Your team needs to make sure that their backend database can only be accessed by the frontend application and no other instances on the network. How should your team design this network?
A. Create an ingress firewall rule to allow access only from the application to the database using firewall tags.
B. Create a different subnet for the frontend application and database to ensure network isolation.
C. Create two VPC networks, and connect the two networks using Cloud VPN gateways to ensure network isolation.
D. Create two VPC networks, and connect the two networks using VPC peering to ensure network isolation.
Although A is correct, B would be more secure when combined with firewall rules to restrict traffic based on subnets.
The ideal solution would be to use service-account-based firewall rules instead of tag-based ones. See the paragraph below from https://cloud.google.com/solutions/best-practices-vpc-design
"However, even though it is possible to use tags for target filtering in this manner, we recommend that you use service accounts where possible. Target tags are not access-controlled and can be changed by someone with the instanceAdmin role while VMs are in service. Service accounts are access-controlled, meaning that a specific user must be explicitly authorized to use a service account. There can only be one service account per instance, whereas there can be multiple tags. Also, service accounts assigned to a VM can only be changed when the VM is stopped."
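One way to express the service-account-based rule the quoted guidance recommends, written here as an added Terraform example rather than anything from the thread or from Google's documentation. The project id, VPC name, the two service-account emails and the database port (PostgreSQL 5432) are assumed placeholders; both VM tiers are assumed to sit in the same VPC, as in answer A.

```hcl
# Added example (not from the thread): identify the frontend and database
# VMs by the service account each runs as, not by network tag. Names and
# the port are placeholders.

resource "google_compute_firewall" "db_allow_from_frontend" {
  name      = "db-allow-from-frontend"
  project   = "my-project"
  network   = "app-vpc"
  direction = "INGRESS"
  priority  = 1000   # lower number wins in GCP, so this beats the deny below

  allow {
    protocol = "tcp"
    ports    = ["5432"]
  }

  # Only packets from VMs running as the frontend service account ...
  source_service_accounts = ["frontend@my-project.iam.gserviceaccount.com"]
  # ... and only towards VMs running as the database service account.
  target_service_accounts = ["database@my-project.iam.gserviceaccount.com"]
}

# Explicit deny for every other source to the database tier. Its priority
# (1100) is worse than the allow above but better than the implied rules and
# any broad "allow internal" rule, so nothing else on the network gets through.
resource "google_compute_firewall" "db_deny_all_other" {
  name      = "db-deny-all-other-ingress"
  project   = "my-project"
  network   = "app-vpc"
  direction = "INGRESS"
  priority  = 1100

  deny {
    protocol = "all"
  }

  source_ranges           = ["0.0.0.0/0"]
  target_service_accounts = ["database@my-project.iam.gserviceaccount.com"]
}
```

Because a VM's service account can only be changed while it is stopped and requires the actAs permission, a running frontend VM cannot be re-labelled into the database tier the way a tag could be.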
I'm inclined to go with A too because without firewall rules the subnets in B would ensure there is no communication at all due to default implicit rules.
"A"
The choice is between A and B. Even though subnet isolation is recommended (which would make B correct), subnet isolation alone without accompanying firewall rules does not ensure security.
Only A emphasizes the use of firewall which makes it more correct than B.
Reference:
https://cloud.google.com/architecture/best-practices-vpc-design#target_filtering
@AzureDP900: Cleared AWS Solution Architect Professional (SAP - CO1) on the last date. Followed your answers. Cleared 5 GCP Certificates. Glad that you are here.
Answer is D: you'd want the DB in a separate VPC. Allow VPC peering and connect the Front End's backend to the DB. Don't get confused by the question saying 'front end'. Front end only means public facing...