow the connector using Network Tags or IP ranges.
- Add egress firewall rules to allow TCP and UDP ports for the App Engine standard environment in the Shared VPC network. Create either a client-side connector in the Service Project or a server-side connector in the Host Project using the IP Range or Project ID of the target VPC. Verify that the connector is in a READY state. Create an egress rule on the Shared VPC network to allow the connector using Network Tags or IP ranges.
- Add ingress firewall rules to allow NAT and Health Check ranges for the App Engine standard environment in the Shared VPC network. Create a client-side connector in the Service Project using the Shared VPC Project ID. Verify that the connector is in a READY state. Create an ingress rule on the Shared VPC network to allow the connector using Network Tags or IP ranges.
- Add ingress firewall rules to allow NAT and Health Check ranges for App Engine standard environment in the Shared VPC network. Create a server-side connector in the Host Project using the Shared VPC Project ID. Verify that the connector is in a READY state. Create an ingress rule on the Shared VPC network to allow the connector using Network Tags or IP ranges.
Explanation:
App Engine standard reaches resources in a Shared VPC through a VPC connector; creating the connector in the service project keeps the connector charges with the credit analysis team rather than the host project.
8. Cymbal Bank’s Customer Details API runs on a Compute Engine instance with only an internal IP address. Cymbal Bank’s new branch is co-located outside the Google Cloud points-of-presence (PoPs) and requires a low-latency way for its on-premises apps to consume the API without exposing the requests to the public internet. Which solution would you recommend?
- Use Carrier Peering. Use a service provider to access their enterprise grade infrastructure to connect to the Google Cloud environment.
- Use Partner Interconnect. Use a service provider to access their enterprise grade infrastructure to connect to the Google Cloud environment. ✅
- Use Dedicated Interconnect. Establish direct peering with one of Google’s nearby edge-enabled PoPs.
- Use a Content Delivery Network (CDN). Establish direct peering with one of Google’s nearby edge-enabled PoPs.
Explanation:
- Since the instance only has an internal IP and the traffic must not traverse the public internet, Partner Interconnect provides low-latency, private connectivity through a supported service provider, which suits a co-located facility outside Google’s PoPs.
- Carrier Peering does not allow access to internal IPs.
- Dedicated Interconnect is a more expensive and complex option, typically used by larger enterprises with their own data centers.
- A CDN is irrelevant here because it caches content for external users; it does not carry private internal traffic.
9. An external audit agency needs to perform a one-time review of Cymbal Bank’s Google Cloud usage. The auditors should be able to access a Default VPC containing BigQuery, Cloud Storage, and Compute Engine instances where all the usage information is stored. You have been tasked with enabling the access from their on-premises environment, which already has a configured VPN. What should you do?
- Use a Cloud VPN tunnel. Use Cloud DNS to create DNS zones and records for *.googleapis.com. Set up on-premises routing with Cloud Router. Use Cloud Router custom route advertisements to announce routes for Google Cloud destinations. ✅
- Use Dedicated Interconnect. Configure a VLAN in the auditor’s on-premises environment. Use Cloud DNS to create DNS zones and records for restricted.googleapis.com and private.googleapis.com. Set up on-premises routing with Cloud Router. Add custom static routes in the VPC to connect individually to BigQuery, Cloud Storage, and Compute Engine instances.
- Use Partner Interconnect. Configure an encrypted tunnel in the auditor’s on-premises environment. Use Cloud DNS to create DNS zones and A records for private.googleapis.com.
- Use a Cloud VPN tunnel. Use your DNS provider to create DNS zones and records for private.googleapis.com. Connect the DNS provider to your on-premises network. Broadcast the request from the on-premises environment. Use a software-defined firewall to manage incoming and outgoing requests.
Explanation:
- Since the VPN is already configured, it makes sense to use Cloud VPN and Cloud Router to propagate routes.
- Cloud DNS is used to resolve Google APIs through private or restricted IPs, so you need zones and records for *.googleapis.com.
- This is the most straightforward and cost-effective solution for a temporary access setup.
10. An ecommerce portal uses Google Kubernetes Engine to deploy its recommendation engine in Docker containers. This cluster instance does not have an external IP address. You need to provide internet access to the pods in the Kubernetes cluster. What configuration would you add?
- Nginx load balancer, subnet secondary IP address range for nodes, and subnet secondary IP address range for pods and services in the cluster
- Cloud VPN, subnet secondary IP address range for nodes, and subnet secondary IP address range for pods and services in the cluster
- Cloud NAT gateway, subnet primary IP address range for nodes, and subnet secondary IP address range for pods and services in the cluster ✅
- Cloud DNS, subnet primary IP address range for nodes, and subnet secondary IP address range for pods and services in the cluster
Explanation:
- Cloud NAT provides outbound internet access for resources that have no external IP addresses, such as the nodes and pods of a private GKE cluster, without making them reachable from the internet.
- A VPC-native GKE cluster needs a primary subnet range for the nodes and secondary (alias) ranges for pods and services.
Knowledge Check
Practice Assignment
11. Which tool will Cymbal Bank use to enforce authentication and authorization for services deployed to Google Cloud?
- Identity-Aware Proxy ✅
- Application Load Balancer
- Google Cloud Armor
- Firewall rules
Explanation:
- Identity-Aware Proxy (IAP) is the Google Cloud service used to control access to web applications and VMs by enforcing identity-based authentication and authorization.
- It integrates with Google Identity or OAuth2 providers and enforces Zero Trust access.
12. How will Cymbal Bank enable resources with only internal IP addresses to make requests to the Internet?
- Shared VPC
- Dedicated Interconnect
- Google private access
- Cloud NAT ✅
Explanation:
- Cloud NAT (Network Address Translation) allows VMs or containers without external IPs to access the internet (e.g., for updates or API calls) without being directly accessible from the outside.
- It’s the recommended solution for private workloads requiring egress to the internet.