ExamTopics Logo
Mail Us[email protected]
Menu
Google Discussions
exam questions

Exam Associate Cloud Engineer All Questions

View all questions & answers for the Associate Cloud Engineer exam
Go to Exam

Exam Associate Cloud Engineer topic 1 question 206 discussion

Actual exam question from Google's Associate Cloud Engineer
Question #: 206
Topic #: 1
[All Associate Cloud Engineer Questions]

You have two subnets (subnet-a and subnet-b) in the default VPC. Your database servers are running in subnet-a. Your application servers and web servers are running in subnet-b. You want to configure a firewall rule that only allows database traffic from the application servers to the database servers. What should you do?

  • A. • Create service accounts sa-app and sa-db.
    • Associate service account sa-app with the application servers and the service account sa-db with the database servers.
    • Create an ingress firewall rule to allow network traffic from source service account sa-app to target service account sa-db.
  • B. • Create network tags app-server and db-server.
    • Add the app-server tag to the application servers and the db-server tag to the database servers.
    • Create an egress firewall rule to allow network traffic from source network tag app-server to target network tag db-server.
  • C. • Create a service account sa-app and a network tag db-server.
    • Associate the service account sa-app with the application servers and the network tag db-server with the database servers.
    • Create an ingress firewall rule to allow network traffic from source VPC IP addresses and target the subnet-a IP addresses.
  • D. • Create a network tag app-server and service account sa-db.
    • Add the tag to the application servers and associate the service account with the database servers.
    • Create an egress firewall rule to allow network traffic from source network tag app-server to target service account sa-db.
Show Suggested Answer Hide Answer
Suggested Answer: A 🗳️
by georgesouzafarias at June 23, 2023, 6:38 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
scanner2
Highly Voted 1 year, 7 months ago
Selected Answer: A
Both service accounts and network tags can be used for creating a Cloud Firewall rule. The prime word is "to allow network traffic from app server to database server" which is achievable by inbound/ingress rule and not egress rule. https://cloud.google.com/firewall/docs/firewalls#rule_assignment
upvoted 6 times
...
Enamfrancis
Most Recent 7 months ago
Selected Answer: A
A IS CORRECT
upvoted 1 times
...
Ciupaz
7 months, 1 week ago
Selected Answer: B
By specifying the source and target tags in the firewall rule, you can ensure that only traffic from instances with the app-server tag can reach instances with the db-server tag.
upvoted 1 times
...
MariaDoss
1 year, 4 months ago
Selected Answer: A
the answer is A
upvoted 2 times
...
GP123123
1 year, 5 months ago
for "allow" rules, restrict them to only allow specific virtual machines by specifying the virtual machine's service account Refer to https://cloud.google.com/firewall/docs/firewalls
upvoted 3 times
GP123123
1 year, 5 months ago
Answer is A
upvoted 2 times
...
...
carlalap
1 year, 5 months ago
Answer is B. Network tags can be simpler to manage, especially if the access control is based on broader categories (like application servers and database servers) rather than individual instances. If you need fine-grained control and identity-based access, go with service accounts. If you prefer simplicity and broader categorization, network tags may be a suitable choice.
upvoted 2 times
carlalap
1 year, 5 months ago
Although what was previously stated is correct, I must correct it. The correct answer would be option A. Creating an ingress firewall rule on the subnet where your database servers are located is the appropriate approach. This rule would control incoming traffic to the database servers, ensuring that only traffic from the specified application servers (identified by network tags or service accounts) is allowed.
upvoted 1 times
...
...
Captain1212
1 year, 7 months ago
Selected Answer: A
Answer A is correct as question demands traffic to application to database which can be only be achieved by the ingreess rule
upvoted 4 times
...
tatyavinchu
1 year, 8 months ago
Correct Answer is A
upvoted 1 times
...
3arle
1 year, 8 months ago
Selected Answer: A
From the TomFoot link 'for example, allow my “application x” servers to access my “database y.”'
upvoted 1 times
...
juliorevk
1 year, 8 months ago
Selected Answer: B
Even though you could use service accounts for firewall rules, why is B wrong? It seems to do what the question requests and is the standard method.
upvoted 3 times
Ahmed_Y
1 year, 8 months ago
Because we need an ingress firewall.
upvoted 4 times
...
...
_F4LLEN_
1 year, 10 months ago
Selected Answer: A
Service accs can be used for firewall management.
upvoted 1 times
...
TomFoot
1 year, 10 months ago
Selected Answer: A
You can use service for firewall rules. https://cloud.google.com/blog/products/gcp/simplify-cloud-vpc-firewall-management-with-service-accounts
upvoted 2 times
...
gpais
1 year, 10 months ago
Selected Answer: A
A seems to be the most appropriate: https://cloud.google.com/firewall/docs/firewalls
upvoted 2 times
...
gpais
1 year, 10 months ago
A seems to be the most appropriate: https://cloud.google.com/firewall/docs/firewalls
upvoted 2 times
...
georgesouzafarias
1 year, 10 months ago
Selected Answer: B
Service account? It doesn't make any sense. It's clearly a firewall solution.
upvoted 3 times
TomFoot
1 year, 10 months ago
You can use service for firewall rules. https://cloud.google.com/blog/products/gcp/simplify-cloud-vpc-firewall-management-with-service-accounts
upvoted 2 times
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago