8/22/23, 9:08 AM PCSE Week 3 (Network security) - Quiz

PCSE Week 3 (Network security) - Quiz


Total points 15/16

This quiz covers the topics from the prior week's coursework. Your identity is not tracked:
this quiz is for practice and self-assessment.

Note that questions on the actual exam will not often be simple knowledge recall.

Which of the following does not represent an attack on the network? 1/1

SYN flood

Denial Of Service

NMAP Scan

Brute force

Feedback

NMAP is a relatively harmless utility for network mapping. It's not a direct attack tool.


You have defined subnets in a VPC within Google Cloud Platform. You need
multiple projects to create Compute Engine instances with IP addresses
from these subnets. What should you do? 1/1

Configure Cloud VPN between the projects.

Use Shared VPC to share the subnets with the other projects.

Change the VPC subnets to enable private Google access.

Set up VPC peering between all related projects.

You are designing a new VPC network that will route traffic to networks in
your company’s private data center. You want to ensure that your VPC can
support high availability in the future. The data center team requires you to
use a routing protocol that can dynamically fail over if there is a link failure
in the data center. Your management requires your design to use only
native cloud services. Which routing protocol should you use? 1/1

BGP

RIP

OSPF

Static routing


Your new project currently requires 5 gigabits per second (Gbps) of egress
traffic from your Google Cloud environment to your company’s private data
center, but may scale up to 80 Gbps of traffic in the future. You do not have
any public addresses to use. Your company is looking for the most cost
effective long-term solution. Which type of connection should you use? 1/1

Carrier Peering

Partner Interconnect

Dedicated Interconnect

A single Virtual Private Network (VPN) tunnel

Choose the two ways that Google Cloud Platform helps mitigate the risk of
DDoS for its customers (choose 2): 1/1

Network capacity many times that of any load

Google Front End, which mitigates and absorbs many Layer 4 and below
attacks, such as SYN floods, IP fragment floods, port exhaustion, etc.

Servers that have no external access

The Google Blacklist API is included with each project


Users are reporting an outage on your public-facing application that is
hosted on Compute Engine. You suspect that a recent change to your
firewall rules is responsible. You need to test whether your firewall rules are
working properly. What should you do? 1/1

Connect to a bastion host in your VPC. Use a network traffic analyzer to determine
at which point your requests are being blocked.

Enable Firewall Rules Logging on the latest rules that were changed. Use Logs
Explorer to analyze whether the rules are working correctly.

In a pre-production environment, disable all firewall rules individually to determine
which one is blocking user traffic.

Enable VPC Flow Logs in your VPC. Use Logs Explorer to analyze whether the rules
are working correctly.

A customer wants to run a batch processing system on VMs and store the
output files in a Cloud Storage bucket. The networking and security teams
have decided that no VMs may reach the public internet.

How should this be accomplished? 0/1

Create a firewall rule to block internet traffic from the VM.

Provision a NAT Gateway to access the Cloud Storage API endpoint.

Enable Private Google Access on the subnet level.

Mount a Cloud Storage bucket as a local filesystem on every VM.

Enable Private Google Access on the VPC level.

Correct answer

Enable Private Google Access on the subnet level.


Which type of load balancer should you use to maintain client IP by default
while using the standard network tier? 1/1

SSL Proxy

TCP Proxy

Internal TCP/UDP

TCP/UDP Network

Feedback

Proxy-based load balancers do not preserve client IP. Internal TCP/UDP LB cannot be set
up with standard network tier
(https://cloud.google.com/network-tiers/docs/overview#premium_tier_and_standard_tier_summary).

A customer needs to launch a 3-tier internal web application on Google
Cloud Platform (GCP). The customer’s internal compliance requirements
dictate that end-user access may only be allowed if the traffic seems to
originate from a specific known good CIDR. The customer accepts the risk
that their application will only have SYN flood DDoS protection. They want
to use GCP’s native SYN flood protection.

Which product should be used to meet these requirements? 1/1

VPC Firewall Rules

Cloud Identity and Access Management

Cloud Armor

Cloud CDN


Your company has deployed an application on Compute Engine. The
application is accessible by clients on port 587. You need to balance the
load between the different instances running the application. The
connection should be secured using TLS, and terminated by the Load
Balancer.

What type of Load Balancing should you use? 1/1

Network Load Balancing

HTTP(S) Load Balancing

TCP Proxy Load Balancing

SSL Proxy Load Balancing

You are a member of your company’s security team. You have been asked
to reduce your Linux bastion host external attack surface by removing all
public IP addresses. Site Reliability Engineers (SREs) require access to the
bastion host from public locations so they can access the internal VPC
while off-site. How should you enable this access? 1/1

Implement Cloud VPN for the region where the bastion host lives.

Implement OS Login with 2-step verification for the bastion host.

Implement Identity-Aware Proxy TCP forwarding for the bastion host.

Implement Google Cloud Armor in front of the bastion host.

Feedback

https://cloud.google.com/architecture/building-internet-connectivity-for-private-vms


An engineering team is launching a web application that will be public on
the internet. The web application is hosted in multiple GCP regions and will
be directed to the respective backend based on the URL request. Your team
wants to deny traffic from a specific list of malicious IP addresses. Which
solution should your team implement to meet these requirements? 1/1

Cloud Armor

Network Load Balancing

SSL Proxy Load Balancing

NAT Gateway

A customer has an analytics workload running on Compute Engine that
should have limited internet access.

Your team created an egress firewall rule to deny (priority 1000) all traffic
to the internet.

The Compute Engine instances now need to reach out to the public
repository to get security updates.

What should your team do? 1/1

Create an egress firewall rule to allow traffic to the CIDR range of the repository
with a priority greater than 1000.

Create an egress firewall rule to allow traffic to the CIDR range of the repository
with a priority less than 1000.

Create an egress firewall rule to allow traffic to the hostname of the repository with
a priority greater than 1000.

Create an egress firewall rule to allow traffic to the hostname of the repository with
a priority less than 1000.


A customer is collaborating with another company to build an application
on Compute Engine. The customer is building the application tier in their
GCP Organization, and the other company is building the storage tier in a
different GCP Organization. This is a 3-tier web application.
Communication between portions of the application must not traverse the
public internet by any means.

Which connectivity option should be implemented? 1/1

VPC peering

Cloud VPN

Cloud Interconnect

Shared VPC

A large e-retailer is moving to Google Cloud Platform with its ecommerce
website. The company wants to ensure payment information is encrypted
between the customer’s browser and GCP when the customers check out
online.

What should they do? 1/1

Configure an SSL Certificate on a Network TCP Load Balancer and require
encryption.

Configure an SSL Certificate on an L7 Load Balancer and require encryption.

Configure the firewall to allow outbound traffic on port 443, and block all other
outbound traffic.

Configure the firewall to allow inbound traffic on port 443, and block all other
inbound traffic.


Your team sets up a Shared VPC Network where project co-vpc-prod is the
host project. Your team has configured the firewall rules, subnets, and VPN
gateway on the host project. They need to enable Engineering Group A to
attach a Compute Engine instance to only the 10.1.1.0/24 subnet.

What should your team grant to Engineering Group A to meet this
requirement? 1/1

Compute Network User Role at the host project level.

Compute Network User Role at the subnet level.

Compute Shared VPC Admin Role at the host project level.

Compute Shared VPC Admin Role at the service project level.
