
Practice Test 4 | Google Cloud Certified Professional Cloud Architect | Dumps | Mock Test


Rules must be set to allow data traffic to database servers only from application servers, in 3 different projects: A, B, and C.
The resources of the 3 projects must be isolated from each other.
You want to organize operations in order to create simple and intuitive standards to use, which can be repeated for other projects.
In your organization, it is not necessary to provide different security for various projects.

Which of the following strategies will you choose?

A. Create 2 Firewall Rules, one in ingress and one in egress, between each Database Server and App Server using the ephemeral external IP address
B. Create 1 Firewall Rule, in ingress, between each Database Server and App Server using private IP addresses
C. Configure your Servers with appropriate Network Tags (AppVM and DBVM, for example) and create 1 Firewall Rule, in ingress, between each Database Server and App Server using these Tags
D. Configure your Servers with appropriate Network Tags (AppVM and DBVM, for example) and create 2 Firewall Rules, in ingress and egress, between each Database Server and App Server using these Tags
E. Create and assign appropriate Service Accounts and rights to the VMs and create a Firewall Rule between each Database Server and App Server using source-service-accounts and target-service-accounts

Correct Answer – C

GCP firewall rules are stateful.

  • When a connection is allowed through the firewall in either direction, return traffic matching this connection is also allowed. You cannot configure a firewall rule to deny associated response traffic.
  • Return traffic must match the 5-tuple (source IP, destination IP, source port, destination port, protocol) of the accepted request traffic, but with the source and destination addresses and ports reversed.

Options A and D are incorrect: because the rules are stateful, the response traffic from the database server is allowed automatically, so a separate egress rule is unnecessary.

A service account represents an identity associated with an instance, and only one service account can be associated with an instance. Firewall rules keyed on service accounts are therefore the best option when strict security constraints apply.

Be careful because you cannot mix and match service accounts and network tags in any firewall rules.

Option E is incorrect because it is not necessary to provide different security for the various projects, so service accounts are not required for this requirement.
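To make the reasoning behind option C and the stateful-rule bullets concrete, here is an added Python model (not code from the practice test or from Google) of a tag-based ingress rule and a stateful connection table. The VM names, IP addresses, the MySQL port 3306 and the rule priority are constructed sample values; the tags AppVM and DBVM are the ones named in the question. The model shows four things a practitioner wants to verify: the tagged app server can reach the database, the database's reply is allowed without any egress rule, an untagged VM is denied by the implied deny-ingress rule, and the database cannot itself open a connection to the app server.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vm:
    name: str
    ip: str
    tags: frozenset


@dataclass(frozen=True)
class Rule:
    """A VPC firewall rule matched on network tags (constructed model)."""
    direction: str        # "INGRESS" or "EGRESS"
    action: str           # "allow" or "deny"
    protocol: str
    port: int
    source_tags: frozenset
    target_tags: frozenset
    priority: int = 1000  # lower number wins, as in GCP


@dataclass(frozen=True)
class Packet:
    src: Vm
    dst: Vm
    protocol: str
    sport: int
    dport: int


class StatefulFirewall:
    """Evaluates ingress rules and tracks accepted 5-tuples so replies pass."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.priority)
        self.established = set()  # 5-tuples of accepted request traffic

    @staticmethod
    def five_tuple(p):
        return (p.src.ip, p.dst.ip, p.sport, p.dport, p.protocol)

    @staticmethod
    def reversed_tuple(p):
        # Source/destination addresses and ports swapped, protocol unchanged.
        return (p.dst.ip, p.src.ip, p.dport, p.sport, p.protocol)

    def allow(self, p):
        # 1. Return traffic of an accepted connection is always allowed;
        #    no rule can be written to deny it.
        if self.reversed_tuple(p) in self.established:
            return True
        # 2. Otherwise evaluate ingress rules against the destination (target)
        #    VM's tags and the source VM's tags, highest priority first.
        for r in self.rules:
            if r.direction != "INGRESS":
                continue
            if r.protocol != p.protocol or r.port != p.dport:
                continue
            if not (r.target_tags & p.dst.tags) or not (r.source_tags & p.src.tags):
                continue
            if r.action == "allow":
                self.established.add(self.five_tuple(p))
                return True
            return False
        # 3. No match: the implied deny-all ingress rule applies.
        return False


def evaluate_scenario():
    """Constructed sample: one tagged app VM, one tagged DB VM, one untagged VM."""
    app = Vm("app-1", "10.0.1.10", frozenset({"AppVM"}))
    db = Vm("db-1", "10.0.2.20", frozenset({"DBVM"}))
    untagged = Vm("bastion-1", "10.0.3.30", frozenset())

    # The single ingress rule from option C: AppVM -> DBVM on tcp:3306.
    fw = StatefulFirewall([
        Rule("INGRESS", "allow", "tcp", 3306, frozenset({"AppVM"}), frozenset({"DBVM"})),
    ])

    request = Packet(app, db, "tcp", 40000, 3306)       # app opens a DB connection
    reply = Packet(db, app, "tcp", 3306, 40000)         # DB answers on the same flow
    rogue = Packet(untagged, db, "tcp", 40001, 3306)    # untagged VM tries the DB
    db_initiated = Packet(db, app, "tcp", 3306, 40002)  # DB tries to call the app

    return {
        "app_to_db": fw.allow(request),
        "db_reply": fw.allow(reply),
        "untagged_to_db": fw.allow(rogue),
        "db_initiated": fw.allow(db_initiated),
    }


if __name__ == "__main__":
    for name, allowed in evaluate_scenario().items():
        print(f"{name:16s} {'ALLOW' if allowed else 'DENY'}")
```

The equivalent real rule would be created with `gcloud compute firewall-rules create` using `--direction=INGRESS --action=ALLOW --rules=tcp:3306 --source-tags=AppVM --target-tags=DBVM`; the port and rule name are your own choice. Because evaluation is stateful, auditing the rule set means checking ingress rules only: any egress rule added "for the reply" is dead weight that makes the standard harder to repeat across projects.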

For any further detail, please refer to the URLs below:
