You need to restrict access to your Google Cloud load-balanced application so that only specific IP addresses can connect. What should you do?
A. Create a secure perimeter using the Access Context Manager feature of VPC Service Controls and restrict access to the source IP range of the allowed clients and Google health check IP ranges.
B. Create a secure perimeter using VPC Service Controls, and mark the load balancer as a service restricted to the source IP range of the allowed clients and Google health check IP ranges.
C. Tag the backend instances "application," and create a firewall rule with target tag "application" and the source IP range of the allowed clients and Google health check IP ranges.
D. Label the backend instances "application," and create a firewall rule with the target label "application" and the source IP range of the allowed clients and Google health check IP ranges.
Answer C.
This question is actually asking specifically about using a firewall with a Network LB: because Network Load Balancing is a pass-through load balancer, you control access to the load balancer's backends using Google Cloud firewall rules.
https://cloud.google.com/load-balancing/docs/network/networklb-backend-service#firewall_rules
The correct answer is C: Tag the backend instances "application," and create a firewall rule with the target tag "application" and the source IP range of the allowed clients and Google health check IP ranges.
Secured perimeters are meant to mitigate data exfiltration. So A and B are incorrect.
As it says "specific IPs", the appropriate solution is firewall rules, which use TAGS (not LABELS), so the answer is C.
The correct option is:
C. Tag the backend instances "application," and create a firewall rule with target tag "application" and the source IP range of the allowed clients and Google health check IP ranges.
This option involves tagging the backend instances with a specific tag ("application") and then creating a firewall rule that targets instances with that tag. The rule restricts access to the specified source IP range, ensuring that only allowed clients and Google health check IP ranges can connect. This method provides a level of security by controlling access at the network level through firewall rules.
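As an added example (not part of any comment on this page), here is a small Python script that builds the firewall rule option C describes in the Compute Engine REST body format (targetTags plus sourceRanges) and audits an existing rule against the intended source set, which is the check a reviewer would run before trusting the rule. The rule name, network, client prefixes and port are constructed values; the health-check ranges are the ones Google documents for backend-service-based Network Load Balancing and should be confirmed against the current docs.

```python
"""Constructed example: build and audit a VPC firewall rule that admits only
named client prefixes plus Google health-check ranges to VMs tagged "application"."""
import ipaddress

# Documented Google health-check source ranges for backend-service-based
# Network Load Balancing (assumption: verify against the current Google docs).
HEALTH_CHECK_RANGES = ["35.191.0.0/16", "209.85.152.0/22", "209.85.204.0/22"]

# Constructed sample: the client prefixes that are allowed to connect.
ALLOWED_CLIENTS = ["203.0.113.0/24", "198.51.100.17/32"]


def build_firewall_rule(name, network, target_tag, client_ranges, ports,
                        protocol="tcp"):
    """Return a Compute Engine firewall rule body (REST insert format) that
    admits only client_ranges plus the health-check ranges to instances
    carrying target_tag. Firewall rules select backends by network tag or
    service account, never by label, which is why option D cannot work."""
    for cidr in client_ranges:
        ipaddress.ip_network(cidr)  # raises ValueError on a malformed prefix
    return {
        "name": name,
        "network": network,
        "direction": "INGRESS",
        "priority": 1000,
        "sourceRanges": sorted(set(client_ranges) | set(HEALTH_CHECK_RANGES)),
        "targetTags": [target_tag],
        "allowed": [{"IPProtocol": protocol, "ports": [str(p) for p in ports]}],
    }


def audit_rule(rule, target_tag, client_ranges):
    """Return findings for an ingress rule that is supposed to admit only
    client_ranges and health-check ranges to target_tag; [] means it is OK."""
    findings = []
    if rule.get("direction", "INGRESS") != "INGRESS":
        return findings  # egress rules are out of scope for this check
    if target_tag not in rule.get("targetTags", []):
        findings.append("rule does not target tag %r" % target_tag)
    if not rule.get("sourceRanges"):
        findings.append("rule has no sourceRanges (applies to all sources)")
    permitted = [ipaddress.ip_network(c) for c in client_ranges + HEALTH_CHECK_RANGES]
    for src in rule.get("sourceRanges", []):
        net = ipaddress.ip_network(src)
        # A source prefix is acceptable only if it lies entirely inside one
        # permitted prefix; 0.0.0.0/0 or any wider range is flagged.
        if not any(net.subnet_of(p) for p in permitted if net.version == p.version):
            findings.append("source %s is outside the allowed client/health-check set" % src)
    return findings


if __name__ == "__main__":
    rule = build_firewall_rule("allow-app-clients", "default", "application",
                               ALLOWED_CLIENTS, [443])
    print(rule)
    print("findings:", audit_rule(rule, "application", ALLOWED_CLIENTS))
    too_open = dict(rule, sourceRanges=["0.0.0.0/0"])
    print("findings for 0.0.0.0/0:", audit_rule(too_open, "application", ALLOWED_CLIENTS))
```

The same rule expressed with the gcloud CLI (flag names as in the gcloud compute firewall-rules create reference) would be: gcloud compute firewall-rules create allow-app-clients --network default --direction INGRESS --action allow --rules tcp:443 --target-tags application --source-ranges 203.0.113.0/24,198.51.100.17/32,35.191.0.0/16,209.85.152.0/22,209.85.204.0/22. Omitting the health-check ranges makes the backends fail health checks and drop out of the load balancer, which is why the option includes them.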
The correct answer is A because you create a Service Perimeter with gcloud using "gcloud access-context-manager perimeters create". Also, from the question it's not clear which one of the 9 types of load balancer are being used. Therefore, considerations about pass-through or proxy-based types of load balancers are not applicable. With an access-context-manager resource you can restrict the clients' source IP address ranges by leveraging the "origin" object, as clearly specified at page 187 in the newly released book "GCP Professional Cloud Network Engineer Certification Companion", which features a whole chapter about VPC Service Perimeters (and Controls) https://a.co/d/3MWQg39
This is an ambiguous question. Is it an external/internal LB? HTTPS LB or TCP/UDP LB? This would greatly affect the answer given. The specific LB being used needs to be called out.
This is only valid for network load balancers. The question should specify the type of load balancer, since most of them are proxy based and would need a Cloud Armor policy.
https://cloud.google.com/vpc-service-controls
- Restrict resource access to allowed IP addresses, identities, and trusted client devices
also talks about a load balancer (could be proxy), not a network load balancer, and therefore C is not valid
B: VPC Service Controls
Managed networking functionality for your Google Cloud resources.
• Mitigate exfiltration risks by isolating multi-tenant services
• Ensure sensitive data can only be accessed from authorized networks
• Restrict resource access to allowed IP addresses, identities, and trusted client devices
• Control which Google Cloud services are accessible from a VPC network
C. Tag the backend instances "application," and create a firewall rule with target tag "application" and the source IP range of the allowed clients and Google health check IP ranges.