Your organization uses Cloud Run services in multiple projects under a non-production folder. These services primarily communicate internally, but some require external access to specific approved FQDNs while blocking all other external traffic. Internal applications must not be exposed externally. You need to implement granular control where allowlists for specific FQDNs override broader restrictions, but only within designated VPCs. What should you do?

Exam-Like

Implement a global-level allowlist rule for the necessary FQDNs within a hierarchical firewall policy. Apply this policy across all VPCs in the organization and configure Cloud NAT without any additional filtering.

Create a folder-level deny-all rule for outbound traffic within a hierarchical firewall policy. Define FQDN allowlist rules in separate policies and associate them with the necessary VPCs. Configure Cloud NAT for these VPCs.

Create a project-level deny-all rule within a hierarchical structure and apply it broadly. Override this rule with separate FQDN allowlists defined in VPC-level firewall policies associated with the relevant VPCs.

Configure Cloud NAT with IP-based filtering to permit outbound traffic only to the allowlist d FQDNs' IP ranges. Apply Cloud NAT uniformly to all VPCs within the organization's folder structure.

Google Professional Cloud Security Engineer

Get started today

Comments