Free Google Professional Cloud Network Engineer Actual Exam Questions - Question 15 Discussion
need to control internet access from applications to URLs, including hostnames and paths. The
compute instances that run these applications have an associated secure tag. What should you do?
D imo, Cloud NAT doesn’t actually filter URLs or paths—it just manages IP translation. Plus, the secure tag is key here, not a service account, so option D seems off on both counts.
I’m thinking C here. Having a Secure Web Proxy in each region gives better control and likely reduces latency, plus it aligns well with the secure tag setup. C seems more robust than a single global proxy.
It’s B for me. A single Secure Web Proxy with global access seems simpler to manage than setting up one per region, especially if the app subset is spread out. Since the question says controlling URLs including hostnames and paths, a proxy should handle that better than firewall rules or Cloud NAT, which are mostly domain-based. Plus, option D is out because it uses service accounts instead of secure tags, and option A can’t filter by paths anyway. So, B feels like the best fit for detailed URL filtering tied to secure tags.
C Secure Web Proxy in each region makes sense for latency and regional control. Plus, it matches the secure tag requirement and should handle URLs including paths better than relying on Cloud NAT or single global proxy.
I agree that D is off since it mentions service accounts, not secure tags. Also, A uses Cloud NAT with FQDN objects in firewall rules, but I’m not sure if firewall rules can filter by paths; they usually handle domains or IPs only. That makes me doubt A for path-level filtering. Between B and C, deploying one global proxy (B) might be simpler but could introduce latency or single points of failure compared to regional proxies (C). However, I’m not clear if Secure Web Proxy policies really support path-level URL filtering or just domain-level. Anyone confirm how granular the proxy’s filtering c
Actually, D doesn't fit because it uses service accounts, not secure tags like the question requires. That eliminates D right away.
Option B seems to handle global access with a single proxy, which might simplify things, but does anyone know if Secure Web Proxy policies allow path-level control within URLs?