You are working with a user to set up an application in a new VPC behind a firewall. The user is concerned about data egress. You want to configure the fewest open egress ports. What should you do?
A. Set up a low-priority (65534) rule that blocks all egress and a high-priority rule (1000) that allows only the appropriate ports.
B. Set up a high-priority (1000) rule that pairs both ingress and egress ports.
C. Set up a high-priority (1000) rule that blocks all egress and a low-priority (65534) rule that allows only the appropriate ports.
D. Set up a high-priority (1000) rule to allow the appropriate ports.
Correct Answer is (A):
Implied rules
Every VPC network has two implied firewall rules. These rules exist, but are not shown in the Cloud Console:
Implied allow egress rule. An egress rule whose action is allow, destination is 0.0.0.0/0, and priority is the lowest possible (65535) lets any instance send traffic to any destination, except for traffic blocked by Google Cloud. A higher priority firewall rule may restrict outbound access. Internet access is allowed if no other firewall rules deny outbound traffic and if the instance has an external IP address or uses a Cloud NAT instance. For more information, see Internet access requirements.
Implied deny ingress rule. An ingress rule whose action is deny, source is 0.0.0.0/0, and priority is the lowest possible (65535) protects all instances by blocking incoming connections to them. A higher priority rule might allow incoming access. The default network includes some additional rules that override this one, allowing certain types of incoming connections.
https://cloud.google.com/vpc/docs/firewalls#default_firewall_rules
Answer is (A):
First I was going with C, but then I read the question again. Let's try to understand both options here: the goal is to deny egress and only allow some ports for some functions to perform. If we go with C, the lower the number the higher the priority (1000), so the rule with priority 1000 will overwrite the (65534) one. So if we allow only the appropriate ports, that will be overwritten by the high-priority (1000) rule and all the egress traffic will be blocked.
Remember, the goal here is to block egress, but not all of it, since we still want to configure the fewest open ports, and this is stateful, meaning for open ports traffic will flow both ways.
A fits this condition: it says we block all traffic but the required ports are kept open with higher priority, which will only allow the required traffic to leave the network.
Default Egress Behavior: In Google Cloud VPCs, the default behavior is to allow all egress traffic. To restrict egress traffic effectively, you need to explicitly set up firewall rules.
Blocking All Egress Traffic: The low-priority rule (priority 65534, near the lowest priority) should be configured to block all egress traffic. This creates a baseline rule that denies all egress traffic by default.
Allowing Specific Ports: The high-priority rule (priority 1000, indicating a higher priority) should be set to allow egress traffic only on the specific ports that are required for the application. Since firewall rules are evaluated in order of priority, this rule will override the default block for these specific ports.
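As an added illustration (not part of any comment on this page), this small Python model of the priority evaluation described above shows why option A leaves only the required ports open while option C blocks everything. The rule names and the single required port 443 are constructed assumptions.

```python
"""Model of GCP VPC egress firewall rule evaluation (constructed example).

Rules are checked from highest priority (lowest number) to lowest priority;
the first rule that matches decides. Every VPC also has an implied
allow-all egress rule at priority 65535 (see the Google Cloud docs quoted
on this page), so with no explicit rules all egress is allowed.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

ALL_PORTS = None  # sentinel: the rule matches every destination port


@dataclass(frozen=True)
class EgressRule:
    name: str
    priority: int                    # 0..65535; LOWER number = HIGHER priority
    action: str                      # "allow" or "deny"
    ports: Optional[FrozenSet[int]]  # None means all ports


IMPLIED_ALLOW_EGRESS = EgressRule("implied-allow-egress", 65535, "allow", ALL_PORTS)


def evaluate_egress(rules: List[EgressRule], dst_port: int) -> str:
    """Return "allow" or "deny" for egress to dst_port; first match by priority wins."""
    for rule in sorted(list(rules) + [IMPLIED_ALLOW_EGRESS], key=lambda r: r.priority):
        if rule.ports is ALL_PORTS or dst_port in rule.ports:
            return rule.action
    raise AssertionError("unreachable: the implied rule matches every port")


def open_egress_ports(rules: List[EgressRule], candidates=range(1, 1025)) -> List[int]:
    """List the candidate ports that the rule set lets traffic leave on."""
    return sorted(p for p in candidates if evaluate_egress(rules, p) == "allow")


REQUIRED_PORTS = frozenset({443})  # constructed: the application only needs HTTPS out

# Option A: deny-all at low priority, allow required ports at high priority.
OPTION_A = [EgressRule("deny-all-egress", 65534, "deny", ALL_PORTS),
            EgressRule("allow-required", 1000, "allow", REQUIRED_PORTS)]

# Option C: the same two rules with their priorities swapped.
OPTION_C = [EgressRule("deny-all-egress", 1000, "deny", ALL_PORTS),
            EgressRule("allow-required", 65534, "allow", REQUIRED_PORTS)]

if __name__ == "__main__":
    print("no rules  ->", len(open_egress_ports([])), "ports open (implied allow)")
    print("option A  ->", open_egress_ports(OPTION_A))  # [443]
    print("option C  ->", open_egress_ports(OPTION_C))  # []
```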
Correct answer is C: By implementing a high-priority rule to block all egress traffic (since it has a lower number than lower-priority rules), and a low-priority rule to selectively allow specific necessary egress ports (with a higher number), you minimize open egress ports to only the required ones while restricting the rest.
Rules are evaluated from higher priority to lower priority, on a first-come, first-served basis.
https://cloud.google.com/firewall/docs/firewall-policies-overview#rule-evaluation
Correct answer is A.
The answer will not be D, because egress traffic is allowed by default. You will have to explicitly set the rule blocking outbound traffic.
Hint: all rules are stateful.
VPC firewall rules are stateful. When a connection is allowed through the firewall in either direction, return traffic matching this connection is also allowed. You cannot configure a firewall rule to deny associated response traffic.
As per the question, we want to restrict egress traffic.
So focus on restricting egress traffic based on the priority of the rules.
Allow incoming traffic for the appropriate traffic, block all traffic and allow only what is required.
Hence, in my view, C should be the correct answer.