Hard · 1 mark · Multiple Choice

GCP ACE · Question 30 · Domain 3.5: Deploying and implementing networking resources

You have a VPC network with two sets of Compute Engine instances: Web servers and Database servers. You want to create a firewall rule that allows traffic on port 5432 ONLY from the Web servers to the Database servers. You want to ensure this rule automatically applies to any new Web or Database servers created in the future.

Which TWO actions should you take to configure this securely and efficiently? (Select TWO)

Answer options:

A. Assign a network tag (e.g., 'web') to the Web servers and a tag (e.g., 'db') to the Database servers.

B. Create an ingress firewall rule targeting the 'db' tag, with the source filter set to the 'web' tag.

C. Create an egress firewall rule targeting the 'web' tag, with the destination filter set to the 'db' tag.

D. Assign static internal IP addresses to all servers and use those IPs in the firewall rule.

E. Place the Web servers and Database servers in different VPC networks and use VPC peering.

How to approach this question

Use network tags to dynamically apply firewall rules to specific groups of instances.

Full Answer

To dynamically apply firewall rules, use network tags (or service accounts). By tagging the web servers as 'web' and the database servers as 'db', you can create a single ingress firewall rule for port 5432. The rule's target is the 'db' tag (so it applies to the database servers), and the source filter is the 'web' tag (so only traffic from the web servers is allowed). Because the rule is keyed on tags rather than on addresses, any future instance that receives the 'web' or 'db' tag is covered automatically without editing the rule.

Common mistakes

Trying to use destination tags in an egress rule (GCP does not support destination tags, only source tags/service accounts).
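The configuration from the full answer, and the reason option C cannot be expressed, written out in Terraform for the Google provider. This is an added example, not part of the original question page; the project, network, zone, machine type, image and the TCP protocol for port 5432 are assumptions.

```hcl
# Added example, not from the exam page. Assumed: network "prod-vpc",
# zone "us-central1-a", and that port 5432 is a TCP listener.
variable "network" { default = "prod-vpc" }

# Tag the instances. Any instance created later with the same tag is
# covered by the firewall rule automatically; the rule never needs editing.
resource "google_compute_instance" "web" {
  name         = "web-1"
  machine_type = "e2-small"
  zone         = "us-central1-a"
  tags         = ["web"]
  boot_disk { initialize_params { image = "debian-cloud/debian-12" } }
  network_interface { network = var.network }
}

resource "google_compute_instance" "db" {
  name         = "db-1"
  machine_type = "e2-small"
  zone         = "us-central1-a"
  tags         = ["db"]
  boot_disk { initialize_params { image = "debian-cloud/debian-12" } }
  network_interface { network = var.network }
}

# Answer B: one INGRESS rule, target = 'db' tag, source filter = 'web' tag.
resource "google_compute_firewall" "allow_web_to_db_5432" {
  name      = "allow-web-to-db-5432"
  network   = var.network
  direction = "INGRESS"
  priority  = 1000

  source_tags = ["web"] # who may connect (source filter)
  target_tags = ["db"]  # which instances the rule is applied to

  allow {
    protocol = "tcp" # assumption: TCP on 5432
    ports    = ["5432"]
  }

  # Firewall logging so accepted connections show up in Cloud Logging.
  log_config { metadata = "INCLUDE_ALL_METADATA" }
}

# Option C has no equivalent: an EGRESS rule only accepts destination_ranges
# (IP CIDRs); there is no destination_tags argument, which is the common
# mistake noted above. The implied deny-ingress rule blocks all other
# inbound traffic, so "ONLY from web" holds as long as no broader allow rule
# (for example default-allow-internal on the default network) also matches.
```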
