A customer wants to deploy a large number of 3-tier web applications on Compute Engine. How should the customer ensure authenticated network separation between the different tiers of the application?
A. Run each tier in its own Project, and segregate using Project labels.
B. Run each tier with a different Service Account (SA), and use SA-based firewall rules.
C. Run each tier in its own subnet, and use subnet-based firewall rules.
D. Run each tier with its own VM tags, and use tag-based firewall rules.
Answer is B. Keyword is 'authenticated'. References below:
"Isolate VMs using service accounts when possible"
"Even though it is possible to use tags for target filtering in this manner, we recommend that you use service accounts where possible. Target tags are not access-controlled and can be changed by someone with the instanceAdmin role while VMs are in service. Service accounts are access-controlled, meaning that a specific user must be explicitly authorized to use a service account. There can only be one service account per instance, whereas there can be multiple tags. Also, service accounts assigned to a VM can only be changed when the VM is stopped."
https://cloud.google.com/solutions/best-practices-vpc-design#isolate-vms-service-accounts
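To make the difference between options B and D concrete, here is an added Terraform example (it is not part of the discussion above or of Google's documentation) that expresses the same "web may talk to app, app may talk to db" intent twice: once with service-account-based rules and once with tag-based rules. The VPC name `three-tier-vpc`, the ports, zone, image and service-account names are all constructed for the example, and a configured `google` provider with a project set is assumed.

```hcl
# Added example, not from the thread. Assumes a configured google provider; the
# network name, ports and tier names below are constructed placeholders.

# One service account per tier. This is the "authenticated" part: a VM only
# carries this identity if whoever created it was granted
# roles/iam.serviceAccountUser on the account, and the identity can only be
# swapped while the VM is stopped.
resource "google_service_account" "tier" {
  for_each     = toset(["web", "app", "db"])
  account_id   = "tier-${each.key}"
  display_name = "Service account for the ${each.key} tier"
}

# Option B, hardened form: traffic is matched on the identity the source and
# target VMs run as, not on a mutable label.
resource "google_compute_firewall" "web_to_app" {
  name      = "allow-web-to-app"
  network   = "three-tier-vpc" # assumed VPC name
  direction = "INGRESS"
  priority  = 1000

  allow {
    protocol = "tcp"
    ports    = ["8080"] # assumed app-tier listener
  }

  source_service_accounts = [google_service_account.tier["web"].email]
  target_service_accounts = [google_service_account.tier["app"].email]
}

resource "google_compute_firewall" "app_to_db" {
  name      = "allow-app-to-db"
  network   = "three-tier-vpc"
  direction = "INGRESS"
  priority  = 1000

  allow {
    protocol = "tcp"
    ports    = ["5432"] # assumed database port
  }

  source_service_accounts = [google_service_account.tier["app"].email]
  target_service_accounts = [google_service_account.tier["db"].email]
}

# Option D, weaker form shown for contrast: the same flow keyed on network tags.
# Tags are not access-controlled, so any principal with compute.instanceAdmin on
# the project can add the "web" tag to a running VM and match this rule.
# (GCP does not allow tags and service accounts to be mixed in one rule, which
# is why this is a separate resource rather than an extra attribute above.)
resource "google_compute_firewall" "web_to_app_by_tag" {
  name      = "allow-web-to-app-by-tag"
  network   = "three-tier-vpc"
  direction = "INGRESS"
  priority  = 1000

  allow {
    protocol = "tcp"
    ports    = ["8080"]
  }

  source_tags = ["web"]
  target_tags = ["app"]
}

# A VM bound to its tier identity. Only the service_account block matters for
# the firewall rules above; the rest is the minimum Terraform needs.
resource "google_compute_instance" "app" {
  name         = "app-1"
  machine_type = "e2-small"
  zone         = "us-central1-a" # assumed zone

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12"
    }
  }

  network_interface {
    network = "three-tier-vpc"
  }

  service_account {
    email  = google_service_account.tier["app"].email
    scopes = ["cloud-platform"]
  }
}
```

Two things to check when reviewing such a design: first, a VPC's implied rule denies all ingress, so the two `allow` rules above are the only permitted paths between tiers and nothing else needs a deny; second, the service-account rules only protect you if `roles/iam.serviceAccountUser` on each tier's account is granted narrowly, because that grant is what decides who can launch a VM that matches the rule.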
VM tags in Google Cloud are a flexible way to categorize and identify virtual machines (VMs) by their function or purpose, such as "frontend," "backend," or "database" for a 3-tier application. By assigning each tier its own tag and applying tag-based firewall rules, the customer can enforce network separation and restrict communication between tiers based on tags. This approach provides authenticated network segmentation by allowing or denying traffic between specific tags, ensuring that only intended communications occur between application tiers.
Ans: C
The question asks for network separation. In the case of B, all the tiers are still in the same subnet but are isolated using SAs or tags; however, with C, you are clearly separating the network. Hence my answer is C.
Why the other options are less ideal:
A. Project labels: Project labels are primarily for organizational purposes and don't provide strong network isolation.
B. Service Accounts: While service accounts can be used for authentication, using them alone for network separation can be complex and less effective than subnet-based rules.
D. VM tags: VM tags can be used for filtering in firewall rules, but they don't inherently create network separation.
B. Run each tier with a different Service Account (SA), and use SA-based firewall rules: Service accounts are primarily designed for authentication and authorization of service-to-service interactions. Using them for network separation is possible but is not their primary use case.
D. Run each tier with its own VM tags, and use tag-based firewall rules: This is the most recommended method for multi-tier applications. VM tags are a straightforward way to identify the role or purpose of a VM (like 'web', 'app', 'database'). When VMs are tagged appropriately, tag-based firewall rules can easily control which tiers can communicate with each other. For example, firewall rules can be set so that only VMs with the 'web' tag can communicate with VMs with the 'app' tag, and so on.
"B"
Keyword here is "authenticated". The service-account answer is the only option that addresses authentication. The rest are network-security related.
References:
https://cloud.google.com/compute/docs/access/service-accounts#use-sas
https://cloud.google.com/solutions/best-practices-vpc-design#isolate-vms-service-accounts
"As previously mentioned, you can identify the VMs on a specific subnet by applying a unique network tag or service account to those instances. This allows you to create firewall rules that only apply to the VMs in a subnet—those with the associated network tag or service account. For example, to create a firewall rule that permits all communication between VMs in the same subnet, you can use the following rule configuration on the Firewall rules page:"
B is the right answer
C is incorrect because we need to spend a lot of time designing the network topology, etc. Google's recommended practice is to use a simple network design with automation in mind, and service accounts provide that, hence the final decision goes to B.
Ans - C
https://cloud.google.com/docs/enterprise/best-practices-for-enterprise-organizations#networking_and_security
https://cloud.google.com/solutions/best-practices-vpc-design#addresses_and_subnets