© 2026 TinyHive Labs. Company number 16262776.

    Hard · 1 mark · Multiple Choice
    Networking · Firewall Rules · Network Tags · Security

    GCP ACE · Question 30 · Domain 3.5: Deploying and implementing networking resources

    You have a three-tier application deployed on Compute Engine: frontend web servers, backend application servers, and a database server. You need to configure firewall rules so that ONLY the frontend servers can communicate with the backend servers on port 8080.

    Which TWO actions should you take to implement this securely and efficiently? (Select TWO)

    Answer options:

    A. Assign a network tag (e.g., 'frontend') to the web servers and a tag (e.g., 'backend') to the application servers.

    B. Create an ingress firewall rule targeting the 'backend' tag, allowing TCP port 8080, with the source filter set to the 'frontend' tag.

    C. Create an egress firewall rule on the 'frontend' tag to block all traffic except port 8080.

    D. Assign static internal IP addresses to all frontend servers and use those IP addresses in the source filter of the firewall rule.

    E. Place the frontend servers in one VPC and the backend servers in a different VPC, then use VPC peering.

    How to approach this question

    Recognize that GCP firewall rules use Network Tags (or Service Accounts) to dynamically apply rules to groups of VMs, avoiding the need to hardcode IP addresses.

    Full Answer

    Assign a network tag (e.g., 'frontend') to the web servers and a tag (e.g., 'backend') to the application servers. Create an ingress firewall rule on the 'backend' tag, allowing port 8080, with the source filter set to the 'frontend' tag.
    In Google Cloud, the most efficient and secure way to manage internal traffic between application tiers is by using Network Tags (or Service Accounts). First, you assign specific tags to your instances (e.g., 'frontend' and 'backend'). Then, you create an ingress firewall rule that targets the 'backend' tag. You set the allowed protocol/port to TCP:8080, and crucially, you set the Source Filter to the 'frontend' tag. This ensures that only VMs with the 'frontend' tag can reach the 'backend' VMs on that port. This approach dynamically adapts if frontend instances are added or removed via autoscaling.
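
The two selected actions (A and B) written as gcloud commands, followed by a listing used to confirm that no broader rule also admits the traffic. This is an added example, not part of the original question; the network name, zone, rule name and instance names are placeholders, and the script only prints the commands unless `DRY_RUN=0` is set.

```shell
#!/bin/sh
# Added example: NETWORK, ZONE, the rule name and the instance names are placeholders.
NETWORK="${NETWORK:-app-vpc}"
ZONE="${ZONE:-us-central1-a}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = execute them

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Action A: attach a tier tag to every instance named after the tag argument.
tag_tier() {
  tag="$1"; shift
  for vm in "$@"; do
    run gcloud compute instances add-tags "$vm" --zone="$ZONE" --tags="$tag"
  done
}

# Action B: ingress allow rule. The target is the 'backend' tag and the
# source filter is the 'frontend' tag, so no IP addresses are hardcoded.
allow_frontend_to_backend() {
  run gcloud compute firewall-rules create allow-frontend-to-backend-8080 \
    --network="$NETWORK" --direction=INGRESS --action=ALLOW \
    --rules=tcp:8080 --source-tags=frontend --target-tags=backend
}

# Check: list every ingress rule in the network with its sources and targets.
# A rule that lists no target tags applies to all instances, backend included.
audit_ingress_rules() {
  run gcloud compute firewall-rules list \
    --filter="network:$NETWORK AND direction=INGRESS" \
    --format="table(name,priority,sourceRanges.list(),sourceTags.list(),targetTags.list())"
}

tag_tier frontend web-1 web-2
tag_tier backend app-1 app-2
allow_frontend_to_backend
audit_ingress_rules
```

The "ONLY the frontend servers" requirement holds only if no other allow rule matches the backend instances. In an auto mode `default` network, the pre-populated `default-allow-internal` rule has no target tags and would also let the database tier reach port 8080.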

    Common mistakes

    Trying to use static IP addresses, which breaks autoscaling, or overcomplicating the network with multiple VPCs.