Practice Test 1 | Google Cloud Certified Professional Cloud Architect | Dumps | Mock Test

Correct Answer C

Feedback

C (correct answer) – Ensure that a firewall rule exists to allow load balancer health checks to reach the instances in the instance group.

HTTP health check probes are sent from the IP ranges depending on LB types used. These are IP address ranges that the load balancer uses to connect to backend instances. You must create firewall rules that allows traffic from those ranges to reach your instances

For Network load balancing

When a health check is used with Network load balancing, the health check probes come from addresses in the ranges 209.85.152.0/22, 209.85.204.0/22, and 35.191.0.0/16.

For HTTP(S). SSL proxy. TCP proxy, and Internal load balancing

When a health check is used with HTTP(S), SSL proxy, TCP proxy, or Internal load balancing, the health check probes come from addresses in the ranges 130.211.0.0/22 and 35.191.0.0/16.

A – Ensure that a firewall rule exists to allow source traffic on HTTP/HTTPS to reach the load balancer.

Firewall controls access at instance level, not load balancer. Must allow load balancer traffic to connect backend instance allowing health check

B – Create a tag on each instance with the name of the load balancer. Configure a firewall rule with the name of the load balancer as the source and the instance tag as the destination.

At this moment it is not possible to set firewall rules over the GCE Load Balancers. You need to create firewall rules that at subnet or instances level allowing specific health check IP ranges (See Answer A above), not the LB tags, to connect to all your load balanced instances.

D – Assign a public IP to each instance and configure a firewall rule to allow the load balancer to reach the instance public IP.

This is not mandatory since your LB could be Internal load balancing so instances’ external IPs may be removed