
Practice Test 4 | Google Cloud Certified Professional Cloud Architect | Dumps | Mock Test


Rules must be set to allow data traffic to database servers only from application servers, in 3 different projects: A, B, and C.

The resources of the 3 projects must be isolated from each other.

You want to organize operations in order to create simple and intuitive standards to use, which can be repeated for other projects.

In your organization, it is mandatory to provide different security policies/measures to various projects.

Which of the following strategies is the best?

A. Create 2 Firewall Rules, one in ingress and one in egress, between each Database Server and App Server using the ephemeral external IP address
B. Create 1 Firewall Rule in ingress, between each Database Server and App Server using private IP addresses
C. Configure your Servers with appropriate Network Tags (AppVM and DBVM, for example) and create 1 Firewall Rule, in ingress, between each Database Server and App Server using these Tags
D. Configure your Servers with appropriate Network Tags (AppVM and DBVM, for example) and create 2 Firewall Rules, in ingress and egress, between each Database Server and App Server using these Tags
E. Create and assign appropriate Service Accounts and rights to the VMs and create a Firewall Rule between each Database Server and App Server using source-service-accounts and target-service-accounts

Correct Answer: E

GCP firewall rules are stateful. If a connection is allowed between a source and a target, all subsequent traffic in either direction will be allowed as long as the connection is active. In other words, firewall rules allow bidirectional communication once a session is established. The connection is considered active if at least one packet is sent every 10 minutes. Firewall rules cannot allow traffic in one direction while denying the associated return traffic.

So A and D are wrong: the return traffic of an allowed connection needs no second rule.

A service account represents an identity associated with an instance. Only one service account can be associated with an instance. This makes service accounts the best option when security constraints are strict.

Be careful: you cannot mix and match service accounts and network tags in any firewall rule.

C is wrong because different security must be provided to the various projects. Network tags are arbitrary attributes and are not enough for this requirement.
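Option E written out as gcloud commands, as an added example that is not part of the original page. The project IDs, network name, service-account names, rule name and port are constructed placeholders; the script only prints the commands, and refuses any rule that mixes service accounts with network tags.

```shell
#!/bin/sh
# Added example: builds (does not run) one ingress rule per project.
# All names below are constructed placeholders, not values from the page.

# Return 1 if the arguments mix service-account filters with tag filters,
# which a single firewall rule may not do.
check_rule_args() {
  uses_sa=0
  uses_tag=0
  for arg in "$@"; do
    case "$arg" in
      --source-service-accounts=*|--target-service-accounts=*) uses_sa=1 ;;
      --source-tags=*|--target-tags=*) uses_tag=1 ;;
    esac
  done
  if [ "$uses_sa" -eq 1 ] && [ "$uses_tag" -eq 1 ]; then
    return 1
  fi
  return 0
}

# Print the rule for one project: only VMs running as the app identity
# may open connections to VMs running as the DB identity. No egress rule
# is generated because return traffic of an allowed connection is permitted.
db_ingress_rule() {
  project="$1"
  rules="${2:-tcp:5432}"   # assumed database port
  set -- \
    "--project=${project}" \
    "--network=prod-vpc" \
    "--direction=INGRESS" \
    "--action=ALLOW" \
    "--rules=${rules}" \
    "--source-service-accounts=app-server@${project}.iam.gserviceaccount.com" \
    "--target-service-accounts=db-server@${project}.iam.gserviceaccount.com"
  check_rule_args "$@" || { echo "rule mixes tags and service accounts" >&2; return 1; }
  echo "gcloud compute firewall-rules create allow-app-to-db $*"
}

# The same standard repeated for projects A, B and C.
all_rules() {
  for p in project-a project-b project-c; do
    db_ingress_rule "$p"
  done
}

all_rules
```

Because each rule names service accounts inside its own project, the same template can be reused for further projects without widening access between them.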

For any further detail, please refer to the URLs below:
