Practice Test 4 | Google Cloud Certified Professional Cloud Network Engineer | Dumps | Mock Test
Your custom VPC network has four GCE instances and two firewall rules with the configuration shown below.
- VM1 has an external IP and a network tag = allow-inbound
- VM2 has an external IP and no network tag
- VM3 has no external IP and a network tag = server
- VM4 has no external IP and a network tag = client
| | Firewall Rule1 | Firewall Rule2 |
|---|---|---|
| direction | ingress | ingress |
| action | allow | allow |
| protocols | TCP | TCP |
| source | ranges: 0.0.0.0/0 | tags: client |
| target tags | allow-inbound | server |
| priority | 1000 | 1000 |
Which of the options below is not true?
A. VM2 can communicate with VM1
B. VM4 is able to communicate with VM1
C. VM1 is reachable from the internet
D. VM2 is unable to communicate with other VMs in the network and is unreachable from the internet
Answer: D
Option A is true: VM2 can communicate with VM1. Because VM1 has an external IP, Rule1 also permits incoming TCP traffic from external hosts on the internet and from VM2 via external IP addresses.
Option B is true: VM4 is able to communicate with VM1.
Option C is true: VM1 is reachable from the internet.
Option D is not true: VM2 can communicate with VM1, so the statement that VM2 is unable to communicate with other VMs in the network and is unreachable from the internet is false.
- An ingress rule with priority 1000 (Rule1) is applicable to VM 1. This rule allows incoming TCP traffic from any source (0.0.0.0/0). TCP traffic from other instances in the VPC network is allowed, subject to applicable egress rules for those other instances. VM 4 is able to communicate with VM 1 over TCP because VM 4 has no egress rule blocking such communication (only the implied allow egress rule is applicable). Because VM 1 has an external IP, this rule also permits incoming TCP traffic from external hosts on the internet and from VM 2 via external IP addresses.
- VM 2 has no specified ingress firewall rule, so the implied deny ingress rule blocks all incoming traffic. Connections from other instances in the network are blocked, regardless of egress rules for the other instances. Because VM 2 has an external IP, there is a path to it from external hosts on the internet, but the implied deny ingress rule blocks external incoming traffic as well.
- An ingress rule with priority 1000 (Rule2) is applicable to VM 3. This rule allows TCP traffic from instances in the network with the network tag client, such as VM 4. TCP traffic from VM 4 to VM 3 is allowed because VM 4 has no egress rule blocking such communication (only the implied allow egress rule is applicable). Because VM 3 does not have an external IP, there is no path to it from external hosts on the internet.
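As an added example that is not part of the original question, the following Python model reproduces the evaluation logic described above (lowest priority number wins, implied deny ingress and implied allow egress as the fallbacks, and no internet path to an instance without an external IP); the `VM`, `Rule` and `tcp_ingress_allowed` names are assumptions of this example, not GCP APIs.

```python
from dataclasses import dataclass, field

INTERNET = "internet"  # sentinel for an external host (no network tags)


@dataclass
class VM:
    name: str
    external_ip: bool
    tags: set = field(default_factory=set)


@dataclass
class Rule:
    name: str
    priority: int            # lower number = higher priority
    action: str              # "allow" or "deny"
    target_tags: set         # instances the rule applies to
    source_ranges: set = field(default_factory=set)  # e.g. {"0.0.0.0/0"}
    source_tags: set = field(default_factory=set)    # tags of sending VMs


# Rule1 and Rule2 from the question (both ingress, both TCP).
RULES = [
    Rule("Rule1", 1000, "allow", {"allow-inbound"}, source_ranges={"0.0.0.0/0"}),
    Rule("Rule2", 1000, "allow", {"server"}, source_tags={"client"}),
]

# The four instances from the question.
VMS = {
    "VM1": VM("VM1", True, {"allow-inbound"}),
    "VM2": VM("VM2", True),
    "VM3": VM("VM3", False, {"server"}),
    "VM4": VM("VM4", False, {"client"}),
}


def _source_matches(rule, src):
    if "0.0.0.0/0" in rule.source_ranges:
        return True                      # any source, internal or external
    if isinstance(src, str):
        return False                     # external hosts carry no network tags
    return bool(rule.source_tags & src.tags)


def tcp_ingress_allowed(src, dst, rules=RULES):
    """src is a VM or INTERNET, dst is a VM; True if TCP ingress to dst is allowed."""
    if isinstance(src, str) and not dst.external_ip:
        return False                     # no path from the internet without an external IP
    # Sender side: only the implied allow-egress rule applies, so nothing blocks it.
    # Receiver side: first matching rule by priority decides; otherwise implied deny.
    applicable = [r for r in sorted(rules, key=lambda r: r.priority)
                  if r.target_tags & dst.tags and _source_matches(r, src)]
    return applicable[0].action == "allow" if applicable else False


def evaluate_question(vms=VMS):
    """Reachability facts behind options A to D."""
    return {
        "vm2_to_vm1": tcp_ingress_allowed(vms["VM2"], vms["VM1"]),      # option A
        "vm4_to_vm1": tcp_ingress_allowed(vms["VM4"], vms["VM1"]),      # option B
        "internet_to_vm1": tcp_ingress_allowed(INTERNET, vms["VM1"]),   # option C
        "internet_to_vm2": tcp_ingress_allowed(INTERNET, vms["VM2"]),   # implied deny
        "vm4_to_vm3": tcp_ingress_allowed(vms["VM4"], vms["VM3"]),      # Rule2
        "vm2_to_vm3": tcp_ingress_allowed(vms["VM2"], vms["VM3"]),      # no client tag
    }
```

Because `vm2_to_vm1` evaluates to allowed, option D's claim that VM2 cannot talk to other VMs is the false one.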
Reference: