Difficulty: Hard · 1 mark · Multiple Choice
Domain 3.5: Deploying and implementing networking resources · Networking · Firewall Rules · Network Tags · Security

GCP ACE · Question 30 · Domain 3.5: Deploying and implementing networking resources

You have a three-tier application deployed on Compute Engine: frontend web servers, backend application servers, and a database server. You need to configure firewall rules so that ONLY the frontend servers can communicate with the backend servers on port 8080.

Which TWO actions should you take to implement this securely and efficiently? (Select TWO)

Answer options:

A. Assign a network tag (e.g., 'frontend') to the web servers and a tag (e.g., 'backend') to the application servers.

B. Create an ingress firewall rule targeting the 'backend' tag, allowing TCP port 8080, with the source filter set to the 'frontend' tag.

C. Create an egress firewall rule on the 'frontend' tag to block all traffic except port 8080.

D. Assign static internal IP addresses to all frontend servers and use those IP addresses in the source filter of the firewall rule.

E. Place the frontend servers in one VPC and the backend servers in a different VPC, then use VPC peering.

How to approach this question

Recognize that GCP firewall rules use Network Tags (or Service Accounts) to dynamically apply rules to groups of VMs, avoiding the need to hardcode IP addresses.

Full Answer

In Google Cloud, the most efficient and secure way to manage internal traffic between application tiers is by using Network Tags (or Service Accounts). First, you assign specific tags to your instances (e.g., 'frontend' and 'backend'). Then, you create an ingress firewall rule that targets the 'backend' tag. You set the allowed protocol/port to TCP:8080, and crucially, you set the Source Filter to the 'frontend' tag. This ensures that only VMs with the 'frontend' tag can reach the 'backend' VMs on that port. This approach dynamically adapts if frontend instances are added or removed via autoscaling.
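The tag-based rule described above, written as a Terraform configuration. This is an added example, not part of the original question or answer; the VPC name `app-vpc`, the instance names, the zone and the machine type are assumptions chosen for illustration. It uses a custom VPC deliberately: the `default` network ships with a `default-allow-internal` rule that permits all internal TCP/UDP/ICMP traffic between its subnets, which would let the database tier reach port 8080 too and defeat the "ONLY frontend" requirement.

```hcl
# Custom VPC so no broad "allow-internal" rule exists; the implied
# deny-all ingress rule then blocks everything we do not explicitly allow.
resource "google_compute_network" "app" {
  name                    = "app-vpc"   # assumed name
  auto_create_subnetworks = true
}

# Ingress rule: only VMs tagged 'frontend' may reach VMs tagged 'backend'
# on TCP 8080. Source and target are tags, not IPs, so autoscaled
# frontend instances are covered automatically.
resource "google_compute_firewall" "allow_frontend_to_backend_8080" {
  name      = "allow-frontend-to-backend-8080"
  network   = google_compute_network.app.name
  direction = "INGRESS"
  priority  = 1000

  allow {
    protocol = "tcp"
    ports    = ["8080"]
  }

  source_tags = ["frontend"]   # who may connect
  target_tags = ["backend"]    # which VMs the rule applies to
}

# Frontend web server carrying the 'frontend' tag (assumed zone/type).
resource "google_compute_instance" "web" {
  name         = "web-1"
  zone         = "us-central1-a"
  machine_type = "e2-small"
  tags         = ["frontend"]

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12"
    }
  }

  network_interface {
    network = google_compute_network.app.name
  }
}

# Backend application server carrying the 'backend' tag.
resource "google_compute_instance" "app" {
  name         = "app-1"
  zone         = "us-central1-a"
  machine_type = "e2-small"
  tags         = ["backend"]

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12"
    }
  }

  network_interface {
    network = google_compute_network.app.name
  }
}
```

Because GCP evaluates the implied `deny all ingress` rule at the lowest priority, no separate deny rule is needed for the database tier: a VM without the 'frontend' tag simply matches nothing that allows port 8080. If the rule must survive a tag change by an instance owner, the same shape works with `source_service_accounts` and `target_service_accounts` instead of tags, which ties the rule to an identity that only IAM can alter.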

Common mistakes

Trying to use static IP addresses, which breaks autoscaling, or overcomplicating the network with multiple VPCs.

Practice the full GCP Associate Cloud Engineer Practice Exam 6
