Google Cloud Professional Cloud Security Engineer Practice Exam


Prepare for the Google Cloud Professional Cloud Security Engineer Exam with our interactive quiz. Study with flashcards and multiple-choice questions, complete with hints and explanations. Ace your exam with confidence!



What is the recommended network design to inspect traffic between untrusted and trusted segments with a next-generation firewall?

  1. Use a single VPC with subnets

  2. Implement one VPC network with a public subnet

  3. Set up two VPC networks, one trusted and one untrusted

  4. Connect both segments through VPN

The correct answer is: Set up two VPC networks, one trusted and one untrusted

The design Google recommends for inspecting traffic with a next-generation firewall (NGFW) appliance is two VPC networks, one trusted and one untrusted, joined only by the appliance itself: a VM with one network interface in each network that forwards traffic between them. Three properties of Google Cloud networking make this the right shape.

First, VPC networks are isolated from each other by default. Without peering, a VPN or Shared VPC, the only path from the untrusted network to the trusted one is through the appliance, so every packet crossing the boundary is inspected and nothing can route around it.

Second, each network interface of a VM must attach to a different VPC network, so a multi-NIC appliance needs at least two networks in order to sit in line.

Third, inside a single VPC, traffic between subnets follows the implicit subnet routes, which take precedence over any static route you create. A single VPC with subnets (option 1) therefore cannot force subnet-to-subnet traffic through an appliance. VPC firewall rules still apply within that network, but they are distributed Layer 3/4 filters and do not provide the deep packet inspection, intrusion prevention and threat detection that an NGFW adds.

Option 2 is a distractor: Google Cloud subnets are not "public" or "private" in the sense used by other clouds, since external reachability is a property of an instance's interface, and a single network still has the routing limitation above. Option 4, connecting the segments through a VPN, gives connectivity and encryption but no inspection point; Cloud VPN tunnels are not firewalls.

In the two-network model, the untrusted network holds the appliance's externally reachable interface, the trusted network holds the workloads with internal addresses only, and a default route in the trusted network points at the appliance so that both ingress and egress pass through it. This matches Google's VPC design guidance for inserting network virtual appliances, and it is the answer the exam expects.
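As an added illustration (not part of the practice exam or of any Google sample), the following Terraform configuration builds the two-network design described above with the `google` provider: two VPC networks, a multi-NIC firewall appliance VM with `can_ip_forward` enabled, a default route in the trusted network that steers traffic to the appliance, and the VPC firewall rule the trusted side needs so workloads can reach the appliance's inner interface. The project, region, zone, CIDR ranges, machine type and appliance image are placeholders chosen for the example.

```hcl
# Added example: two VPC networks joined only by a multi-NIC NGFW appliance VM.
# Project, region, zone, CIDRs, machine type and image are assumptions.

variable "region" { default = "us-central1" }   # assumption
variable "zone"   { default = "us-central1-a" } # assumption

# Untrusted (internet-facing) VPC. auto_create_subnetworks=false so every
# subnet is explicit and no default subnets appear in every region.
resource "google_compute_network" "untrusted" {
  name                    = "untrusted-vpc"
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "untrusted" {
  name          = "untrusted-subnet"
  network       = google_compute_network.untrusted.id
  region        = var.region
  ip_cidr_range = "10.10.0.0/24" # assumption
}

# Trusted VPC. Workloads live here with internal addresses only.
resource "google_compute_network" "trusted" {
  name                    = "trusted-vpc"
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "trusted" {
  name          = "trusted-subnet"
  network       = google_compute_network.trusted.id
  region        = var.region
  ip_cidr_range = "10.20.0.0/24" # assumption
}

# Firewall appliance with one NIC in each VPC. A VM's NICs must each be in a
# different VPC network, which is why the design needs two networks.
# can_ip_forward lets the VM forward packets not addressed to itself.
resource "google_compute_instance" "ngfw" {
  name           = "ngfw-appliance"
  zone           = var.zone
  machine_type   = "n2-standard-4" # assumption
  can_ip_forward = true
  tags           = ["ngfw"]

  boot_disk {
    initialize_params {
      # assumption: a vendor NGFW image from Cloud Marketplace
      image = "projects/example-vendor/global/images/ngfw-image"
    }
  }

  # nic0: untrusted side; the only external IP in the design.
  network_interface {
    subnetwork = google_compute_subnetwork.untrusted.id
    access_config {} # ephemeral external IP
  }

  # nic1: trusted side; internal address only.
  network_interface {
    subnetwork = google_compute_subnetwork.trusted.id
  }
}

# Steer all non-local traffic in the trusted VPC to the appliance. The
# auto-created route to default-internet-gateway has priority 1000, so a
# lower number here wins. Subnet routes still take precedence for traffic
# inside the trusted VPC itself.
resource "google_compute_route" "trusted_default_via_ngfw" {
  name              = "trusted-default-via-ngfw"
  network           = google_compute_network.trusted.id
  dest_range        = "0.0.0.0/0"
  priority          = 100
  next_hop_instance = google_compute_instance.ngfw.self_link
}

# VPC firewall rules are implied-deny on ingress, so trusted workloads need
# an explicit allow to reach the appliance's inner NIC. Return traffic is
# covered by the stateful rule; flows initiated from the untrusted side toward
# workloads need their own ingress rule on the workload instances.
resource "google_compute_firewall" "trusted_to_ngfw" {
  name          = "allow-trusted-to-ngfw"
  network       = google_compute_network.trusted.id
  direction     = "INGRESS"
  source_ranges = [google_compute_subnetwork.trusted.ip_cidr_range]
  target_tags   = ["ngfw"]

  allow {
    protocol = "all"
  }
}
```

Two points worth checking after `terraform apply`: the trusted network should contain no other route to `default-internet-gateway` with a priority below 100 (otherwise egress bypasses the appliance), and workload instances in `trusted-subnet` should have no `access_config` block, so their only path out is via the appliance's `nic1`. The appliance's own policy (what it permits between its interfaces) is configured inside the vendor product and is outside what this configuration expresses.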