Win IT Exam with Last Dumps 2025

Your organization is implementing a new security policy to control how firewall rules are applied to control flows between virtual machines (VMs). Using Google-recommended practices, you need to set up a firewall rule to enforce strict control of traffic between VM A and VM B. You must ensure that communications flow only from VM A to VM B within the VPC, and no other communication paths are allowed. No other firewall rules exist in the VPC. Which firewall rule should you configure to allow only this communication path?

A. Firewall rule direction: ingress

Action: allow -

Target: VM B service account -
Source ranges: VM A service account
Priority: 1000 B. Firewall rule direction: ingress

Action: allow -

Target: specific VM B tag -
Source ranges: VM A tag and VM A source IP address
Priority: 1000 C. Firewall rule direction: ingress

Action: allow -

Target: VM A service account -
Source ranges: VM B service account and VM B source IP address
Priority: 100 D. Firewall rule direction: ingress

Action: allow -

Target: specific VM A tag -
Source ranges: VM B tag and VM B source IP address
Priority: 100

You have configured a service on Google Cloud that connects to an on-premises service via a Dedicated Interconnect. Users are reporting recent connectivity issues. You need to determine whether the traffic is being dropped because of firewall rules or a routing decision. What should you do?

A. Use the Network Intelligence Center Connectivity Tests to test the connectivity between the VPC and the on-premises network. B. Use Network Intelligence Center Network Topology to check the traffic flow, and replay the traffic from the time period when the connectivity issue occurred. C. Configure VPC Flow Logs. Review the logs by filtering on the source and destination. D. Configure a Compute Engine instance on the same VPC as the service running on Google Cloud to run a traceroute targeted at the on-premises service.

You are configuring a new HTTP application that will be exposed externally behind both IPv4 and IPv6 virtual IP addresses, using ports 80, 8080, and 443. You will have backends in two regions: us-west1 and us-east1. You want to serve the content with the lowest-possible latency while ensuring high availability and autoscaling, and create native content-based rules using the HTTP hostname and request path. The IP addresses of the clients that connect to the load balancer need to be visible to the backends. Which configuration should you use?

A. Use Network Load Balancing B. Use TCP Proxy Load Balancing with PROXY protocol enabled C. Use External HTTP(S) Load Balancing with URL Maps and custom headers D. Use External HTTP(S) Load Balancing with URL Maps and an X-Forwarded-For header

Your team is developing an application that will be used by consumers all over the world. Currently, the application sits behind a global external application load balancer. You need to protect the application from potential application-level attacks. What should you do?

A. Enable Cloud CDN on the backend service. B. Create multiple firewall deny rules to block malicious users, and apply them to the global external application load balancer. C. Create a Google Cloud Armor security policy with web application firewall rules, and apply the security policy to the backend service D. Create a VPC Service Controls perimeter with the global external application load balancer as the protected service, and apply it to the backend service.

You are reviewing and tuning Secure Web Proxy at your organization, Mount Kirk Games. Users have reported that they are unable to reach the documents they need on the Terram Earth website (https://www.terramearth.com/docs/*). The Secure Web Proxy rules configuration is as follows:

You need to enable access to these documents. What should you do?

A. Delete the updates-limiter rule. B. Modify the updates-1 rule to perform the TLS inspection. C. Review Cloud Logging for errors with Cloud NAT. If there are no errors, assign the VM a public IP address. D. Modify the priority of the updates-limiter rule to 1000.

You are responsible for designing a new connectivity solution for your organization's enterprise network to access and use Google Workspace. You have an existing Shared VPC with Compute Engine instances in us-west1. Currently, you access Google Workspace via your service provider's internet access. You want to set up a direct connection between your network and Google. What should you do?

A. Order a Dedicated Interconnect connection in the same metropolitan area. Create a VLAN attachment, a Cloud Router in us-west1, and a Border Gateway Protocol (BGP) session between your Cloud Router and your router. B. Order a Direct Peering connection in the same metropolitan area. Configure a Border Gateway Protocol (BGP) session between Google and your router. C. Configure HA VPN in us-west1. Configure a Border Gateway Protocol (BGP) session between your Cloud Router and your on-premises data center. D. Order a Carrier Peering connection in the same metropolitan area. Configure a Border Gateway Protocol (BGP) session between Google and your router.

You suspect that one of the virtual machines (VMs) in your default Virtual Private Cloud (VPC) is under a denial-of-service attack. You need to analyze the incoming traffic for the VM to understand where the traffic is coming from. What should you do?

A. Enable Data Access audit logs of the VPC. Analyze the logs and get the source IP addresses from the subnetworks.get field. B. Enable VPC Flow Logs for the subnet. Analyze the logs and get the source IP addresses from the connection field. C. Enable VPC Flow Logs for the VPAnalyze the logs and get the source IP addresses from the src_location field. D. Enable Data Access audit logs of the subnet. Analyze the logs and get the source IP addresses from the networks.get field.

You are responsible for configuring firewall policies for your company in Google Cloud. Your security team has a strict set of requirements that must be met to configure firewall rules.
• Always allow Secure Shell (SSH) from your corporate IP address.
• Restrict SSH access from all other IP addresses.
There are multiple projects and VPCs in your Google Cloud organization. You need to ensure that other VPC firewall rules cannot bypass the security team’s requirements. What should you do?

A. 1. Configure a hierarchical firewall policy to the organization node to allow TCP port 22 for your corporate IP address with priority 0.
2. Configure a hierarchical firewall policy to the organization node to deny TCP port 22 for all IP addresses with priority 1. B. 1. Configure a VPC firewall rule to allow TCP port 22 for your corporate IP address with priority 0.
2. Configure a VPC firewall rule to deny TCP port 22 for all IP addresses with priority 1. C. 1. Configure a VPC firewall rule to allow TCP port 22 for your corporate IP address with priority 1.
2. Configure a VPC firewall rule to deny TCP port 22 for all IP addresses with priority 0. D. 1. Configure a hierarchical firewall policy to the organization node to allow TCP port 22 for your corporate IP address with priority 1
2. Configure a hierarchical firewall policy to the organization node to deny TCP port 22 for all IP addresses with priority 0.

You are designing a new application that has backends internally exposed on port 800. The application will be exposed externally using both IPv4 and IPv6 via TCP on port 700. You want to ensure high availability for this application. What should you do?

A. Create a network load balancer that used backend services containing one instance group with two instances. B. Create a network load balancer that uses a target pool backend with two instances. C. Create a TCP proxy that uses a zonal network endpoint group containing one instance. D. Create a TCP proxy that uses backend services containing an instance group with two instances.

You have several microservices running in a private subnet in an existing Virtual Private Cloud (VPC). You need to create additional serverless services that use Cloud Run and Cloud Functions to access the microservices. The network traffic volume between your serverless services and private microservices is low. However, each serverless service must be able to communicate with any of your microservices. You want to implement a solution that minimizes cost. What should you do?

A. Deploy your serverless services to the serverless VPC. Peer the serverless service VPC to the existing VPC. Configure firewall rules to allow traffic between the serverless services and your existing microservices. B. Create a serverless VPC access connector for each serverless service. Configure the connectors to allow traffic between the serverless services and your existing microservices. C. Deploy your serverless services to the existing VPConfigure firewall rules to allow traffic between the serverless services and your existing microservices. D. Create a serverless VPC access connector. Configure the serverless service to use the connector for communication to the microservices.