ExamTopics Logo
Mail Us[email protected]
Menu
Google Discussions
exam questions

Exam Professional Cloud Network Engineer All Questions

View all questions & answers for the Professional Cloud Network Engineer exam
Go to Exam

Exam Professional Cloud Network Engineer topic 1 question 84 discussion

Actual exam question from Google's Professional Cloud Network Engineer
Question #: 84
Topic #: 1
[All Professional Cloud Network Engineer Questions]

Your organization has a new security policy that requires you to monitor all egress traffic payloads from your virtual machines in region us-west2. You deployed an intrusion detection system (IDS) virtual appliance in the same region to meet the new policy. You now need to integrate the IDS into the environment to monitor all egress traffic payloads from us-west2. What should you do?

  • A. Enable firewall logging, and forward all filtered egress firewall logs to the IDS.
  • B. Enable VPC Flow Logs. Create a sink in Cloud Logging to send filtered egress VPC Flow Logs to the IDS.
  • C. Create an internal TCP/UDP load balancer for Packet Mirroring, and add a packet mirroring policy filter for egress traffic.
  • D. Create an internal HTTP(S) load balancer for Packet Mirroring, and add a packet mirroring policy filter for egress traffic.
Show Suggested Answer Hide Answer
Suggested Answer: C 🗳️
by moochai at Nov. 29, 2022, 5:04 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
moochai
Highly Voted 2 years ago
It must be C. IDS's cannot accept logs for analysis, they analyze packets. Traffic is not always going to be HTTP(S) and thereofre it is C for TCP proxy.
upvoted 12 times
AzureDP900
2 years ago
I agree with you, initially i thought it is D however I am convinced based on your inputs https://www.youtube.com/watch?v=IClLmDLAzH0&ab_channel=GoogleCloudTech
upvoted 1 times
...
...
Komal697
Highly Voted 1 year, 8 months ago
Selected Answer: B
VPC Flow Logs provide visibility into network traffic that traverses a VPC network, including traffic between VMs, traffic between VMs and Google Services, and traffic between VMs and the Internet. By enabling VPC Flow Logs and creating a sink in Cloud Logging, you can export logs to a variety of monitoring and analysis tools, including an IDS. With VPC Flow Logs, you can filter and export specific log entries based on specific attributes, including the source and destination IP addresses, ports, and protocols. In this case, you can enable VPC Flow Logs and filter for egress traffic from VMs in the us-west2 region and export them to the IDS for monitoring.
upvoted 7 times
Komal697
1 year, 8 months ago
Option A is incorrect because firewall logs only show information about traffic that matches specific firewall rules, and it doesn't provide information about all egress traffic from the VMs. Option C and D are incorrect because Packet Mirroring is a method to copy traffic from a set of source VMs to a destination for packet capture and analysis. It is used for troubleshooting, forensics, and network monitoring. However, in this case, the IDS appliance should monitor all egress traffic from VMs in the us-west2 region, not just from a set of source VMs.
upvoted 1 times
...
...
1f01b87
Most Recent 3 months ago
Selected Answer: C
C is correct
upvoted 1 times
...
kcaro
3 months, 2 weeks ago
Selected Answer: C
It is C: Because the key point is "payloads" you can only have this detail with Packet Mirroring.
upvoted 2 times
...
BenMS
11 months, 3 weeks ago
Selected Answer: C
Option C perfectly describes the recommended architecture for implementing an IDS: https://cloud.google.com/vpc/docs/packet-mirroring#use-cases
upvoted 4 times
...
johncd
11 months, 3 weeks ago
Selected Answer: C
this is about packets mirror, good practice is to setup internal lb
upvoted 3 times
...
nqthien041292
1 year, 3 months ago
Selected Answer: C
Agree with C. IDS requires at least 1 packet mirroring policy attached to it.
upvoted 4 times
...
AzureDP900
2 years ago
C is right
upvoted 2 times
...
Mikelala31
2 years ago
Answer B ttps://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/connect-your-cloud-platform-to-prisma-cloud/onboard-your-gcp-account/enable-flow-logs-for-gcp-projects
upvoted 3 times
nosense
2 years ago
wrong. read there https://cloud.google.com/vpc/docs/packet-mirroring
upvoted 2 times
...
...
ccieman2016
2 years ago
Selected Answer: C
Agree, Letter C is correct.
upvoted 5 times
...
Sola_2022
2 years ago
Answer is C. IDS requires at least 1 packet mirroring policy attached to it. https://cloud.google.com/intrusion-detection-system/docs/overvie https://cloud.google.com/vpc/docs/packet-mirroring
upvoted 5 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel