Topic: Google Security Engineer topic 1 question 179

You need to set up a Cloud Interconnect connection between your company’s on-premises data center and VPC host network. You want to make sure that on-premises applications can only access Google APIs over the Cloud Interconnect and not through the public internet. You are required to only use APIs that are supported by VPC Service Controls to mitigate against exfiltration risk to non-supported APIs. How should you configure the network?

A.
Enable Private Google Access on the regional subnets and global dynamic routing mode.
B.
Create a CNAME to map *.googleapis.com to restricted.googleapis.com, and create A records for restricted.googleapis.com mapped to 199.36.153.8/30.
C.
Use private.googleapis.com to access Google APIs using a set of IP addresses only routable from within Google Cloud, which are advertised as routes over the connection.
D.
Use restricted.googleapis.com to access Google APIs using a set of IP addresses only routable from within Google Cloud, which are advertised as routes over the Cloud Interconnect connection.

Re: Google Security Engineer topic 1 question 179

This is a repeated question

Re: Google Security Engineer topic 1 question 179

D is correct,
A - doesn't address the issue
B - Looks good, but for the restricted API the subnet address will be 199.36.153.4/30, not 8/30
C - wrong
D - everything looks good
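A check a practitioner would run from the on-premises side once option D is in place: every googleapis.com name the applications use must resolve into the restricted.googleapis.com VIP range 199.36.153.4/30 (the range that is advertised over the Interconnect), and never into a public Google address or the private.googleapis.com range 199.36.153.8/30 that the reply above distinguishes. This is an added example, not code from any poster or from Google; the two VIP ranges are the documented ones, the resolver answers in SAMPLE_ANSWERS are constructed to show each failure mode, and the live lookup path is an optional hook that only runs when the script is started with `--live`.

```python
"""Verify that googleapis.com names resolve into the restricted VIP (199.36.153.4/30).

Added example for the thread above, not from the original posters.
SAMPLE_ANSWERS is constructed: one host per outcome an auditor should expect.
"""
import socket
import sys
import ipaddress
from typing import Dict, List

# Documented Google VIP ranges (see the hybrid Private Google Access docs).
RESTRICTED_VIP = ipaddress.ip_network("199.36.153.4/30")  # restricted.googleapis.com
PRIVATE_VIP = ipaddress.ip_network("199.36.153.8/30")     # private.googleapis.com

# Constructed resolver answers, as an on-prem DNS client might see them.
SAMPLE_ANSWERS: Dict[str, List[str]] = {
    "storage.googleapis.com": ["199.36.153.4", "199.36.153.5",
                               "199.36.153.6", "199.36.153.7"],  # correct
    "bigquery.googleapis.com": ["199.36.153.8"],                 # private VIP, wrong for this requirement
    "compute.googleapis.com": ["142.250.80.106"],                # public address: would go via the internet
    "pubsub.googleapis.com": [],                                 # no answer at all
}


def classify(ip: str) -> str:
    """Map one resolved address to the path it implies."""
    addr = ipaddress.ip_address(ip)
    if addr in RESTRICTED_VIP:
        return "restricted"
    if addr in PRIVATE_VIP:
        return "private"
    return "public"


def audit(answers: Dict[str, List[str]]) -> Dict[str, str]:
    """Return a verdict per hostname; a host passes only if every answer is in the restricted VIP."""
    verdicts = {}
    for host, ips in answers.items():
        kinds = {classify(ip) for ip in ips}
        if not ips:
            verdicts[host] = "FAIL: no answer (wildcard CNAME or A records missing)"
        elif kinds == {"restricted"}:
            verdicts[host] = "OK"
        elif "public" in kinds:
            verdicts[host] = "FAIL: public address, traffic would leave via the internet"
        else:
            verdicts[host] = "FAIL: private.googleapis.com VIP, not limited to VPC Service Controls APIs"
    return verdicts


def all_restricted(answers: Dict[str, List[str]]) -> bool:
    """True only when every audited host resolves exclusively into 199.36.153.4/30."""
    return all(v == "OK" for v in audit(answers).values())


def resolve_live(hosts: List[str]) -> Dict[str, List[str]]:
    """Optional: ask the local resolver for real answers (only used with --live)."""
    out: Dict[str, List[str]] = {}
    for host in hosts:
        try:
            infos = socket.getaddrinfo(host, 443, type=socket.SOCK_STREAM)
            out[host] = sorted({info[4][0] for info in infos})
        except socket.gaierror:
            out[host] = []
    return out


if __name__ == "__main__":
    answers = resolve_live(list(SAMPLE_ANSWERS)) if "--live" in sys.argv else SAMPLE_ANSWERS
    for host, verdict in audit(answers).items():
        print(f"{host:28s} {verdict}")
    sys.exit(0 if all_restricted(answers) else 1)
```

Run it without arguments to see the four verdicts on the constructed data; with `--live` on an on-premises host it audits the real resolver, and a non-zero exit means at least one API name would not stay on the Interconnect path.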

Re: Google Security Engineer topic 1 question 179

D, use restricted.googleapis.com.

https://cloud.google.com/vpc/docs/configure-private-google-access-hybrid

Re: Google Security Engineer topic 1 question 179

D, restricted