
Answer-first summary for fast verification
Answer: Create separate VPC networks for each tier. Use VPC peering between application tiers and other required VPCs. Enable Identity-Aware Proxy (IAP) for remote access to management resources, limiting access to authorized vendors.
Option C is the correct choice because it establishes strong security boundaries: separate VPC networks for each tier isolate the tiers from one another and reduce the risk of lateral movement, while VPC peering allows only the required communication between tiers without collapsing that isolation. Identity-Aware Proxy (IAP) provides secure remote access for third-party vendors by requiring authentication and authorization for every connection, in line with the principle of least privilege. In contrast, Option A hands vendors SSH keys and root access, which is less secure and violates least privilege. Option B grants an excessive network admin role and relies on the vendors' own VPN configuration to secure access, increasing risk. Option D gives vendors project ownership and the ability to modify the Shared VPC configuration, which is overly permissive and insecure. The community discussion, with 100% consensus and upvoted comments, supports C for its alignment with security best practices.
Author: LeetQuiz Editorial Team
You are designing the network architecture for a new 3-tier ecommerce application in Google Cloud that processes sensitive customer data. The design must establish strong security boundaries, enable secure remote maintenance for authorized third-party vendors, and adhere to the principle of least privilege. What is your recommended approach?
A
Create separate VPC networks for each tier. Use VPC peering between application tiers and other required VPCs. Provide vendors with SSH keys and root access only to the instances within the VPC for maintenance purposes.
B
Create a single VPC network and create different subnets for each tier. Create a new Google project specifically for the third-party vendors and grant the network admin role to the vendors. Deploy a VPN appliance and rely on the vendors’ configurations to secure third-party access.
C
Create separate VPC networks for each tier. Use VPC peering between application tiers and other required VPCs. Enable Identity-Aware Proxy (IAP) for remote access to management resources, limiting access to authorized vendors.
D
Create a single VPC network and create different subnets for each tier. Create a new Google project specifically for the third-party vendors. Grant the vendors ownership of that project and the ability to modify the Shared VPC configuration.
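As an added worked example (not from the page or from LeetQuiz), here is the option C design expressed as Terraform for the Google provider: one VPC per tier, peering only between adjacent tiers, SSH reachable solely from IAP's TCP-forwarding range, and vendors granted tunnel access to a single management VM. The project id, zone, the management VM name `mgmt-vm`, the vendor group address and the per-tier subnets are assumptions and are not defined by the page.

```hcl
# Added example, not from the original page. Project, zone, VM name and
# vendor group below are placeholders/assumptions.
locals {
  tiers = toset(["web", "app", "db"])
  # Peering is directional in GCP, so each pair is declared both ways.
  # There is deliberately no web<->db path.
  peerings = {
    "web-app" = ["web", "app"]
    "app-web" = ["app", "web"]
    "app-db"  = ["app", "db"]
    "db-app"  = ["db", "app"]
  }
  iap_forwarding_range = "35.235.240.0/20" # Google's IAP TCP forwarding source range
}

resource "google_compute_network" "tier" {
  for_each                = local.tiers
  name                    = "ecom-${each.key}-vpc"
  auto_create_subnetworks = false # subnets defined separately (assumed)
}

resource "google_compute_network_peering" "tier" {
  for_each     = local.peerings
  name         = "peer-${each.key}"
  network      = google_compute_network.tier[each.value[0]].self_link
  peer_network = google_compute_network.tier[each.value[1]].self_link
}

# SSH ingress is allowed only from IAP's range, never from 0.0.0.0/0.
resource "google_compute_firewall" "allow_iap_ssh" {
  for_each      = local.tiers
  name          = "allow-iap-ssh-${each.key}"
  network       = google_compute_network.tier[each.key].name
  direction     = "INGRESS"
  source_ranges = [local.iap_forwarding_range]
  target_tags   = ["iap-ssh"]
  allow {
    protocol = "tcp"
    ports    = ["22"]
  }
}

# Vendors get tunnel access to one management instance, not project-wide roles.
resource "google_iap_tunnel_instance_iam_member" "vendor" {
  project  = "PROJECT_ID_PLACEHOLDER" # assumption
  zone     = "us-central1-a"          # assumption
  instance = "mgmt-vm"                # assumption
  role     = "roles/iap.tunnelResourceAccessor"
  member   = "group:vendors@example.com" # assumption
}
```

The rejected options would surface here as a `0.0.0.0/0` SSH rule, a `roles/compute.networkAdmin` or `roles/owner` binding for the vendor group, or Shared VPC admin rights; none of those appear in this configuration, which is the point of option C.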